North American Network Operators Group


Re: YouTube IP Hijacking

  • From: Josh Karlin
  • Date: Mon Feb 25 13:43:17 2008


It's primarily a proof of concept site, to show that such an idea would be useful, but it has been running for over a year now and discovered many interesting hijacks (such as eBay/Google/etc.).

You're right that there is a glaring omission, which is yesterday's YouTube hijack.  This is due to a bug in the sub-prefix lookup code (which can cause the IAR to miss some sub-prefix hijacks), which I'm currently fixing.  Once that is done I'll rerun the IAR over yesterday's logs and it will show up.


On Mon, Feb 25, 2008 at 10:37 AM, Tomas L. Byrnes <[email protected]> wrote:

This is a very interesting site. However, I notice that, in the "all in
the last 24 hours" it doesn't show the YouTube hijack. It does have a
lot of entries for 17557, most recently on 2/17.

How reliable is this system?

> -----Original Message-----
> From: [email protected] [mailto:[email protected]] On
> Behalf Of Hank Nussbacher
> Sent: Sunday, February 24, 2008 11:33 PM
> To: Steven M. Bellovin; [email protected]
> Subject: Re: YouTube IP Hijacking
>
> At 05:31 AM 25-02-08 +0000, Steven M. Bellovin wrote:
> >Seriously -- a number of us have been warning that this could happen.
> >More precisely, we've been warning that this could happen *again*; we
> >all know about many older incidents, from the barely noticed to the
> >very noisy.  (AS 7007, anyone?)  Something like S-BGP will stop this cold.
> >
> >Yes, I know there are serious deployment and operational issues.  The
> >question is this: when is the pain from routing incidents great enough
> >that we're forced to act?  It would have been nice to have done
> >something before this, since now all the world's script kiddies have
> >seen what can be done.
>
> "we've been warning that this could happen *again*" - this is
> happening every day - just look to:
> for samples.  Thing is - these prefix hijacks are not big
> ticket sites like YouTube or Microsoft or Cisco or even
> - but rather just sites that never make it
> onto the NANOG radar.
>
> -Hank
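
The sub-prefix case discussed in the reply above, as an added example that is not part of the original message and is not the IAR's code: a detector that looks up the covering prefix of each announcement, next to an exact-match lookup that misses more-specifics. The history table, prefixes (documentation ranges) and ASNs (documentation range) are constructed, and all function names are hypothetical.

```python
import ipaddress

# Constructed history: prefix -> origin ASNs previously seen as stable.
KNOWN_ORIGINS = {
    "192.0.2.0/24": {64500},
    "203.0.113.0/24": {64501},
}

def build_table(known):
    """Parse the history into (network, origins) pairs."""
    return [(ipaddress.ip_network(p), set(o)) for p, o in known.items()]

def covering_entries(table, prefix):
    """History entries equal to or covering `prefix`, most specific first."""
    net = ipaddress.ip_network(prefix)
    hits = [(n, o) for n, o in table
            if n.version == net.version and net.subnet_of(n)]
    return sorted(hits, key=lambda e: e[0].prefixlen, reverse=True)

def classify(table, prefix, origin):
    """Classify one announcement against the history."""
    net = ipaddress.ip_network(prefix)
    hits = covering_entries(table, prefix)
    if not hits:
        return "unknown-prefix"
    best_net, best_origins = hits[0]
    if origin in best_origins:
        return "ok"  # includes the owner deaggregating its own block
    if best_net == net:
        return "origin-change"  # same prefix, new origin AS
    # More specific than anything in the history, from an AS that never
    # originated the covering block; longest-prefix match will prefer it.
    return "sub-prefix-hijack"

def exact_only(table, prefix, origin):
    """Exact-match lookup, for contrast: blind to more-specific prefixes."""
    net = ipaddress.ip_network(prefix)
    for n, origins in table:
        if n == net:
            return "ok" if origin in origins else "origin-change"
    return "unknown-prefix"

if __name__ == "__main__":
    table = build_table(KNOWN_ORIGINS)
    ann = ("192.0.2.128/25", 64511)  # constructed more-specific announcement
    print("covering lookup:", classify(table, *ann))
    print("exact lookup:   ", exact_only(table, *ann))
```
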