YouTube IP Hijacking
John van Oppen
john at vanoppen.com
Sun Feb 24 21:06:03 UTC 2008
Looks like it just went back to normal:
cr1-sea-A>show ip bgp 208.65.153.253
BGP routing table entry for 208.65.153.0/24, version 41150187
Paths: (3 available, best #3)
Flag: 0x8E0
Advertised to update-groups:
1 3 4 6 13 14
16
3356 3549 36561, (Received from a RR-client)
208.76.153.126 (metric 110) from 208.76.153.126 (208.76.153.126)
Origin IGP, metric 0, localpref 50, valid, internal
Community: 3356:3 3356:22 3356:86 3356:575 3356:666 3356:2011
3549:4142 3549:30840 11404:1000 11404:1030
2914 3549 36561, (Received from a RR-client)
208.76.153.125 (metric 310) from 208.76.153.125 (208.76.153.125)
Origin IGP, metric 0, localpref 49, valid, internal
Community: 2914:420 2914:2000 2914:3000 11404:1000 11404:1010
3491 3549 36561
63.216.14.137 from 63.216.14.137 (63.216.14.9)
Origin IGP, localpref 51, valid, external, best
Community: 3491:2000 3491:2003 3491:3549 11404:1000 11404:1020
cr1-sea-A>
Probably worth noting that the performance at least from our perspective
(via PCCW) is abysmal. As a side note, I know PCCW allows unfiltered
route-announcement capability to a large number of their customers; our
feed appears to be that way (or they apply RADB filters instantly which
would be a bit impressive).
John van Oppen
Spectrum Networks LLC
206.973.8302 (Direct)
206.973.8300 (main office)
-----Original Message-----
From: owner-nanog at merit.edu [mailto:owner-nanog at merit.edu] On Behalf Of
Tomas L. Byrnes
Sent: Sunday, February 24, 2008 12:50 PM
To: Will Hargrave; nanog at merit.edu
Subject: RE: YouTube IP Hijacking
Pakistan is deliberately blocking Youtube.
http://politics.slashdot.org/article.pl?sid=08/02/24/1628213
Maybe we should all block Pakistan.
> -----Original Message-----
> From: owner-nanog at merit.edu [mailto:owner-nanog at merit.edu] On
> Behalf Of Will Hargrave
> Sent: Sunday, February 24, 2008 12:39 PM
> To: nanog at nanog.org
> Subject: Re: YouTube IP Hijacking
>
>
> Sargun Dhillon wrote:
>
> > So, it seems that youtube's ip block has been hijacked by a more
> > specific prefix being advertised. This is a case of IP hijacking, not
> > a case of DNS poisoning, youtube engineers doing something stupid, etc.
> > For people that don't know. The router will try to get the most
> > specific prefix. This is by design, not by accident.
>
> You are making the assumption of malice when the more likely
> cause is one of accident on the part of probably stressed NOC
> staff at 17557.
>
> They probably have that /24 going to a gateway walled garden
> box which replies with a site saying 'we have banned this',
> and that /24 route is leaking outside of their AS via PCCW
> due to dodgy filters/communities.
>
> Will
>
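
Added example (not part of the original thread, and not any participant's code): a Python illustration of the longest-prefix-match behaviour described in the quoted message, plus an origin-AS check a route monitor could apply to each announcement. 208.65.153.0/24, AS36561, AS17557 and AS3491 (PCCW) are taken from the messages above; the covering /22, the RIB snapshots and all function names are constructed for the example.

```python
import ipaddress

# Monitored prefixes and their expected origin AS. Origin AS36561 comes from
# the AS paths in the BGP output above; the covering /22 is an ASSUMED value
# for this example (the thread itself only shows the /24).
EXPECTED = {ipaddress.ip_network("208.65.152.0/22"): 36561}

def best_route(rib, addr):
    """Longest-prefix match over (prefix, as_path) pairs, as a router does."""
    ip = ipaddress.ip_address(addr)
    matches = [(net, path) for net, path in rib if ip in net]
    return max(matches, key=lambda m: m[0].prefixlen, default=None)

def classify(prefix, as_path):
    """Compare one announcement's origin AS with the expected origin."""
    net = ipaddress.ip_network(prefix)
    origin = as_path[-1]  # right-most AS in the path originated the route
    covering = [p for p in EXPECTED if net.subnet_of(p)]
    if not covering:
        return "not-monitored"
    parent = max(covering, key=lambda p: p.prefixlen)
    if EXPECTED[parent] == origin:
        return "ok"
    # A more-specific wins longest-prefix match wherever it propagates,
    # so it is reported separately from a same-length origin mismatch.
    if net.prefixlen > parent.prefixlen:
        return "more-specific-origin-mismatch"
    return "origin-mismatch"

# Constructed RIB snapshots (not captured data).
NET22 = ipaddress.ip_network("208.65.152.0/22")
NET24 = ipaddress.ip_network("208.65.153.0/24")
RIB_DURING = [(NET22, [3491, 3549, 36561]), (NET24, [3491, 17557])]
RIB_AFTER = [(NET22, [3491, 3549, 36561]), (NET24, [3491, 3549, 36561])]

if __name__ == "__main__":
    for name, rib in (("during", RIB_DURING), ("after", RIB_AFTER)):
        net, path = best_route(rib, "208.65.153.253")
        print(name, net, path, classify(str(net), path))
```
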