Pakistan's YouTube Censorship Triggers Worldwide Outage
February 26, 2008
The Pakistan Telecommunication Authority’s deputy director for enforcement sent a memo announcing the ban to major ISPs on Feb. 22. The PTA asked Pakistani ISPs to block access to three IP addresses that are associated with YouTube’s site. The ISPs could have used one of several methods to block access to the IP addresses, said Danny McPherson, chief research officer at security provider Arbor Networks.For a couple of hours on Sunday, access to YouTube worldwide was cut, the result of the Pakistani government’s banning YouTube in their country.Access to YouTube elsewhere was restored after two hours or so, but the question on everyone’s minds is, can this happen again?
Why the Ban?
Reports say the Pakistan Telecommunication Authority (PTA) imposed the ban for two reasons: Controversial Danish cartoons of the Prophet Muhammad were posted on YouTube, and the site carried a trailer for a forthcoming film by Dutch politician Geert Wilders portraying Islam as a fascist religion prone to inciting violence against women and homosexuals.The cartoons caused a furor among Muslims worldwide when they were printed in a Danish newspaper in 2005 — riots led to at least 50 deaths and attacks on three Danish embassies. Earlier this month, they were reprinted by several Danish newspapers in response to a recently uncovered plot to murder the cartoonist.The PTA urged Pakistani Internet users to write YouTube requesting the offending materials be removed. It has told Pakistan ‘s 70-odd Internet service providers that YouTube will be banned until further notice. The PTA’s deputy director for enforcement sent memo announcing the ban to major ISPs on Feb. 22.
The Technical Details
The PTA asked Pakistani ISPs to block access to three IP addresses that are associated with YouTube’s site.The ISPs could have used one of several methods to block access to the IP addresses, Danny McPherson, chief research officer at network infrastructure security provider Arbor Networks, as quoted by TechNewsWorld.They could have deployed access-control lists on all their router interfaces leading to those addresses; route the three IP addresses to a null, the ISP equivalent of a black hole on the network; or basically have all packets that were being sent to or from those three IP addresses automatically discarded by the network.The second option requires the ISPs to add static routes to every router in their networks. However, the effect of that is to tell the world that traffic to those three IP addresses should be sent to the ISPs instead of to YouTube.This, in essence, is what happened. The fact that today anyone connected to the Internet could potentially go out and announce reachability for anyone else in the Internet space is a huge problem.
A Complicated Problem
YouTube is working to prevent similar problems recurring. “We are investigating and working with others in the Internet community to prevent this from happening again,” states YouTube spokesperson Kathleen Fitzgerald.
Will that work? Probably not.
There’s no authoritative source on the Internet for who owns what address space where you could do real-time address changes.What about the Internet Routing Registry, with which ISPs register Internet addresses? “The problem is that, when your customers get new address spaces, you may not update that,” McPherson said. “You don’t have automated updates, no one does any filtering, and it’s this huge vulnerability.”Part of the problem is that the Border Gateway Protocol, which Internet service providers use BGP to inform each other which IP address goes where, is not robust. BGP works by maintaining a table of IP networks or “prefixes,” which designate network reachability among autonomous systems. It makes routing decisions based on path, network policies and rule sets.BGP was developed in an attempt to prevent anyone from, essentially, hijacking someone else’s IP addresses, as happened to YouTube, but it has a lot of holes. Remember, basically the Internet’s simply a bunch of loosely connected networks run by different administrators.