Pakistan YouTube Block Breaks the World 343
Allen54 noted a followup to yesterday's story about Pakistan's decision to block YouTube. He notes that "The telecom company that carries most of Pakistan's traffic, PCCW, has found it necessary to shut Pakistan off from the Internet while they filter out the malicious routes that a Pakistani ISP, PieNet, announced earlier today. Evidently PieNet took this step to enforce a decree from the Pakistani government that ISP's must block access to YouTube because it was a source of blasphemous content. YouTube has announced more granular routes so that at least in the US they supercede the routes announced by PieNet. The rest of the world is still struggling."
But how did they do it? (Score:5, Insightful)
Re: (Score:3, Informative)
Re:But how did they do it? (Score:5, Interesting)
I imagine that this event will introduce a lot of people to how high level internet routing works. Yes, its that vulnerable folks. Scary, but fortunately these events don't happen often. I think back in late 90s was the time when someone in Pennsylvania introduced a global route for everything to go to 0.0.0.0, which brought everything down for a day.
Re:But how did they do it? (Score:5, Insightful)
Re:But how did they do it? (Score:5, Insightful)
Unless you want to create an international organization with its own territory (sort of like the UN headquarters) that controls global routing- it can't be subject to any national law because it's got its own extraterritoriality (although international lawyers would tell me it's not true extraterritoriality, blah blah blah).
But somebody has to control THAT organization, and unless its mandate is simply to maintain the internet routing in a transparent manner between national-level routing domains...
But how did they do it? (Score:5, Informative)
which was found from Cydeweys [cydeweys.com] which is updating as the story progresses. Both of those sites seem to be running a bit slow, so hesitate before clicking.
Full text of Reneysys: Pakistan hijacks YouTube.
A few hours ago, Pakistan Telecom (AS 17557) began advertising a small part of YouTube's (AS 36561) assigned network. This story is almost as old as BGP. Old hands will recognize this as, fundamentally, the same problem as the http://merit.edu/mail.archives/nanog/1997-04/msg00380.html [slashdot.org]">infamous AS 7007 from 1997, a more recent ConEd mistake of early 2006 [renesys.com] and even TTNet's Christmas Eve gift 2005 [renesys.com].
Just before 18:48 UTC, Pakistan Telecom, in response to government order [renesys.com] to block access to YouTube (see news item [yahoo.com]) started advertising a route for 208.65.153.0/24 to its provider, PCCW (AS 3491). For those unfamiliar with BGP, this is a more specific route than the ones used by YouTube (208.65.152.0/22), and therefore most routers would choose to send traffic to Pakistan Telecom for this slice of YouTube's network.
I became interested in this immediately as I was concerned that I wouldn't be able to spend my evening watching imbecilic videos of cats doing foolish things (even for a cat). Then, I started to examine our mountains of BGP data and quickly noticed that the correct AS path ("Will the real YouTube please stand up?") was getting restored to most of our peers.
The data points identified below are culled from over 250 peering sessions with 170 unique ASNs. While it is hard to describe exactly how widely this hijacked prefix was seen, we estimate that it was seen by a bit more than two-thirds of the Internet.
This table shows the timing of the event and how quickly the route propagated (this is actually a fairly normal propagation pattern). The ASNs seeing the prefix were mostly transit ASNs below, so this means that these routes were distributed broadly across the Internet. Almost all of the default free zone (DFZ) carried the hijacked route at least briefly.
18:47:00uninterrupted videos of exploding jello [youtube.com]
18:47:45first evidence of hijacked route propagating in Asia, AS path 3491 17557
18:48:00several big trans-Pacific providers carrying hijacked route (9 ASNs)
18:48:30several DFZ providers now carrying the bad route (and 47 ASNs)
18:49:00most of the DFZ now carrying the bad route (and 93 ASNs)
18:49:30all providers who will carry the hijacked route have it (total 97 ASNs)
20:07:25YouTube, AS 36561 advertises the
20:07:30several DFZ providers stop carrying the erroneous route
20:08:00many downstream providers also drop the bad route
20:08:30and a total of 40 some-odd providers have stopped using the hijacked route
20:18:43and now, two more specific
20:19:3725 more providers prefer the
20:28:12peers of 36561 start seeing the routes that were advertised to transit at 20:07
20:50:59evidence of attempted prepending, AS path was 3491 17557 17557
20:59:39hijacked prefix is withdrawn by 3491,
Re: (Score:3, Interesting)
Thing is that there dosn't appear to be a candiate country to do this. You'd need one without any culture of censorship and a strong enough military (including globally targeted nuclear missiles) not to be pushed around by the countries interested in censorship.
Comment removed (Score:5, Funny)
Re:But how did they do it? (Score:4, Funny)
They may not have nukes, but they DO have the Swedish Bikini Team, which is a powerful force for good. For example, name one time when North Korea has invaded Sweden. Just one. I rest my case.
* * * * *
"Buying the right computer and getting it to work properly is no more complicated than building a nuclear reactor from wristwatch parts in a darkened room using only your teeth."
—Dave Barry
Comment removed (Score:5, Funny)
Re:But how did they do it? (Score:4, Informative)
If you're talking about reverend Åke Green he didn't just say "I think homosexuality is bad", he called homosexuality an "abnormal, a horrible cancerous tumor in the body of society". And he while he did stand trial he was not found guilty of any crime.
/Mikael
Re: (Score:3, Informative)
Re: (Score:2, Informative)
Re: (Score:3, Informative)
Re: (Score:3, Informative)
Try it without the slash:
http://en.wikipedia.org/wiki/Border_Gateway_Protocol [wikipedia.org]
Re:But how did they do it? (Score:4, Funny)
Re:But how did they do it? (Score:5, Funny)
Comment removed (Score:5, Informative)
Re: (Score:3, Funny)
Re: (Score:3, Interesting)
If you already know whose IP address are whose, then what do you need the routing protocol for in the first place? BGP inherently depends on the honor system - that is the crux of the problem. There is no "in theory" where this is really solved (yet).
Comment removed (Score:5, Informative)
Re: (Score:3, Interesting)
the POTS network has a routing protocol used to setup calls/announce which switch is responsible for which number/range. One would suspect that SS7 can be abused by "bad" telcos as easily as BGP can be abused by "bad" ISPs.
It can and does happen.
Though it's usually caused by error rather than malice.
It doesn't take much to screw up call routing, usually by passing traffic to the wrong exchange which then either gets analyzed and sent on to it's correct destination via a longer-than-necessary route or ends up in a routing loop, and eventually chokes up the trunk group before the call fails.
Re: (Score:3, Informative)
Re:But how did they do it? (Score:4, Interesting)
Every External BGP session (EBGP) SHOULD be configured with a very specific access list as to what that particular session will be allowed to announce to you.
Obviously, tracking 20K plus announcements from a provider and creating an access list for it, daily, is a bit tedious. This is why Route Registries were created and many tools that will look up an AS in a route registry and generate the appropriate ACL are already in existence and in use. The problem is a lot of networks do not keep their registries up to date unless forced to by a peer / transit provider.
A correctly configured session will allow only announcements of the specified address space at the specified length. Any major transit provider that allowed this should be looking at their advertisement policy and figuring out how to prevent it in the future. Solutions do exist and are used by the majority of large providers already.
How the hell did
Arstechnica explains (Score:5, Informative)
Re:But how did they do it? (Score:5, Interesting)
Re:But how did they do it? (Score:5, Insightful)
Maybe I give them too much credit... But it's possible.
Re: (Score:2)
Re:But how did they do it? (Score:4, Funny)
Re:But how did they do it? (Score:4, Informative)
Re: (Score:2)
Re:But how did they do it? (Score:5, Interesting)
Youtube had a route for 208.65.152.0/22 (208.65.152.0 - 208.65.155.255), but Pakistan's main ISP in Hong Kong announced a route for 208.65.153.0/24 (208.65.153.0 - 208.65.153.255) to keep youtube off their net. What they didn't understand though is this really needs to be kept as a local routing policy so it only affected Pakistan, but it sorta snuck out and affected the entire network.
Routing is the soft underbelly of the net.
Re: (Score:3, Insightful)
Re: (Score:2, Informative)
http://arstechnica.com/news.ars/post/20080225-insecure-routing-redirects-youtube-to-pakistan.html [arstechnica.com]
Basically, pakistan telecom blackholed the network using BGP to advertise that all traffic to thos
Re:But how did they do it? (Score:5, Interesting)
Pakistan Telcom does have an ASN number. Just for kicks, try this:
Head over to this site [routeviews.org]. It visualizes the BGP routes between different AS's. Click 'Start BGPlay'. The prefix in which YouTube lives is 208.65.153.0/24. Set the start time for about 24 Feb 2008 10:00, and the end time for about 25 Feb 2008 03:00 (times are UTC). Start the simulation.
You'll see a bunch of ASNs. Two have red circles around them. You can get their name by clicking on the number. On the left is YouTube, and on the right is Pakistan Telcom. Click play and watch what happens.
For those too lazy to actually watch this: All the routes destined for YouTube head towards Pakistan Telcom instead. Then, midway through, you see PCCW get wise and shut down those routes, and everyone slowly starts finding the actual YouTube. It's pretty neat to watch.
Re: (Score:3, Funny)
Re: (Score:3, Funny)
http://www.youtube.com/watch?v=IBAnCsmf2A4 [youtube.com]
It's Pakistan's main telecom company (Score:3, Informative)
Just about any ISP is going to get themselves a BGP Autonomous System Number and use BGP to communicate with other ISPs.
A long long time ago, when the Internet was smaller and more trusting, long enough ago that I've forgotten the names of the guilty parties, some company in Virginia made a mistake in configuring their router, and announced that their T1 was a really really good route to MAE-East, and about 1/3 of the packe
Re:But how did they do it? (Score:4, Insightful)
Rather more likely is that this has something to do with the recent elections in Pakistan. The Musharaf just lost the election he had hoped would allow him to complete his transition from dictatorship to elected President. Instead he lost control of the process with the assassination of Bhutto.
Independent TV is a much bigger threat to the regime than independent press. Blogs have rather less credibility than actual video of a demonstration.
I suspect that the ISP chose this method of blocking the traffic for precisely the reason that it would cause the maximum notice. Implement a local block in Pakistan and the Pakistanis complain. Implement the block in such a way that it affects the whole region and you have so many more people working to circumvent the censorship.
BGP security has been a big concern for me for some time. In fact it is such a concern that it is one of the issues I did not address in my book on Internet crime precisely because I did not want to give people ideas.
CBG (Score:5, Insightful)
Re:CBG (Score:4, Funny)
Unless it's all a cunning plan by my Governemnt to make it seem like I can connect, but reality I'm behind Hadrian's Firewall and surfing the UK Intranet. Which, admittedly, knowing the UK Government is perfectly possible... All I know is living in the UK I'm in no position to criticize the Pakistanis, because their country is much freer than mine.
Comment removed (Score:5, Insightful)
Re: (Score:3, Insightful)
Re: (Score:3, Insightful)
Comment removed (Score:5, Insightful)
Re: (Score:3, Informative)
Comment removed (Score:5, Interesting)
Re:CBG (Score:4, Insightful)
He's an elected Member of Parliament, and supported by a majority in the Commons, which makes him Prime Minister. He could be turfed out tomorrow if he loses a motion of confidence, and parlimentary elections MUST take place by 2011.
OK, the first past the post system can throw out some weird results, and Labour does happen to get the best of them. Sixteen years of Tory government hints that this isn't a huge issue however.That is an issue of whether the Labour party has broken a commitment - this can be judged by voters at the next election or by MPs any time.
That was horrendous I agree, and the investigation after it not a great deal better. That said, it did happen 1 day after an attempted suicide bombing of the tube, and 1 month after a successful one. If the police where ever going to overreact it was then.
And will later be featured on national news, and (even before that) receive a grovelling apology from the Home Secretary. The reason that one went away was because the apology was accepted - maybe it shouldn't been but as you said the chap was a lifelong Labour member, and he can make his own decisions.
Agree with you on the DNA thing, but you don't help your argument by starting off with a badly supported rant.
Re: (Score:3, Interesting)
Comment removed (Score:5, Insightful)
Re: (Score:3, Interesting)
Re: (Score:3, Funny)
Re: (Score:3, Interesting)
A more technical explanation/discussion is here (Score:5, Informative)
"malicious" routes (Score:5, Insightful)
I should also point out that while bureaucrats in Pakistan may be bone-headed for blocking content, companies like Microsoft, Yahoo, Cisco and so forth are the ones who built things like the "Great Firewall of China". Lots of Americans like the point their finger at governments like China, whereas they could actually have more of an effect in making companies in their own countries stop building this sort of stuff.
Re: (Score:2)
Re: (Score:2)
Or you might be doing him a favour ? If a government were to revoke access themselves they might find themselves facing a rebellion. If someone else does it for them then the blame is passed on. The effect is, never-the-less, the same. The Internet has been censored.
Of cours
Re:"malicious" routes (Score:4, Insightful)
Propagating the change to the rest of the world may have been accidental, but the purpose -- to block YouTube throughout Pakistan -- counts as malicious in my book.
Orignal story is outdated (Score:3, Informative)
It's too bad that my comment from yesterday [slashdot.org], which links to detailed technical information [cydeweys.com], is still languishing buried.
PieNet fights back (Score:5, Funny)
Re:PieNet fights back (Score:4, Funny)
Miles Dyson: I feel like I'm gonna throw up.
John: Too much pie? Do you need some Redi-chill?
T-1: Cool Whip, dickwad.
Hey, we can use this! (Score:2)
Religious purification (Score:4, Insightful)
They might as well isolate the country, keeping them from experiencing the interwebs altogether, it'll be impossible to keep their youth from being corrupted.
What a REAL oppressive theocracy looks like (Score:3, Insightful)
Re:What a REAL oppressive theocracy looks like (Score:5, Insightful)
Re:What a REAL oppressive theocracy looks like (Score:5, Insightful)
Re: (Score:3, Insightful)
Re:What a REAL oppressive theocracy looks like (Score:4, Interesting)
If not... are you saying that theocratic regimes may censor, but ultimately do less harm than we do?
I guess I'm confused.
Comment removed (Score:5, Insightful)
Re: (Score:2)
Re:What a REAL oppressive theocracy looks like (Score:5, Funny)
Religion as a cover for Political Censorship (Score:4, Insightful)
So if an Islamic court has any authority to order the PTT to block YouTube because of "blasphemy", it's because YouTube is carrying political news about the situation in Pakistan that Musharraff doesn't want people in Pakistan watching. If Iran had tried that kind of thing, that really would be a theocratic problem, but that's not the issue here. If they implemented it in a way that blocks YouTube from the rest of the world, it's because of incompetence, not malice. (That kind of thing happens a lot, usually because somebody does a bad job of router configuration, but usually ISPs filter out incorrect advertisements; their upstream provider didn't do a good enough job here.)
So in some sense it is similar to Bush in the US - pandering to the religious right wingers as a way to get radical right-wing politics done.
Re:Will somebody please. . . (Score:4, Insightful)
Re: (Score:3, Interesting)
Last time I checked, 1971 camr before 2003. So data from 1971 can't be used to answer a "since 2003" question.
That might look l
A Better Technical Explanation (Score:5, Informative)
obQuote (Score:3, Insightful)
Evidently PieNet took this step to enforce a decree from the Pakistani government that ISP's must block access to YouTube because it was a source of blasphemous content.
--Thomas Jefferson
Works for me (Score:5, Funny)
"Works for me."
First article (Third link) is not bull (Score:5, Insightful)
Re: (Score:2)
The burning of libraries is nothing new in the sordid history of humanity. How foolish of us to think it wouldn't take on a new form in today's technologically enhanced world.
Political, not religious reasons. (Score:5, Informative)
The rest of the world is still struggling .... (Score:3, Funny)
A bit less hyperbole might have been more apt here, dear editors.
Re: (Score:3, Funny)
It's not that you can't survive without YouTube; it's that a lot of people are going to be quite pissed at Pakistan right now. I'm sure that all the major *chans are planning an invasion as we speak, the Pirate Bay is arming torrents of mass destruction, and the botnet owners are bringing their armies to DEFCON 1.
/b-tards, pirate fleets, and zombie hords; Pakistan is going to feel the full wrath of the Internet.
Just to keep a perspective (Score:3, Funny)
Why it broke, in techie (Score:5, Informative)
I'll check back for related questions to fill in any blanks later :)
Blaspheme doubtful (Score:2, Insightful)
Re:Blaspheme doubtful (Score:4, Informative)
Statistically, Pakistan has the one of the worst records of religious tolerance in the world, and is listed as a country of particular concern by the USCIRF (http://www.uscirf.gov/countries/countriesconcerns/index.html [uscirf.gov] http://en.wikipedia.org/wiki/1971_Bangladesh_atrocities [wikipedia.org]). Even middle-eastern countries are actually doing somewhat better.
heh. (Score:3, Funny)
I'm more in favor of this being motivated by the large number of vote rigging videos and independent news vids floating around youtube that are outside of Pakistani government control.
Gutenberg (Score:5, Interesting)
But mullahs forbade printing for 200 years, while in Europe it exploded. Mostly it was silly: religious stuff, cartoons, sex, but it was also maps, mathematics, etc.
Internet is about the same as an invention of printing was then. And again they are making the same mistake, again due to a fear of mullahs to lose their power.
Like 500 years ago it will just slow the development of their civilization.
Re: (Score:2, Informative)
It goes some way to explaining why YouTube became unavailable, but doesn't go into detail.
Re: (Score:2)
See here [cisco.com] and here [wikipedia.org] for details.
Basically, the Pakistan ISP told the internet world to redirect elsewhere all packets destined for Youtube.
Re: (Score:2)
Comment removed (Score:4, Insightful)
Re:Cue "Islam is evil post" (Score:5, Insightful)
Re: (Score:3, Insightful)
Re: (Score:3, Interesting)
just like a butterfly emerging from the cocoon; if you see it struggle and decide to help it out, it won't have the ability to survive on its own later.
You know, I'd never heard this analogy before, so I looked it up online. Every reference to it that I can *easily* find has some sort of religious message behind it.
My own personal suspicion is that one very easily can help a butterfly emerge from its crystalis; if one doesn't damage the wings in the process, the butterfly would probably benefit greatly from not having to struggle free. It's not as though they face great epistemological issues in their daily lives.
Re: (Score:3, Insightful)
That is why Islam has social laws against bad public behavior.
Re:Cue "Islam is evil post" (Score:5, Funny)
Re: (Score:2)
Re: (Score:3, Interesting)
And religion was just a dead herring.
BBC said outage was only 2 hours. (Score:4, Informative)