YouTube IP Hijacking

John van Oppen john at vanoppen.com
Sun Feb 24 21:06:03 UTC 2008


Looks like it just went back to normal:

cr1-sea-A>show ip bgp 208.65.153.253
BGP routing table entry for 208.65.153.0/24, version 41150187
Paths: (3 available, best #3)
Flag: 0x8E0
  Advertised to update-groups:
     1          3          4          6          13         14
16        
  3356 3549 36561, (Received from a RR-client)
    208.76.153.126 (metric 110) from 208.76.153.126 (208.76.153.126)
      Origin IGP, metric 0, localpref 50, valid, internal
      Community: 3356:3 3356:22 3356:86 3356:575 3356:666 3356:2011
3549:4142 3549:30840 11404:1000 11404:1030
  2914 3549 36561, (Received from a RR-client)
    208.76.153.125 (metric 310) from 208.76.153.125 (208.76.153.125)
      Origin IGP, metric 0, localpref 49, valid, internal
      Community: 2914:420 2914:2000 2914:3000 11404:1000 11404:1010
  3491 3549 36561
    63.216.14.137 from 63.216.14.137 (63.216.14.9)
      Origin IGP, localpref 51, valid, external, best
      Community: 3491:2000 3491:2003 3491:3549 11404:1000 11404:1020
cr1-sea-A>



Probably worth noting that the performace at least from our perspective
(via PCCW) is abysmal.    As a side note, I know PCCW allows unfiltered
route-announcement capability to a large number of their customers, our
feed appears to be that way (or they apply RADB filters instantly which
would be a bit impressive).   



John van Oppen
Spectrum Networks LLC
206.973.8302 (Direct)
206.973.8300 (main office)

-----Original Message-----
From: owner-nanog at merit.edu [mailto:owner-nanog at merit.edu] On Behalf Of
Tomas L. Byrnes
Sent: Sunday, February 24, 2008 12:50 PM
To: Will Hargrave; nanog at merit.edu
Subject: RE: YouTube IP Hijacking


Pakistan is deliberately blocking Youtube.

http://politics.slashdot.org/article.pl?sid=08/02/24/1628213

Maybe we should all block Pakistan.

 

> -----Original Message-----
> From: owner-nanog at merit.edu [mailto:owner-nanog at merit.edu] On 
> Behalf Of Will Hargrave
> Sent: Sunday, February 24, 2008 12:39 PM
> To: nanog at nanog.org
> Subject: Re: YouTube IP Hijacking
> 
> 
> Sargun Dhillon wrote:
> 
> > So, it seems that youtube's ip block has been hijacked by a more 
> > specific prefix being advertised. This is a case of IP 
> hijacking, not 
> > case of DNS poisoning, youtube engineers doing something 
> stupid, etc.
> > For people that don't know. The router will try to get the most 
> > specific prefix. This is by design, not by accident.
> 
> You are making the assumption of malice when the more likely 
> cause is one of accident on the part of probably stressed NOC 
> staff at 17557.
> 
> They probably have that /24 going to a gateway walled garden 
> box which replies with a site saying 'we have banned this', 
> and that /24 route is leaking outside of their AS via PCCW 
> due to dodgy filters/communities.
> 
> Will
> 



More information about the NANOG mailing list