nanog mailing list archives

RE: YouTube IP Hijacking


From: "Tomas L. Byrnes" <tomb () byrneit net>
Date: Sun, 24 Feb 2008 13:06:50 -0800


Clearly, they are incensed by youtube content, so what makes anyone
think that they would not be trying to engage in a case of Cyber-Jihad?

I hosted the site that was rated #1 on Google for the Jyllands Posten
(di2.nu) cartoons when it was a current issue, and I STILL get lots of
script kiddie DOS from the Islamic world.

I generally don't assume malice when mere incompetence will suffice, but
in the case of the Islamic world, they've proved themselves malicious
towards the non-Islamic world often, and violently, enough, that I don't
believe they deserve that presumption of innocence any more.

In either case, the correct COA is to filter all advertisements with AS
17557 in the path, until they fix the routes they are advertising, and
let us know how they plan on making sure this doesn't happen again.
 

-----Original Message-----
From: Neil Fenemor [mailto:neil.fenemor () fx net nz] 
Sent: Sunday, February 24, 2008 1:01 PM
To: Tomas L. Byrnes
Cc: Will Hargrave; nanog () merit edu
Subject: Re: YouTube IP Hijacking

While they are deliberately blocking Youtube nationally, I
suspect the wider issue has no malice, and is a case of
poorly constructed/implemented outbound policies on their
part, and poorly constructed/implemented inbound policies on
their upstreams' part.

On 25/02/2008, at 9:49 AM, Tomas L. Byrnes wrote:


Pakistan is deliberately blocking Youtube.

http://politics.slashdot.org/article.pl?sid=08/02/24/1628213

Maybe we should all block Pakistan.



-----Original Message-----
From: owner-nanog () merit edu [mailto:owner-nanog () merit edu] On Behalf Of Will Hargrave
Sent: Sunday, February 24, 2008 12:39 PM
To: nanog () nanog org
Subject: Re: YouTube IP Hijacking


Sargun Dhillon wrote:

So, it seems that youtube's ip block has been hijacked by a more
specific prefix being advertised. This is a case of IP hijacking, not
a case of DNS poisoning, youtube engineers doing something stupid, etc.
For people that don't know: the router will try to get the most
specific prefix. This is by design, not by accident.

You are making the assumption of malice when the more likely cause is
one of accident on the part of probably stressed NOC staff at 17557.

They probably have that /24 going to a gateway walled garden box
which replies with a site saying 'we have banned this', and that /24
route is leaking outside of their AS via PCCW due to dodgy
filters/communities.

Will


Neil Fenemor
FX Networks
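
The two mechanisms discussed in this thread, longest-prefix match and an inbound filter on AS 17557 in the path, as an added example that is not code from any poster. All prefixes and every ASN other than 17557 are constructed placeholders from private and documentation ranges.

```python
import ipaddress

BLOCKED_ASN = 17557  # the AS named in the thread

# Constructed sample advertisements as seen by one router. Prefixes and the
# 645xx ASNs are placeholders, not the real routes from the incident.
ADVERTS = [
    {"prefix": "10.10.0.0/22", "as_path": [64501, 64500]},              # legitimate covering route
    {"prefix": "10.10.1.0/24", "as_path": [64502, BLOCKED_ASN]},        # leaked more-specific
    {"prefix": "10.20.0.0/16", "as_path": [64503, BLOCKED_ASN, 64504]}, # 17557 only as transit
    {"prefix": "0.0.0.0/0",    "as_path": [64501]},                     # default route
]

def filter_as_path(adverts, blocked_asn):
    """Inbound policy: drop any advertisement with blocked_asn anywhere in its AS path."""
    return [a for a in adverts if blocked_asn not in a["as_path"]]

def best_route(adverts, dest):
    """Longest-prefix match: the most specific covering prefix wins, regardless of path."""
    addr = ipaddress.ip_address(dest)
    covering = [a for a in adverts if addr in ipaddress.ip_network(a["prefix"])]
    return max(covering,
               key=lambda a: ipaddress.ip_network(a["prefix"]).prefixlen,
               default=None)

def origin_asn(route):
    """The origin AS is the last hop in the AS path."""
    return route["as_path"][-1] if route else None

if __name__ == "__main__":
    tables = {"unfiltered": ADVERTS,
              "filtered": filter_as_path(ADVERTS, BLOCKED_ASN)}
    for label, table in tables.items():
        for dest in ("10.10.1.25", "10.10.2.25", "10.20.5.5"):
            r = best_route(table, dest)
            print(f"{label:10} {dest:11} -> {r['prefix']:13} origin AS{origin_asn(r)}")
```

The third sample route shows the cost of filtering on "17557 anywhere in the path": prefixes that merely transit that AS are dropped too and fall back to a less specific route.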




