Looks like it just went back to normal: cr1-sea-A>show ip bgp 208.65.153.253 BGP routing table entry for 208.65.153.0/24, version 41150187 Paths: (3 available, best #3) Flag: 0x8E0 Advertised to update-groups: 1 3 4 6 13 14 16 3356 3549 36561, (Received from a RR-client) 208.76.153.126 (metric 110) from 208.76.153.126 (208.76.153.126) Origin IGP, metric 0, localpref 50, valid, internal Community: 3356:3 3356:22 3356:86 3356:575 3356:666 3356:2011 3549:4142 3549:30840 11404:1000 11404:1030 2914 3549 36561, (Received from a RR-client) 208.76.153.125 (metric 310) from 208.76.153.125 (208.76.153.125) Origin IGP, metric 0, localpref 49, valid, internal Community: 2914:420 2914:2000 2914:3000 11404:1000 11404:1010 3491 3549 36561 63.216.14.137 from 63.216.14.137 (63.216.14.9) Origin IGP, localpref 51, valid, external, best Community: 3491:2000 3491:2003 3491:3549 11404:1000 11404:1020 cr1-sea-A> Probably worth noting that the performace at least from our perspective (via PCCW) is abysmal. As a side note, I know PCCW allows unfiltered route-announcement capability to a large number of their customers, our feed appears to be that way (or they apply RADB filters instantly which would be a bit impressive). John van Oppen Spectrum Networks LLC 206.973.8302 (Direct) 206.973.8300 (main office) -----Original Message----- From: owner-nanog@merit.edu [mailto:owner-nanog@merit.edu] On Behalf Of Tomas L. Byrnes Sent: Sunday, February 24, 2008 12:50 PM To: Will Hargrave; nanog@merit.edu Subject: RE: YouTube IP Hijacking Pakistan is deliberately blocking Youtube. http://politics.slashdot.org/article.pl?sid=08/02/24/1628213 Maybe we should all block Pakistan.
-----Original Message----- From: owner-nanog@merit.edu [mailto:owner-nanog@merit.edu] On Behalf Of Will Hargrave Sent: Sunday, February 24, 2008 12:39 PM To: nanog@nanog.org Subject: Re: YouTube IP Hijacking
Sargun Dhillon wrote:
So, it seems that youtube's ip block has been hijacked by a more specific prefix being advertised. This is a case of IP hijacking, not case of DNS poisoning, youtube engineers doing something stupid, etc. For people that don't know. The router will try to get the most specific prefix. This is by design, not by accident.
You are making the assumption of malice when the more likely cause is one of accident on the part of probably stressed NOC staff at 17557.
They probably have that /24 going to a gateway walled garden box which replies with a site saying 'we have banned this', and that /24 route is leaking outside of their AS via PCCW due to dodgy filters/communities.
Will