North American Network Operators Group

Date Prev | Date Next | Date Index | Thread Index | Author Index | Historical

Re: YouTube IP Hijacking

  • From: Simon Lockhart
  • Date: Sun Feb 24 17:12:00 2008

On Sun Feb 24, 2008 at 04:32:45PM -0500, Martin Hannigan wrote:
> Let's avoid speculation as to the why and reserve this thread for
> global restoration activity.

So, from the tit-bits I've picked up from IRC and first-hand knowledge,
it would appear that 17557 leaked an announcement of to 
3491 (PCCW/BTN). After several calls to PCCW NOC, including from Youtube
themselves, PCCW claimed to be shutting down the links to 17557. Initially
I saw the announcement change from "3491 17557" to "3491 17557 17557", so 
I speculate that they shut down the primary link (or filtered the announcement
on that link), and the prefix was still coming in over a secondary link 
(hence the prepend). After more prodding, that route vanished too.

Various mitigations were talked about and tried, including Youtube announcing
the /24 as 2*/25, but these announcements did not seem to make it out to the 
world at large.

Currently Youtube are announcing the /24 themselves - I assume this will drop
at some time once it's safe.

It was noticed that all the DNS servers were in the affected /24.
Youtube have subsequently added a DNS server in another prefix.

Simon Lockhart | * Sun Server Colocation * ADSL * Domain Registration *
   Director    |    * Domain & Web Hosting * Internet Consultancy * 
  Bogons Ltd   | *  *  Email: [email protected]  *