A closer look at a BGP anomaly in Venezuela
2026-01-06
by Bryton Herdes
Endigest AI Core Summary
This post analyzes a BGP route leak involving Venezuela's state-run ISP CANTV (AS8048), arguing the anomaly was likely due to poor routing policy rather than malicious intent.
- AS8048 leaked routes from provider AS6762 (Sparkle) to AS52320 (GlobeNet), involving prefixes originated by AS21980 (Dayco Telecom), a customer of AS8048
- The leaked routes were heavily AS-path prepended, making them less attractive, which is inconsistent with a deliberate man-in-the-middle attack
- Eleven similar route leak events by AS8048 were recorded since December, suggesting a persistent misconfiguration rather than a one-time targeted action
- The leaks occurred over 12 hours before U.S. military action in Venezuela, weakening the theory of a politically motivated BGP manipulation
- RFC 9234 and the Only-to-Customer (OTC) attribute are proposed as technical mitigations; RPKI ROV would not have prevented this path-based anomaly
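
The last point can be shown as a small model. This is an added example, not code from the original post: it applies the RFC 9234 OTC ingress and egress rules (route-server roles omitted) to the AS6762 → AS8048 → AS52320 leak and compares the outcome with a simplified origin check. The prefix, the ROA and the AS path are constructed, and because the summary does not state AS52320's relationship to AS8048, that relationship is a parameter.

```python
from dataclasses import dataclass
from typing import Optional

PROVIDER, CUSTOMER, PEER = "provider", "customer", "peer"

@dataclass
class Route:
    prefix: str
    as_path: list               # nearest AS first, origin AS last
    otc: Optional[int] = None   # Only-to-Customer attribute (RFC 9234)

def rov_valid(route, roas):
    # Simplified origin validation: exact prefix match, no maxLength handling.
    return roas.get(route.prefix) == route.as_path[-1]

def otc_ingress(route, neighbor_as, neighbor_is):
    # RFC 9234 ingress rules; returns False when the route is a leak.
    if route.otc is not None:
        if neighbor_is == CUSTOMER:
            return False
        if neighbor_is == PEER and route.otc != neighbor_as:
            return False
    elif neighbor_is in (PROVIDER, PEER):
        route.otc = neighbor_as
    return True

def otc_egress(route, local_as, neighbor_is):
    # RFC 9234 egress rules; returns False when the route must not be sent.
    if route.otc is not None and neighbor_is in (PROVIDER, PEER):
        return False
    if route.otc is None and neighbor_is in (CUSTOMER, PEER):
        route.otc = local_as
    return True

def simulate(otc_at, as52320_is_to_as8048):
    # otc_at: set of ASNs that implement RFC 9234 (a modelling assumption).
    # Constructed data: documentation prefix, ROA for the origin named above.
    roas = {"192.0.2.0/24": 21980}
    route = Route("192.0.2.0/24", [6762, 21980])
    if 6762 in otc_at:
        otc_egress(route, 6762, CUSTOMER)      # AS6762 -> its customer AS8048
    if 8048 in otc_at:
        otc_ingress(route, 6762, PROVIDER)     # AS8048 receives from its provider
        if not otc_egress(route, 8048, as52320_is_to_as8048):
            return rov_valid(route, roas), "blocked at AS8048"
    route.as_path.insert(0, 8048)              # leak leaves AS8048, OTC still attached
    as8048_is = CUSTOMER if as52320_is_to_as8048 == PROVIDER else PEER
    if 52320 in otc_at and not otc_ingress(route, 8048, as8048_is):
        return rov_valid(route, roas), "rejected at AS52320"
    return rov_valid(route, roas), "accepted"
```

In every case the origin check passes because AS21980 is still the origin; only the OTC rules see the leak, and the receiving side can reject it only when an AS upstream of the leaker has set the attribute.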
Tags:
#BGP
#RPKI
#Routing
#Routing Security
#Network Services
