When Pakistan Telecom blocked YouTube's traffic one Sunday evening in February, the ISP created an international incident that wreaked havoc on the popular video site for more than two hours.
RIPE NCC, the European registry for Internet addresses, has conducted an analysis of what happened during Pakistan Telecom's hijacking of YouTube's traffic and the steps that YouTube took to stop the attack.
We posed some questions to RIPE NCC's Chief Scientist Daniel Karrenberg about the YouTube incident. Here's what he had to say:
How frequently do hijacking incidents like the Pakistan Telecom/YouTube incident happen?
Misconfigurations of iBGP (internal BGP, the protocol used between the routers in the same Autonomous System) happen regularly and are usually the result of an error. One such misconfiguration caused the Pakistan Telecom/YouTube incident. It appears that the Pakistan Telecom/YouTube incident was not an "attack" as some have labeled it, but a configuration error.
What is significant about the YouTube incident?
This incident was significant simply because it affected a prominent Internet service and therefore caught the public's attention.
Your analysis shows that YouTube reacted 80 minutes after the attack and that the attack was over after about two hours. Can you put that timeframe in context? Is that fast or slow?
This is normal, perhaps on the quick side.
What could YouTube have done to stop the attack sooner?
Nothing. It's also worth noting, though, that if everyone were to announce /24s [relatively small blocks of address space], it would present a serious problem for the Internet routing system.
Is there any technology or standard on the horizon -- possibly DNS Security or Secure BGP -- that could help prevent these types of attacks?
Securing BGP certainly offers a solution for this attack. However, much could be done today without new technology if ISPs configured BGP properly.
Are other US Web sites vulnerable to a similar type of attack?
What can network managers do to prevent or minimize these types of attacks?
Network managers should do what they can to ensure that their ISPs and peers configure BGP properly.
Can I get more information about RIPE's Routing Information Service tools that were used to observe this event? Are these tools available to enterprise network managers? How much do they cost?
There's a full introduction to RIPE NCC's Routing Information Services available. But in short, the tools are free to use, and the service is financed by the RIPE NCC membership for the benefit of the whole Internet community.
What about the BGPlay visualization tool (mentioned in the case study)? Is that available, too? How much does it cost?
Yes, BGPlay is available publicly and can be used free of charge. For more information, see this site.
Your case study mentions that the RIPE community is discussing the introduction of digital certificates for Internet number resources. How would this help avoid this type of attack? What is the status of that roll-out?
Certification, in this context, would be an enhancement for good BGP configuration. Discussions about the adoption of certification in the RIPE NCC service region are still being conducted, led by the RIPE Certification Task Force. More information on this task force, and on certification in general, is available at here.
Some decisions in this area are due to be made at RIPE 56 meeting in Berlin in May 2008.