> When BGP traffic is being sent from point A to point B, it can be rerouted through a point C. If you control point C, even for a few hours, you can theoretically collect vast amounts of intelligence that would be very useful for government entities.
The CANTV AS8048 being prepended to the AS path 10 times means that traffic would not prioritize this route through AS8048; perhaps that was the goal?
AS prepending is a relatively common method of traffic engineering to reduce traffic from a peer/provider. Looking at CANTV's (AS8048) announcements from outside that period shows they do this a lot.
Since this was detected as a BGP route leak, it looks like CANTV (AS8048) propagated routes from Telecom Italia Sparkle (AS6762) to GlobeNet Cabos Submarinos Colombia (AS52320). This could have simply been a misconfiguration.
Nothing nefarious immediately jumps out to me here. I don't see any obvious attempts to hijack routes to Dayco Telecom (AS21980), which was the actual destination. The prepending would have made traffic less likely to transit over CANTV assuming there was any other route available.
The prepending done by CANTV does make it slightly easier to hijack traffic destined to it (though not really to Dayco), but that just appears to be something they normally do.
This could be CANTV trying to force some users of GlobeNet to transit over them to Dayco I suppose, but leaving the prepending in would be an odd way of going about it. I suppose if you absolutely knew you were the shortest path length, there's no reason to remove the prepending, but a misconfiguration is usually the cause of these things.
What most likely happened, instead of a purposeful attempt to leak routes and MITM traffic, is CANTV had too loose of a routing export policy facing their upstream AS52320 neighbor, and accidentally redistributed the Dayco prefixes that they learned indirectly from Sparkle (AS6762) when the direct Dayco routes became unavailable to them.
This is a pretty common mistake and would explain the leak events that were written about here.
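The reasoning in the two comments above (prepending is routine; the leak is a provider-learned route re-exported toward another provider) is mechanical enough to check programmatically. What follows is an added example, not code from the newsletter, the commenters or any of the operators named: it parses constructed AS paths modelled on the thread's description, collapses prepends, reports the longest prepend run, and applies the valley-free rule to name the AS that re-exported a route it should not have. The AS relationships it uses are assumptions written into the code for illustration only: AS8048 as a customer of both AS52320 and AS6762, and AS21980 as a customer of AS6762. The leak labels follow the RFC 7908 taxonomy.

```python
from dataclasses import dataclass

# Constructed AS_PATH strings modelled on the thread's description; not real collector data.
# BGP AS_PATH order: leftmost AS is nearest the collector, rightmost AS is the origin.
SAMPLE_PATHS = {
    "dayco_direct": "6762 21980",
    "dayco_leaked": "52320 " + " ".join(["8048"] * 10) + " 6762 21980",
    "cantv_own": "52320 " + " ".join(["8048"] * 10),
}

# ASSUMED relationships for illustration only: (provider, customer) pairs.
# That AS8048 buys transit from both AS52320 and AS6762, and AS21980 from AS6762,
# is an assumption made for this example, not a fact established by the page.
PROVIDER_OF = {(52320, 8048), (6762, 8048), (6762, 21980)}
PEERS = set()  # settlement-free peerings as frozenset({a, b}); none in the sample data

# RFC 7908 leak types, keyed by (how the leaker learned the route, where it re-exported it)
LEAK_TYPES = {
    ("down", "up"): "Type 1: hairpin turn, provider-learned route exported to another provider",
    ("flat", "flat"): "Type 2: lateral ISP-ISP-ISP leak, peer-learned route exported to a peer",
    ("down", "flat"): "Type 3: provider-learned route exported to a peer",
    ("flat", "up"): "Type 4: peer-learned route exported to a provider",
}


def parse_as_path(text: str) -> list:
    return [int(tok) for tok in text.split()]


def collapse_prepends(path: list) -> list:
    """Remove consecutive repeats so '8048 8048 8048' counts as one hop."""
    out = []
    for asn in path:
        if not out or out[-1] != asn:
            out.append(asn)
    return out


def max_prepend(path: list) -> tuple:
    """(asn, run_length) of the longest consecutive run; (None, 0) for an empty path."""
    best, run = (None, 0), 0
    for i, asn in enumerate(path):
        run = run + 1 if i and path[i - 1] == asn else 1
        if run > best[1]:
            best = (asn, run)
    return best


def hop_direction(sender: int, receiver: int):
    """One propagation hop: customer->provider is 'up', provider->customer 'down', peer 'flat'."""
    if (receiver, sender) in PROVIDER_OF:
        return "up"
    if (sender, receiver) in PROVIDER_OF:
        return "down"
    if frozenset((sender, receiver)) in PEERS:
        return "flat"
    return None


def find_leak(path: list):
    """Valley-free rule (up* flat? down*) walked from the origin toward the collector.

    Returns (leaking_asn, rfc7908_label) for the first AS that re-exported a route it
    learned from a provider or peer toward another provider or peer, else None.
    """
    p = collapse_prepends(path)
    # dirs[i] describes the hop from p[-1 - i] (sender) to p[-2 - i] (receiver)
    dirs = []
    for i in range(len(p) - 1, 0, -1):
        d = hop_direction(p[i], p[i - 1])
        if d is None:
            raise ValueError(f"no relationship on file for AS{p[i]} -> AS{p[i - 1]}")
        dirs.append(d)
    descended = False
    for i, d in enumerate(dirs):
        if descended and d in ("up", "flat"):
            return p[len(p) - 1 - i], LEAK_TYPES[(dirs[i - 1], d)]
        if d in ("down", "flat"):
            descended = True
    return None


def analyse(text: str) -> dict:
    path = parse_as_path(text)
    return {"path_len": len(path), "collapsed": collapse_prepends(path),
            "max_prepend": max_prepend(path), "leak": find_leak(path)}


if __name__ == "__main__":
    for name, text in SAMPLE_PATHS.items():
        print(name, analyse(text))
```

Run as a script it prints the analysis for the three sample paths: the leaked path reports AS8048 as the leaker with a Type 1 (hairpin) label, while CANTV's own ten-times-prepended announcement is valley-free, which is the "prepending is normal, the export is the problem" distinction the comments draw. In real use the relationship table would come from an AS-relationship inference dataset or the operator's own peering records, and the paths from a collector's MRT dump.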
I guess one of the interesting things I learnt from this article (1) was that 7% of DNS query types served by 1.1.1.1 are HTTPS, and I started wondering what the HTTPS query type was, as I had only heard of A, MX, AAAA, SPF etc...
Apparently that is part of implementing ECH (Encrypted Client Hello) in TLS 1.3, where the DNS hosts the public key of the server to fully encrypt the server name in an HTTPS request. Since Nginx and other popular web servers don't yet support it, I suspect the 7% of requests are mostly Cloudflare itself.
It’s also how browsers detect a website supports HTTP3. Browsers will request it just to check if they should connect to an https:// URL via HTTP3 (though they generally don’t block on it - they fallback to HTTP1/2 if it takes too long).
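For anyone who, like the commenter above, had not met the HTTPS record type: it is the SVCB-form record from RFC 9460, and the two uses the comments mention, HTTP/3 discovery and ECH, are both just SvcParams in it (alpn, key 1, and ech, key 5). The following is an added example, not code from the page or from Cloudflare, that encodes and decodes the wire format of an HTTPS RDATA (a subset of the SvcParam registry: alpn, ipv4hint, ech) and then answers the two questions a client asks of the record. The sample record is constructed: the ech value is placeholder bytes, not a real ECHConfigList, and the address hint is RFC 5737 documentation space.

```python
import socket
import struct
from dataclasses import dataclass, field

# Subset of the RFC 9460 SvcParamKey registry this example understands
KEY_BY_NAME = {"alpn": 1, "ipv4hint": 4, "ech": 5}
NAME_BY_KEY = {v: k for k, v in KEY_BY_NAME.items()}

@dataclass
class HttpsRecord:
    priority: int   # 0 = AliasMode, >0 = ServiceMode
    target: str     # "." means the owner name itself
    params: dict = field(default_factory=dict)

def encode_name(name: str) -> bytes:
    if name in ("", "."):
        return b"\x00"
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError(f"bad label {label!r}")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"

def decode_name(buf: bytes, pos: int):
    labels = []
    while buf[pos] != 0:
        n = buf[pos]
        if n >= 0xC0:  # RFC 9460 forbids name compression inside SVCB/HTTPS RDATA
            raise ValueError("compression pointer in TargetName")
        labels.append(buf[pos + 1:pos + 1 + n].decode("ascii"))
        pos += 1 + n
    return (".".join(labels) + "." if labels else "."), pos + 1

def _encode_value(name: str, value) -> bytes:
    if name == "alpn":  # each ALPN id is prefixed by its length in one octet
        return b"".join(bytes([len(p)]) + p.encode("ascii") for p in value)
    if name == "ipv4hint":
        return b"".join(socket.inet_aton(a) for a in value)
    return bytes(value)  # ech: opaque ECHConfigList, passed through untouched

def _decode_value(name: str, raw: bytes):
    if name == "alpn":
        out, pos = [], 0
        while pos < len(raw):
            n = raw[pos]
            out.append(raw[pos + 1:pos + 1 + n].decode("ascii"))
            pos += 1 + n
        return out
    if name == "ipv4hint":
        return [socket.inet_ntoa(raw[i:i + 4]) for i in range(0, len(raw), 4)]
    return raw  # ech and unknown keys stay opaque

def encode_https(rec: HttpsRecord) -> bytes:
    out = struct.pack(">H", rec.priority) + encode_name(rec.target)
    for name in sorted(rec.params, key=KEY_BY_NAME.__getitem__):  # keys MUST be strictly increasing
        value = _encode_value(name, rec.params[name])
        out += struct.pack(">HH", KEY_BY_NAME[name], len(value)) + value
    return out

def decode_https(wire: bytes) -> HttpsRecord:
    priority = struct.unpack(">H", wire[:2])[0]
    target, pos = decode_name(wire, 2)
    params, last_key = {}, -1
    while pos < len(wire):
        key, length = struct.unpack(">HH", wire[pos:pos + 4])
        pos += 4
        if key <= last_key:
            raise ValueError("SvcParamKeys must be strictly increasing (no duplicates)")
        if pos + length > len(wire):
            raise ValueError("SvcParam value overruns the RDATA")
        name = NAME_BY_KEY.get(key, f"key{key}")
        params[name] = _decode_value(name, wire[pos:pos + length])
        pos, last_key = pos + length, key
    return HttpsRecord(priority, target, params)

def is_well_formed(wire: bytes) -> bool:
    try:
        decode_https(wire)
        return True
    except (ValueError, IndexError, struct.error, UnicodeDecodeError):
        return False

def client_view(rec: HttpsRecord) -> dict:
    """What a browser learns: try HTTP/3 if "h3" is in alpn; ECH is possible only with an ech param."""
    service_mode = rec.priority > 0
    return {"http3": service_mode and "h3" in rec.params.get("alpn", []),
            "ech": service_mode and "ech" in rec.params}

# Constructed sample record. The ech bytes are a placeholder, NOT a real ECHConfigList;
# 192.0.2.1 is RFC 5737 documentation space.
SAMPLE = HttpsRecord(priority=1, target=".",
                     params={"alpn": ["h3", "h2"], "ipv4hint": ["192.0.2.1"],
                             "ech": bytes.fromhex("000afe0d0006deadbeefcafe")})
SAMPLE_WIRE = encode_https(SAMPLE)
# Constructed malformed RDATA: ech (key 5) appears before alpn (key 1).
BAD_WIRE = struct.pack(">H", 1) + b"\x00" + struct.pack(">HH", 5, 2) + b"\x00\x00" + struct.pack(">HH", 1, 3) + b"\x02h3"
```

The decoder enforces the two checks RFC 9460 puts on a parser (strictly increasing keys, values that stay inside the RDATA) and refuses compression pointers in the target name; `client_view` is the whole of what the HTTP/3 and ECH decisions in the comments above depend on, which is why a resolver that answers HTTPS queries at all is enough to drive that 7%.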
There’s an odd skew in that data which is saying the *third* most popular TLD is ‘.st’ which is… unexpected. The biggest service I can find using that TLD is `play.st` so maybe PlayStation clients are early adopters of DNS-over-HTTPS via 1.1.1.1.
This doesn't look like anything malicious, 8048 is just prepending these announcements to 52320. If anything, it looks like 269832 (MDS) had a couple of hits to their tier 1 peers which caused these prepended announcements to become more visible to collectors.
Was the OSRS economy affected by the strikes? I'm assuming they didn't disrupt internet access for most Venezuelan citizens but I have not looked into it yet.
I run an OSRS market analysis/flipping site, and have been keeping an eye on the effects.
The short answer is that there hasn't been a ton of movement across the market at large, but since Saturday, bonds have been swinging up towards the all-time high they set last December. Can't say for certain that that movement is tied to VZ though.
My clanmates and I noticed that some of the more popular goldfarming hotspots were much less populated that day. Rev caves, Zalcano, etc. Not sure about impacts for the broader economy though. Maybe FlippingOldSchool will release a video analyzing the economic trends over the course of that week? Would be interesting for sure.
There were reports they had considered Christmas Day and New Year's Day. I wonder if it was far enough along that you could see similar BGP anomalies around those times.
Let’s be honest, that was a crazy operation. I wonder whether they really secured all chances of success, or just winged it with chances of not depositing the leader, and him being able to summon his diplomatic relations in 50 countries to declare war on the USA.
While on their way out, if the USA could set everything back to IPv6, that would be nice.
Fascinating find and investigation. While there isn't a solid conclusion from it, glad it was written up, perhaps someone will be able to connect more dots with it.
If you were not already entirely reliant on American tech before, this ought to convince you to jump in with both feet. What could possibly go wrong?
There is not really any reason to conclude that "American tech" was responsible for this attack. If anything, given all the sanctions Venezuela was under and how friendly they are with China, I would be surprised if they were using American tech in their infrastructure.
[Of course I agree with the broader point of don't become dependent on the technology of your geopolitical enemies]
Technology is notoriously expensive to develop and manufacture. One must either have native capacity (and thus, the wealth) to do so, or must get it from someone else.
Other Western/US-aligned countries might have the ability to do so, albeit at geopolitical and economic cost, because the only thing you're likely to gain from kicking the US out of your tech stack and infrastructure is a tech stack and infrastructure free of the US. Meanwhile American companies will be developing new features and ways of doing things that add economic value. So at best, a wash economically. Maybe the geopolitical implications are enticing enough.
Places like Venezuela? Nah. They'll be trading the ability of Americans to jack with their tech infrastructure for the ability of the PRC, Non-US Western nations, or Russia to jack with their tech stack.
The geopolitics of technology are a lot like a $#1+ sandwich: the more bread you have, the less of someone else's $#1+ you have to eat.
This is not unusual, CANTV has notoriously slow, expensive links, most ISPs in Venezuela would have it as a "backup" provider. If there is an outage of GlobeNet or TIM, it would cause those routes to disappear, leaving the CANTV routes up, which are heavily prepended to avoid routing through them on "normal" operations.
What would be the result of this? I think it would route data through Sparkle as a way of potentially spying on internet traffic without having compromised the network equipment within Venezuela, but I'm not familiar enough with network architecture to really understand what happened.
Maybe there would be some benefit in just dropping some packets. For example to WhatsApp, Telegram, Gmail servers. Could add a communication delay that could be critical and denies people a fairly reliable fallback communication method.
> The newsletter suggests “BGP shenanigans” and posits that such a leak could be exploited to collect intelligence useful to government entities.
>
> While we can’t say with certainty what caused this route leak, our data suggests that its likely cause was more mundane.
For a length-15 AS path to show up on the internet, a whole bunch of better routes need to disappear first, which seems to have happened here. But that disappearance is very likely unrelated to CANTV.
Furthermore, BGP routes can get "stuck", if some device doesn't handle a withdrawal correctly… this can lead to odd routes like the ones seen here. Especially combined with the long path length and disappearance of better routes.
Cyber-warfare capabilities on this level seem pretty horrific. What if you could simply turn off the power grid of Kyiv or Moscow in anticipation of a strike? That seems extremely disorientating. What if you could simply turn off the power grid indefinitely?
Russia attacks Ukrainian power grid on a weekly basis. Not only with cyber-attacks but with actual bombs. Over Christmas 750k homes in Kyiv were without power or heating. This is not a hypothetical it's daily reality for millions of people in Ukraine.
Something like this more or less happened during the initial Israeli strike on Iran ?
From what I remember reading, they were able to gain air dominance not because Iranian air-defense was bad, but because it was put almost completely out of service for a brief period of time by people on the ground - be it through sabotage, cyber-warfare, drone attacks from inside, allowing the Israeli jets to annihilate them.
There are way worse things you could do, you could hide explosives in consumer electronics and infiltrate the supply lines to replace them. Then you could detonate them all simultaneously, indiscriminately murdering everyone around them as well. But of course only fascist barbarians would ever do or support that sort of thing.
Canada has a strong army and can defend itself. Greenland on the other hand is not well defended and I doubt Denmark really cares (e.g., if they’re willing to send tens of thousands of troops to die for it) if it was occupied by China or Russia in the event of a war.
Greenland is a massive strategic liability for the US and Europe (although the EU still has its head in the sand they are starting to wake up some).
Not sure why this got downvoted; we're threatening it again, credibly enough that the Danish PM is telling them to shut up.
When BGP traffic is being sent from point A to point B, it can be rerouted through a point C. If you control point C, even for a few hours, you can theoretically collect vast amounts of intelligence that would be very useful for government entities.
Solid OSINT methodology here. The 10x AS path prepending is the most interesting detail to me b/c typically you'd see prepending used to de-prioritize a route, which raises the question: was this about making traffic avoid CANTV, or was it a side effect of something else?
A few thoughts:
- The affected prefixes (200.74.224.0/20 block → Dayco Telecom) hosting banks and ISPs feels significant. If you're doing pre-kinetic intelligence gathering, knowing the exact network topology and traffic patterns of critical infrastructure would be valuable. Even a few hours of passive collection through a controlled transit point could map out dependencies you'd want to understand before cutting power.
- What's also notable is the transit path through Sparkle, which the author points out doesn't implement RPKI filtering. That's not an accident if you're planning something (you'd specifically choose providers with weaker validation).
- The article stops short of drawing conclusions, which is the right call. BGP anomalies are common enough that correlation ≠ causation. But the timing and the specific infrastructure affected make this worth deeper analysis.
Would love to see someone with access to more complete BGP table dumps do a before/after comparison of routing stability for Venezuelan prefixes in that window.
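On the RPKI point in the comment above, it helps to be precise about what RPKI route origin validation (RFC 6811) does and does not check. The following is an added example, not code from the article or the commenters, that implements ROV over a constructed ROA set and runs it against announcements modelled on the thread. The ROA for 200.74.224.0/20 is hypothetical, written for illustration, and says nothing about that block's real RPKI state; the other prefixes and ASNs are documentation values. What it shows is the caveat a practitioner wants here: a route leak that keeps the legitimate origin AS at the end of the path validates as "valid" under ROV, so origin filtering at a transit provider would not have stopped a leak of the shape the commenters describe. Catching that takes path-level checks (ASPA, or peer-specific prefix and AS-path filters), not ROAs.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Roa:
    prefix: object      # ipaddress.IPv4Network or IPv6Network
    asn: int
    max_length: int

def roa(prefix: str, asn: int, max_length: Optional[int] = None) -> Roa:
    net = ipaddress.ip_network(prefix, strict=True)
    return Roa(net, asn, net.prefixlen if max_length is None else max_length)

# Constructed ROA set for illustration. The ROA for 200.74.224.0/20 is hypothetical and
# says nothing about that block's real RPKI state; the rest is documentation space/ASNs.
ROAS = [
    roa("200.74.224.0/20", 21980, max_length=24),
    roa("198.51.100.0/24", 64496),
]

def rov_state(prefix: str, origin_asn: int, roas=ROAS) -> str:
    """RFC 6811 route origin validation: 'valid', 'invalid' or 'notfound'."""
    route = ipaddress.ip_network(prefix, strict=True)
    covering = [r for r in roas
                if r.prefix.version == route.version
                and route.prefixlen >= r.prefix.prefixlen
                and route.network_address in r.prefix]
    if not covering:
        return "notfound"          # no ROA covers this prefix at all
    for r in covering:
        if r.asn != 0 and r.asn == origin_asn and route.prefixlen <= r.max_length:
            return "valid"         # origin and length both authorised by some ROA
    return "invalid"               # covered, but by no ROA that matches

def origin_of(as_path: str) -> int:
    """Origin is the rightmost AS in AS_PATH (AS_SET handling omitted for brevity)."""
    return int(as_path.split()[-1])

def filter_announcements(announcements, roas=ROAS):
    """Usual ROV policy: drop invalid, accept valid and notfound. Returns (accepted, dropped)."""
    accepted, dropped = [], []
    for prefix, path in announcements:
        state = rov_state(prefix, origin_of(path), roas)
        (dropped if state == "invalid" else accepted).append((prefix, path, state))
    return accepted, dropped

# Constructed announcements modelled on the discussion (not real routing data)
LEAKED_PATH = "52320 " + "8048 " * 10 + "6762 21980"
ANNOUNCEMENTS = [
    ("200.74.224.0/20", "6762 21980"),     # direct route with the legitimate origin
    ("200.74.224.0/20", LEAKED_PATH),      # leaked route, same legitimate origin
    ("200.74.224.0/24", "6762 21980"),     # more specific, within maxLength
    ("200.74.224.0/25", "6762 21980"),     # more specific than maxLength allows
    ("200.74.224.0/20", "64496 64497"),    # wrong origin AS
    ("203.0.113.0/24", "64496 64498"),     # no ROA covers it
]

if __name__ == "__main__":
    accepted, dropped = filter_announcements(ANNOUNCEMENTS)
    for prefix, path, state in accepted + dropped:
        print(f"{state:8} {prefix:18} {path}")
```

Run as a script it shows the wrong-origin and too-specific announcements dropped, the uncovered prefix passing as "notfound", and the leaked path accepted as "valid" alongside the direct one: ROV sees only the origin, never the hops in between.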
Counterpoint is that Ukraine, Qaddafi, and Assad already demonstrated the significance of maintaining certain capabilities. Vzla didn't have those capabilities before, much less publicly depreciate them.
The reporting suggests there was some kind of deal struck between the US and elements of the VZ administration, and even nuclear capability doesn't prevent that
It will increase the desire for nukes, but also increase the hesitation to seek them now that credibility and capability (particularly what modern intelligence is capable of) are demonstrated. Hard to say how this nets off.
>I assume that nuclear capability would rule out a target from this kind of snatch operation
Why would it?
1. "Nuclear capability" is not binary. The available delivery mechanisms and the defensive capabilities of your adversary matter a lot.
2. MAD constrains both sides. It's unlikely that an unpopular Head of State getting kidnapped would warrant a nuclear first strike especially against a country like (Trump's) America, which would not hesitate to glass your whole country in response.
3. It's extremely risky to "try" a nuke, because even if it's shot down, does it mean your enemy treats it as a nuclear strike and responds as if it had landed? That's a very different equation from conventional missiles. E.g. Iran sends barrages of missiles because they expect most of them to be shot down. It's probably not calculating a scenario where all of them land and Israel now wants like-for-like revenge.
The popular conspiracy theory among the Russian opposition is that Maduro's exit was negotiated, so he will do small time at a Fed club and preserve a significant amount of his money (at least a couple of hundred million), and after completing the time will end up with his money in Russia/Belarus.
We can see that nobody was going to resist the operation in Venezuela, so it doesn't really matter that Venezuela doesn't have nukes. Using nukes isn't just a matter of pressing a button, it involves a lot of people and processes - thus any significant opposition inside the force or just widespread sabotage will make it unusable.
You have to assume everyone is willing to die over every single thing short of obliteration.
So what's the scenario then? Venezuela has nukes. The US abducts Maduro. Venezuela launches its nukes, everyone dies on both sides. Please, explain that laughable premise. Everyone in Venezuela dies for Maduro? Go on, explain it, I'll wait.
Back in reality: Venezuela has nukes. The US abducts Maduro. Venezuela shakes its fists at the sky, threatens nuclear hell fire. Nothing happens. Why? The remaining leadership of Venezuela does not in fact want to die for Maduro.
That's like arguing against the police arresting criminals because it will incentivize them to acquire weapons.
The only consistent action for the US to take, given they - and much of the world - do not consider Maduro the legitimate President of Venezuela, was to remove him from power.
(1) https://radar.cloudflare.com/?ref=loworbitsecurity.com#dns-q...
Aloisius|1 month ago
I'm not sure why the author singled out Telecom Italia Sparkle.
t0mas88|1 month ago
The data would make that more likely, because deliberately adding a longer route doesn't achieve much. It's not usually going to get any traffic.
ceejayoz|1 month ago
I expect every major world power has a plan to (attempt to) do precisely that to their enemies.
https://en.wikipedia.org/wiki/Graphite_bomb
> The US Navy used sea-launched Tomahawk missiles with Kit-2 warheads, involving reels of carbon fibers, in Iraq as part of Operation Desert Storm during the Gulf War in 1991, where it disabled about 85% of the electricity supply. The US Air Force used the CBU-94, dropped by F-117 Nighthawks, during the NATO bombing of Yugoslavia on 2 May 1999, where it disabled more than 70% national grid electricity supply.
I would not, however, take "Trump said something" as indicative of much. "It was dark, the lights of Caracas were largely turned off due to a certain expertise that we have, it was dark, and it was deadly" is both visibly untrue from the video evidence available, and is the precise sort of off-the-cuff low-fact statement he's prone to.
ceejayoz|1 month ago
Yesterday:
> Adding to the alarm, Katie Miller, a right-wing podcast host and the wife of Trump adviser Stephen Miller, posted an image of Greenland superimposed with the American flag and the caption "SOON!"
https://www.nbcnews.com/world/greenland/trump-venezuela-atta...
SanjayMehta|1 month ago
Didn't the US use Chinooks? They're supposed to be loud. And AD didn't take even one out.
If Venezuela is as corrupt as most socialist countries, I have no doubt that someone in his inner circle gave him up.
Back in the days of our version of socialism we had Indian politicians selling out for $100K, leave alone $50M.
erxam|1 month ago
For the longest time I thought they'd gone too far, but now we're the clowns putting on a show.
bawolff|1 month ago
It would probably rule out the type of decapitation strike the US did, but bgp hijacking is way way below on the escalation ladder.
esseph|1 month ago
I think this is a situation where even if Venezuela had nukes, this still would have happened.
moralestapia|1 month ago
Try, https://news.ycombinator.com/item?id=46473348.
1970-01-01|1 month ago
Clearly and empirically, BGP can shut off parts of the Internet, just as Trump wanted to do in 2015.
https://finance.yahoo.com/news/dear-donald-trump-no-you-1322...