On Sunday, YouTube became unreachable from most, if not all, of the Internet. No "sorry we're down" or cutesy kitten-with-screwdriver page, nothing. What happened was that packets sent to YouTube were flowing to Pakistan. Which was curious, because the Pakistan government had just instituted a ban on the popular video sharing site. What apparently happened is that Pakistan Telecom routed the address block that YouTube's servers are in to a "black hole" as a simple measure to filter access to the service. However, this routing information escaped from Pakistan Telecom to its ISP PCCW in Hong Kong, which propagated the route to the rest of the world. So any packets for YouTube would end up in Pakistan Telecom's black hole instead.
On the North American Network Operators Group (NANOG) mailing list, where many engineers in charge of Internet routing hang out, the consensus is that this was an accident. Only one or two people suggest that it may be a malicious act, possibly a trial of something bigger. So why was this incident so devastating to YouTube's reachability?
Originally, IP addressing was set up for three different classes of users: classes A, B, and C. Class A users, such as the original ARPANET, got an address block of 16777216 addresses so they could connect millions of systems to the Internet. Class B users, such as universities, got 65536 addresses. Class C users, such as businesses with only a small number of Internet-connected systems, got 256 addresses. Obviously, these classes often didn't fit well with the number of addresses needed, which led to a lot of waste. So in the early 1990s, a new system, called Classless Inter-Domain Routing (CIDR) was created so that IP addresses could be used much more efficiently.
CIDR allows address blocks to be given out in power of two blocks, such as 256 (/24), 512 (/23), 1024 (/22), and so on. The number after the slash indicates how many of the 32 address bits are "network" bits, the remaining bits are used to number hosts. So /24 is 24 network bits and 8 bits to number hosts, which allows for 256 addresses. An interesting side effect of CIDR is that a particular IP address can now fall within multiple address ranges. For instance, a router could have both 10.0.0.0/8 and 10.10.0.0/16 in its routing table. Then, if a packet for 10.10.10.10 arrives, how should it be forwarded? The answer is: longest match first. The smallest address block, with the largest number after the slash, takes precedence.
In the case of YouTube and Pakistan Telecom, YouTube injected the address block 208.65.152.0/22 (208.65.152.0 - 208.65.155.255) in the Internet's routing tables, while Pakistan Telecom advertised the 208.65.153.0/24 (208.65.153.0 - 208.65.153.255) block. So even though YouTube's routing information was still there, packets would flow towards Pakistan Telecom because of the longest match first rule.
This vulnerability has been known for a long time, and smaller scale accidents of this nature happen at regular intervals. But so far, efforts within the IETF to make the Border Gateway Protocol, which governs Internet routing, more robust against this type of accident (or attack) haven't produced any results yet. There are routing databases around the world where network operators can register their IP address blocks for the purpose of generating filters automatically, but since everyone has to register their own address blocks, and many people don't, the filters generated from these databases often do more harm than good. This means that the only thing that prevents things like this from happening are the filters that everyone sets up for their own address blocks, and filters that ISPs apply to their BGP-capable customers manually.
A likely result of this incident is that more network operators will start to announce their IP address blocks as a collection of /24 blocks. /24 is the smallest address range that is widely accepted between ISPs, so announcing the /24 yourself provides some protection against others doing the same. However, the problem with that is that it increases the routing tables in routers, which exacerbates problems from global routing table growth that already exist.
Facebook
Twitter
Instagram