There were reports they had considered Christmas Day and New Year's Day. I wonder if it was far enough along that you could see similar BGP anomalies around those times.
What would be the result of this? I think it would route data through Sparkle as a way of potentially spying on internet traffic without having compromised the network equipment within Venezuela, but I'm not familiar enough with network architecture to really understand what happened.
Canada has a strong army and can defend itself. Greenland on the other hand is not well defended and I doubt Denmark really cares (e.g., if they’re willing to send tens of thousands of troops to die for it) if it was occupied by China or Russia in the event of a war.
Greenland is a massive strategic liability for the US and Europe (although the EU still has its head in the sand they are starting to wake up some).
Frankly, the right move (before Trump did as Trump does, and fucked up our foreign relations) would have been to straight-up buy Greenland. The people of Greenland have the right under Danish law to vote for independence, and there's not that many of them. Paying individual people for the votes probably would have cost the US $10 billion, and then we could give them Puerto Rico-esque status.
Cyber-warfare capabilities on this level seem pretty horrific. What if you could simply turn off the power grid of Kyiv or Moscow in anticipation of a strike? That seems extremely disorientating. What if you could simply turn off the power grid indefinitely?
There are way worse things you could do, you could hide explosives in consumer electronics and infiltrate the supply lines to replace them. Then you could detonate them all simultaneously, indiscriminately murdering everyone around them as well. But of course only fascist barbarians would ever do or support that sort of thing.
> The newsletter suggests “BGP shenanigans” and posits that such a leak could be exploited to collect intelligence useful to government entities.
>
> While we can’t say with certainty what caused this route leak, our data suggests that its likely cause was more mundane.
Fascinating find and investigation. While there isn't a solid conclusion from it, glad it was written up, perhaps someone will be able to connect more dots with it.
If you were not already entirely reliant on American tech before, this ought to convince you to put jump in with both feet. What could possibly go wrong?
Was the OSRS economy affected by the strikes? I'm assuming they didn't disrupt internet access for most Venezuelan citizens but I have not looked into it yet.
My clanmates and I noticed that some of the more popular goldfarming hotspots were much less populated that day. Rev caves, Zalcano, etc. Not sure about impacts for the broader economy though. Maybe FlippingOldSchool will release a video analyzing the economic trends over the course of that week? Would be interesting for sure.
I run an OSRS market analysis/flipping site, and have been keeping an eye on the effects.
The short answer is that there hasn't been a ton of movement across the market at large, but since Saturday, bonds have been swinging up towards the all-time high they set last December. Can't say for certain that that movement is tied to VZ though.
This doesn't look like anything malicious, 8048 is just prepending these announcements to 52320.. If anything, it looks like 269832(MDS) had a couple hits to their tier 1 peers which caused these prepended announcements to become more visible to collectors.
I guess one of the interesting things I learnt off this article(1) was that 7% of DNS query types served by 1.1.1.1 are HTTPS and started wondering what HTTPS query type was as I had only heard of A, MX, AAAA, SPF etc...
Apparently that is part of implementing ECH (Encrypted Client Hello) in TLS 1.3 where the DNS hosts the public key of the server to fully encrypt the server name in a HTTPS request. Since Nginx and other popular web servers don't yet support it, I suspect the 7% of requests are mostly Cloudflare itself.
> When BGP traffic is being sent from point A to point B, it can be rerouted through a point C. If you control point C, even for a few hours, you can theoretically collect vast amounts of intelligence that would be very useful for government entities. The CANTV AS8048 being prepended to the AS path 10 times means there the traffic would not prioritize this route through AS8048, perhaps that was the goal?
AS prepending is a relatively common method of traffic engineering to reduce traffic from a peer/provider. Looking at CANTV's (AS8048) announcements from outside that period shows they do this a lot.
Since this was detected as a BGP route leak, it looks like CANTV (AS8048) propagated routes from Telecom Italia Sparkle (AS6762) to GlobeNet Cabos Sumarinos Columbia (AS52320). This could have simply been a misconfiguration.
Nothing nefarious immediately jumps out to me here. I don't see any obvious attempts to hijack routes to Dayco Telecom (AS21980), which was the actual destination. The prepending would have made traffic less likely to transit over CANTV assuming there was any other route available.
The prepending done by CANTV does make it slightly easier to hijack traffic destined to it (though not really to Dayco), but that just appears to be something they just normally do.
This could be CANTV trying to force some users of GlobeNet to transit over them to Dayco I suppose, but leaving the prepending in would be an odd way of going about it. I suppose if you absolutely knew you were the shortest path length, there's no reason to remove the prepending, but a misconfiguration is usually the cause of these things.
For a length-15 ASpath to show up on the internet, a whole bunch of better routes need to disappear first, which seems to have happened here. But that disappearance is very likely unrelated to CANTV.
Furthermore, BGP routes can get "stuck", if some device doesn't handle a withdrawal correctly… this can lead to odd routes like the ones seen here. Especially combined with the long path length and disappearance of better routes.
49 comments
[ 2.4 ms ] story [ 60.3 ms ] threadGreenland is a massive strategic liability for the US and Europe (although the EU still has its head in the sand they are starting to wake up some).
The data would make that more likely, because deliberately adding a longer route doesn't achieve much. It's not usually going to get any traffic.
> The newsletter suggests “BGP shenanigans” and posits that such a leak could be exploited to collect intelligence useful to government entities. > > While we can’t say with certainty what caused this route leak, our data suggests that its likely cause was more mundane.
The short answer is that there hasn't been a ton of movement across the market at large, but since Saturday, bonds have been swinging up towards the all-time high they set last December. Can't say for certain that that movement is tied to VZ though.
[1]:https://radar.cloudflare.com/routing/as8048ref=loworbitsecur...
Apparently that is part of implementing ECH (Encrypted Client Hello) in TLS 1.3 where the DNS hosts the public key of the server to fully encrypt the server name in a HTTPS request. Since Nginx and other popular web servers don't yet support it, I suspect the 7% of requests are mostly Cloudflare itself.
(1) https://radar.cloudflare.com/?ref=loworbitsecurity.com#dns-q...
AS prepending is a relatively common method of traffic engineering to reduce traffic from a peer/provider. Looking at CANTV's (AS8048) announcements from outside that period shows they do this a lot.
Since this was detected as a BGP route leak, it looks like CANTV (AS8048) propagated routes from Telecom Italia Sparkle (AS6762) to GlobeNet Cabos Sumarinos Columbia (AS52320). This could have simply been a misconfiguration.
Nothing nefarious immediately jumps out to me here. I don't see any obvious attempts to hijack routes to Dayco Telecom (AS21980), which was the actual destination. The prepending would have made traffic less likely to transit over CANTV assuming there was any other route available.
The prepending done by CANTV does make it slightly easier to hijack traffic destined to it (though not really to Dayco), but that just appears to be something they just normally do.
This could be CANTV trying to force some users of GlobeNet to transit over them to Dayco I suppose, but leaving the prepending in would be an odd way of going about it. I suppose if you absolutely knew you were the shortest path length, there's no reason to remove the prepending, but a misconfiguration is usually the cause of these things.
Furthermore, BGP routes can get "stuck", if some device doesn't handle a withdrawal correctly… this can lead to odd routes like the ones seen here. Especially combined with the long path length and disappearance of better routes.
Clearly and empirically, BGP can shut off parts of the Internet, just as Trump wanted to do in 2015.
https://finance.yahoo.com/news/dear-donald-trump-no-you-1322...