North American Network Operators Group

Date Prev | Date Next | Date Index | Thread Index | Author Index | Historical

RE: YouTube IP Hijacking

  • From: Tomas L. Byrnes
  • Date: Sun Feb 24 16:27:25 2008

Clearly, they are incensed by youtube content, so what makes anyone
think that they would not be trying to engage in a case of Cyber-Jihad?

I hosted the site that was rated #1 on Google for the Jyllands Posten
(di2.nu) cartoons when it was a current issue, and I STILL get lots of
script kiddie DOS from the Islamic world.

I generally don't assume malice when mere incompetence will suffice, but
in the case of the Islamic world, they've proved themselves malicious
towards the non-Islamic world often, and violently, enough, that I don't
believe they deserve that presumption of innocence any more.

In either case, the correct COA is to filter all advertisements with AS
17557 in the path, until they fix the routes they are advertising, and
let us know how they plan on making sure this doesn't happen again.
 

> -----Original Message-----
> From: Neil Fenemor [mailto:[email protected]] 
> Sent: Sunday, February 24, 2008 1:01 PM
> To: Tomas L. Byrnes
> Cc: Will Hargrave; [email protected]
> Subject: Re: YouTube IP Hijacking
> 
> While they are deliberately blocking Youtube nationally, I 
> suspect the wider issue has no malice, and is a case of 
> poorly constructed/ implemented  outbound policies on their 
> part, and poorly constructed/ implemented inbound polices on 
> their upstreams part.
> 
> On 25/02/2008, at 9:49 AM, Tomas L. Byrnes wrote:
> 
> >
> > Pakistan is deliberately blocking Youtube.
> >
> > http://politics.slashdot.org/article.pl?sid=08/02/24/1628213
> >
> > Maybe we should all block Pakistan.
> >
> >
> >
> >> -----Original Message-----
> >> From: [email protected] [mailto:[email protected]] 
> On Behalf 
> >> Of Will Hargrave
> >> Sent: Sunday, February 24, 2008 12:39 PM
> >> To: [email protected]
> >> Subject: Re: YouTube IP Hijacking
> >>
> >>
> >> Sargun Dhillon wrote:
> >>
> >>> So, it seems that youtube's ip block has been hijacked by a more 
> >>> specific prefix being advertised. This is a case of IP
> >> hijacking, not
> >>> case of DNS poisoning, youtube engineers doing something
> >> stupid, etc.
> >>> For people that don't know. The router will try to get the most 
> >>> specific prefix. This is by design, not by accident.
> >>
> >> You are making the assumption of malice when the more 
> likely cause is 
> >> one of accident on the part of probably stressed NOC staff 
> at 17557.
> >>
> >> They probably have that /24 going to a gateway walled garden box 
> >> which replies with a site saying 'we have banned this', 
> and that /24 
> >> route is leaking outside of their AS via PCCW due to dodgy 
> >> filters/communities.
> >>
> >> Will
> >>
> 
> Neil Fenemor
> FX Networks
> 
> 
>