TL;DR

A security researcher's analysis of public routing datasets found unusual BGP activity around the Venezuelan blackout. Cloudflare Radar flagged a route leak involving CANTV (AS8048) and several transit providers; raw MRT data revealed the specific prefixes and the atypical AS paths.

What happened

While reviewing public routing telemetry following the blackout in Venezuela, the author investigated BGP routing for the state carrier CANTV (AS8048). Cloudflare Radar recorded a route leak on January 2 in which eight prefixes were announced with Sparkle and GlobeNet visible in the AS path. Because the Cloudflare view did not include the precise prefixes, the researcher pulled MRT dumps from ris.ripe.net and processed them with bgpdump to extract the raw BGP updates. That data shows announcements for eight prefixes from the 200.74.224.0/20 block (including /23 and /24 subnets) and AS paths in which AS8048 appears many times in succession. The author notes these AS path anomalies along with an earlier spike in announcements that coincided with a drop in announced address space, and also points out that Sparkle is listed on an industry site as not implementing certain BGP security measures such as RPKI filtering.

Why it matters

  • BGP route leaks can alter how traffic reaches networks, potentially affecting reachability and resilience.
  • Repeated or manipulated AS paths are unusual and can complicate routing decisions and troubleshooting.
  • Transit providers that do not implement RPKI filtering increase the risk surface for accidental or intentional routing leaks.
  • Public routing datasets (Cloudflare Radar, RIS MRT) allowed independent reconstruction of the events, highlighting the value of open telemetry.

Key facts

  • Date of noted activity: January 2, 2026 (entries show 01/02/26 timestamps).
  • Targeted network: CANTV, ASN 8048 (Venezuela's state telecom).
  • Cloudflare Radar reported a route leak affecting eight prefixes for AS8048.
  • Extracted prefixes all fall inside the 200.74.224.0/20 block (examples include 200.74.226.0/24, 200.74.228.0/23, 200.74.230.0/23, 200.74.232.0/24, 200.74.233.0/24, 200.74.234.0/24).
  • Raw MRT entries show AS paths that include AS8048 repeated multiple times (the author notes ten repetitions in some paths).
  • Observed next-hops and origin ASes in the MRT extracts include addresses such as 187.16.222.45 (AS263237) and 187.16.208.144 (AS24482).
  • Cloudflare's route-leak view did not include the specific prefixes; they were recovered from RIS MRT data using bgpdump.
  • The author observed a spike in BGP announcements and a sharp drop in announced IP address space in Cloudflare's metrics prior to the event.
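As an added example (not code from the original analysis), the following Python script parses records in bgpdump -m style and flags announcements inside 200.74.224.0/20 whose AS path has an unexpected origin or an AS8048 prepend depth beyond a chosen threshold. The sample records, their timestamps and the exact AS paths are constructed for illustration; the peer IPs, ASNs and prefixes are the ones named in the summary.

```python
import ipaddress

WATCHED_BLOCK = ipaddress.ip_network("200.74.224.0/20")
WATCHED_ASN = 8048

# Constructed sample records in bgpdump -m format (not real captures).
# Fields: type|time|A/W|peer IP|peer AS|prefix|AS path|origin|next hop|...
SAMPLE_BGPDUMP = """\
BGP4MP|1767312000|A|187.16.222.45|263237|200.74.226.0/24|263237 52320 8048 8048 8048 8048 8048 8048 8048 8048 8048 8048|IGP|187.16.222.45|0|0||NAG||
BGP4MP|1767312005|A|187.16.208.144|24482|200.74.230.0/23|24482 52320 8048 8048|IGP|187.16.208.144|0|0||NAG||
BGP4MP|1767312010|A|187.16.208.144|24482|203.0.113.0/24|24482 64496|IGP|187.16.208.144|0|0||NAG||
BGP4MP|1767312015|W|187.16.222.45|263237|200.74.232.0/24
"""

def parse_bgpdump_m(text):
    """Yield one dict per announcement ('A'); withdrawals carry no path and are skipped."""
    for line in text.splitlines():
        f = line.split("|")
        if len(f) < 7 or f[2] != "A":
            continue
        yield {
            "time": int(f[1]),
            "peer_ip": f[3],
            "peer_as": int(f[4]),
            "prefix": ipaddress.ip_network(f[5], strict=False),
            # AS_SET entries like {64496,64497} are not plain digits and are dropped.
            "as_path": [int(a) for a in f[6].split() if a.isdigit()],
            "next_hop": f[8] if len(f) > 8 else "",
        }

def longest_run(path, asn):
    """Longest run of consecutive occurrences of asn in path (its prepend depth)."""
    best = cur = 0
    for a in path:
        cur = cur + 1 if a == asn else 0
        best = max(best, cur)
    return best

def flag_anomalies(records, block=WATCHED_BLOCK, asn=WATCHED_ASN, max_prepend=3):
    """Return (prefix, origin, prepend_depth, peer_as) for announcements inside block
    whose origin is not asn or whose prepend depth of asn exceeds max_prepend."""
    flagged = []
    for r in records:
        p = r["prefix"]
        if p.version != block.version or not p.subnet_of(block) or not r["as_path"]:
            continue
        origin = r["as_path"][-1]
        depth = longest_run(r["as_path"], asn)
        if origin != asn or depth > max_prepend:
            flagged.append((str(p), origin, depth, r["peer_as"]))
    return flagged
```

Pointing the parser at `bgpdump -m` output for a RIS update file gives the same per-prefix view the author reconstructed; lowering max_prepend tightens what counts as an anomalous path.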

What to watch next

  • Monitor Cloudflare Radar and RIS MRT feeds for continued anomalies involving AS8048 and the 200.74.224.0/20 block.
  • Check isbgpsafeyet and similar services for the security posture (RPKI filtering) of transit providers listed in the AS paths, such as Sparkle.
  • not confirmed in the source: Investigation linking these BGP anomalies directly to the power blackout or to specific infrastructure outages.
  • not confirmed in the source: Any attribution of the route leak to deliberate hostile action rather than misconfiguration or operational error.

Quick glossary

  • BGP (Border Gateway Protocol): The protocol that networks use to exchange routing information and decide paths that internet traffic takes between autonomous systems.
  • Autonomous System Number (ASN): A unique identifier assigned to a network operator or autonomous system that advertises routing information to other networks.
  • IP prefix: A contiguous block of IP addresses announced into the global routing table, typically written as an address with a mask (for example, 200.74.230.0/23).
  • RPKI (Resource Public Key Infrastructure): A system that lets IP prefix holders cryptographically attest which AS is authorized to announce their prefixes; used to reduce certain types of BGP hijacks and leaks.
  • Route leak: An event where routing announcements are propagated in a way that exposes or redirects IP prefixes through unexpected or unauthorized AS paths, often due to misconfiguration or policy errors.

Reader FAQ

Did the BGP anomalies cause the Venezuela blackout?
not confirmed in the source

Which prefixes were involved in the reported leak?
The extracted MRT data lists prefixes within 200.74.224.0/20, including 200.74.226.0/24, 200.74.228.0/23, 200.74.230.0/23, 200.74.232.0/24, 200.74.233.0/24, and 200.74.234.0/24.

Which networks appeared in the AS paths?
Public MRT output showed ASes including 8048 (CANTV), 52320, 24482, 263237 and transit systems such as Sparkle and GlobeNet appearing in the AS paths.

Is there evidence of malicious intent behind the leak?
not confirmed in the source
