[102666] in North American Network Operators' Group


Re: YouTube IP Hijacking

daemon@ATHENA.MIT.EDU (Simon Lockhart)
Sun Feb 24 17:10:03 2008

Date: Sun, 24 Feb 2008 21:59:38 +0000
From: Simon Lockhart <simon@slimey.org>
To: Martin Hannigan <hannigan@gmail.com>
Cc: "Tomas L. Byrnes" <tomb@byrneit.net>, nanog@merit.edu
In-Reply-To: <2d106eb50802241332t5fdd2621l2e609498ef75c9ee@mail.gmail.com>
Errors-To: owner-nanog@merit.edu


On Sun Feb 24, 2008 at 04:32:45PM -0500, Martin Hannigan wrote:
> Let's avoid speculation as to the why and reserve this thread for
> global restoration activity.

So, from the tit-bits I've picked up from IRC and first-hand knowledge,
it would appear that 17557 leaked an announcement of 208.65.153.0/24 to 
3491 (PCCW/BTN). After several calls to PCCW NOC, including from Youtube
themselves, PCCW claimed to be shutting down the links to 17557. Initially
I saw the announcement change from "3491 17557" to "3491 17557 17557", so 
I speculate that they shut down the primary link (or filtered the announcement
on that link), and the prefix was still coming in over a secondary link 
(hence the prepend). After more prodding, that route vanished too.

Various mitigations were talked about and tried, including Youtube announcing
the /24 as 2*/25, but these announcements did not seem to make it out to the 
world at large.

Currently Youtube are announcing the /24 themselves - I assume this will drop
at some time once it's safe.

It was noticed that all the youtube.com DNS servers were in the affected /24.
Youtube have subsequently added a DNS server in another prefix.

Simon
-- 
Simon Lockhart | * Sun Server Colocation * ADSL * Domain Registration *
   Director    |    * Domain & Web Hosting * Internet Consultancy * 
  Bogons Ltd   | * http://www.bogons.net/  *  Email: info@bogons.net  * 
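
The checks the message describes, as an added Python example that is not part of the original post: it reads the origin AS and prepend count from the two AS paths quoted above, and shows by longest-prefix match why two /25s would outrank the leaked /24 wherever they are accepted. The legitimate origin AS 64500, the upstream AS 64496 and the address 208.65.153.1 are constructed placeholders, since the message does not give them.

```python
import ipaddress

# Assumption: the message does not give the legitimate origin AS, so a
# documentation-range ASN (RFC 5398) stands in for it.
LEGIT_ORIGIN = 64500
WATCHED = ipaddress.ip_network("208.65.153.0/24")

def origin_and_prepends(as_path):
    """Return (origin ASN, extra copies of the origin at the path's end)."""
    hops = [int(a) for a in as_path.split()]
    origin = hops[-1]
    extra = 0
    for asn in reversed(hops[:-1]):
        if asn != origin:
            break
        extra += 1
    return origin, extra

def is_unexpected_origin(prefix, as_path):
    """True when a route overlapping WATCHED has an origin other than LEGIT_ORIGIN."""
    net = ipaddress.ip_network(prefix)
    origin, _ = origin_and_prepends(as_path)
    return net.overlaps(WATCHED) and origin != LEGIT_ORIGIN

def best_origin(routes, address):
    """Longest-prefix match: origin ASN of the most specific covering route."""
    addr = ipaddress.ip_address(address)
    covering = [(ipaddress.ip_network(p), path) for p, path in routes
                if addr in ipaddress.ip_network(p)]
    if not covering:
        return None
    _, path = max(covering, key=lambda r: r[0].prefixlen)
    return origin_and_prepends(path)[0]

# Constructed routing views built from the AS paths quoted in the message.
LEAKED = [("208.65.153.0/24", "3491 17557")]
# The "2*/25" mitigation; 64496 is a placeholder upstream ASN (assumption).
SPLIT = [(str(n), f"64496 {LEGIT_ORIGIN}")
         for n in WATCHED.subnets(prefixlen_diff=1)]

if __name__ == "__main__":
    for path in ("3491 17557", "3491 17557 17557"):
        print(path, origin_and_prepends(path),
              is_unexpected_origin("208.65.153.0/24", path))
    # 208.65.153.1 is a constructed address inside the affected /24.
    print("only /24 seen:", best_origin(LEAKED, "208.65.153.1"))
    print("/25s also seen:", best_origin(LEAKED + SPLIT, "208.65.153.1"))
```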
