[102659] in North American Network Operators' Group
RE: YouTube IP Hijacking
daemon@ATHENA.MIT.EDU (John van Oppen)
Sun Feb 24 16:22:56 2008
Date: Sun, 24 Feb 2008 13:06:03 -0800
From: "John van Oppen" <john@vanoppen.com>
To: "Tomas L. Byrnes" <tomb@byrneit.net>, "Will Hargrave" <will@harg.net>,
<nanog@merit.edu>
Errors-To: owner-nanog@merit.edu
Looks like it just went back to normal:
cr1-sea-A>show ip bgp 208.65.153.253
BGP routing table entry for 208.65.153.0/24, version 41150187
Paths: (3 available, best #3)
Flag: 0x8E0
Advertised to update-groups:
1 3 4 6 13 14
16 =20
3356 3549 36561, (Received from a RR-client)
208.76.153.126 (metric 110) from 208.76.153.126 (208.76.153.126)
Origin IGP, metric 0, localpref 50, valid, internal
Community: 3356:3 3356:22 3356:86 3356:575 3356:666 3356:2011
3549:4142 3549:30840 11404:1000 11404:1030
2914 3549 36561, (Received from a RR-client)
208.76.153.125 (metric 310) from 208.76.153.125 (208.76.153.125)
Origin IGP, metric 0, localpref 49, valid, internal
Community: 2914:420 2914:2000 2914:3000 11404:1000 11404:1010
3491 3549 36561
63.216.14.137 from 63.216.14.137 (63.216.14.9)
Origin IGP, localpref 51, valid, external, best
Community: 3491:2000 3491:2003 3491:3549 11404:1000 11404:1020
cr1-sea-A>
Probably worth noting that the performace at least from our perspective
(via PCCW) is abysmal. As a side note, I know PCCW allows unfiltered
route-announcement capability to a large number of their customers, our
feed appears to be that way (or they apply RADB filters instantly which
would be a bit impressive). =20
John van Oppen
Spectrum Networks LLC
206.973.8302 (Direct)
206.973.8300 (main office)
-----Original Message-----
From: owner-nanog@merit.edu [mailto:owner-nanog@merit.edu] On Behalf Of
Tomas L. Byrnes
Sent: Sunday, February 24, 2008 12:50 PM
To: Will Hargrave; nanog@merit.edu
Subject: RE: YouTube IP Hijacking
Pakistan is deliberately blocking Youtube.
http://politics.slashdot.org/article.pl?sid=3D08/02/24/1628213
Maybe we should all block Pakistan.
=20
> -----Original Message-----
> From: owner-nanog@merit.edu [mailto:owner-nanog@merit.edu] On=20
> Behalf Of Will Hargrave
> Sent: Sunday, February 24, 2008 12:39 PM
> To: nanog@nanog.org
> Subject: Re: YouTube IP Hijacking
>=20
>=20
> Sargun Dhillon wrote:
>=20
> > So, it seems that youtube's ip block has been hijacked by a more=20
> > specific prefix being advertised. This is a case of IP=20
> hijacking, not=20
> > case of DNS poisoning, youtube engineers doing something=20
> stupid, etc.
> > For people that don't know. The router will try to get the most=20
> > specific prefix. This is by design, not by accident.
>=20
> You are making the assumption of malice when the more likely=20
> cause is one of accident on the part of probably stressed NOC=20
> staff at 17557.
>=20
> They probably have that /24 going to a gateway walled garden=20
> box which replies with a site saying 'we have banned this',=20
> and that /24 route is leaking outside of their AS via PCCW=20
> due to dodgy filters/communities.
>=20
> Will
>=20
