24 February 2008
The government of Pakistan has ordered all ISPs in the country to block access to Youtube. By itself, it's yet another sign of government censorship; that's bad, but this example is hardly unique. As the article points out, a fair number of other countries have blocked Youtube in the past. However, the way it was done this time is worrisome.
The obvious way to keep users from reaching a destination is to install some sort of access control list blocking the IP address. Pakistan Telecom did it differently: they created their own machines with the appropriate IP addresses (220.127.116.11, 18.104.22.168, and 22.214.171.124), so that any of their users who tried to reach Youtube presumably received a notice about the new government rule. Unfortunately, they made a serious mistake: they "announced" the network to the entire Internet.
This blog is not the place for a full tutorial on Internet routing. For now, let it suffice to say that an organization or ISP that "owns" a particular IP address announces it to the rest of the Internet. Other ISPs believe the announcement and thus know how to reach that address. (Caution: this description is grossly oversimplified.) Crucially, an address announcement with a "longer prefix" — a more specific route; the analog of announcing a particular street within a city, rather than the city itself — will be used preferentially by parties who wish to reach that particular address.
That's what happened here. Pakistan Telecom misconfigured a router so they announced a route to Youtube. Worse yet, they announced a very specific route (a "/24", in Internet parlance). The effect was to take Youtube off the air globally for about an hour.
This sort of hijacking isn't new. Spammers have done it to hide their tracks. There was a famous instance in 1997 known as the AS 7007 incident. But this is a serious security issue. In 1999, the National Academies called routing problems one of the two most serious threats to the global Internet. In other words, professionals have long known this could happen.
The added risk now is that the whole world has been told how easy it is to take networks off the air. I'm not particularly concerned about a national government doing this deliberately, e.g., to prevent any "defamation" from being seen across the Internet. That sort of thing is noticed and dealt with fairly expeditiously. I am worried about freelance attacks by hacktivists or simple mischief makers who have compromised ISP routers.
I've been worrying about routing security for many years; in fact, it's what got me interested in Internet security in the first place. We need to do something about the problem, such as deploying S-BGP. But deploying it will take years; we need to start soon, before sites more important than Youtube are hijacked.
Update: Here is an excellent timeline of the incident.