Summarizer

Network Route Leak Mechanics

BGP4MP data format analysis, AS path anomalies, prefix announcements, route withdrawal handling, stuck routes phenomena

← Back to There were BGP anomalies during the Venezuela blackout

While BGP route leaks can theoretically facilitate state-level intelligence gathering, analysts suggest that the CANTV incident was likely a benign misconfiguration rather than a coordinated hijack. The heavy use of AS prepending actually worked to deprioritize the path, indicating that the leak likely stemmed from a "loose" export policy that redistributed prefixes when superior routes became unavailable. Ultimately, the appearance of these anomalously long paths can often be attributed to "stuck" routes or routine traffic engineering rather than nefarious intent.

6 comments tagged with this topic

View on HN · Topics
> When BGP traffic is being sent from point A to point B, it can be rerouted through a point C. If you control point C, even for a few hours, you can theoretically collect vast amounts of intelligence that would be very useful for government entities. The CANTV AS8048 being prepended to the AS path 10 times means there the traffic would not prioritize this route through AS8048, perhaps that was the goal? AS prepending is a relatively common method of traffic engineering to reduce traffic from a peer/provider. Looking at CANTV's (AS8048) announcements from outside that period shows they do this a lot. Since this was detected as a BGP route leak, it looks like CANTV (AS8048) propagated routes from Telecom Italia Sparkle (AS6762) to GlobeNet Cabos Sumarinos Columbia (AS52320). This could have simply been a misconfiguration. Nothing nefarious immediately jumps out to me here. I don't see any obvious attempts to hijack routes to Dayco Telecom (AS21980), which was the actual destination. The prepending would have made traffic less likely to transit over CANTV assuming there was any other route available. The prepending done by CANTV does make it slightly easier to hijack traffic destined to it (though not really to Dayco), but that just appears to be something they just normally do. This could be CANTV trying to force some users of GlobeNet to transit over them to Dayco I suppose, but leaving the prepending in would be an odd way of going about it. I suppose if you absolutely knew you were the shortest path length, there's no reason to remove the prepending, but a misconfiguration is usually the cause of these things.
View on HN · Topics
CANTV (AS8048) is a correct upstream transit provider for Dayco (AS21980) as seen in both https://radar.cloudflare.com/routing/as21980#connectivity and https://bgp.tools/as/21980#upstreams What most likely happened, instead of a purposeful attempt to leak routes and MITM traffic, is CANTV had too loose of a routing export policy facing their upstream AS52320 neighbor, and accidentally redistributed the Dayco prefixes that they learned indirectly from Sparkle (AS6762) when the direct Dayco routes became unavailable to them. This is a pretty common mistake and would explain the leak events that were written about here.
View on HN · Topics
This doesn't look like anything malicious, 8048 is just prepending these announcements to 52320.. If anything, it looks like 269832(MDS) had a couple hits to their tier 1 peers which caused these prepended announcements to become more visible to collectors.
View on HN · Topics
For a length-15 ASpath to show up on the internet, a whole bunch of better routes need to disappear first, which seems to have happened here. But that disappearance is very likely unrelated to CANTV. Furthermore, BGP routes can get "stuck", if some device doesn't handle a withdrawal correctly… this can lead to odd routes like the ones seen here. Especially combined with the long path length and disappearance of better routes.
View on HN · Topics
Even by accident!
View on HN · Topics
or even by normal load from someone deciding to split a /8 prefix into /24's