[102733] in North American Network Operators' Group
Re: YouTube IP Hijacking
daemon@ATHENA.MIT.EDU (Josh Karlin)
Mon Feb 25 13:42:23 2008
Date: Mon, 25 Feb 2008 11:38:41 -0700
From: "Josh Karlin" <karlinjf@cs.unm.edu>
To: "Tomas L. Byrnes" <tomb@byrneit.net>
Cc: nanog@merit.edu
In-Reply-To: <70D072392E56884193E3D2DE09C097A9EF1C@pascal.zaphodb.org>
Errors-To: owner-nanog@merit.edu
Tomas:
It's primarily a proof of concept site, to show that such an idea would be
useful, but it has been running for over a year now and discovered many
interesting hijacks (such as eBay/Google/etc.).
You're right that there is a glaring omission, which is yesterday's YouTube
hijack. This is due to a bug in the sub-prefix lookup code (which can cause
the IAR to miss some sub-prefix hijacks), which I'm currently fixing. Once
that is done I'll rerun the IAR over yesterday's logs and it will show up.
Josh
On Mon, Feb 25, 2008 at 10:37 AM, Tomas L. Byrnes <tomb@byrneit.net> wrote:
>
> This is a very interesting site. However, I notice that, in the "all in
> the last 24 hours" it doesn't show the YouTube hijack. It does have a
> lot of entries for 17557, most recently on 2/17.
>
> How reliable is this system?
>
>
>
> > -----Original Message-----
> > From: owner-nanog@merit.edu [mailto:owner-nanog@merit.edu] On
> > Behalf Of Hank Nussbacher
> > Sent: Sunday, February 24, 2008 11:33 PM
> > To: Steven M. Bellovin; nanog@merit.edu
> > Subject: Re: YouTube IP Hijacking
> >
> >
> > At 05:31 AM 25-02-08 +0000, Steven M. Bellovin wrote:
> >
> > >Seriously -- a number of us have been warning that this could happen.
> > >More precisely, we've been warning that this could happen *again*; we
> > >all know about many older incidents, from the barely noticed to the
> > >very noisy. (AS 7007, anyone?) Something like S-BGP will stop this cold.
> > >
> > >Yes, I know there are serious deployment and operational issues. The
> > >question is this: when is the pain from routing incidents great enough
> > >that we're forced to act? It would have been nice to have done
> > >something before this, since now all the world's script kiddies have
> > >seen what can be done.
> >
> > "we've been warning that this could happen *again*" - this is
> > happening every day - just look to:
> > http://cs.unm.edu/~karlinjf/IAR/prefix.php?filter=most
> > http://cs.unm.edu/~karlinjf/IAR/subprefix.php?filter=most
> > for samples. Thing is - these prefix hijacks are not big
> > ticket sites like Youtube or Microsoft or Cisco or even
> > whitehouse.gov - but rather just sites that never make it
> > onto the NANOG radar.
> >
> > -Hank
> >
> >
> >
> >
>