"Router war" caused YouTube outage
The RIPE Network Coordination Centre, which is responsible for coordinating internet resources within Europe, has explained the cause of the YouTube online video service blackout last February. According to Daniel Karrenberg, head of research at RIPE NCC and colleagues Ticiana Refice and Luca Cittadini of the Universita Roma Tre, Pakistan Telecom simply co-opted YouTube's IP address range as its own. Just one minute later the incorrect route, called a /24 block – according to CIDR terminology, of the YouTube address block was entered in numerous routers. As Refice explained, at a meeting of the IP address administrative body RIPE in Berlin on Monday, data traffic then flowed to Pakistan.
For several years, RIPE NCC has had a monitoring infrastructure in place to observe losses of service and attacks. In the analysis of the YouTube attack, the Routing Information System (RIS) helped to evaluate BGP data from some 600 peers at 15 different locations. The data, collected by remote routing collectors, are also archived and made available via a web interface, both now and for later re-examination.
Two additional monitoring systems, Traffic Measurement (TTM) and DNS Monitoring Services (DNSMON), have their fingers on the pulse of the net, via data transfer rates and in the system via root and ccTLD servers. With the help of these tools, At the Berlin meeting, Mark Dranse of RIPE NCC gave a detailed description of the curbed network traffic due to the severed underwater cable in the Near East. Some 60 per cent of Egypt, Sudan and Kuwait were cut off from the Internet as a result.
Using the BGPPlay tool researchers were also able to graphically reconstruct some of the events in the YouTube outage. An hour and twenty minutes after the block in Pakistan, YouTube reacted, announcing the theft of the /24 address block in order to get data traffic back on track. Refice characterised the effect of the block as visible, but not devastating, because there were two competing 18.104.22.168/24 address blocks. Also, the attempt a short time later to decide the battle by co-opting the smaller 22.214.171.124/25 block failed because /25 blocks are usually not disseminated by network operators.The confrontation did not end until it was stopped at Pakistan Telecom or its upstream provider PCCW.
Refice pointed out that what the YouTube outage showed was that the mere announcement of the stolen route was not enough to solve the problem. His recommended course of action was working together with the upstream provider. Internet service providers need clear processes to enable them to establish rapid communication with upstream providers and peering partners. They could avoid this problem by filtering incorrect routes.
The YouTube outage also sparked a fundamental debate within RIPE over what to make of the increasing number of small subdivisions within routing tables. Experts warned that if the reaction to such attacks was widespread entry of /24 addresses, the routing tables – already bursting at the seams – would explode. In Berlin, Karrenberg presented the initial results of an analysis that shows that in fact more than half of routing table entries are already /24 addresses. He was surprised by the high number and asked for a response from providers to find an explanation. RIPE NCC will publish the results of the new study soon. Refice's advice was to revoke small sub-blocks if they were disseminated as the result of an attack. YouTube provided a model response and is currently reachable again at 126.96.36.199/22.