YouTube Prefix Hijacking

February 28th, 2008

By Supranamaya Ranjan

The impact that prefix hijacking, inadvertent or otherwise, can have on the Internet was brought to the fore recently when YouTube was inaccessible for almost 2 hours from most of the world. We were tracking the global BGP routing tables at that time and NarusInsight Secure Suite (NSS) generated alerts as soon as the incident happened. First, on Feb 24 at 18:43:00 UTC, the prefix 208.65.153.0/24 was detected appearing in the routing tables for the first time and hence was immediately classified as ‘Subnet Hijacking’. Note that YouTube only announces the super-prefix 208.65.153.0/22, and hence the appearance of the more specific prefix 208.65.153.0/24 from an AS different from YouTube led it to be classified as a Subnet Hijacking. Next, after about an hour and a half, YouTube engineers announced the /24 prefix for the first time in order to regain their lost traffic. Since the /24 was now being announced by two ASes at the same time, this announcement was classified as ‘Duplicate Hijacking’.

An interesting angle that is often overlooked regarding prefix hijacking is that other events which look similar to a hijacking happen all the time. Multi-homing is one such case. For instance, consider an ISP that signs up a new upstream service provider and is hence multi-homed to the Internet via multiple upstream providers. When the link to the current provider goes down, the ISP falls back upon the new provider, who then announces the prefix on its behalf. From the perspective of an observer outside this ISP, it appears that this prefix is announced by (and hence owned by) two different ASes.

Indeed, in the 2 hours that the YouTube hijacking was happening, NSS reported ~743 BGP prefix hijacking alerts in total, a majority of which were really cases of multi-homing or of an ISP having obtained a new prefix block. How could an ISP that is monitoring the health of the BGP routes it receives distinguish the YouTube hijacking from all these other alerts? NSS ranks prefix hijacking alerts by their impact on traffic, and hence in this case the YouTube alerts were ranked at the top.
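To make the two alert classes and the impact ranking concrete, here is an added Python example (not NSS code and not from the original post) that walks the announcements the post describes through a small classifier and then sorts the resulting alerts by the traffic they affect, so that a multi-homing false positive on a quiet prefix sorts below the busy /24. The AS numbers are placeholders from the documentation range (RFC 5398), the timestamps other than the first and the traffic figures are constructed, and the /22 is parsed with strict=False because, as written in the post, it has host bits set.

```python
from dataclasses import dataclass
from ipaddress import ip_network

# Constructed inputs. AS numbers are from the documentation range (RFC 5398);
# the prefixes are the ones named in the post, the traffic figures are made up.
AS_OWNER = 64496                    # stands in for the AS that legitimately originates the /22
AS_OTHER = 64500                    # stands in for the AS that first announced the /24
AS_ISP, AS_NEW_UPSTREAM = 64497, 64498

REGISTRY = {                        # prefix -> AS expected to originate it
    "208.65.153.0/22": AS_OWNER,    # as written in the post; host bits masked off below
    "192.0.2.0/24": AS_ISP,         # a multi-homed ISP's own block
}
TRAFFIC_BPS = {                     # bytes/sec flowing toward each block before the event
    "208.65.153.0/22": 900_000.0,
    "192.0.2.0/24": 5_000.0,
}


@dataclass
class Announcement:
    time: str                       # UTC timestamp
    prefix: str
    origin_as: int


@dataclass
class Alert:
    kind: str                       # 'Subnet Hijacking' or 'Duplicate Hijacking'
    prefix: str
    origin_as: int
    registered_as: int
    impact_bps: float


def _longest_match(table, net):
    """Most specific entry of table ({IPv4Network: value}) covering net, or None."""
    best = None
    for covering, value in table.items():
        if net.subnet_of(covering) and (best is None or covering.prefixlen > best[0].prefixlen):
            best = (covering, value)
    return best


class HijackDetector:
    def __init__(self, registry, traffic_bps):
        # strict=False masks host bits: "208.65.153.0/22" becomes 208.65.152.0/22.
        self.registry = {ip_network(p, strict=False): asn for p, asn in registry.items()}
        self.traffic = {ip_network(p, strict=False): bps for p, bps in traffic_bps.items()}
        self.origins = {}           # prefix -> set of ASes seen originating it

    def observe(self, ann):
        net = ip_network(ann.prefix, strict=False)
        seen = self.origins.setdefault(net, set())
        seen.add(ann.origin_as)
        match = _longest_match(self.registry, net)
        if match is None:
            return None             # no registered owner to compare against
        reg_net, reg_as = match
        impact = _longest_match(self.traffic, net)
        impact_bps = impact[1] if impact else 0.0
        kind = None
        if ann.origin_as != reg_as:
            # Someone other than the registered owner originates this prefix: either a
            # more specific carved out of the owner's block, or the owner's exact prefix.
            kind = "Subnet Hijacking" if net != reg_net else "Duplicate Hijacking"
        elif len(seen) > 1:
            # The owner itself now announces a prefix another AS already originated.
            kind = "Duplicate Hijacking"
        if kind is None:
            return None
        return Alert(kind, str(net), ann.origin_as, reg_as, impact_bps)


def ranked_alerts(announcements, registry=REGISTRY, traffic_bps=TRAFFIC_BPS):
    """Run every announcement through the detector; highest traffic impact first."""
    det = HijackDetector(registry, traffic_bps)
    alerts = [a for a in (det.observe(ann) for ann in announcements) if a]
    return sorted(alerts, key=lambda a: a.impact_bps, reverse=True)


# Constructed announcement stream in the order the post describes the events.
SAMPLE = [
    Announcement("Feb 24 18:43:00", "208.65.153.0/24", AS_OTHER),        # new /24, foreign origin
    Announcement("Feb 24 18:50:00", "192.0.2.0/24", AS_NEW_UPSTREAM),    # multi-homing fallback
    Announcement("Feb 24 18:55:00", "198.51.100.0/24", 64499),           # unregistered block
    Announcement("Feb 24 20:10:00", "208.65.153.0/24", AS_OWNER),        # owner announces its /24
]

if __name__ == "__main__":
    for a in ranked_alerts(SAMPLE):
        print(f"{a.kind:20} {a.prefix:18} AS{a.origin_as} (registered AS{a.registered_as}) "
              f"impact {a.impact_bps:,.0f} B/s")
```

Running it lists the foreign /24 as a Subnet Hijacking and the owner's later /24 as a Duplicate Hijacking, both carrying the /22's traffic figure, with the multi-homing announcement of 192.0.2.0/24 ranked last; the unregistered 198.51.100.0/24 produces no alert because there is no registered owner to compare against.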

The quick and drastic effect of this false prefix announcement was evident in the sudden drop in traffic headed to YouTube. As shown in the graph below, the traffic heading to YouTube drops to 0 bytes/sec around midnight Feb 25, 2008 and stays at that level for the next hour and a half, until YouTube announced its /24 to reclaim its rightfully-owned traffic. That this drop was not due to the diurnal variation in traffic (which falls off during the night) is evident from the fact that, over the same period, traffic heading to Google was unchanged (~1 MB/sec).

Fig. 1: Drop in traffic heading to YouTube

This incident is sure to open the flood-gates of discussion on security in BGP. In the past, authentication of BGP sessions has been proposed as a means to prevent unauthenticated routers from leaking BGP routes onto the Internet. But even if YouTube did have authenticated BGP sessions with all its one-hop peers, clearly that still would not have prevented someone many AS hops away from causing grave damage. While the BGP community searches for the right mechanism to stop such leaked routes from propagating, ISPs can currently benefit from solutions such as NSS, which provide timely detection of a hijacked prefix and also quantify the impact the hijacking would have on traffic.
