This week, we saw an indication of what could be massive disruptions on the Internet. Way back in 2002, I pointed out our continued vulnerability to prefix injection attacks – from intentional and unintentional insertions (see NANOG BGP Security Update). This weekend, we had the Pakistan Telecom Authority (PTA) order their ISPs to block access to YouTube – specifically addresses in 220.127.116.11/24. Blocking is not the problem. Leaking the prefix used to trigger the block is a problem. A problem which spread from one side of the Internet to the other.
While we have our dialog on NANOG and peers blog about the problem (Danny McPherson @ http://tinyurl.com/3y3pzl & Martin A. Brown @ http://www.renesys.com/blog/2008/02/pakistan_hijacks_youtube_1.shtml ), lets look at this from two angles. First, what is the immediate problem we need to resolve. Second, what is the real threat we need to worry about.
First, the immediate problem is simple. We had a censorship order to block access to an IP address. The SP in questions – Pakistan Telecom (AS 17557) – looks to have tried to do a BGP Shunt. When they did the BGP Shunt, they had two major mistakes:
- They did not add BGP Communities no-advertise and an extra BGP filter that can be used for a egress Murphy Prefix Filter.
- They did not have a Murphy’s Law prefix filter on their egress advertisements to their upstreams.
The consequence – 18.104.22.168/24 being leaked out to the Internet. That in turn had a consequence of all traffic to 22.214.171.124/24 going to AS 17557.
Action Plan for the Community – We need better documentation of how BGP Shunt is suppose to work. The problem is not the technique, nor is it clue. The problem is that we – the industry – do a poor job in communicating and empowering our peers through out the world how things really work. As a consequence, we get problems like this leak of YouTube’s routes.
Next – on the immediate problem thread – we have the upstream to AS 17557’s response. Here you have all this traffic heading down towards AS 17557, people calling their NOC, complaints coming from all over, so what do they do? PCCW (AS 3491) does not do the logical action – add to their ingress prefix filter on AS 17557 a simple line to filter out 126.96.36.199/24. No, instead, they unplug the customer.
Action Plan for the Community – Transit NSPs need to ingress filter the prefixes coming from their customers. This would allow them a tool to specific stop problems like this leak, with out unplugging them.
So, while the community start exploring the sBGP vs soBGP debate or how organizations should be using RADB tools, lets now loose sight of some quick simple tools which would help to mitigate this problem.
Now for the second problem ….. it is front page news that you can inject BGP prefixes from one side of the Internet and impact the entire Internet. Back in 2002, I was not drastically worried about this issue. Principle #3 of the current seven principles of the miscreant economy puts a behavioral check on the threat of using BGP prefix injection as a tool to massively disrupt the Internet (and the global IP NGN). Today, I’m worried. We have people out in the world who are increasing their skills. It would be feasible for a small group of people to grab a range of BGP speaking routers which have been violated and owned (i.e. someone as broken into them) to advertise BGP prefixes from all over the Internet. The result would not take out the Internet – but it would cause massive disruption. Massive disruption of the telecommunications system exacerbates a crisis – which is what you want if you want your terrorist attack to have a more impactions.
In other words, the press coverage of this BGP prefix leak is shining light on an attack vector which can cause some serious havoc during a period where people will need the Internet the most.