YouTube IP Hijacking

• Previous message (by thread): YouTube IP Hijacking
• Next message (by thread): YouTube IP Hijacking
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On Sun Feb 24, 2008 at 04:32:45PM -0500, Martin Hannigan wrote:
> Let's avoid speculation as to the why and reserve this thread for
> global restoration activity.

So, from the tit-bits I've picked up from IRC and first-hand knowledge,
it would appear that 17557 leaked an announcement of 208.65.153.0/24 to 
3491 (PCCW/BTN). After several calls to PCCW NOC, including from Youtube
themselves, PCCW claimed to be shutting down the links to 17557. Initially
I saw the announcement change from "3491 17557" to "3491 17557 17557", so 
I speculate that they shut down the primary link (or filtered the announcement
on that link), and the prefix was still coming in over a secondary link 
(hence the prepend). After more prodding, that route vanished too.

Various mitigations were talked about and tried, including Youtube announcing
the /24 as 2*/25, but these announcements did not seem to make it out to the 
world at large.

Currently Youtube are announcing the /24 themselves - I assume this will drop
at some time once it's safe.

It was noticed that all the youtube.com DNS servers were in the affected /24.
Youtube have subsequently added a DNS server in another prefix.

Simon
-- 
Simon Lockhart | * Sun Server Colocation * ADSL * Domain Registration *
   Director    |    * Domain & Web Hosting * Internet Consultancy * 
  Bogons Ltd   | * http://www.bogons.net/  *  Email: info at bogons.net  * 

• Previous message (by thread): YouTube IP Hijacking
• Next message (by thread): YouTube IP Hijacking
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]