February 24, 2008

YouTube had its IPs hijacked. Pakistan was advertising an invalid route announcement, which not only blocked YouTube for Pakistan: other networks for some reason accepted it as a valid route, so YouTube was blocked for them as well. This happened because the government of Pakistan said all Pakistani networks have to block YouTube. The Pakistani networks should not have let this false route leak out of their networks, but other networks also should not have accepted this route advertisement. I found this posting on the NANOG list:

As you guys probably know Youtube’s IP’s are being hijacked. Trace:
~ $ host youtube.com
youtube.com has address 208.65.153.253
youtube.com has address 208.65.153.238
youtube.com has address 208.65.153.251
[Same /24]

701 3491 17557
64.74.137.253 (metric 1) from 66.151.144.148 (66.151.144.148)
Origin IGP, metric 100, localpref 100, valid, external
Community: 65010:300
Last update: Sun Feb 24 11:33:05 2008 [PST8PDT]
3491 17557
216.218.135.205 from 216.218.135.205 (216.218.252.164)
Origin IGP, metric 100, localpref 100, valid, external, best
Last update: Sun Feb 24 10:47:57 2008 [PST8PDT]

So, it seems that YouTube’s IP block has been hijacked by a more
specific prefix being advertised. This is a case of IP hijacking, not a
case of DNS poisoning, YouTube engineers doing something stupid, etc.
For people that don’t know: the router will try to get the most specific
prefix. This is by design, not by accident. This is a case of censorship
on the internet. Anyways, I hope this doesn’t get into a political
situation, and someone stops this.

What action are you going to take? Are you going to filter
announcements from AS17557, or just filter that specific announcement?
Considering youtube is a fairly high-traffic website I think that other
operators are just going to start filtering that AS. This is a great
example of global politics getting in the way of honest corporatism.
This is also an example of how vulnerable the internet is, and how lax
providers are in their filtering policies. I don’t know how large
Pakistani Telecom is, but I bet it’s not large enough that PCCW should
be allowing it to advertise anything.

There’s a quick reply:

You are making the assumption of malice when the more likely cause is one of accident on the part of probably stressed NOC staff at 17557.

They probably have that /24 going to a gateway walled garden box which replies with a site saying ‘we have banned this’, and that /24 route is leaking outside of their AS via PCCW due to dodgy filters/communities.

This is still an IP hijack. It may not have been intended to be Internet-wide, but it’s still an IP hijack.
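The most-specific-prefix behaviour described in the quoted post, together with the kind of origin filter that would have rejected the leaked route, as an added example (not part of the original post or the NANOG thread). The /24 and the path ending in AS17557 come from the trace above; the covering /22, origin AS 64500 and the `EXPECTED` allow-list are assumptions made for illustration.

```python
import ipaddress

# Constructed routing table. The /24 and the AS path ending in 17557 are from
# the trace quoted above; the covering /22 and origin AS 64500 (a
# documentation ASN) are assumptions standing in for the legitimate route.
RIB = [
    {"prefix": "208.65.152.0/22", "as_path": [64500]},
    {"prefix": "208.65.153.0/24", "as_path": [3491, 17557]},
]

# Hypothetical allow-list in the style of a route-origin authorization:
# prefix, permitted origin AS, and the longest prefix length accepted.
EXPECTED = [{"prefix": "208.65.152.0/22", "origin": 64500, "max_len": 22}]


def best_route(dest, rib):
    """Longest-prefix match: the most specific covering route wins."""
    addr = ipaddress.ip_address(dest)
    covering = [r for r in rib if addr in ipaddress.ip_network(r["prefix"])]
    if not covering:
        return None
    return max(covering, key=lambda r: ipaddress.ip_network(r["prefix"]).prefixlen)


def validate(route, expected):
    """Return 'valid', 'invalid' or 'unknown' for one announcement."""
    net = ipaddress.ip_network(route["prefix"])
    origin = route["as_path"][-1]  # last AS in the path originated the route
    covered = False
    for e in expected:
        auth = ipaddress.ip_network(e["prefix"])
        if net.version == auth.version and net.subnet_of(auth):
            covered = True
            if origin == e["origin"] and net.prefixlen <= e["max_len"]:
                return "valid"
    # Covered by an authorization but wrong origin or too specific: reject.
    return "invalid" if covered else "unknown"


def filtered_rib(rib, expected):
    """Drop announcements that fail validation before route selection."""
    return [r for r in rib if validate(r, expected) != "invalid"]


if __name__ == "__main__":
    for ip in ("208.65.153.253", "208.65.152.10"):
        print(ip, "unfiltered ->", best_route(ip, RIB)["as_path"],
              "filtered ->", best_route(ip, filtered_rib(RIB, EXPECTED))["as_path"])
```

Without the filter, traffic for 208.65.153.253 follows the /24 regardless of AS-path length or local preference, because prefix length is compared before any BGP attribute.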

As of this posting YouTube is now back online. :) The NANOG conversation is here.

*UPDATE* I don’t normally do this, but heck, little me got mentioned by Leo Laporte on his national radio show. Wow, just incredible. NANOG actually saw it first on the mailing list. :) I’ll post a link to the Tech Guy podcast that it was first broadcast on when it gets posted.

I have noticed YouTube is getting routed to Hong Kong, BUT they have redone their DNS to have their Hong Kong IPs resolve the site back to youtube.com. This is not hard to do, but it shows that YouTube is getting around the BGP errors using DNS. :)

nslookup youtube.com

Non-authoritative answer:
Name: youtube.com
Addresses: 208.65.153.251, 208.65.153.253, 208.65.153.238

tracert youtube.com

Tracing route to youtube.com [208.65.153.253]
over a maximum of 30 hops:

1 <1 ms <1 ms <1 ms 192.168.255.1
2 6 ms 7 ms 9 ms 10.240.255.1
3 13 ms 8 ms 11 ms ge-3-1-sr01.jefferson.md.bad.comcast.net [68.86.255.209]
4 7 ms 7 ms 10 ms ge-2-23-ur01.frederick.md.bad.comcast.net [68.86.252.50]
5 11 ms 10 ms 9 ms te-9-1-ur02.shphrdstwn.wv.bad.comcast.net [68.86.252.77]
6 10 ms 9 ms 8 ms te-9-1-ur01.shphrdstwn.wv.bad.comcast.net [68.86.252.73]
7 11 ms 9 ms 10 ms te-9-1-ur01.martinsburg.wv.bad.comcast.net [68.86.252.69]
8 11 ms 11 ms 15 ms te-7-3-ar01.manassascc.va.bad.comcast.net [68.86.252.54]
9 21 ms 19 ms 28 ms po-10-ar01.howardcounty.md.bad.comcast.net [68.87.129.29]
10 24 ms 21 ms 21 ms po-10-ar02.whitemarsh.md.bad.comcast.net [68.87.129.34]
11 44 ms 24 ms 25 ms pos-0-6-0-0-cr01.philadelphia.pa.ibone.comcast.net [68.86.85.9]
12 26 ms 33 ms 31 ms 64.215.24.86
13 32 ms 27 ms 29 ms 64.215.24.85
14 105 ms 105 ms 101 ms YOUTUBE-LLC.Te6-3.400.ar2.SJC2.gblx.net [64.208.26.114]
15 101 ms 102 ms 106 ms youtube.com.hk [208.65.153.253]

Trace complete.

ZDNet posted an hour before I did. :)

*UPDATE* There’s another thread starting on NANOG about prevention of this kind of hijack.

Renesys has some good data on this as well as a mention of other major incidents like this during the past decade.

About 1.5 hours ago Pakistan lifted the YouTube ban. I bet their network engineers are a bit red-faced right now; next time they’ll probably make sure their filters are in place. However, if you read into the stories, this tells me that they did it this way on purpose with no regard for the consequences. I’m sure the engineers who did this knew the consequences, but they had higher-ups pushing them on. We’ll see how this works out. :)

Here’s other updates:
Cnet
TMC
Taipei Times
Network World