HN Reader

There were BGP anomalies during the Venezuela blackout

941

449

> When BGP traffic is being sent from point A to point B, it can be rerouted through a point C. If you control point C, even for a few hours, you can theoretically collect vast amounts of intelligence that would be very useful for government entities. The CANTV AS8048 being prepended to the AS path 10 times means there the traffic would not prioritize this route through AS8048, perhaps that was the goal?

AS prepending is a relatively common method of traffic engineering to reduce traffic from a peer/provider. Looking at CANTV's (AS8048) announcements from outside that period shows they do this a lot.

Since this was detected as a BGP route leak, it looks like CANTV (AS8048) propagated routes from Telecom Italia Sparkle (AS6762) to GlobeNet Cabos Sumarinos Columbia (AS52320). This could have simply been a misconfiguration.

Nothing nefarious immediately jumps out to me here. I don't see any obvious attempts to hijack routes to Dayco Telecom (AS21980), which was the actual destination. The prepending would have made traffic less likely to transit over CANTV assuming there was any other route available.

The prepending done by CANTV does make it slightly easier to hijack traffic destined to it (though not really to Dayco), but that just appears to be something they just normally do.

This could be CANTV trying to force some users of GlobeNet to transit over them to Dayco I suppose, but leaving the prepending in would be an odd way of going about it. I suppose if you absolutely knew you were the shortest path length, there's no reason to remove the prepending, but a misconfiguration is usually the cause of these things.

1 month agoby Aloisius

I guess one of the interesting things I learnt off this article(1) was that 7% of DNS query types served by 1.1.1.1 are HTTPS and started wondering what HTTPS query type was as I had only heard of A, MX, AAAA, SPF etc...

Apparently that is part of implementing ECH (Encrypted Client Hello) in TLS 1.3 where the DNS hosts the public key of the server to fully encrypt the server name in a HTTPS request. Since Nginx and other popular web servers don't yet support it, I suspect the 7% of requests are mostly Cloudflare itself.

(1) https://radar.cloudflare.com/?ref=loworbitsecurity.com#dns-q...

1 month agoby narmiouh

This doesn't look like anything malicious, 8048 is just prepending these announcements to 52320.. If anything, it looks like 269832(MDS) had a couple hits to their tier 1 peers which caused these prepended announcements to become more visible to collectors.

1 month agoby binome

Was the OSRS economy affected by the strikes? I'm assuming they didn't disrupt internet access for most Venezuelan citizens but I have not looked into it yet.

1 month agoby DiggyJohnson

There were reports they had considered Christmas Day and New Year's Day. I wonder if it was far enough along that you could see similar BGP anomalies around those times.

1 month agoby subzidion

I wonder what kind of capabilities the US army didn't use during this operation.

1 month agoby kachapopopow

Does it mean that countries must not buy American telecom equipments? Snowden already revealed the intromission of the government in Cisco routers.

1 month agoby neves

Fascinating find and investigation. While there isn't a solid conclusion from it, glad it was written up, perhaps someone will be able to connect more dots with it.

1 month agoby holysoles

If you were not already entirely reliant on American tech before, this ought to convince you to put jump in with both feet. What could possibly go wrong?

1 month agoby cheema33

This is not unusual, CANTV has notoriously slow, expensive links, most ISPs in Venezuela would have it as a "backup" provider. If there is an outage of GlobeNet or TIM, it would cause those routes to disappear, leaving the CANTV routes up, which are heavily prepended to avoid routing through them on "normal" operations.

1 month agoby fobispo26

What would be the result of this? I think it would route data through Sparkle as a way of potentially spying on internet traffic without having compromised the network equipment within Venezuela, but I'm not familiar enough with network architecture to really understand what happened.

1 month agoby mywittyname

Alternative theory: Part of the operation caused power outages or disrupted some connections, the BGP anomalies were a result of that.

The data would make that more likely, because deliberately adding a longer route doesn't achieve much. It's not usually going to get any traffic.

1 month agoby t0mas88

For a length-15 ASpath to show up on the internet, a whole bunch of better routes need to disappear first, which seems to have happened here. But that disappearance is very likely unrelated to CANTV.

Furthermore, BGP routes can get "stuck", if some device doesn't handle a withdrawal correctly… this can lead to odd routes like the ones seen here. Especially combined with the long path length and disappearance of better routes.

1 month agoby eqvinox

There are two things that it's very important normies never learn much about: BGP and fractional reserve banking

1 month agoby bandrami

I wonder if this can be monitored on a global scale as a sort of predictor of “something gonna happen at country X”.

1 month agoby a1o

https://isbgpsafeyet.com

1 month agoby qwertydathug

Cyber-warfare capabilities on this level seem pretty horrific. What if you could simply turn off the power grid of Kyiv or Moscow in anticipation of a strike? That seems extremely disorientating. What if you could simply turn off the power grid indefinitely?

1 month agoby catigula

Is there a term for the distance between an acronym's first use and its definition?

1 month agoby fusslo

There are BGP anomalies every day.

1 month agoby fooker

Symbolic link to the Cloudflare RPKI status for CANTV.

[1]:https://radar.cloudflare.com/routing/as8048ref=loworbitsecur...

1 month agoby throwaway0x9AF4

1 month agoby pamcake

Look for the same with Greenland or Canada next :/

1 month agoby lawlessone

ELI5 for people not familiar in this domain?

1 month agoby bdcp

Solid OSINT methodology here. The 10x AS path prepending is the most interesting detail to me b/c typically you'd see prepending used to de-prioritize a route, which raises the question: was this about making traffic avoid CANTV, or was it a side effect of something else?

A few thoughts: - The affected prefixes (200.74.224.0/20 block → Dayco Telecom) hosting banks and ISPs feels significant. If you're doing pre-kinetic intelligence gathering, knowing the exact network topology and traffic patterns of critical infrastructure would be valuable. Even a few hours of passive collection through a controlled transit point could map out dependencies you'd want to understand before cutting power. - What's also notable is the transit path through Sparkle, which the author points out doesn't implement RPKI filtering. That's not an accident if you're planning something (you'd specifically choose providers with weaker validation). - The article stops short of drawing conclusions, which is the right call. BGP anomalies are common enough that correlation ≠ causation. But the timing and the specific infrastructure affected make this worth deeper analysis.

Would love to see someone with access to more complete BGP table dumps do a before/after comparison of routing stability for Venezuelan prefixes in that window.

1 month agoby 1zael

The only anomaly was military. As far as I can tell, Venezuela's AD was shut down, or told to shut down.

Didn't the US use Chinooks? They're supposed to be loud. And AD didn't take even one out.

If Venezuela as corrupt as most socialist countries, I have no doubt that someone in his inner circle gave him up.

Back in the days of our version of socialism we had Indian politicians selling out for $100K, leave alone $50M.

1 month agoby SanjayMehta

Some pretty spooky comments in this thread from accounts with pretty low comment histories too…

1 month agoby VanTheBrand

If the system eats its own analysts, the doctrine question becomes moot.

1 month agoby ianpenney

Typical cyber warfare techniques.

1 month agoby Ms-J

I assume that nuclear capability would rule out a target from this kind of snatch operation, and that this event will add pressure to proliferate.

1 month agoby delichon

1 month agoby freakynit

I never understood the (now decade old) argument of 'parts of the Internet cannot be shut down'

Clearly and empirically, BGP can shut off parts of the Internet, just as Trump wanted to do in 2015.

https://finance.yahoo.com/news/dear-donald-trump-no-you-1322...

1 month agoby 1970-01-01

Time for every country at threat from the US to invest in their own independent nuclear arsenal....

1 month agoby KnuthIsGod