Animated visualization of Pakistan’s YouTube hijacking

Yesterday, Pakistan censored YouTube in such a way that YouTube became inaccessible to the greater Internet for a period of about two hours. It was a remarkable screw-up that required mistakes at multiple levels.

The gist of the story is that Pakistan Telecom, a Pakistani telecommunications company, advertised a /24 route for YouTube in a botched attempt at censoring YouTube from within Pakistan at the request of Pakistani officials. Unfortunately, Pakistan Telecom’s upstream provider, PCCW, didn’t filter that route. Because routers prefer the most specific matching prefix, the /24 superseded the less-specific /22 route YouTube already had on routers across most of the Internet. Within about two hours someone finally got through to PCCW and they disconnected Pakistan Telecom, making the bad route disappear. YouTube was thus accessible to the Internet once more.

Now you can see all of this insanity in a graphical fashion thanks to BGPlay, a graphical visualization of BGP routes in the form of a Java applet. Visit the site, click the “Start BGPlay” button, and type in as the prefix. Then set the date range to 23/2/2008 to 25/2/2008 (European date notation). Then hit OK.

Settings to view YouTube hijacking

A graphical schematic will come up showing a cloud of numbers. These are the autonomous system (AS) numbers of the various networks that comprise the backbone of the Internet. The three main numbers to watch for are 36561, which is YouTube, 17557, which is Pakistan Telecom, and 3491, which is Beyond the Network America, a wholly-owned subsidiary of Hong Kong-based PCCW. Hit the Play button to begin the animation.

What you’re going to see is a succession of routes being established through BTN to Pakistan Telecom. This is the hijacking. Notice that it all unfolds within a period of two minutes, beginning at 2008-02-24 18:47 and ending at 2008-02-24 18:49. Here’s what it looks like at the height of the hijacking. Note that all routes are now pointing to Pakistan Telecom, and nothing can reach YouTube.

At the height of YouTube’s hijacking

Then, at 2008-02-24 20:07, BTN disconnects Pakistan Telecom, and by 2008-02-24 21:01, all of the routes are correctly pointing back to YouTube again. Here’s what the correct routing structure looks like post-hijacking. Note how most routes go through 3549, which is Global Crossing Ltd., presumably a correct upstream provider of YouTube’s connection.

The network graph after the hijacking ends

After seeing this animation, there should be no doubts left in anyone’s mind as to what happened. This visualization is based directly off of the Internet routing logs.
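The route selection behind the hijack described above (the /24 superseding the less-specific /22), as an added example that is not part of the original post. It also goes one step further with a monitoring check that flags an announcement inside a watched prefix from an unexpected origin AS. The prefixes are constructed placeholders, the function names are hypothetical, and the AS numbers are the ones named in the post.

```python
import ipaddress

# Constructed data: the prefixes are private-range placeholders, not YouTube's
# real prefixes (the post does not list them). AS numbers are from the post.
YOUTUBE_AS, PAKISTAN_TELECOM_AS = 36561, 17557
RIB_BEFORE = [("10.20.0.0/22", YOUTUBE_AS)]
RIB_DURING = RIB_BEFORE + [("10.20.1.0/24", PAKISTAN_TELECOM_AS)]

def best_route(rib, dst):
    """Longest-prefix match: of all routes covering dst, the most specific wins."""
    addr = ipaddress.ip_address(dst)
    covering = [(ipaddress.ip_network(p), asn) for p, asn in rib]
    covering = [(net, asn) for net, asn in covering if addr in net]
    if not covering:
        return None
    net, asn = max(covering, key=lambda r: r[0].prefixlen)
    return str(net), asn

def suspicious_announcements(monitored, updates):
    """Flag announcements inside a monitored prefix whose origin AS is not
    on that prefix's allow-list (hypothetical monitoring check)."""
    alerts = []
    for prefix, origin in updates:
        net = ipaddress.ip_network(prefix)
        for mon_prefix, allowed in monitored.items():
            mon = ipaddress.ip_network(mon_prefix)
            if net.version != mon.version or not net.subnet_of(mon):
                continue
            if origin not in allowed:
                kind = "more-specific" if net.prefixlen > mon.prefixlen else "same-prefix"
                alerts.append((prefix, origin, kind))
    return alerts

if __name__ == "__main__":
    print(best_route(RIB_BEFORE, "10.20.1.5"))
    print(best_route(RIB_DURING, "10.20.1.5"))
    updates = [("10.20.0.0/22", YOUTUBE_AS), ("10.20.1.0/24", PAKISTAN_TELECOM_AS)]
    print(suspicious_announcements({"10.20.0.0/22": {YOUTUBE_AS}}, updates))
```

An upstream filter that accepted only the customer's registered prefixes would have dropped the /24 before it reached the second function's alert stage.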

  1. Darmok Says:

    Wow, that’s pretty impressive to see it like that.