Internet Routing Insecurity::Pakistan Nukes YouTube?

So, assume you’re an ISP in Pakistan and, for whatever reason, you receive an order such as this (PDF) from the Pakistan Telecommunication Authority (PTA). The letter is from the Deputy Director of Enforcement with the PTA, and is requiring that you immediately block access to a YouTube URL, or more specifically (actually, less specifically, but that’s a different issue), that you block access to 3 specific IP addresses: 208.65.153.238, 208.65.153.253 and 208.65.153.251.

These three IP addresses correspond to the DNS A resource records associated with www.youtube.com:

danny@rover% host -t a www.youtube.com
www.youtube.com has address 208.65.153.238
www.youtube.com has address 208.65.153.251
www.youtube.com has address 208.65.153.253

So, avoiding all discussion about whether or not said censorship is appropriate, and just focusing on how you’d actually go about blocking access to these IPs, or YouTube in general, you have a few options. Realistically, as a network engineer you could either:

  1. deploy access-control lists (ACLs) on all your router interfaces dropping packets to or from these IPs
  2. OR statically route the three IPs, or perhaps the covering prefix (208.65.153.0/24), to a null or discard interface on all the routers in your network
  3. OR employ something akin to a BGP blackhole routing function that results in all packets destined to those three specific IPs, or the covering prefixes, being discarded as a result of null or discard next hop packet forwarding policies, as discussed here

The first would require that you augment all existing ACL filtering policies on all router interfaces in your network, the second would require that you add static routes to every router in your network, and the last typically requires only that you announce a route for 208.65.153.0/24 to all your routers, tagged with a BGP community that maps to a “blackhole” policy on routers in your network.

So, assume you pick option 2. However, what you fail to recall is that your routing policies currently result in redistribution of all configured static routes into your set of globally advertised BGP routes. The net result is that you start announcing to the world that you provide destination reachability for the YouTube 208.65.153.0/24. Or, assume you pick option 3 above but your policies are broken such that you inadvertently announce reachability for 208.65.153.0/24 to your upstream provider, who happily conveys this to the global Internet. Same effect…

Either way, the net-net is that you’re announcing reachability to your upstream for 208.65.153.0/24, and your upstream provider, who is obviously not validating your prefix announcements based on Regional Internet Registry (RIR) allocations or even Internet Routing Registry (IRR) objects, is conveying to the rest of the world, via the Border Gateway Protocol (BGP), that you, AS 17557 (PKTELECOM-AS-AP Pakistan Telecom), provide reachability for the Internet address space (prefix) that actually belongs to YouTube, AS 36561.

To put icing on the cake, assume that YouTube, who owns 208.65.153.0/24, as well as 208.65.152.0/24 and 208.65.154.0/23, announces a single aggregated BGP route for the four /24 prefixes, announced as 208.65.152.0/22. Now recall that routing on the Internet always prefers the most specific route, and that global BGP routing currently knows this:

  • 208.65.152.0/22 via AS 36561 (YouTube)
  • 208.65.153.0/24 via AS 17557 (Pakistan Telecom)

And you want to go to one of the YouTube IPs within the 208.65.153.0/24. Well, bad news: YouTube is currently unavailable because all the BGP-speaking routers on the Internet believe Pakistan Telecom provides the best connectivity to YouTube. The result is that you’ve not only taken YouTube offline within your little piece of the Internet, you’ve single-handedly taken YouTube completely off the Internet.

A complete denial of service (DoS), intentional or not.

Even uglier is that even if the folks at YouTube begin announcing the /24 as well, and the global routing table looks like this:

  • 208.65.152.0/22 via AS 36561 (YouTube)
  • 208.65.153.0/24 via AS 36561 (YouTube)
  • 208.65.153.0/24 via AS 17557 (Pakistan Telecom)

YouTube reachability will still be half-broken, as the prefix length for the route via Pakistan Telecom is the same length as the prefix length for the YouTube announced route, and so BGP will [usually] next consider the shortest BGP path as the optimal route to the destination based solely on number of AS ‘hops’, resulting in a large portion of the Internet still preferring the /24 via Pakistan Telecom. You’re probably asking yourself now, then why doesn’t YouTube announce two /25s for the /24 in question? The reality is that most providers on the Internet don’t accept anything longer than a /24 BGP route announcement, so it’d be filtered and not installed in their routing tables.
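The two routing tables above, and the /25 workaround that gets filtered, can be walked through with a small simulation. The Python below is an added example written for this page, not code from the post or from Arbor. The prefixes and the origin ASNs 36561 (YouTube) and 17557 (Pakistan Telecom) are the ones in the post; the transit ASNs 64496-64498 are placeholders from the documentation range (RFC 5398), and the AS paths are constructed for a hypothetical viewing router, so the “near Pakistan Telecom” and “near YouTube” viewpoints are assumptions that illustrate the half-broken state described above. The tie-break is simplified to AS-path length only.

```python
import ipaddress

# Added example (not Arbor's code). The prefixes and the origin ASNs 36561
# (YouTube) and 17557 (Pakistan Telecom) are those in the post; the transit
# ASNs 64496-64498 are placeholders from the documentation range (RFC 5398)
# and the AS paths are constructed for one hypothetical viewing router.


def covering_routes(rib, dst):
    """All routes in rib whose prefix contains the destination address."""
    addr = ipaddress.ip_address(dst)
    return [r for r in rib if addr in ipaddress.ip_network(r["prefix"])]


def best_route(rib, dst):
    """Return the route a router forwards dst on, or None.

    Step 1 is the forwarding rule: the most specific (longest) prefix wins,
    regardless of who originates it.  Step 2 is the BGP tie-break applied
    only among routes of that same length, simplified here to the shortest
    AS path (real BGP checks local preference and other attributes first).
    """
    cands = covering_routes(rib, dst)
    if not cands:
        return None
    longest = max(ipaddress.ip_network(r["prefix"]).prefixlen for r in cands)
    same_len = [r for r in cands
                if ipaddress.ip_network(r["prefix"]).prefixlen == longest]
    return min(same_len, key=lambda r: len(r["as_path"]))


def origin_as(route):
    """Origin AS of a route: the last element of its AS path."""
    return route["as_path"][-1] if route else None


def install(rib, route, max_prefixlen=24):
    """Install a learned route unless it is longer than the usual /24 limit
    most providers enforce on announcements they accept."""
    if ipaddress.ip_network(route["prefix"]).prefixlen > max_prefixlen:
        return False
    rib.append(route)
    return True


YOUTUBE_22 = {"prefix": "208.65.152.0/22", "as_path": [64496, 36561]}
HIJACK_24 = {"prefix": "208.65.153.0/24", "as_path": [64497, 17557]}
DST = "208.65.153.238"   # one of www.youtube.com's A records from the post


def scenario_1():
    """YouTube announces only the /22; Pakistan Telecom leaks the /24."""
    return origin_as(best_route([YOUTUBE_22, HIJACK_24], DST))


def scenario_2():
    """YouTube adds its own /24.  Same length, so the AS-path tie-break
    decides, and the winner depends on where the viewer sits.
    Returns (origin seen near Pakistan Telecom, origin seen near YouTube)."""
    near_pk = [YOUTUBE_22, HIJACK_24,
               {"prefix": "208.65.153.0/24", "as_path": [64496, 64498, 36561]}]
    near_yt = [YOUTUBE_22,
               {"prefix": "208.65.153.0/24", "as_path": [64497, 64498, 17557]},
               {"prefix": "208.65.153.0/24", "as_path": [64496, 36561]}]
    return origin_as(best_route(near_pk, DST)), origin_as(best_route(near_yt, DST))


def scenario_3():
    """YouTube tries two /25s to out-specify the hijack; the /24 maximum
    length filter drops both, so the scenario 2 outcome is unchanged.
    Returns (list of install results, origin chosen afterwards)."""
    rib = [YOUTUBE_22, HIJACK_24,
           {"prefix": "208.65.153.0/24", "as_path": [64496, 64498, 36561]}]
    results = [install(rib, {"prefix": p, "as_path": [64496, 36561]})
               for p in ("208.65.153.0/25", "208.65.153.128/25")]
    return results, origin_as(best_route(rib, DST))


if __name__ == "__main__":
    print(scenario_1(), scenario_2(), scenario_3())
```

Running it gives `17557`, `(17557, 36561)` and `([False, False], 17557)`: the /24 beats the /22 everywhere, a competing /24 only wins for viewers with a shorter path to YouTube, and the /25s never make it into the table.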

So, what’s the root problem here? Let’s see, where to start:

  • no authoritative source for who owns and/or is permitted to provide transit services for what IP address spaces on the Internet
  • little or no explicit BGP customer prefix filters on the Internet
  • little or no inter-provider prefix filtering on the Internet
  • no route authentication and authorization update mechanism (e.g., S-BGP, soBGP, etc.) in today’s global routing system
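The two filtering gaps in this list, together with the export policy that would have kept a blackhole route inside the network in the first place (options 2 and 3 above), can be modelled as two small checks. The Python below is an added example for this page, not Arbor’s or any router vendor’s code, and it stands in for vendor route-map/policy syntax rather than reproducing it. The ASNs 36561 and 17557 and the YouTube prefixes are from the post; the registry contents, the prefix 203.0.113.0/24 (RFC 5737 documentation space used as a placeholder for Pakistan Telecom’s own allocation) and the community value 17557:666 marking blackhole routes are all assumptions.

```python
import ipaddress

# Added example (not Arbor's or any router vendor's code).  The prefixes and
# the ASNs 36561 (YouTube) and 17557 (Pakistan Telecom) are from the post.
# Everything else is constructed: the registry contents, 203.0.113.0/24
# (RFC 5737 documentation space standing in for Pakistan Telecom's own
# allocation) and the BGP community 17557:666 used to mark blackhole routes.

# Stand-in for RIR allocations / IRR route objects: prefix -> origin ASNs
# permitted to announce it.  Real deployments build this from the customer's
# registered objects; here the table is constructed inline.
REGISTRY = {
    "208.65.152.0/22": {36561},
    "203.0.113.0/24": {17557},
}

BLACKHOLE_COMMUNITY = "17557:666"   # assumed local marker for discard routes


def registered_origins(prefix):
    """Origin ASNs the registry authorises for prefix or any covering prefix."""
    net = ipaddress.ip_network(prefix)
    allowed = set()
    for reg_prefix, asns in REGISTRY.items():
        if net.subnet_of(ipaddress.ip_network(reg_prefix)):
            allowed |= asns
    return allowed


def customer_export(route, own_asn):
    """Export policy the ISP should have had on its upstream sessions:
    never export a route carrying the blackhole community (option 3), and
    never export a prefix the ISP is not registered to originate (which
    also catches a static route leaked by redistribution, option 2)."""
    if BLACKHOLE_COMMUNITY in route.get("communities", set()):
        return False
    return own_asn in registered_origins(route["prefix"])


def upstream_accept(route, customer_asn, max_prefixlen=24):
    """Import filter on the upstream's customer session: accept only if the
    prefix is no longer than /24, the AS path originates in the customer's
    AS, and the registry authorises that AS for the prefix."""
    if ipaddress.ip_network(route["prefix"]).prefixlen > max_prefixlen:
        return False
    if route["as_path"][-1] != customer_asn:
        return False
    return customer_asn in registered_origins(route["prefix"])


# Constructed routes as they would leave AS 17557 (or AS 36561).
LEAKED_BLACKHOLE = {"prefix": "208.65.153.0/24", "as_path": [17557],
                    "communities": {BLACKHOLE_COMMUNITY}}
LEAKED_STATIC = {"prefix": "208.65.153.0/24", "as_path": [17557],
                 "communities": set()}
LEGITIMATE = {"prefix": "203.0.113.0/24", "as_path": [17557],
              "communities": set()}
YOUTUBE_OWN = {"prefix": "208.65.152.0/22", "as_path": [36561],
               "communities": set()}


def evaluate():
    """Run each route through both guards.  Values are
    (would the originating AS export it, would its upstream accept it)."""
    return {
        "blackhole leak": (customer_export(LEAKED_BLACKHOLE, 17557),
                           upstream_accept(LEAKED_BLACKHOLE, 17557)),
        "static leak": (customer_export(LEAKED_STATIC, 17557),
                        upstream_accept(LEAKED_STATIC, 17557)),
        "own prefix": (customer_export(LEGITIMATE, 17557),
                       upstream_accept(LEGITIMATE, 17557)),
        # YouTube's own announcement, checked on YouTube's upstream session
        "youtube /22": (customer_export(YOUTUBE_OWN, 36561),
                        upstream_accept(YOUTUBE_OWN, 36561)),
    }


if __name__ == "__main__":
    for name, verdict in evaluate().items():
        print(f"{name:15s} export={verdict[0]} upstream_accept={verdict[1]}")
```

Either guard alone stops both leaks: the customer-side policy refuses to export anything tagged as a blackhole or not registered to its own AS, and the upstream-side filter rejects the YouTube /24 because the registry only authorises AS 36561 for that space, while the legitimate routes pass both checks.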

I fully suspect that the announcements from Pakistan Telecom for YouTube address space were the result of a misconfiguration or routing policy oversight, and seriously doubt impact to YouTube reachability [beyond Pakistan’s Internet borders] was intentional. The route announcements from Pakistan Telecom have long since been withdrawn (or filtered). We had a similar event at an ISP I worked for in 1998 (YES, a decade ago) – obviously, nothing has changed regarding this extremely fragile and vulnerable piece of Internet infrastructure since that time.

Some pointers to different discussions regarding prefix filtering on the Internet are available here, and here (search for ‘filter’). Our friends at Renesys, who blogged in parallel about some of the routing aspects of the event here, the Prefix Hijack Alert System (PHAS), a few various features in our very own Arbor Peakflow, and some other products do help detect hijackings of this sort. As far as prevention, well, as unbelievable as it may seem, you’re mostly out of luck today, unfortunately.

Interestingly, in the latest edition of the Infrastructure Security Report, BGP route hijacking yet again took a back seat to pretty much everything else in the list (in the world?). I suspect until the next event, it will again….

24 Responses to “Internet Routing Insecurity::Pakistan Nukes YouTube?”

February 25, 2008 at 2:43 pm, Pakistan blocks the whole world from seeing YouTube - Page 2 - Netpond ™ said:

[…] is a very good read for those interested. Internet Routing Insecurity::Pakistan Nukes YouTube? · Security to the Core | Arbor Networks Securit… __________________ Varzi Network – We are 100% Committed To Serving Your Business. Multiple Tier […]

February 25, 2008 at 2:59 pm, Wordout - And The US Is Outsourcing To These Guys?! said:

[…] was a source of blasphemous content, and decreed that YouTube access must be blocked. There’s several ways Pakistani officials could have accomplished this without affecting the rest of us. They […]

February 25, 2008 at 11:08 am, ZDNet Government mobile edition said:

[…] a technical view, see Danny McPherson’s post on Arbor Networks. The larger point is that the blackout has exposed some serious issues here: So, what’s the root […]

February 25, 2008 at 11:42 am, Bil Corry said:

Couldn’t Pakistan (or anyone for that matter) use this technique to capture data going to sensitive domains (Pentagon, CIA, etc) and perform a man-in-the-middle attack by bridging packets to the legitimate sites?

February 25, 2008 at 1:26 pm, YouTube, Flickr on Airtel - Page 2 - India Broadband Forum said:

[…] serious net security weaknesses | ZDNet Government | ZDNet.com A link from within that article – Internet Routing Insecurity::Pakistan Nukes YouTube? Security to the Core | Arbor Networks Security Bl… […]

February 25, 2008 at 1:34 pm, alfredo reino » Archivo del Blog » Eso pasa por censurar said:

[…] And it sets a dangerous precedent to know that “by mistake” the whole world can be prevented from visiting a given website. The dream of every fundamentalist (recall that the censorship order was due to some supposedly “blasphemous” videos). The technical details are on the excellent Arbor Networks blog. […]

February 25, 2008 at 1:48 pm, YouTube DoS’ed Off Net By Pakistan said:

[…] nascent government.  Others suspect it was more of a simple misconfiguration.  Danny McPherson at Arbor Networks provides an excellent analysis on how this happened and thinks it was an accident.  He writes: I fully suspect that the […]

February 25, 2008 at 7:53 pm, Technology In Life » InternetExplorer 8 (IE8) Beta Download Coming Soon said:

[…] InternetRouting Insecurity::Pakistan Nukes YouTube? […]

February 25, 2008 at 3:57 pm, Michael said:

Does anyone know what content Pakistan was trying to block? In compliance with Pakistan’s struggle against human rights, YouTube has removed the content.

…just as they aid Egypt in torturing its citizens….

ref:
URL taken down for Pakistan:
http://www.youtube.com/index?&session=7e5hkMFSDF9uZK_A_9Feh7ypmCCrxK9r7y7qPn5SGbYRpIdXWyeDwnCDGCp3hQZESDnkNo4NxH0zLL3MyyNKy4cEVwnB6Enjwyw2QdRB0ROAuZBU9QASbGASjSVcX9ogPKCcXVmayNUIGCjQRLoxFKYQE3_pT5mWHCFaz9uAdsl3n_u4e3jtOFlJqOuaFcXDXKhQZobCjGqgQbIGEAi3kWha22YmBiIpMYNTRhrmWVv27B6KUE2YIZJDuxPQWz3uEW0ZR1LIVZnwbwgXmWBvRzi1M6hv2pxVv52IrPmtC_Y_tb241t2iPjVgxikqktLk

Aiding Egyptian torture:
http://yro.slashdot.org/article.pl?sid=07/11/30/0448207
http://blogs.guardian.co.uk/news/2007/11/youtube_suspends_egyptian_blog.html
et al

February 25, 2008 at 11:57 pm, YouTube, Flickr on Airtel - Page 2 - India Broadband Forum said:

[…] serious net security weaknesses | ZDNet Government | ZDNet.com A link from within that article – Internet Routing Insecurity – Pakistan Nukes YouTube? Security to the Core | Arbor Networks Security… __________________ Last edited by gregory house : Yesterday at 11:00 PM. Reason: How the hell […]

February 26, 2008 at 4:37 am, Pakisztán kinyírta a Youtube-ot | doransky said:

[…] naturally a considerable body of technical literature has accumulated around the gigantic security […] lurking behind this affair

February 26, 2008 at 9:58 pm, youtube stopped for 45 minutes « hakawi-tech - تكنولوجيا حكاوى said:

[…] Here is a technical analysis of how this happened link  […]

February 29, 2008 at 7:49 am, The 0011 Blog » Pakistan hijacks YouTube (By Mistake?) said:

[…] Article #2 here […]

February 29, 2008 at 5:52 pm, Internet necesita una revisión de seguridad. | Dondado said:

[…] for Pakistan, in the end it did it for Pakistan… and for everyone else. The technical details are at Arbor Networks, which I reached from Alfredo’s blog […]

March 03, 2008 at 8:19 pm, Risky Business » Blog Archives » Risky Business #52 — EXCLUSIVE: Winlockpwn code release said:

[…] project page for the firewire attack Arbor Networks blog post on Pakistan’s accidental nuking of YouTube More reading on Cold Boot More reading on […]

March 22, 2008 at 8:09 pm, uptech » Blog Archive » Internets Routing Awesome said:

[…] can tell from the date on my last post I’ve been having some time availability issues lately. This article talks about how flaws in the routing protocol BGP took down one of the best parts of the Internet, […]

May 16, 2008 at 8:29 am, aamir attaa said:

Is there any mechanism available for ISPs for blocking a single URL instead of a whole IP?

May 21, 2008 at 8:56 pm, Risky Business: The official podcast of AusCERT ‘08 » Blog Archives » INTERVIEW: How to destroy the Internet with Danny McPherson said:

[…] February Danny enjoyed a 15 minutes of fame of sorts when he blogged about a snafu at a Pakistani ISP that saw YouTube knocked offline for two […]

May 21, 2008 at 9:28 pm, A Series of Tubes » Blog Archives » A Series of Tubes #52 — How to destroy the Internet said:

[…] February Danny enjoyed a 15 minutes of fame of sorts when he blogged about a snafu at a Pakistani ISP that saw YouTube knocked offline for two […]

May 23, 2008 at 8:49 pm, System Advancements at the Monastery » Blog Archive » From Cyber Space with Love said:

[…] featuring cartoons of the Prophet Mohammad. According to Danny McPherson, in his posting “Internet Routing Insecurity::Pakistan Nukes YouTube?” Pakistan Telecom had three […]

August 27, 2008 at 3:49 pm, Bil Corry said:

To follow up with my question above, the answer is yes, you can use it as a man-in-the-middle attack:

http://blog.wired.com/27bstroke6/2008/08/revealed-the-in.html

January 07, 2011 at 8:14 am, What do you do when the Military squats your ASN….you let them said:

[…] a concern) and inherent lack of security in the way we route things on the internet as detailed by Arbor Networks when Pakistan Telecom started announcing the netblocks for YouTube. You can also read Renesys’s analysis of that event, also you should consider reading all of […]

February 14, 2011 at 8:02 am, Bienvenue à Packetstan | Test-bot.com said:

[…] sites. A few years ago I was at a client’s trying to explain how an ISP in Pakistan took down YouTube. Every time I mentioned the country Pakistan, I mispronounced it so that […]
