Pakistan’s YouTube Showdown Highlights Larger Threat

We take for granted that what we put online will be available. But when YouTube went offline for the better part of a day, it highlighted the fundamental insecurity of Internet routing, according to researchers and Internet registry officials.

The problem is that routing depends on ISPs advertising which addresses they can reach, and theres no way to check their claims. Theres no way to ensure thats actually legitimate, says Danny McPherson, chief research officer at Arbor Networks, a member of the Internet Architecture Board and the author of several books on Internet routing.

In one sense, the YouTube episode was predictable. It happened five years to the month after The National Strategy to Secure Cyberspace report included these words: Propagation of false routing information in the Internet can deny service to small or large portions of the Internet. For example, false routes can create black holes that absorb traffic destined for a particular block of address space.

A black hole is exactly where YouTube went when Pakistan wanted to block access within its borders to an un-Islamic video on the site. Pakistani technicians injected false information into the routing system, claiming a shorter path to YouTube. Unfortunately, the false routing information wasnt explicitly limited to Pakistan and propagated through the entire Internet, resulting in everyones YouTube traffic ending up in the Black Hole of Pakistan for the better part of a day.

While that appears to have been an accident, the same could be done to sabotage Internet connections or to mount sophisticated criminal attacks against corporations or governments. For example, McPherson says false routing information could be used to redirect data to a criminal site to harvest account information.

The subparts of the Internet use a protocol called BGP (Border Gateway Protocol) to tell the rest of the Internet which IP addresses are reachable through them. But McPherson points out there is no way to formally verify that a routing is correct.

The entities making up the Internet can verify routings within their borders but not those from outside.

Theres a simple way to solve this problem: ISPs should filter routing announcements, says McPherson. Some ISPs do this, but not all, nor are they required to. Alternate approaches include establishing either a central registry for routing information or some kind of distributed authentication mechanism.

There have been several efforts to secure routing, including secure versions of BGP such as Secure BGP and Secure Origin BGP. Technologies are being batted around but not accepted, says Mark Kosters, CTO of the American Registry for Internet Numbers (ARIN), the Regional Internet Registry (RIR) that assigns IP addresses in North America.

ARIN is working with its Asian counterpart, APNIC (Asia Pacific Network Information Centre), and IETF (Internet Engineering Task Force) to develop certificate-based verification methods for tracing IP addresses. But that is some ways off.

Meanwhile, both Kosters and McPherson say there are several things companies can do:

Require your ISP to filter all its routing announcements. This will make sure that none of its customers announce routes to IP addresses they dont own. This should be part of your request for proposals and your bandwidth contracts.

Develop an interdomain policy for what IP addresses you can make public.

Monitor your ISPs routing structure.

And remember this warning from Kosters: The whole area of Internet routing is highly insecure.