Pakistan Drops the BGP Bomb

Opinion: In blocking content its government deemed offensive, Pakistan Telecom used an especially egregious form of Internet abuse.

A recent Newsweek cover story called Pakistan "the most dangerous country in the world." The writers don't even know the half of it.

A few days ago, YouTube's service was interrupted for a couple of hours over a political issue in Pakistan. Someone in the government was offended by a video on YouTube. They issued an order to Pakistan Telecom to remove Internet access to a specific YouTube video. That video is now offline from anywhere, for violating terms of use according to YouTube. (That fact could be another column; I heard it was another one of these Danish cartoon things, but back to the technical issues ...)

I'm guessing that ISPs in Pakistan have to peer with Pakistan Telecom; lots of countries work that way. You can see their peering list (at least a very recent one) here. So it's definitely a point at which one could control the country's Internet access, although this sort of ISP function doesn't have a handy "block this URL" function.

But when you only have a hammer, everything looks like a nail, I guess, and so Pakistan Telecom decided to follow the order by using routing functions. Networks like Pakistan Telecom, the ISPs they serve and the upstream providers elsewhere on the Internet to which they provide their customers access all have unique network identifiers called AS - or Autonomous System numbers - and AS names. Pakistan Telecom is AS17557 with the name "PKTELECOM-AS-AP Pakistan Telecom." These AS numbers are used by routers for basic functions, such as to announce what addresses they have in their networks. This whole system is known as the routing protocol BGP, or Border Gateway Protocol.

There is a trust model implicit in this system, making it subject to abuse, and Pakistan Telecom dealt with their problem by abusing it. It engaged in an attack known as BGP Injection. I'd like to thank Dave Rand of Trend Micro, who first brought the problem of BGP injection to my attention years ago. It's an attack with horrifying potential, and defenses against it are weak at best.

For a much better explanation of what Pakistan Telecom did, see this CircleID article. Essentially, PT told the world of Internet routing that it was the route to IP addresses for YouTube's service, and in fact they advertised it as the preferred route. Internet traffic all over the world started heading into Pakistan where there was, of course, no actual YouTube to show them videos of exploding Jello.

It looks like it took YouTube about 80 minutes to get the word out that its addresses had been hijacked, and providers began responding very quickly. The YouTube people seemed to be on the ball and the outage lasted anywhere from about 90 minutes to 2 hours, depending on what network you were on.

BGP Injection can be detected, if you're looking. It cannot be prevented. Imagine a rogue network in some relatively lawless part of the world advertising the IP addresses of Bank of America and put a fake site up on the appropriate server. Users would have a very hard time telling the difference. The address bar would say "www.bankofamerica.com." Network admins could tell that something had happened, but they would have to be looking for it. Not many companies look at their real-time BGP tables.

As Martin Brown, author of the CircleID piece says, it's trivial to perform this sort of attack. It's happened before, but not all that often (that we know of).

This case was certainly callous, but it's not the really worrisome form of BGP Injection. Could one of those really happen? Would a network operator actually be careless or malicious enough to do that? Of course they would. Just a matter of time.

Security Center Editor Larry Seltzer has worked in and written about the computer industry since 1983.

For insights on security coverage around the Web, take a look at eWEEK.com Security Center Editor Larry Seltzer's blog Cheap Hack.