Pakistan Drops the BGP Bomb

By Larry Seltzer  |  Posted 2008-02-26 Print this article Print

Opinion: In blocking content its government deemed offensive, Pakistan Telecom used an especially egregious form of Internet abuse.

A recent Newsweek cover story called Pakistan "the most dangerous country in the world." The writers don't even know the half of it.

A few days ago, YouTube's service was interrupted for a couple of hours over a political issue in Pakistan. Someone in the government was offended by a video on YouTube. They issued an order to Pakistan Telecom to remove Internet access to a specific YouTube video. That video is now offline from anywhere, for violating terms of use according to YouTube. (That fact could be another column; I heard it was another one of these Danish cartoon things, but back to the technical issues ...)

I'm guessing that ISPs in Pakistan have to peer with Pakistan Telecom; lots of countries work that way. You can see their peering list (at least a very recent one) here. So it's definitely a point at which one could control the country's Internet access, although this sort of ISP function doesn't have a handy "block this URL" function.

But when you only have a hammer, everything looks like a nail, I guess, and so Pakistan Telecom decided to follow the order by using routing functions. Networks like Pakistan Telecom, the ISPs they serve and the upstream providers elsewhere on the Internet to which they provide their customers access all have unique network identifiers called AS - or Autonomous System numbers - and AS names. Pakistan Telecom is AS17557 with the name "PKTELECOM-AS-AP Pakistan Telecom." These AS numbers are used by routers for basic functions, such as to announce what addresses they have in their networks. This whole system is known as the routing protocol BGP, or Border Gateway Protocol.

There is a trust model implicit in this system, making it subject to abuse, and Pakistan Telecom dealt with their problem by abusing it. It engaged in an attack known as BGP Injection. I'd like to thank Dave Rand of Trend Micro, who first brought the problem of BGP injection to my attention years ago. It's an attack with horrifying potential, and defenses against it are weak at best.

For a much better explanation of what Pakistan Telecom did, see this CircleID article. Essentially, PT told the world of Internet routing that it was the route to IP addresses for YouTube's service, and in fact they advertised it as the preferred route. Internet traffic all over the world started heading into Pakistan where there was, of course, no actual YouTube to show them videos of exploding Jello.

It looks like it took YouTube about 80 minutes to get the word out that its addresses had been hijacked, and providers began responding very quickly. The YouTube people seemed to be on the ball and the outage lasted anywhere from about 90 minutes to 2 hours, depending on what network you were on.

BGP Injection can be detected, if you're looking. It cannot be prevented. Imagine a rogue network in some relatively lawless part of the world advertising the IP addresses of Bank of America and put a fake site up on the appropriate server. Users would have a very hard time telling the difference. The address bar would say "" Network admins could tell that something had happened, but they would have to be looking for it. Not many companies look at their real-time BGP tables.

As Martin Brown, author of the CircleID piece says, it's trivial to perform this sort of attack. It's happened before, but not all that often (that we know of).

This case was certainly callous, but it's not the really worrisome form of BGP Injection. Could one of those really happen? Would a network operator actually be careless or malicious enough to do that? Of course they would. Just a matter of time.

Security Center Editor Larry Seltzer has worked in and written about the computer industry since 1983.

For insights on security coverage around the Web, take a look at Security Center Editor Larry Seltzer's blog Cheap Hack.

Larry Seltzer has been writing software for and English about computers ever since—,much to his own amazement—,he graduated from the University of Pennsylvania in 1983.

He was one of the authors of NPL and NPL-R, fourth-generation languages for microcomputers by the now-defunct DeskTop Software Corporation. (Larry is sad to find absolutely no hits on any of these +products on Google.) His work at Desktop Software included programming the UCSD p-System, a virtual machine-based operating system with portable binaries that pre-dated Java by more than 10 years.

For several years, he wrote corporate software for Mathematica Policy Research (they're still in business!) and Chase Econometrics (not so lucky) before being forcibly thrown into the consulting market. He bummed around the Philadelphia consulting and contract-programming scenes for a year or two before taking a job at NSTL (National Software Testing Labs) developing product tests and managing contract testing for the computer industry, governments and publication.

In 1991 Larry moved to Massachusetts to become Technical Director of PC Week Labs (now eWeek Labs). He moved within Ziff Davis to New York in 1994 to run testing at Windows Sources. In 1995, he became Technical Director for Internet product testing at PC Magazine and stayed there till 1998.

Since then, he has been writing for numerous other publications, including Fortune Small Business, Windows 2000 Magazine (now Windows and .NET Magazine), ZDNet and Sam Whitmore's Media Survey.

Submit a Comment

Loading Comments...
Manage your Newsletters: Login   Register My Newsletters

Rocket Fuel