RE: Youtube BGP/IP hijacked

From: Scott Morris (smorris@ipexpert.com)
Date: Fri Feb 29 2008 - 18:22:25 ARST


Ok, you are correct, they are a transit. I hadn't researched, simply made
an assumption off a post I saw on a different board.

There appear to be 23 unique downstream ASNs that peer with Pakistan
Telecom.

However, best I can tell there are fewer than 900 routes coming through
there. At least reported through an AT&T peering point.

bgpquery@Emanon-Edge-J4300>show route aspath-regex ".* 17557 .*" | match BGP | count
Count: 882 lines

bgpquery@Emanon-Edge-J4300>

Which, of course, changes the focus... that means it's more Pakistan
Telecom's problem than any upstream (there are four upstreams as far as I
can tell from different looking glass servers).

If you are going to be a transit AS, then you need to be doing some
filtering to figure out just who is or is not transiting you (e.g. you don't
want one of your upstreams deciding you are a shorter path to another
upstream). At least unless you have an IX agreement or bandwidth to kill!
:) From the different points I looked at, they do not appear to be an IX.

But either way there needs to be some responsibility in knowing how to do
filtering. If you make a conscious decision to blackhole a route, the
burden goes to you on HOW you do that and what impact it will have on the
rest of the world. There are much safer and more thoughtful ways to
blackhole traffic they don't want!

As I noted about marketing opportunity, perhaps this is an opportunity for
some good CCIEs/CCIE candidates from around here to educate people on how to
best filter routes, or best direct unwanted traffic to the bit bucket
instead of announcing out prefixes to the rest of the world they don't own!
 

Scott Morris, CCIE4 (R&S/ISP-Dial/Security/Service Provider) #4713, JNCIE-M
#153, JNCIS-ER, CISSP, et al.
CCSI/JNCI-M/JNCI-ER
VP - Technical Training - IPexpert, Inc.
IPexpert Sr. Technical Instructor

A Cisco Learning Partner - We Accept Learning Credits!

smorris@ipexpert.com

 

Telephone: +1.810.326.1444
Fax: +1.810.454.0130
http://www.ipexpert.com

 

-----Original Message-----
From: Shawn Zandi [mailto:szmetal@gmail.com]
Sent: Friday, February 29, 2008 2:26 PM
To: smorris@ipexpert.com
Subject: Re: Youtube BGP/IP hijacked

Scott,
I think there are too many multi-homed service providers under Pakistan
Telecom; no, it's not a Tier-1, but a transit AS.

On Fri, Feb 29, 2008 at 11:13 PM, Scott Morris <smorris@ipexpert.com> wrote:
> Why is it a nightmare? Pakistan Telecom is NOT a transit network.
> It's NOT a Tier-1 network. So by that I should know EXACTLY what
> prefixes they have registered to them.
>
> And if they want to announce any extras in the future, it should be
> up to them to let PCCW know. Not difficult! :)
>
> Scott
>
>
>
> -----Original Message-----
> From: Shawn Zandi [mailto:szmetal@gmail.com]
> Sent: Friday, February 29, 2008 2:09 PM
> To: smorris@ipexpert.com
> Subject: Re: Youtube BGP/IP hijacked
>
> Exactly, but how can PCCW filter announcements? It's a nightmare to
> maintain such a policy. Maybe we should wait for an implementation of
> digital certificates for announcements.
>
> Shawn Zandi,
> www.shafagh.com
>
> On Fri, Feb 29, 2008 at 10:24 PM, Scott Morris <smorris@ipexpert.com> wrote:
> > This is why filtering in BGP (in and out) is a good idea. But also a
> > demonstration of lack-of-BGP skills on a global basis!
> >
> > Marketing opportunity? :)
> >
> > -----Original Message-----
> > From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of Shawn Zandi
> > Sent: Friday, February 29, 2008 12:56 PM
> > To: Cisco certification
> > Subject: Youtube BGP/IP hijacked
> >
> > As you may be aware from recent news reports, traffic to the
> > youtube.com website was 'hijacked' on a global scale on Sunday, 24
> > February 2008.
> > The incident was a result of the unauthorized BGP announcement of the
> > prefix 208.65.153.0/24 and caused the popular video sharing website to
> > become unreachable from most, if not all, of the Internet.
> > http://www.ripe.net/news/study-youtube-hijacking.html
> >
> > Shawn Zandi
> > www.shafagh.com

--
Shafagh Zandi,
www.shafagh.com
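
The per-customer inbound filtering debated in this thread, as an added example that is not part of any poster's message: a Python model of the check an upstream applies to each route received from a customer AS. AS 17557 and 208.65.153.0/24 come from the thread; the registered prefixes, downstream ASNs, function names and sample routes are constructed for illustration.

```python
import ipaddress

# Constructed policy for one customer session: documentation prefixes
# (RFC 5737) and private-use ASNs stand in for real registry data.
CUSTOMER_POLICY = {
    "peer_as": 17557,                          # AS number taken from the thread
    "allowed_origins": {17557, 64512, 64513},  # customer plus constructed downstream ASNs
    "registered": [                            # (prefix, longest length accepted)
        (ipaddress.ip_network("203.0.113.0/24"), 24),
        (ipaddress.ip_network("198.51.100.0/24"), 24),
    ],
}

def check_announcement(prefix, as_path, policy=CUSTOMER_POLICY):
    """Return (accepted, reason) for one route received from the customer."""
    net = ipaddress.ip_network(prefix)
    if not as_path or as_path[0] != policy["peer_as"]:
        return False, "first AS in path is not the customer"
    if as_path[-1] not in policy["allowed_origins"]:
        return False, "origin AS not registered behind this customer"
    for registered, max_len in policy["registered"]:
        same_family = net.version == registered.version
        if same_family and net.subnet_of(registered) and net.prefixlen <= max_len:
            return True, "covered by registered prefix %s" % registered
    return False, "prefix not covered by a registered entry"

def filter_session(routes, policy=CUSTOMER_POLICY):
    """Split received routes into accepted and rejected lists."""
    accepted, rejected = [], []
    for prefix, as_path in routes:
        ok, reason = check_announcement(prefix, as_path, policy)
        (accepted if ok else rejected).append((prefix, reason))
    return accepted, rejected

# Constructed sample: two registered routes, the /24 named in the thread,
# and a more-specific that exceeds the accepted prefix length.
SAMPLE_ROUTES = [
    ("203.0.113.0/24", [17557]),
    ("198.51.100.0/24", [17557, 64512]),
    ("208.65.153.0/24", [17557]),
    ("203.0.113.128/25", [17557]),
]

if __name__ == "__main__":
    ok, bad = filter_session(SAMPLE_ROUTES)
    for prefix, reason in ok:
        print("accept", prefix, "-", reason)
    for prefix, reason in bad:
        print("reject", prefix, "-", reason)
```

The maintenance cost raised in the thread sits in keeping the `registered` and `allowed_origins` entries current for every customer and its downstreams; the check itself is a default-deny match per route.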


This archive was generated by hypermail 2.1.4 : Sat Mar 01 2008 - 16:54:50 ARST