BusinessWeek
Technology February 26, 2008, 7:17AM EST

Net Weakness Seen in YouTube Outage

That Pakistan's state-owned telco was able to cut the social network from the global Web highlights security problems in how the Internet is managed

After receiving a censorship order from the telecommunications ministry directing that YouTube.com be blocked, Pakistan Telecom went even further. By accident or design, the company broadcast instructions worldwide claiming to be the legitimate destination for anyone trying to reach YouTube's range of Internet addresses.

The security weakness lies in why those false instructions, which took YouTube offline for two hours on Sunday, were believed by routers around the globe. They were believed because Hong Kong-based PCCW, which provides the Internet link to Pakistan Telecom, did not stop the misleading broadcast--something most large providers in the United States and Europe do.

This is not a new problem. A network provider in Turkey once pretended to be the entire Internet, snarling traffic and making many Web sites unreachable. Con Edison accidentally hijacked the Internet addresses for Panix customers including Martha Stewart Living Omnimedia and the New York Daily News. Problems with errant broadcasts go back as far as 1997.

It's also not an infrequent problem. An automatically-updated list of suspicious broadcasts created by Josh Karlin of the University of New Mexico shows apparent mischief--in the form of dubious claims to be the true destination for certain Internet addresses--taking place on an hourly basis.

So why hasn't anyone done something about it? False broadcasts can amount to a denial-of-service attack and, if done with malicious intent, can send unsuspecting users to a fake bank, merchant, or credit card site.

Understanding why this is both a serious Internet vulnerability and difficult to fix requires delving into the technical details a little.

How to pretend to be YouTube.com

When you type a domain like "news.com" into your Web browser, it uses the Domain Name System to cough up a numeric Internet address, which in our case is 216.239.113.101. That IP address is handed to your router, which uses a table of addresses to figure out the next hop toward the news.com server.

Network providers--called autonomous systems, or ASs--broadcast the ranges of IP addresses to which they'll provide access. One of the functions of the Internet Corporation for Assigned Names and Numbers is managing the master list of AS numbers, which it does by allocating large blocks of 1,000 or so at a time to regional address registries.

Kim Davies, ICANN's manager of root zone services, says ICANN isn't able to revoke the AS number of a misbehaving network provider. "It's best to think of them as similar to post codes or ZIP codes," Davies said. "We maintain a registry of them to ensure that they aren't conflicting."

If the address information provided by an AS is reliable, all is well. But if an AS makes a false broadcast, because of a configuration mistake or for malicious reasons, all hell can break loose.
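The two safeguards mentioned earlier in this article, an upstream provider refusing to pass along a customer's false broadcast and an automated list of suspicious broadcasts, can be sketched in a few lines. This is an added example, not part of the original article: the AS numbers and address ranges are constructed from values reserved for documentation, and the function names are hypothetical.

```python
import ipaddress

# Constructed sample data: documentation prefixes (RFC 5737) and documentation
# AS numbers (RFC 5398). None of these values come from the article.
REGISTERED = {64500: ["198.51.100.0/24"]}     # customer AS -> ranges it registered
EXPECTED_ORIGIN = {"192.0.2.0/24": 64496}     # range -> AS that legitimately serves it

ANNOUNCEMENTS = [                             # (announcing AS, range it claims)
    (64500, "198.51.100.0/24"),               # its own registered range
    (64500, "192.0.2.0/24"),                  # a range that belongs to AS 64496
    (64500, "198.51.100.128/25"),             # a slice of its own range
]


def _net(prefix):
    return ipaddress.ip_network(prefix, strict=True)


def upstream_accepts(customer_as, prefix, registered=REGISTERED):
    """Filter at the upstream provider: pass a customer's broadcast only
    if the range lies inside one that the customer registered."""
    net = _net(prefix)
    return any(
        net.version == allowed.version and net.subnet_of(allowed)
        for allowed in map(_net, registered.get(customer_as, []))
    )


def origin_conflict(origin_as, prefix, expected=EXPECTED_ORIGIN):
    """Monitor check: return the expected origin AS when a broadcast overlaps
    a known range but names a different origin, otherwise None."""
    net = _net(prefix)
    for known, owner in expected.items():
        known_net = _net(known)
        if (net.version == known_net.version and net.overlaps(known_net)
                and origin_as != owner):
            return owner
    return None


def review(announcements):
    """Return (accepted by the upstream filter, flagged by the monitor)."""
    accepted = [a for a in announcements if upstream_accepts(*a)]
    flagged = [(a, origin_conflict(*a)) for a in announcements
               if origin_conflict(*a) is not None]
    return accepted, flagged


if __name__ == "__main__":
    ok, suspicious = review(ANNOUNCEMENTS)
    print("passed upstream:", ok)
    print("flagged as suspicious:", suspicious)
```

With the filter in place, the claim on the range owned by AS 64496 never leaves the customer's link; without it, only the monitor's after-the-fact flag reveals the problem.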
