I'm very interested in how WANs (and even the ultimate WAN, the internets) work. Border Gateway Protocol is one of the areas I know little about but would love to have a chance to explore. With that in mind I wanted to write about three interesting events that happened over the last year that highlight some of the inner workings of the Internet.
- Pakistan's YouTube takedown happened when Pakistan's government ordered it blocked because of offensive material, apparently a video depicting the cartoons about Muhammad that had been posted in a Danish newspaper. Some reports have said the video featured several minutes of a film made by Dutch politician Geert Wilders, an outspoken critic of Islam.
A spokesman for the Pakistani embassy said on Monday that the order to block access to YouTube came from the highest levels of the government. It would have been passed along to Pakistan's Electronic Media Regulatory Authority and then to Pakistan's telecom authority, the spokesman said, which in turn would have issued the formal order to the Internet providers.
Pakistan Telecom responded by broadcasting the false claim that it was the correct route for 256 addresses in YouTube's 22.214.171.124 network space. Because that was a more specific destination than the true broadcast from YouTube, which said it was home to 1,024 computers, within a few minutes traffic started flowing to the wrong place.
A timeline created by Renesys, which provides real-time monitoring services, says that it took about 15 seconds for large Pacific-rim providers to direct YouTube.com traffic to the Pakistan ISP, and about 45 seconds for the central routers on much of the rest of the Internet to follow suit.
YouTube took countermeasures within minutes, first trying to reclaim its network by narrowing its 1,024-address broadcast to 256 addresses. Eleven minutes later, YouTube added an even more specific additional broadcast claiming just 64 addresses, which, under the Border Gateway Protocol, is more specific and therefore should overrule the Pakistani one. Over two hours after the initial false broadcast, Pakistan Telecom finally stopped.
How could this have been prevented? First, Pakistan Telecom shouldn't have broadcast to the entire world that it was hosting YouTube's IP addresses. Second, Hong Kong-based PCCW could have recognized the broadcast as false and filtered it out.
- Digg's Torrent-server attack started with a SYN flood aimed at Revision3's BitTorrent tracker that clogged the company's tubes and brought down all of its web services. The traffic logs indicated that the network was getting slammed by over 8,000 packets every second. Revision3 tracked the source of the packets and discovered that the attack originated from MediaDefender, a company that provides BitTorrent poisoning services to big media. TWiT on 2nd June has very good coverage of the events, particularly Jim Louderback's insights.
- Amazon's recent DDoS attack happened on 6th June: Amazon.com was taken down by a distributed denial-of-service attack that struck the Web site's load-balancing system. The DDoS attack bypassed AWS services like Amazon's S3, striking directly at the heart of Amazon's business. It's unclear how Amazon fought off the attack, which struck at roughly 10:20 AM.
The interesting thing about these three incidents is that they don't conform to the traditional hacker-led attack. In the case of YouTube it was big-government, in the case of Revision3 it was big-media and in the case of Amazon it was big-money trying to 'short' their stock. No doubt that none of the perpetrators will ever have to answer for their misdeeds.