Summarizer

> When BGP traffic is being sent from point A to point B, it can be rerouted through a point C. If you control point C, even for a few hours, you can theoretically collect vast amounts of intelligence that would be very useful for government entities. The CANTV AS8048 being prepended to the AS path 10 times means there the traffic would not prioritize this route through AS8048, perhaps that was the goal? AS prepending is a relatively common method of traffic engineering to reduce traffic from a peer/provider. Looking at CANTV's (AS8048) announcements from outside that period shows they do this a lot. Since this was detected as a BGP route leak, it looks like CANTV (AS8048) propagated routes from Telecom Italia Sparkle (AS6762) to GlobeNet Cabos Sumarinos Columbia (AS52320). This could have simply been a misconfiguration. Nothing nefarious immediately jumps out to me here. I don't see any obvious attempts to hijack routes to Dayco Telecom (AS21980), which was the actual destination. The prepending would have made traffic less likely to transit over CANTV assuming there was any other route available. The prepending done by CANTV does make it slightly easier to hijack traffic destined to it (though not really to Dayco), but that just appears to be something they just normally do. This could be CANTV trying to force some users of GlobeNet to transit over them to Dayco I suppose, but leaving the prepending in would be an odd way of going about it. I suppose if you absolutely knew you were the shortest path length, there's no reason to remove the prepending, but a misconfiguration is usually the cause of these things.

From bgp hijacking? Almost certainly not. It would probably rule out the type of decapitation strike the US did, but bgp hijacking is way way below on the escalation ladder.

This doesn't look like anything malicious, 8048 is just prepending these announcements to 52320.. If anything, it looks like 269832(MDS) had a couple hits to their tier 1 peers which caused these prepended announcements to become more visible to collectors.

There were reports they had considered Christmas Day and New Year's Day. I wonder if it was far enough along that you could see similar BGP anomalies around those times.

For a length-15 ASpath to show up on the internet, a whole bunch of better routes need to disappear first, which seems to have happened here. But that disappearance is very likely unrelated to CANTV. Furthermore, BGP routes can get "stuck", if some device doesn't handle a withdrawal correctly… this can lead to odd routes like the ones seen here. Especially combined with the long path length and disappearance of better routes.

I wonder if this can be monitored on a global scale as a sort of predictor of “something gonna happen at country X”.

What would be the result of this? I think it would route data through Sparkle as a way of potentially spying on internet traffic without having compromised the network equipment within Venezuela, but I'm not familiar enough with network architecture to really understand what happened.

Maybe there would be some benefit in just dropping some packets. For example to WhatsApp, Telegram, Gmail servers. Could add a communication delay that could be critical and denies people a fairly reliable fallback communication method.

The effect of this would be traffic from GlobeNet destined for Dayco would transit over CANTV's network for a period. I'm not sure why the author singled out Telecom Italia Sparkle.

BGP is so unsecure that almost anyone can create chaos.

Even by accident!

or even by normal load from someone deciding to split a /8 prefix into /24's

Most BGP peers have router filters in place. It's not 1996 anymore. I remember the days of logging into a Cisco connected to a Sprint T1 and seeing a coworker had fat fingered a spammer's route, sending it to null0. Oops. How did that happen?

There are BGP anomalies every day.

Alternative theory: Part of the operation caused power outages or disrupted some connections, the BGP anomalies were a result of that. The data would make that more likely, because deliberately adding a longer route doesn't achieve much. It's not usually going to get any traffic.

The BGP anomalies were 24-hours~ before the power outage, so I'm not sure I follow what you're arguing.

What I mean is that cause and effect here could be different then the author thinks. We see some route changes, but those changes make no sense on their own since they wouldn't capture any traffic. That makes it more probable that BGP was not the attack, but that some other action caused this BGP anomalie as a side effect. For example, maybe some misconfiguration caused these routes to be published because another route was lost. Which could very well be the actual cyber attack, or the effect of jamming, or breaking some undersea cable, or turning off the power to some place.

I think what the other commenter is saying is that the BGP changes happened 12 hours before any of the power loss/bomb drop, so that eliminates your primary cause.

I never understood the (now decade old) argument of 'parts of the Internet cannot be shut down' Clearly and empirically, BGP can shut off parts of the Internet, just as Trump wanted to do in 2015. https://finance.yahoo.com/news/dear-donald-trump-no-you-1322...

Symbolic link to the Cloudflare RPKI status for CANTV. [1]: https://radar.cloudflare.com/routing/as8048ref=loworbitsecur...