TL;DR
Cloudflare Radar and independent researchers observed a BGP route leak on January 2, 2026 that involved AS8048 (CANTV) redistributing prefixes originated by AS21980 (Dayco Telecom). The pattern of similar route leaks since December suggests configuration or policy errors at the ISP rather than clear malicious activity.
What happened
On January 2, Cloudflare Radar flagged a routing anomaly in Venezuela in which AS8048 (CANTV) propagated routes belonging to AS21980 (Dayco Telecom) beyond their expected scope. The leaked paths show routes learned from AS6762 (Sparkle) and then advertised toward AS52320 (V.tal/GlobeNet), a classic Type 1 hairpin-style route leak. Many of the affected prefixes sit inside the 200.74.224.0/20 block and appeared in multiple separate announcements roughly hourly between 15:30 and 17:45 UTC. Analysis of AS relationships using BGPKIT’s monocle tool and route-collector observations indicates AS8048 functions as a provider for AS21980. The leaked advertisements also included extensive AS prepending of AS8048, which would generally make those paths less attractive to other networks. Similar incidents from AS8048 have occurred repeatedly since early December, and researchers say the evidence points toward loose export/import routing policies or convergence issues rather than a definitive, intentional interception campaign.
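The hairpin pattern described above can be checked mechanically against an AS path. This is an added example, not code from the source article or from Cloudflare; it classifies RFC 7908 Type 1 to 4 leaks, which goes beyond the single Type 1 case on this page. It assumes AS6762 and AS52320 are providers of AS8048 (what a Type 1 classification implies), and the sample paths are constructed, with AS64500 as a documentation ASN for hops the page does not list.

```python
from itertools import groupby

# (asn, neighbour) -> role of that neighbour as seen from asn.
# Assumption: AS6762 and AS52320 are providers of AS8048; the page only
# states that AS8048 is a provider for AS21980.
NEIGHBOUR_ROLE = {
    (8048, 6762): "provider",
    (8048, 52320): "provider",
    (8048, 21980): "customer",
}

# (role of neighbour the route was learned from, role of neighbour it went to)
LEAK_TYPES = {
    ("provider", "provider"): "Type 1: hairpin turn",
    ("peer", "peer"): "Type 2: lateral ISP-ISP-ISP leak",
    ("provider", "peer"): "Type 3: provider routes leaked to peer",
    ("peer", "provider"): "Type 4: peer routes leaked to provider",
}

def collapse_prepends(as_path):
    """Drop consecutive duplicates so prepending does not hide adjacency."""
    return [asn for asn, _ in groupby(as_path)]

def find_leaks(as_path, roles=NEIGHBOUR_ROLE):
    """Return (leaker_asn, leak_type) for each valley-free violation.

    as_path is in BGP order: newest hop first, origin last, so each AS
    learned the route from its right neighbour and sent it to its left one.
    """
    hops = collapse_prepends(as_path)
    leaks = []
    for sent_to, asn, learned_from in zip(hops, hops[1:], hops[2:]):
        src = roles.get((asn, learned_from))
        dst = roles.get((asn, sent_to))
        leak = LEAK_TYPES.get((src, dst))
        if leak:  # hops with unknown relationships are skipped, not guessed
            leaks.append((asn, leak))
    return leaks

# Constructed paths (not collector data).
LEAKED = [52320, 8048, 8048, 8048, 8048, 6762, 64500, 21980]
NORMAL = [6762, 8048, 21980]  # customer route exported to a provider

if __name__ == "__main__":
    print(find_leaks(LEAKED))
    print(find_leaks(NORMAL))
```

The quality of the result depends entirely on the relationship table; in practice it would be filled from inferred AS-relationship data rather than typed in by hand.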
Why it matters
- Route leaks can reroute traffic inefficiently and create outages or latency even when not malicious.
- Repeated leaks from a single ISP suggest persistent configuration or policy weaknesses that pose ongoing operational risk.
- Incomplete deployment of origin validation (RPKI/ROV) reduces an operator’s ability to block illegitimate origin announcements.
- RFC 9234, which defines BGP Roles and the Only-to-Customer (OTC) attribute, can help prevent these policy-based leaks when broadly implemented.
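How OTC stops the hairpin seen here, as an added example that is not from the source article: the ingress and egress rules of RFC 9234 applied at AS8048 to a route for the affected block. The class and function names are illustrative, and the neighbour roles (AS6762 and AS52320 as providers) are an assumption implied by the Type 1 classification.

```python
from dataclasses import dataclass, replace
from typing import Optional

LOCAL_AS = 8048  # the AS applying the rules in this walk-through

@dataclass(frozen=True)
class Route:
    prefix: str
    otc: Optional[int] = None  # value of the OTC attribute, if present

class RouteLeak(Exception):
    """Route is ineligible under the RFC 9234 ingress rules."""

def ingress(route, remote_as, remote_role):
    """Apply OTC ingress rules; remote_role is the neighbour's BGP Role."""
    if route.otc is not None:
        if remote_role in ("customer", "rs-client"):
            raise RouteLeak(f"OTC {route.otc} received from {remote_role}")
        if remote_role == "peer" and route.otc != remote_as:
            raise RouteLeak(f"OTC {route.otc} != peer AS {remote_as}")
        return route
    if remote_role in ("provider", "peer", "rs"):
        # Mark the route as only exportable downstream from here on.
        return replace(route, otc=remote_as)
    return route  # learned from a customer: stays unmarked

def egress(route, remote_role, local_as=LOCAL_AS):
    """Return the route to advertise, or None if it must not be sent."""
    if route.otc is not None:
        if remote_role in ("provider", "peer", "rs"):
            return None  # the export that would have been the leak
        return route
    if remote_role in ("customer", "peer", "rs-client"):
        return replace(route, otc=local_as)
    return route

def demo():
    """Route learned from provider AS6762, then offered to each neighbour type."""
    learned = ingress(Route("200.74.224.0/20"), 6762, "provider")
    return learned.otc, egress(learned, "provider"), egress(learned, "customer")

if __name__ == "__main__":
    print(demo())
```

The ingress check also gives a downstream provider its own protection: a route that arrives from a customer already carrying OTC is rejected even if the customer's egress policy failed.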
Key facts
- Cloudflare Radar detected the leak events on January 2, 2026.
- The leaker AS was AS8048 (CANTV), and the affected prefixes were originated by AS21980 (Dayco Telecom).
- Impacted prefixes were part of the 200.74.224.0/20 subnet.
- Path analysis showed routes taken from AS6762 (Sparkle) and redistributed to AS52320 (V.tal/GlobeNet).
- Monocle as2rel output and collector data indicate AS8048 is the upstream provider for AS21980, with a 9.9% 'connected' visibility in the sample.
- Many leaked advertisements included heavy AS8048 prepending, which usually reduces path preference.
- The January 2 announcements occurred in multiple bursts roughly an hour apart between 15:30 and 17:45 UTC.
- There were eleven similar route leak events attributed to AS8048 since the beginning of December.
- Observers noted AS6762 may have an incomplete deployment of RPKI Route Origin Validation (ROV).
What to watch next
- Whether AS8048 (CANTV) adjusts its export/import BGP policies or prefix filters to stop recurring leaks — not confirmed in the source.
- Broader adoption of RFC9234 / Only-to-Customer attributes among regional operators to reduce policy-driven leaks — not confirmed in the source.
- Any follow-up route leaks from AS8048 or the same prefix space in the coming days and weeks as operators converge on fixes — not confirmed in the source.
Quick glossary
- BGP (Border Gateway Protocol): The routing protocol that networks use to exchange reachability information across the global Internet, allowing Autonomous Systems to advertise which IP prefixes they can serve.
- Route leak: When a network advertises routing information beyond its intended scope, violating expected customer-provider or peer-peer propagation rules and potentially causing suboptimal or unexpected paths.
- Autonomous System (AS): A collection of IP networks operated by one or more network operators under a single routing policy, identified by a unique AS number.
- RPKI / Route Origin Validation (ROV): A cryptographic system that lets operators verify which AS is authorized to originate a given IP prefix, helping to prevent origin hijacks.
- AS prepending: The practice of repeating an AS number multiple times in a BGP path announcement to make that path less preferred by other networks.
Reader FAQ
Was this leak deliberate or malicious?
Not confirmed in the source; analysts argue configuration or policy errors are a more likely explanation based on the data.
Could the leak have been used to intercept traffic?
Not confirmed in the source; the observed heavy AS prepending would typically make the leaked paths less attractive for interception purposes.
Is this connected to the U.S. capture of Nicolás Maduro?
The source notes the leaks began over twelve hours before the reported capture and finds no reason to believe the events are related.
How common are these kinds of leaks from AS8048?
The source reports eleven similar route leak events involving AS8048 since the start of December.

A closer look at a BGP anomaly in Venezuela (2026-01-06, Bryton Herdes): As news unfolds surrounding the U.S. capture and arrest of Venezuelan leader Nicolás Maduro, a…
Sources
- A closer look at a BGP anomaly in Venezuela
- There were BGP anomalies during the Venezuela blackout
- Spy Games or Glitch? The Truth Behind Venezuela's BGP …