Pakistan YouTube Block Breaks the World

Allen54 noted a followup to yesterday's story about Pakistan's decision to block YouTube. He notes that "The telecom company that carries most of Pakistan's traffic, PCCW, has found it necessary to shut Pakistan off from the Internet while they filter out the malicious routes that a Pakistani ISP, PieNet, announced earlier today. Evidently PieNet took this step to enforce a decree from the Pakistani government that ISP's must block access to YouTube because it was a source of blasphemous content. YouTube has announced more granular routes so that at least in the US they supercede the routes announced by PieNet. The rest of the world is still struggling."

But how did they do it?

[suso]

So the article isn't clear on it. Does this ISP have an AS number that allows them to upload global routes? I would say that they should lose it. I can't think of another way that a single ISP could take out the whole internet's access to something. Pretty crazy.

Re:But how did they do it?

[rustalot42684]

A zealous ISP ignorantly decides the best way to comply with the decree is to re-route all of YouTube's IP addresses to whatever site they thought was more appropriate. The first repercussion was that YouTube disappeared from the Internet for almost an hour. I suspect the second repercussion was that Pakistan's Internet access crawled to a halt as all of a sudden they were handling IP requests for one of the busiest sites in the world. So I suspect that they do have an AS number that allows them to upload global routes. I agree they should lose it though; censoring your own country is bad enough, but screwing up the rest of the world is absolutely unacceptable. I need my dancing cats!

Re:But how did they do it?

[Aladrin]

Or maybe they aren't as stupid as we think... Maybe, just maybe... They did this on purpose to give global awareness to this censorship.

Maybe I give them too much credit... But it's possible.

Re:But how did they do it?

[suso]

Yeah that is very stupid. Why would you allow one of your customers to modify global routes when they don't have an AS number themselves?

I imagine that this event will introduce a lot of people to how high level internet routing works. Yes, its that vulnerable folks. Scary, but fortunately these events don't happen often. I think back in late 90s was the time when someone in Pennsylvania introduced a global route for everything to go to 0.0.0.0, which brought everything down for a day.

Re:But how did they do it?

The route was announced by AS17557.

Re:But how did they do it?

[Brian+Gordon]

Not to mention that they should keep ALL manner of global routing out of countries that censor the internet.. it's just a no-brainer. Probably should move a lot out of America too..

Re:But how did they do it?

[Shakrai]

The BGP article on Wikipedia is as good a place to start as any. Beyond that you can do some Google searches for it.

Basically BGP is the protocol used by routers to exchange route information with each other. A real oversimplification would involve three networks/routers, A, B and C. C receives it's network connectivity through A. C announces the networks it's responsible for to A, whom aggregates them before announcing them (and it's own networks) to B.

In theory, A shouldn't accept any routes from C for IP addresses not owned by C. Apparently that wasn't the case here though, or Pakistan's little stunt wouldn't have impacted anybody outside of Pakistan.

Re:But how did they do it?

[Atlantis-Rising]

The problem is that if they did that, they'd have nowhere to put it.

Unless you want to create an international organization with its own territory (sort of like the UN headquarters) that controls global routing- it can't be subject to any national law because it's got its own extraterritoriality (although international lawyers would tell me it's not true extraterritoriality, blah blah blah).

But somebody has to control THAT organization, and unless its mandate is simply to maintain the internet routing in a transparent manner between national-level routing domains...

Re:But how did they do it?

[Shakrai]

If you already know whose IP address are whose, then what do you need the routing protocol for in the first place?

Because multi-homed networks may wish to have finer control over which links traffic comes in on then allowed for with simple static routes. Because my above example (A/B & C) was a drastic oversimplification and the actual internet involves tens of thousands (hundreds?) of different networks connected in different ways and trying to manage static routes for all of them would be virtually impossible.

Imagine if the process of connecting a new network to the internet involved having to update static routing tables in every core router on the internet and you'll start to understand why BGP exists. Hell, there are routing protocols meant for internal usage (OSPF), because static routes become unmanageable if you have more then a few routers/netmasks to contend with.

BGP inherently depends on the honor system - that is the crux of the problem

Not strictly. The "honor system" should really be limited to the Tier 1 providers. Anybody else really should be filtering the routes that they will accept. There are already provisions in place to remove the "honor system" from consideration -- it seems that Pakistan's upstream provider choose not to use them.

This really isn't anything new. This kind of stuff has happened before. It's not even unique to the internet either -- the POTS network has a routing protocol used to setup calls/announce which switch is responsible for which number/range. One would suspect that SS7 can be abused by "bad" telcos as easily as BGP can be abused by "bad" ISPs.

Re:But how did they do it?

[Shakrai]

You'd need one without any culture of censorship

Sweden!

and a strong enough military (including globally targeted nuclear missiles) not to be pushed around by the countries interested in censorship

Oh. Shit. Well, ya had to muck things up with that requirement, huh?

Wait, I know! The United States can take over Sweden! Then we'll have one country with no history of censorship and nuclear missiles! It's perfect!

Hmm, free software/movies and Swedish chicks for me..... warmer weather and cheap blue jeans for them. Sounds like a win win for everybody concerned... and if any of those Swedes complain we'll just censor them ;)

Re:But how did they do it?

[bluesky74656]

Pakistan Telcom does have an ASN number. Just for kicks, try this:

Head over to this site. It visualizes the BGP routes between different AS's. Click 'Start BGPlay'. The prefix in which YouTube lives is 208.65.153.0/24. Set the start time for about 24 Feb 2008 10:00, and the end time for about 25 Feb 2008 03:00 (times are UTC). Start the simulation.

You'll see a bunch of ASNs. Two have red circles around them. You can get their name by clicking on the number. On the left is YouTube, and on the right is Pakistan Telcom. Click play and watch what happens.

For those too lazy to actually watch this: All the routes destined for YouTube head towards Pakistan Telcom instead. Then, midway through, you see PCCW get wise and shut down those routes, and everyone slowly starts finding the actual YouTube. It's pretty neat to watch.

Re:But how did they do it?

[rs79]

"The route was announced by AS17557"

Youtube had a route for 208.65.152.0/22 (208.65.152.0 - 208.65.155.255), but Pakistan's main ISP in Hong Kong announced a route for 208.65.153.0/24 (208.65.153.0 - 208.65.153.255) to keep youtube off their net. What they didn't understand though is this really needs to be kept as a local routing policy so it only affected Pakistan, but it sorta snuck out and affected the entire network.

Routing is the soft underbelly of the net.

Re:But how did they do it?

[TMB]

Second rule of BGP is you DO NOT talk about BGP!

Re:But how did they do it?

[Shakrai]

Are you joking?

Yes.

Re:But how did they do it?

[Fatal67]

BGP does not rely on the honor system. Every provider has the ability to lock down announcements to the finest of detail. They may choose not to, but that's just piss poor network management.

Every External BGP session (EBGP) SHOULD be configured with a very specific access list as to what that particular session will be allowed to announce to you.

Obviously, tracking 20K plus announcements from a provider and creating an access list for it, daily, is a bit tedious. This is why Route Registries were created and many tools that will look up an AS in a route registry and generate the appropriate ACL are already in existence and in use. The problem is a lot of networks do not keep their registries up to date unless forced to by a peer / transit provider.

A correctly configured session will allow only announcements of the specified address space at the specified length. Any major transit provider that allowed this should be looking at their advertisement policy and figuring out how to prevent it in the future. Solutions do exist and are used by the majority of large providers already.

How the hell did /25's get propagated anyway? There are still transit networks that allow prefixes that small to be accepted externally?

CBG

[Zedekiah]

Worst. Title. Ever.

Re:CBG

[Shakrai]

Closely followed by the award for most incomprehensible summary. I've re-read it twice. I have no idea what is happening

Basically a Pakistani ISP decided to implement the block of Youtube by announcing a new route for the IP addresses owned by Youtube that presumably directed all of that traffic into /dev/null or elsewhere. By accident (one would presume -- there is no reason to do this on purpose) those routes were announced outside of Pakistan by said ISP, whose upstream provider then relayed them to the rest of the internet (sheer stupidity on their part -- their configuration should have prevented this). Said upstream provider then decided to cut Pakistan off until they are able to correct the problem.

All I know is living in the UK I'm in no position to criticize the Pakistanis, because their country is much freer than mine.

Yeah, I can't help but remember how Gordon Brown seized power in a military coup and allowed a leading member of the opposition to be brutally assassinated by extremists. It's amazing how far the UK has fallen, isn't it?

C'mon! As an American I can certainly sympathize with your disillusionment over your own Government's policies but get some perspective. It's not yet that bad. Freedom in the United States or United Kingdom isn't dead until people stop fighting for it and become as apathetic as you sound when you make statements like that.

Your country gave us the Common Law, the Magna Carta and the foundations of Representative Democracy. You stood alone against Hitler for all those lonely months between the Fall of France and the involvement of the Soviet Union and United States. That stand likely saved Western Democracy from Communism or Fascism. Start fighting for your freedoms instead of whining online about how much better Pakistan is. I suspect that the people fighting and dying for Democracy right now within Pakistan would have zero sympathy for your point of view.

Re:CBG

[Shakrai]

Woah... time to dust off your history book.

After the French Armistice on 22 June 1940 the UK, alongside the Commonwealth (Canada, New Zealand, Australia and South Africa) was the sole remaining major power that was still fighting Nazi Germany. She did fight alongside the other nations that were invaded (Greece comes to mind) but those nations capitulated fairly quickly, leaving the UK to fight on alone.

The UK remained alone until the launch of Barbarossa exactly one year (22 June 1941) after the signing of the French Armistice. Even at that, it seemed likely (at the time) that Germany would beat the Soviet Union and Churchill wasn't sure the Allies would win until after Pearl Harbor brought the United States into the war.

So yes, I give the UK a lot of respect for standing alone against the Nazi War Machine during that period. It was arguably the finest moment in British history and likely saved the Western Democracies from becoming conquered slave-states to Nazi Germany or Communist Satellites of the Soviet Union.

Re:CBG

[Shakrai]

You must have missed the part of history class where they taught about the Lend-Lease Act. The US was very much involved in the war starting in March of 1941, we might not have had boots on the ground but without our help the UK wouldn't have stood much of a chance.

And you must have missed the part of history class where they taught that the Battle of Britain started in June 1940, nine months prior to the passage of Lend-Lease.

Seriously though even if Lend-Lease/other assistance (destroyers for bases comes to mind) was the sole thing that keep the Brits going, how does that diminish the bravery that they showed in continuing to fight on alone? They could have easily sought an armistice and probably would have emerged better off for doing so (the Empire would have survived instead of being bankrupted). The free world owes them a debt of gratitude for carrying on that fight even when things looked pretty bleak.

A more technical explanation/discussion is here

[br00tus]

There is a NANOG thread about this. Apparently a more specific IP route was advertised.

PieNet fights back

[proverbialcow]

The PieNet Funding Bill is passed. The system goes on-line August 4th, 1997. Human decisions are removed from strategic defense. PieNet begins to learn at a geometric rate. It becomes self-aware at 2:14 a.m. Eastern time, August 29th. In a panic, they try to pull the plug.

"malicious" routes

[br00tus]

I should also note that while the Slashdot story says these routes were maliciously announced, there is no evidence of this. This type of thing has happened before by accident many times. That it was accidental makes more sense anyhow - which is more probable, that there are a bunch of network wizards in Pakistan with state-of-the-art equipment decided to take out Youtube, or that a handful of overworked and undereducated network technicians in Pakistan were told by management that they had to block Youtube immediately, and in their haste their blocked route accidentally leaked to the outside world? I would say the latter, especially considering that they stopped advertising the route soon after they began getting a lot of complaints.

I should also point out that while bureaucrats in Pakistan may be bone-headed for blocking content, companies like Microsoft, Yahoo, Cisco and so forth are the ones who built things like the "Great Firewall of China". Lots of Americans like the point their finger at governments like China, whereas they could actually have more of an effect in making companies in their own countries stop building this sort of stuff.

Re:Cue "Islam is evil post"

[aicrules]

Islam has various doctrines that are meant to be trials for those who subscribe to that faith. Ramadan is meant to teach patience and improve ones ability to resist temptation. If those temptations are removed by theocratic/governmental policing, the whole point is lost. Yes, a person may not have access to one area of temptation and therefore won't succumb because there's nothing to succumb to, but just like a butterfly emerging from the cocoon; if you see it struggle and decide to help it out, it won't have the ability to survive on its own later. If a muslim never even has the opportunity to face temptation because they are shielded from it at every turn, then on the likely chance that in their adult life they suddenly have multiple temptations blinding-siding them, they will have no internal facility to deal with it other than to cave in. I think the "Islam is evil" thing you're so sure is going to happen is because of how evil the intentions the governmental bodies that try to enforce it are. This is why separation church and state is so important in this respect. It was huge in christianity during the crusades. Fortunately many have seen the light and no longer impose faith as a law.

A Better Technical Explanation

[1sockchuck]

Better technical explanations of the event are available from the Renesys blog and Data Center Knowledge. The erroneous IP assignments spread across the net within 1 minute, 45 seconds of its announcement by Pakistan Telecom, according to a timeline by Renesys. It took about 80 minutes for YouTube to inform its providers that the route had been hijacked. YouTube says it is "investigating and working with others in the Internet community to prevent this from happening again."

Works for me

[weave]

"Works for me."

/ticket closed.

First article (Third link) is not bull

[ruinevil]

The telecommunication authorities are claiming in Pakistan that YouTube was blocked for featuring allegedly blasphemous documentaries. While this move if triggered by this motive is as foolish as burning an entire library just because on a page of one of the books someone has scribbled a couple of words against you, it is far from truth. Actually Musharraf is a very self centered and insecure man these days and has recently learned from his sycophants that YouTube carries many videos critical of his government especially his torture on lawyers and political captives and since during this campaign technology played critical role in influencing people he wants to block out every kind of criticism. This is exactly what I'm talking about.

Political, not religious reasons.

[Spy+der+Mann]

All Things Pakistan points out that this may have a political rather than a "cultural" reason - given that a number of videos of election rigging were posted.

Re:What a REAL oppressive theocracy looks like

Just because other crap smells worse doesn't mean my own crap doesn't stink anymore. All oppression needs fighting, not just the blatant stuff.

Re:What a REAL oppressive theocracy looks like

[lixee]

Tu quoque? This idiotic line is getting old. Yes, we get it. The US is better than the scum of the Earth that is al-Qaeda and their supporters. But for the love of God, quit justifying wars of aggression and other unconstitutional acts by see, it could be worse. It's only works with mentally challenged people.

Arstechnica explains

[rishistar]

http://arstechnica.com/news.ars/post/20080225-insecure-routing-redirects-youtube-to-pakistan.html

Comment removed

[account_deleted]

Comment removed based on user account deletion

Why it broke, in techie

[autocracy]

I submitted this article yesterday while it was happening, but of course at that time details were even more sparse (speed vs. informative.. oh well). Some of the BGP routing information I captured is printed out on Wikinews. The basic idea is that Pakistan Telecon, BGP Autonomous System number 17557 began being chatty, saying that it owned Youtube's netblock. It did this using a /24 routing prefix, whereas Youtube exports its route as a /22 (which it should...). Because the /24 was more specific, it became the primary route of reference. This is similar to the "AS 7007" incident (Google it... there's no one good link) back in the late 1990s (one of two incidents in the history of the Internet that has brought the entire Internet down, IIRC).

I'll check back for related questions to fill in any blanks later :)

Re:Cue "Islam is evil post"

[RyuuzakiTetsuya]

The content of the Quran, as read by the average reasonable person, resembles Mein Kampf in its degree of evil. Godwin's law. 10 yards back, redo the whole play.

Gutenberg

[Max_W]

Once the Islam world already did the same error. In 15th century when Gutenberg invented the printing press the Islam countries were a way ahead in science.

But mullahs forbade printing for 200 years, while in Europe it exploded. Mostly it was silly: religious stuff, cartoons, sex, but it was also maps, mathematics, etc.

Internet is about the same as an invention of printing was then. And again they are making the same mistake, again due to a fear of mullahs to lose their power.

Like 500 years ago it will just slow the development of their civilization.

Re:What a REAL oppressive theocracy looks like

[Builder]

Being the second fattest chick in the bar does NOT make you skinny!

But how did they do it?

[greedyturtle]

For those of you who actually want to know "How they did it?" posted from: Renesys Blog
which was found from Cydeweys which is updating as the story progresses. Both of those sites seem to be running a bit slow, so hesitate before clicking.

Full text of Reneysys: Pakistan hijacks YouTube.

A few hours ago, Pakistan Telecom (AS 17557) began advertising a small part of YouTube's (AS 36561) assigned network. This story is almost as old as BGP. Old hands will recognize this as, fundamentally, the same problem as the http://merit.edu/mail.archives/nanog/1997-04/msg00380.html">infamous AS 7007 from 1997, a more recent ConEd mistake of early 2006 and even TTNet's Christmas Eve gift 2005.

Just before 18:48 UTC, Pakistan Telecom, in response to government order to block access to YouTube (see news item) started advertising a route for 208.65.153.0/24 to its provider, PCCW (AS 3491). For those unfamiliar with BGP, this is a more specific route than the ones used by YouTube (208.65.152.0/22), and therefore most routers would choose to send traffic to Pakistan Telecom for this slice of YouTube's network.

I became interested in this immediately as I was concerned that I wouldn't be able to spend my evening watching imbecilic videos of cats doing foolish things (even for a cat). Then, I started to examine our mountains of BGP data and quickly noticed that the correct AS path ("Will the real YouTube please stand up?") was getting restored to most of our peers.

The data points identified below are culled from over 250 peering sessions with 170 unique ASNs. While it is hard to describe exactly how widely this hijacked prefix was seen, we estimate that it was seen by a bit more than two-thirds of the Internet.

This table shows the timing of the event and how quickly the route propagated (this is actually a fairly normal propagation pattern). The ASNs seeing the prefix were mostly transit ASNs below, so this means that these routes were distributed broadly across the Internet. Almost all of the default free zone (DFZ) carried the hijacked route at least briefly.

18:47:00uninterrupted videos of exploding jello

18:47:45first evidence of hijacked route propagating in Asia, AS path 3491 17557

18:48:00several big trans-Pacific providers carrying hijacked route (9 ASNs)

18:48:30several DFZ providers now carrying the bad route (and 47 ASNs)

18:49:00most of the DFZ now carrying the bad route (and 93 ASNs)

18:49:30all providers who will carry the hijacked route have it (total 97 ASNs)

20:07:25YouTube, AS 36561 advertises the /24 that has been hijacked to its providers

20:07:30several DFZ providers stop carrying the erroneous route

20:08:00many downstream providers also drop the bad route

20:08:30and a total of 40 some-odd providers have stopped using the hijacked route

20:18:43and now, two more specific /25 routes are first seen from 36561

20:19:3725 more providers prefer the /25 routes from 36561

20:28:12peers of 36561 start seeing the routes that were advertised to transit at 20:07

20:50:59evidence of attempted prepending, AS path was 3491 17557 17557

20:59:39hijacked prefix is withdrawn by 3491,

Re:Common law

[Shakrai]

I don't think you realise what you are advocating. Or are you an anarchist?

*sigh*, I think you largely missed the point. Let me spell it out for you using the words of Thomas Jefferson:

We hold these truths to be self-evident, that all men are created equal, that they are endowed by their Creator with certain unalienable Rights, that among these are Life, Liberty and the pursuit of Happiness.

That to secure these rights, Governments are instituted among Men, deriving their just powers from the consent of the governed, That whenever any Form of Government becomes destructive of these ends, it is the Right of the People to alter or to abolish it

(emphasis mine)

Every law, by its very nature, takes away the rights of the people. The only way for a government not to take away rights is to abolish all laws.

That's such a blatant oversimplification that I hardly know where to respond. The spirit of our Declaration of Independence (and all those other documents I referenced earlier) is that the Government exists to secure our rights -- my right not to be murdered by you trumps your right to do whatever you want. The Government derives it's power from the consent of the Governed and not the other way around.

How soon we forget our own history.