Sunday, 6 April 2008

YouTube Blackout

Introduction

I sent this to a few friends at the beginning of March 2008 (one of them posted it on his blog). It may still be of interest, but the BGP data for the YouTube event may no longer be available.

You can read more about the event on Ars Technica.

The technique I describe may be used for any event - you just need the network address and the dates surrounding the event.

YouTube Outage BGP Replay

Last week Pakistan Telecom was ordered by its government to block access to YouTube. It did this by redirecting routes containing the YouTube addresses to an internal dead end. A mistake was made that advertised these routes to its peer and thus to the remainder of the internet.

The IP range that was affected was 208.65.152.0/22. Pakistan added more specific routes for 208.65.153.0/24, which are a longer match than the /22 and so take priority for the addresses they cover.

To see what happened, go to this site and start the Java applet.

http://bgplay.routeviews.org/bgplay/

To see how it should look, enter this address: 208.65.152.0/22, yesterday's date and today's date - don't worry about the time fields. [This route should also work now: 208.65.153.0/24]

AS 36561 is where YouTube packets should generally be sent (an AS, or autonomous system, roughly means a country, a large ISP or a large company). You can see all the lines from other domains leading to this AS for this address range.

Press the play button (a small triangle) to start the animation. You should see the links occasionally changing as changes are made or transmission links break or are fixed.

Now press the New Query button.

Then enter the address that poisoned BGP: 208.65.153.0/24, 23/2/2008 and 26/2/2008 - a period around the event.

Initially the page has no lines. This is because prior to the event, this route was not used. Just imagine all the links still going to AS 36561.

Press the Play button.

Over time you see the rogue Pakistan Telecom domain, AS 17557, start to become the priority route for all YouTube traffic until it seems to have all the routes. Once the fault is fixed you can see the links moving back to AS 36561 where they should be.
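
The longest-match behaviour described above, as an added example that is not part of the original post: a small Python replay over constructed announcements showing why the /24 wins for the addresses it covers, and how a monitor holding an expected-origin table would flag it. The function names, the sample updates and the one-route-per-prefix table are assumptions made for illustration; the prefixes and AS numbers 36561 and 17557 are the ones given in this post.

```python
import ipaddress

# Expected origin AS for the covering prefix (values from the post).
EXPECTED = {ipaddress.ip_network("208.65.152.0/22"): 36561}

# Constructed sample announcements (prefix, origin AS); not real BGP data.
SAMPLE_UPDATES = [
    ("208.65.152.0/22", 36561),  # legitimate covering route
    ("208.65.153.0/24", 17557),  # more-specific route from another AS
    ("192.0.2.0/24", 64500),     # unrelated documentation prefix and ASN
]

def best_route(rib, address):
    """Longest-prefix match: the (network, origin) a router would forward to."""
    addr = ipaddress.ip_address(address)
    matches = [(net, asn) for net, asn in rib.items() if addr in net]
    return max(matches, key=lambda m: m[0].prefixlen, default=None)

def check_update(prefix, origin, expected=EXPECTED):
    """Classify one announcement against the expected-origin table."""
    net = ipaddress.ip_network(prefix)
    for known, asn in expected.items():
        if net == known:
            return "ok" if origin == asn else "origin-mismatch"
        if net.subnet_of(known):
            return "ok-more-specific" if origin == asn else "subprefix-hijack"
    return "unmonitored"

def replay(updates):
    """Apply updates in order; return the routing table and any alerts."""
    rib, alerts = {}, []  # simplification: one route per prefix, no AS paths
    for prefix, origin in updates:
        verdict = check_update(prefix, origin)
        rib[ipaddress.ip_network(prefix)] = origin
        if verdict in ("origin-mismatch", "subprefix-hijack"):
            alerts.append((prefix, origin, verdict))
    return rib, alerts

if __name__ == "__main__":
    rib, alerts = replay(SAMPLE_UPDATES)
    print(best_route(rib, "208.65.153.10"))  # the /24 wins inside its range
    print(best_route(rib, "208.65.152.10"))  # the /22 still serves the rest
    print(alerts)
```
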

Imagine how easy it is now to interrupt any domain or the whole internet? I think this risk will be fixed shortly.