On Sunday, 24 February 2008, Pakistan Telecom (AS17557) started an unauthorised announcement of the prefix 184.108.40.206/24. One of Pakistan Telecom's upstream providers, PCCW Global (AS3491), forwarded this announcement to the rest of the Internet, which resulted in the hijacking of YouTube traffic on a global scale.
In this report we show how the events were seen by RIPE NCC's Routing Information Service (RIS) and how, in general, one can use the RIS tools to obtain hard data on network events.
The prefixes involved in the hijack and YouTube's countermeasures were already known from reports on various mailing lists. However, even if this information had not been reported, it is easy to find in the RIPE NCC's Routing Information Service (RIS).
Pakistan aimed to block the YouTube website. youtube.com has three IP numbers in the DNS: 220.127.116.11, 18.104.22.168 and 22.214.171.124.
The RISwhois tool (accessible via whois protocol on riswhois.ripe.net or through the web interface at http://www.ris.ripe.net/cgi-bin/riswhois.cgi) provides a quick look at the most recent set of Routing Information Base (RIB) dumps from the various RIS Remote Route Collectors (RRCs). By entering the IP address 126.96.36.199, we see YouTube (still) originating 188.8.131.52/22, 184.108.40.206/24 and 220.127.116.11/25. The /22 is the one that is most widely seen (by 112 RIS peers). The /24 is seen by 105 peers. The /25 announcement, however, only makes it to 21 of the peers.
When a routing event is still fresh, it's likely that the associated prefix announcement hasn't yet been included in an RIS RIB dump. In that case, the main RIS search page, http://www.ris.ripe.net/perl-risapp/risearch.html, can be useful. Looking up a youtube.com IP address using the "Less specific" option for the period Sunday, 24 February 2008, 18:00 (UTC) to Monday, 25 February 2008, 01:00 (UTC), shows both AS17557 (Pakistan Telecom) and AS36561 (YouTube) as origin. Folding out the tabs, we see the prefixes involved, as well as an overview of the update/withdrawal events. This shows the last unauthorised announcement from Pakistan was received on Sunday, 24 February 2008, 21:01:22 (UTC).
To understand the dynamics of the route announcements, withdrawals and the "competition" in BGP between the Pakistani /24 and YouTube announcement, we can use the visualisation tool BGPlay. This tool was designed and written by the Computer Networks Research Group at Roma Tre University and has been integrated into the RIS service portfolio. BGPlay snapshots illustrating the state of the network at some key points in time are the subject of the next section.
It is important to note that the RIS can only show the collected BGP information and not routing, as such, for the whole Internet. Based on this information, it is not possible to make statements about how many sites had their traffic to YouTube hijacked. The data in RISwhois already shows the /24 announcement does not reach the same number of peers as the aggregate /22. However, in BGPlay you can see that in the two minutes following the first announcement at 18:47 (UTC), the unauthorised route had spread to its largest extent in the RIS routing view.
Before, during and after Sunday, 24 February 2008
AS36561 (YouTube) announces 18.104.22.168/22. Note that its connectivity almost doesn't change during the period of the hijacking.
The prefix 22.214.171.124/24 is not announced on the Internet before the event:
Sunday, 24 February 2008, 18:49 (UTC)
AS17557 (Pakistan Telecom) has been announcing 126.96.36.199/24 for the past two minutes. RIS peers around the world have received the route update, and YouTube traffic is being redirected to Pakistan.
Sunday, 24 February 2008, 21:23 (UTC)
AS36561 (YouTube) has been announcing 188.8.131.52/24 since 20:07 (UTC). The bogus announcement from AS17557 (Pakistan Telecom) has been withdrawn, and RIS peers now only have routes to YouTube's AS36561.
Since Sunday, 24 February 2008, 20:18 (UTC)
AS36561 (YouTube) is announcing 184.108.40.206/25 and 220.127.116.11/25. Note that both of these prefixes are much less visible on the Internet than the /24 prefix.
In order to have a complete view of the routing changes that the hijacked prefix (18.104.22.168/24) underwent over the course of the hijacking, we used the experimental BGPath tool from Roma Tre University. The following picture shows the evolution of the path chosen by a specific peer (in this case AS3333, RIPE NCC) to reach the hijacked prefix.
This picture shows that:
As the above timeline shows, this event happened in a relatively short time interval: YouTube reacted about 80 minutes after the Pakistan Telecom announcements, and all the major events finished after about two hours. While this report showed that the tools provided by RIPE NCC (such as RISwhois and BGPlay) can help in following and analysing events even on such a short timeline, we also note that unauthorised announcements like this can be prevented from spreading throughout the Internet by appropriate routing configuration by operators of Autonomous Systems. The RIPE NCC provides the RIPE Routing Registry in order to facilitate such configuration. Currently the RIPE community is discussing the introduction of digital certificates for Internet number resources. These certificates are intended to provide a tool to further enhance routing configuration throughout the Internet.
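The competition between the /22, /24 and /25 announcements in the timeline, and the origin filtering that the closing paragraph refers to, can be replayed in a few lines. This is an added example, not RIPE NCC code or part of the RIS tools: the prefixes are constructed placeholders rather than the real ones, the AS numbers and times are taken from the report, and `origin_check` is a simplified, hypothetical stand-in for a registry-based filter that accepts more-specifics from the registered origin.

```python
import ipaddress

# Registry-style route object (constructed placeholder prefix): prefix -> origin AS
REGISTERED = {ipaddress.ip_network("198.51.100.0/22"): 36561}

# Constructed replay of the report's timeline: (UTC label, A=announce/W=withdraw, prefix, origin)
UPDATES = [
    ("before",   "A", "198.51.100.0/22",   36561),
    ("18:47",    "A", "198.51.100.0/24",   17557),
    ("20:07",    "A", "198.51.100.0/24",   36561),
    ("20:18",    "A", "198.51.100.0/25",   36561),
    ("20:18",    "A", "198.51.100.128/25", 36561),
    ("by 21:23", "W", "198.51.100.0/24",   17557),
]

def origin_check(prefix, origin, registered):
    """Classify an announcement against registered (prefix -> origin AS) data."""
    net = ipaddress.ip_network(prefix)
    covering = [o for p, o in registered.items() if net.subnet_of(p)]
    if not covering:
        return "unknown"          # nothing registered covers this prefix
    return "valid" if origin in covering else "invalid"

def best_origins(rib, addr):
    """Origin ASes of the longest prefix in the table that contains addr."""
    ip = ipaddress.ip_address(addr)
    matches = [p for p, origins in rib.items() if origins and ip in p]
    if not matches:
        return set()
    return set(rib[max(matches, key=lambda p: p.prefixlen)])

def replay(updates, registered, addr):
    """Apply updates in order; return (label, check, origins attracting addr)."""
    rib, out = {}, []
    for label, action, prefix, origin in updates:
        net = ipaddress.ip_network(prefix)
        if action == "A":
            rib.setdefault(net, set()).add(origin)
            verdict = origin_check(prefix, origin, registered)
        else:
            rib.get(net, set()).discard(origin)
            verdict = None        # withdrawals are not origin-checked
        out.append((label, verdict, best_origins(rib, addr)))
    return out

if __name__ == "__main__":
    for row in replay(UPDATES, REGISTERED, "198.51.100.10"):
        print(row)
```

A set with two origins means the same prefix is announced by both ASes, so the outcome at any one router depends on its BGP path selection; only the more-specific /25s remove that ambiguity, which is why they appear in the timeline despite their lower visibility.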