@thousandeyes
Cisco ThousandEyes
5 years
Starting at ~7am ET, a major internet disruption occurred in what appears to be a significant BGP route leak event affecting a variety of prefixes from multiple providers, including Cloudflare & AWS. Sites served through the Cloudflare CDN were impacted for ~2 hours.

Replies

@thousandeyes
Cisco ThousandEyes
5 years
ThousandEyes data saw multiple instances where the network of Allegheny Technologies (AS396531) was inserted as a new next hop for altered BGP paths going to prefixes owned by AWS and Cloudflare.
@thousandeyes
Cisco ThousandEyes
5 years
ThousandEyes saw multiple, more specific /21 prefixes advertised that impacted legitimate /20 prefixes from @Cloudflare. For example, here is a view of a BGP path for 104.20.88.0/21, a more specific prefix introduced into the Internet’s routing table during the route leak event.
@thousandeyes
Cisco ThousandEyes
5 years
A more specific prefix is preferred by Internet routing over a less specific prefix, even if the latter is more legitimate. In this case, 104.20.88.0/21 was preferred over the legitimate but less specific prefix 104.20.80.0/20 advertised by Cloudflare.
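The longest-prefix-match behaviour described in the tweet above, as an added example that is not part of the original thread: it shows why 104.20.88.0/21 wins over 104.20.80.0/20 for part of the address block, and how an origin network can flag unexpected more-specifics of its own prefixes. The two prefixes and AS396531 come from the thread; the AS path labels, the `EXPECTED` list and the function names are assumptions made for illustration.

```python
import ipaddress

# Prefixes and AS396531 come from the thread; the AS paths are constructed
# for illustration and are not data captured during the incident.
ROUTES = [
    (ipaddress.ip_network("104.20.80.0/20"), ["Transit", "Cloudflare"]),
    (ipaddress.ip_network("104.20.88.0/21"),
     ["Verizon", "AS396531", "DQE", "Cloudflare"]),
]
# Prefixes the origin network expects to see announced (assumption).
EXPECTED = [ipaddress.ip_network("104.20.80.0/20")]


def longest_prefix_match(routes, destination):
    """Return the (prefix, as_path) used for forwarding, or None if no route."""
    addr = ipaddress.ip_address(destination)
    matches = [(net, path) for net, path in routes if addr in net]
    # Prefix length is compared before any path attribute, so the most
    # specific covering prefix wins regardless of who announced it.
    return max(matches, key=lambda r: r[0].prefixlen, default=None)


def unexpected_more_specifics(expected, routes):
    """List (expected_prefix, more_specific, as_path) for announcements that
    sit strictly inside an expected prefix but were not expected themselves."""
    alerts = []
    for net, path in routes:
        if net in expected:
            continue
        for owned in expected:
            if net.subnet_of(owned):
                alerts.append((owned, net, path))
    return alerts


if __name__ == "__main__":
    for dest in ("104.20.90.1", "104.20.82.1"):
        net, path = longest_prefix_match(ROUTES, dest)
        print(f"{dest} -> {net} via {' '.join(path)}")
    for owned, net, path in unexpected_more_specifics(EXPECTED, ROUTES):
        print(f"ALERT: {net} is a more specific of {owned}, path {' '.join(path)}")
```

Only addresses inside the /21 follow the altered path; an address such as 104.20.82.1, covered by the /20 alone, still uses the original route.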
@thousandeyes
Cisco ThousandEyes
5 years
The result was that traffic going to any services located in this block of Internet addresses followed the altered path that included the Allegheny Technologies network.
@thousandeyes
Cisco ThousandEyes
5 years
It appears likely that DQE is the original source of the route leak that was propagated through its downstream customer Allegheny to Verizon, which accepted the leaked routes and propagated them further.
@thousandeyes
Cisco ThousandEyes
5 years
Allegheny Technologies, a metals manufacturing enterprise, is the first ASN that we see the route leak advertised from. They are customers of both DQE (a regional transit provider) and Verizon.
@thousandeyes
Cisco ThousandEyes
5 years
The scope of routes involved is consistent with a route leak from a transit provider. The presence of more specific routes to Cloudflare as part of the route leak doesn’t appear to be malicious, and may have been due to route optimization employed by DQE.
@thousandeyes
Cisco ThousandEyes
5 years
[Update] Analysis of today’s incident is now live on the blog:
@thousandeyes
Cisco ThousandEyes
5 years
Register now for a live breakdown of today's incident, as seen in the ThousandEyes platform, happening this Friday, June 28, at 9am PT. [Webinar] Outage Analysis: BGP Routing Errors Ripple Across the Internet
@sellbot
Adam Sellers
5 years
@thousandeyes @ibigfoot7 - BGP exploit 😬