YouTube Hijacking: A RIPE NCC RIS case study
On Sunday, 24 February 2008, Pakistan Telecom (AS17557) started an unauthorised announcement of the prefix 188.8.131.52/24. One of Pakistan Telecom's upstream providers, PCCW Global (AS3491) forwarded this announcement to the rest of the Internet, which resulted in the hijacking of YouTube traffic on a global scale.
In this report we show how the events were seen by RIPE NCC's Routing Information Service (RIS) and how, in general, one can use the RIS tools to obtain hard data on network events.
- Before, during and after Sunday, 24 February 2008: AS36561 (YouTube) announces 184.108.40.206/22. Note that AS36561 also announces other prefixes, but they are not involved in the event.
- Sunday, 24 February 2008, 18:47 (UTC): AS17557 (Pakistan Telecom) starts announcing 220.127.116.11/24. AS3491 (PCCW Global) propagates the announcement. Routers around the world receive the announcement, and YouTube traffic is redirected to Pakistan.
- Sunday, 24 February 2008, 20:07 (UTC): AS36561 (YouTube) starts announcing 18.104.22.168/24. With two identical prefixes in the routing system, BGP policy rules, such as preferring the shortest AS path, determine which route is chosen. This means that AS17557 (Pakistan Telecom) continues to attract some of YouTube's traffic.
- Sunday, 24 February 2008, 20:18 (UTC): AS36561 (YouTube) starts announcing 22.214.171.124/25 and 126.96.36.199/25. Because of the longest prefix match rule, every router that receives these announcements will send the traffic to YouTube.
- Sunday, 24 February 2008, 20:51 (UTC): All prefix announcements, including the hijacked /24 which was originated by AS17557 (Pakistan Telecom) via AS3491 (PCCW Global), are seen prepended by another 17557. The longer AS path means that more routers prefer the announcement originated by YouTube.
- Sunday, 24 February 2008, 21:01 (UTC): AS3491 (PCCW Global) withdraws all prefixes originated by AS17557 (Pakistan Telecom), thus stopping the hijack of 188.8.131.52/24. Note that AS17557 was not completely disconnected by AS3491. Prefixes originated by other Pakistani ASs were still announced by AS17557 through AS3491.
The prefixes involved in the hijack and YouTube's counter measures were already known from reports on various mailing lists. However, even if this information had not been reported, it is easy to find in the RIPE NCC's Routing Information Service (RIS).
Pakistan aimed to block the YouTube website. youtube.com has three IP numbers in the DNS: 184.108.40.206, 220.127.116.11 and 18.104.22.168.
The RISwhois tool (accessible via whois protocol on riswhois.ripe.net or through the web interface at http://www.ris.ripe.net/cgi-bin/riswhois.cgi) provides a quick look at the most recent set of Routing Information Base (RIB) dumps from the various RIS Remote Route Collectors (RRCs). By entering the IP address 22.214.171.124, we see YouTube (still) originating 126.96.36.199/22, 188.8.131.52/24 and 184.108.40.206/25. The /22 is the one that is most widely seen (by 112 RIS peers). The /24 is seen by 105 peers. The /25 announcement, however, only makes it to 21 of the peers.
When a routing event is still fresh, it's likely that the associated prefix announcement hasn't yet been included in an RIS RIB dump. In that case, the main RIS search page, http://www.ris.ripe.net/perl-risapp/risearch.html, can be useful. Looking up a youtube.com IP address using the "Less specific" option for the period Sunday, 24 February 2008, 18:00 (UTC) to Monday, 25 February 2008, 01:00 (UTC), shows both AS17557 (Pakistan Telecom) and AS36561 (YouTube) as origin. Folding out the tabs, we see the prefixes involved, as well as an overview of the update/withdrawal events. This shows the last unauthorised announcement from Pakistan was received on Sunday, 24 February 2008, 21:01:22 (UTC).
To understand the dynamics of the route announcements, withdrawals and the "competition" in BGP between the Pakistani /24 and YouTube announcement, we can use the visualisation tool BGPlay. This tool was designed and written by the Computer Networks Research Group at Roma Tre University and has been integrated into the RIS service portfolio. BGPlay snapshots illustrating the state of the network at some key points in time are subject of the next section.
It is important to note that the RIS can only show the collected BGP information and not routing, as such, for the whole Internet. Based on this information, it is not possible to make statements about how many sites had their traffic to YouTube hijacked. The data in RISwhois already shows the /24 announcement does not reach the same number of peers as the aggregate /22. However, in BGPlay you can see that in the two minutes following the first announcement at 18:47 (UTC), the unauthorised route had spread to its largest extent in the RIS routing view.
Routing States - BGPlay Snapshots
Before, during and after Sunday, 24 February 2008
AS36561 (YouTube) announces 220.127.116.11/22. Note that its connectivity almost doesn't change during the period of the hijacking.
The prefix 18.104.22.168/24 is not announced on the Internet before the event:
Sunday, 24 February 2008, 18:49 (UTC)
AS17557 (Pakistan Telecom) has been announcing 22.214.171.124/24 for the past two minutes. RIS peers around the world have received the route update, and YouTube traffic is being redirected to Pakistan.
Sunday, 24 February 2008, 21:23 (UTC)
AS36561 (YouTube) has been announcing 126.96.36.199/24 since 20:07 (UTC). The bogus announcement from AS17557 (Pakistan Telecom) has been withdrawn, and RIS peers now only have routes to YouTube's AS36561
Since Sunday, 24 February 2008, 20:18 (UTC)
AS36561 (YouTube) is announcing 188.8.131.52/25 and 184.108.40.206/25. Note that both of these prefixes are much less visible on the Internet than the /24 prefix.
Path Evolution of the Hijacked Prefix as Observed by an RIS Peer
In order to have a complete view of the routing changes that the hijacked prefix (220.127.116.11/24) underwent over the course of the hijacking, we used the experimental BGPath tool from Roma Tre University. The following picture shows the evolution of the path chosen by a specific peer (in this case AS3333, RIPE NCC) to reach the hijacked prefix.
This picture shows that:
- Until Sunday, 24 February 2008, 18:47 (UTC), AS3333 (RIPE NCC) had no path toward 18.104.22.168/24
- On Sunday, 24 February 2008, from 18:47 to 20:52 (UTC), AS3333 (RIPE NCC) observed 22.214.171.124/24 being announced by AS17557 (Pakistan Telecom) through two distinct paths (3333 6320 3549 3491 17557 and 3333 12859 3491 17557)
- Since Sunday, 24 February 2008, 20:52 (UTC), AS3333 (RIPE NCC) has observed 126.96.36.199/24 being announced by AS36561 (YouTube) through the path 3333 3356 3549 36561
As the above timeline shows, this event happened in a relatively short time interval: YouTube reacted about 80 minutes after the Pakistan Telecom announcements, and all the major events finished after about two hours. While this report showed that the tools provided by RIPE NCC (such as RISwhois and BGPlay) can help in following and analysing events even on such a short timeline, we also note that unauthorised announcements like this can be prevented from spreading throughout the Internet by appropriate routing configuration by operators of Autonomous Systems. The RIPE NCC provides the RIPE Routing Registry in order to facilitate such configuration. Currently the RIPE community is discussing the introduction of digital certificates for Internet number resources. These certificates are intended to provide a tool to further enhance routing configuration throughout the Internet.