North American Network Operators Group


Update on PHAS (ref YouTube hijack)

  • From: Mohit Lad
  • Date: Sun Mar 02 00:11:53 2008

Dear all,

Discussions on the recent YouTube incident raised the question about the availability of our project PHAS (Prefix Hijack Alert System).
http://phas.netsec.colostate.edu/
Unfortunately, the timing of the hijack coincided with our transitioning to the next stage of PHAS, thus it was unavailable at the time. We have switched back to the last stable version and the site is fully functional now. We apologize for the inconvenience.

For people not familiar with PHAS, we analyze BGP updates received from different vantage points and maintain 3 sets for each prefix.
1. Origin set
2. Last hop set
3. Sub-prefix set
Anyone may register with PHAS for the prefixes he/she wants to watch, and select the types of alarms of interest. Each time the set changes, an email is sent to the registered email addresses.

If you want to get an idea of the alarms generated, you can register for one or more active prefixes that are constantly generating alarms as seen in
http://phas.netsec.colostate.edu/stat.html

For the YouTube hijack case:
1. Since a more specific prefix was observed for YouTube's prefix, PHAS caught the incident as a "sub-prefix set change" and an alarm was generated.

2. PHAS does not rely on information from IRR, so any manipulations to IRR (or outdated entries) would not affect PHAS.

3. Some folks questioned whether PHAS would detect cases of hijack if the origin AS was unchanged: from the above, one can see that PHAS catches any sub-prefix announcements, and any changes to the last hop (i.e. the next hop to the origin AS).

It is true that the current version of PHAS does not detect AS path manipulations beyond the last hop. We are developing solutions to this problem and hoping to combine the new solution into PHAS soon.

Our recent results also show that the farther away from the origin the hijacker inserts his AS number, the less impact it would have on the Internet. For folks interested in how the impact of a hijack may vary depending on which prefix is involved and the hijacker's location, we have a paper in DSN 2007 with some interesting results.
http://www.cs.ucla.edu/~mohit/cameraReady/hijack-dsn.pdf

Thanks

-Mohit
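The three-set scheme described in the post, as an added illustration that is not PHAS code: a small monitor that maintains the origin, last-hop and sub-prefix sets per watched prefix from constructed BGP updates and reports each set change. The prefixes, ASNs and vantage-point names are made-up documentation values, and the silent baseline for the first origin and last hop is an assumption, since the post does not describe how PHAS bootstraps a new registration.

```python
from ipaddress import ip_network

# Constructed sample updates (vantage point, announced prefix, AS path with the
# origin AS last). ASNs and prefixes are documentation values, not real data.
SAMPLE_UPDATES = [
    ("vp1", "203.0.113.0/24", [64500, 64510, 64520]),
    ("vp2", "203.0.113.0/24", [64501, 64510, 64520]),
    ("vp1", "203.0.113.0/24", [64500, 64511, 64520]),    # new last hop before origin
    ("vp1", "203.0.113.128/25", [64500, 64530, 64599]),  # more-specific from another AS
    ("vp2", "198.51.100.0/24", [64501, 64510, 64520]),   # not a watched prefix
]

class PrefixMonitor:
    """Maintain the origin, last-hop and sub-prefix sets for each watched prefix
    and emit an alarm whenever one of them gains a member. Assumption (the post
    does not say how PHAS bootstraps): the first origin and last hop seen are
    taken as the baseline silently; a new sub-prefix always alarms."""

    def __init__(self, watched):
        self.sets = {ip_network(p): {"origin": set(), "last_hop": set(),
                                     "sub_prefix": set()} for p in watched}

    def process(self, vantage_point, prefix, as_path):
        net = ip_network(prefix)
        origin, last_hop = as_path[-1], (as_path[-2] if len(as_path) > 1 else None)
        alarms = []
        for watched in self.sets:
            if net == watched:
                alarms += self._record(vantage_point, watched, "origin", origin)
                if last_hop is not None:
                    alarms += self._record(vantage_point, watched, "last_hop", last_hop)
            elif net.version == watched.version and net.subnet_of(watched):
                # A more-specific announcement changes the sub-prefix set whoever
                # originates it; the post says this is how the YouTube case was caught.
                alarms += self._record(vantage_point, watched, "sub_prefix", str(net))
        return alarms

    def _record(self, vantage_point, watched, kind, value):
        members = self.sets[watched][kind]
        if value in members:
            return []
        baseline = kind != "sub_prefix" and not members
        members.add(value)
        return [] if baseline else [(vantage_point, str(watched), kind, value)]

def run_sample():
    """Feed the constructed updates through a monitor watching 203.0.113.0/24."""
    monitor = PrefixMonitor(["203.0.113.0/24"])
    return [a for vp, pfx, path in SAMPLE_UPDATES for a in monitor.process(vp, pfx, path)]
```

Each alarm tuple names the vantage point that saw the change, the watched prefix, the set that changed and the new member; a real deployment would send these by email as PHAS does rather than return them.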