Summarizer

OSINT Methodology

Public BGP datasets, bgpdump tools, RIPE data analysis, Cloudflare Radar usage, investigative techniques

← Back to There were BGP anomalies during the Venezuela blackout

The discussion highlights the intersection of BGP routing analysis and geopolitical OSINT, debating whether recent anomalies in Venezuelan network traffic represent accidental route leaks or deliberate "pre-kinetic" intelligence gathering. While some contributors argue that loose export policies and common configuration errors explain the shifts, others find the 10x AS path prepending and the specific timing—occurring just hours before physical infrastructure failures—too suspicious to ignore. Beyond routing, the analysis explores how DNS query patterns and RPKI filtering gaps can be leveraged as predictive indicators for geopolitical events or to map out the dependencies of critical infrastructure. Ultimately, these perspectives suggest that while BGP anomalies are frequently benign, their correlation with regional tensions makes them a potent, albeit complex, tool for modern investigative monitoring.

13 comments tagged with this topic

View on HN · Topics
CANTV (AS8048) is a correct upstream transit provider for Dayco (AS21980) as seen in both https://radar.cloudflare.com/routing/as21980#connectivity and https://bgp.tools/as/21980#upstreams. What most likely happened, instead of a purposeful attempt to leak routes and MITM traffic, is CANTV had too loose of a routing export policy facing their upstream AS52320 neighbor, and accidentally redistributed the Dayco prefixes that they learned indirectly from Sparkle (AS6762) when the direct Dayco routes became unavailable to them. This is a pretty common mistake and would explain the leak events that were written about here.
View on HN · Topics
I guess one of the interesting things I learnt off this article(1) was that 7% of DNS query types served by 1.1.1.1 are HTTPS and started wondering what the HTTPS query type was, as I had only heard of A, MX, AAAA, SPF etc... Apparently that is part of implementing ECH (Encrypted Client Hello) in TLS 1.3 where the DNS hosts the public key of the server to fully encrypt the server name in an HTTPS request. Since Nginx and other popular web servers don't yet support it, I suspect the 7% of requests are mostly Cloudflare itself. (1) https://radar.cloudflare.com/?ref=loworbitsecurity.com#dns-q...
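The HTTPS record type the comment above is asking about carries its data as SvcParams, and the ECH configuration a TLS client needs to encrypt the server name travels in the `ech` parameter (key 5). The following is an added example written for this page, not code from the thread, from Cloudflare or from any web server project: it decodes the RDATA of an HTTPS record according to RFC 9460 and reports whether an ech parameter is published. The record bytes are constructed for illustration, and the ech value is an opaque stand-in rather than a real ECHConfigList.

```python
"""Decode the RDATA of a DNS HTTPS (type 65) record and report its
SvcParams, in particular whether an "ech" parameter (key 5) is present.

Added example for this page, not code from the thread or from Cloudflare.
Wire layout follows RFC 9460 (SVCB/HTTPS): SvcPriority (u16), TargetName
(wire-format name), then SvcParams as key (u16) | length (u16) | value,
with keys in strictly increasing order. The record bytes below are
constructed; the ech value is an opaque stand-in, not a real ECHConfigList."""
import struct

SVCPARAM_KEYS = {0: "mandatory", 1: "alpn", 2: "no-default-alpn", 3: "port",
                 4: "ipv4hint", 5: "ech", 6: "ipv6hint"}


def _read_name(data, pos):
    """Read an uncompressed wire-format name starting at pos.
    Returns (dotted name, position after the name); the root is '.'."""
    labels = []
    while True:
        length = data[pos]
        pos += 1
        if length == 0:
            break
        if length >= 0xC0:
            raise ValueError("compression pointers are not allowed in SVCB RDATA")
        labels.append(data[pos:pos + length].decode("ascii"))
        pos += length
    return (".".join(labels) if labels else "."), pos


def parse_https_rdata(rdata):
    """Return {'priority', 'target', 'params'} for one HTTPS RR's RDATA."""
    priority, = struct.unpack_from("!H", rdata, 0)
    target, pos = _read_name(rdata, 2)
    params, last_key = {}, -1
    while pos < len(rdata):
        key, length = struct.unpack_from("!HH", rdata, pos)
        pos += 4
        if key <= last_key:               # RFC 9460: keys strictly increasing
            raise ValueError("SvcParamKeys must be strictly increasing")
        last_key = key
        value = rdata[pos:pos + length]
        if len(value) != length:
            raise ValueError("truncated SvcParam value")
        pos += length
        name = SVCPARAM_KEYS.get(key, f"key{key}")
        if key == 1:                      # alpn: list of length-prefixed ids
            alpns, i = [], 0
            while i < len(value):
                n = value[i]
                alpns.append(value[i + 1:i + 1 + n].decode("ascii"))
                i += 1 + n
            params[name] = alpns
        elif key == 3:                    # port: single u16
            params[name] = struct.unpack("!H", value)[0]
        elif key == 4:                    # ipv4hint: packed 4-byte addresses
            params[name] = [".".join(str(b) for b in value[i:i + 4])
                            for i in range(0, len(value), 4)]
        else:                             # ech and anything else: raw bytes
            params[name] = value
    return {"priority": priority, "target": target, "params": params}


def publishes_ech(record):
    """True if the record carries a non-empty ech SvcParam, i.e. the zone
    publishes ECH configuration a TLS client can use to hide the SNI."""
    return len(record["params"].get("ech", b"")) > 0


def _svcparam(key, value):
    return struct.pack("!HH", key, len(value)) + value


# Constructed sample: priority 1, TargetName "." (the owner name itself),
# alpn h3/h2, an ipv4hint in TEST-NET-3, and a placeholder ech value.
ECH_PLACEHOLDER = b"\x00\x0c" + b"ECHCFG-DUMMY"   # NOT a real ECHConfigList
SAMPLE_RDATA = (struct.pack("!H", 1) + b"\x00"
                + _svcparam(1, b"\x02h3\x02h2")
                + _svcparam(4, bytes([203, 0, 113, 10]))
                + _svcparam(5, ECH_PLACEHOLDER))
NO_ECH_RDATA = struct.pack("!H", 1) + b"\x00" + _svcparam(1, b"\x02h2")

if __name__ == "__main__":
    for blob in (SAMPLE_RDATA, NO_ECH_RDATA):
        rec = parse_https_rdata(blob)
        print(rec["target"], rec["params"].get("alpn"), "ech:", publishes_ech(rec))
```

Feeding `parse_https_rdata` the RDATA bytes of a real HTTPS answer tells you whether a zone publishes ECH at all; the strict key-ordering and length checks matter because a resolver or client that accepts malformed SvcParams is one more parser to fuzz.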
View on HN · Topics
There’s an odd skew in that data which is saying the *third* most popular TLD is ‘.st’ which is… unexpected. The biggest service I can find using that TLD is `play.st` so maybe PlayStation clients are early adopters of DNS-over-HTTPS via 1.1.1.1.
View on HN · Topics
There were reports they had considered Christmas Day and New Year's Day. I wonder if it was far enough along that you could see similar BGP anomalies around those times.
View on HN · Topics
Not from the Cloudflare dashboard, you can zoom out. The night of the attack doesn't even really stand out as abnormal when zooming out that far.
View on HN · Topics
So you're saying I can't set an alert for these conditions and use the timing to place a quick bet on the geopolitical polymarket du-jour? https://finance.yahoo.com/news/one-polymarket-user-made-more...
View on HN · Topics
Yeah, I was thinking it definitely needs to be correlated to geopolitical tensions in some way. Polymarket data might be helpful in this case, and provides incentives for putting this kind of data together.
View on HN · Topics
Fascinating find and investigation. While there isn't a solid conclusion from it, glad it was written up, perhaps someone will be able to connect more dots with it.
View on HN · Topics
The BGP anomalies were ~24 hours before the power outage, so I'm not sure I follow what you're arguing.
View on HN · Topics
I think what the other commenter is saying is that the BGP changes happened 12 hours before any of the power loss/bomb drop, so that eliminates your primary cause.
View on HN · Topics
I wonder if this can be monitored on a global scale as a sort of predictor of “something gonna happen at country X”.
View on HN · Topics
Solid OSINT methodology here. The 10x AS path prepending is the most interesting detail to me b/c typically you'd see prepending used to de-prioritize a route, which raises the question: was this about making traffic avoid CANTV, or was it a side effect of something else? A few thoughts:
- The affected prefixes (200.74.224.0/20 block → Dayco Telecom) hosting banks and ISPs feels significant. If you're doing pre-kinetic intelligence gathering, knowing the exact network topology and traffic patterns of critical infrastructure would be valuable. Even a few hours of passive collection through a controlled transit point could map out dependencies you'd want to understand before cutting power.
- What's also notable is the transit path through Sparkle, which the author points out doesn't implement RPKI filtering. That's not an accident if you're planning something (you'd specifically choose providers with weaker validation).
- The article stops short of drawing conclusions, which is the right call. BGP anomalies are common enough that correlation ≠ causation. But the timing and the specific infrastructure affected make this worth deeper analysis. Would love to see someone with access to more complete BGP table dumps do a before/after comparison of routing stability for Venezuelan prefixes in that window.
View on HN · Topics
Symbolic link to the Cloudflare RPKI status for CANTV. [1]: https://radar.cloudflare.com/routing/as8048ref=loworbitsecur...