nanog mailing list archives

Re: YouTube IP Hijacking


From: "Josh Karlin" <karlinjf () cs unm edu>
Date: Mon, 25 Feb 2008 11:38:41 -0700

Tomas:

It's primarily a proof of concept site, to show that such an idea would be
useful, but it has been running for over a year now and discovered many
interesting hijacks (such as eBay/Google/etc.).

You're right that there is a glaring omission, which is yesterday's YouTube
hijack.  This is due to a bug in the sub-prefix lookup code (which can cause
the IAR to miss some sub-prefix hijacks), which I'm currently fixing.  Once
that is done I'll rerun the IAR over yesterday's logs and it will show up.

Josh


On Mon, Feb 25, 2008 at 10:37 AM, Tomas L. Byrnes <tomb () byrneit net> wrote:


This is a very interesting site. However, I notice that, in the "all in
the last 24 hours" it doesn't show the YouTube hijack. It does have a
lot of entries for 17557, most recently on 2/17.

How reliable is this system?



-----Original Message-----
From: owner-nanog () merit edu [mailto:owner-nanog () merit edu] On
Behalf Of Hank Nussbacher
Sent: Sunday, February 24, 2008 11:33 PM
To: Steven M. Bellovin; nanog () merit edu
Subject: Re: YouTube IP Hijacking


At 05:31 AM 25-02-08 +0000, Steven M. Bellovin wrote:

Seriously -- a number of us have been warning that this could happen.
More precisely, we've been warning that this could happen *again*; we
all know about many older incidents, from the barely noticed to the
very noisy.  (AS 7007, anyone?)  Something like S-BGP will stop this
cold.

Yes, I know there are serious deployment and operational issues.  The
question is this: when is the pain from routing incidents great enough
that we're forced to act?  It would have been nice to have done
something before this, since now all the world's script kiddies have
seen what can be done.

"we've been warning that this could happen *again*" - this is
happening every day - just look to:
http://cs.unm.edu/~karlinjf/IAR/prefix.php?filter=most
http://cs.unm.edu/~karlinjf/IAR/subprefix.php?filter=most
for samples.  Thing is - these prefix hijacks are not big ticket sites
like YouTube or Microsoft or Cisco or even whitehouse.gov - but rather
just sites that never make it onto the NANOG radar.

-Hank





