Analysis of Routing Incidents in LAC

18/03/2025

By Erika Vega and Guillermo Cicileo

The continued growth of the Internet ecosystem in Latin America and the Caribbean (LAC) has increased network interconnection but has also increased the region’s exposure to routing issues that affect the stability and security of online traffic. These incidents —which can have significant consequences for both users and service providers— underscore the importance of understanding their nature, causes, and possible solutions.

A report published on the LACNIC R&D website (available only in Spanish) analyzes routing incidents recorded in the LAC region from October 2023 to October 2024. The document explores the three main categories of routing incidents worldwide: route hijacks, route leaks, and bogon announcements.

The report also examines the security protocols and practices implemented to mitigate these issues, stressing the role of initiatives such as RPKI and MANRS. It provides a detailed analysis of some of the incidents that occurred in the region during the study period, which were considered relevant due to their impact and the way they were mitigated, as well as because they are clear examples of the three types of incidents addressed in the report. It also examines the measures adopted by Internet Exchange Points (IXPs).

Number of Reported Incidents

This section presents a detailed analysis of the number of routing incidents recorded in the region of Latin America and the Caribbean between October 2023 and October 2024, comparing them with global statistics. The goal is to provide a clear and quantifiable overview of the magnitude of the problem, breaking down the data by month and by country to allow the identification of specific trends and patterns across the region.

The data used in the study was gathered from multiple reliable sources, including the specialized MANRS Observatory and reports from organizations that monitor Internet routing security and stability.

The graph above shows that, globally, routing incidents were dominated by hijacks, which averaged 568 incidents per month. These peaked at 778 in October 2023 and again at 351 in July 2024.

The total number of monthly incidents ranged from 483 to 968, with the highest peaks occurring in the early months of the study period. As the year progressed, incidents gradually declined, possibly indicating a progressive improvement in the mitigation measures implemented over time.

The Latin American and the Caribbean routing incident landscape presents unique characteristics. Although the total number of incidents per country is relatively low compared to global figures, the chart shows significant spikes during certain periods, as well as in certain countries.

Route hijacks varied widely in the LAC region, with some countries reporting zero incidents in the more stable months, while others reached peaks of up to 141. However, an analysis of aggregated data for the region as a whole shows that not a single month passed without hijacking incidents. These findings underscore the need to continue promoting the adoption of mechanisms such as origin validation, as well as workshops and training activities for operators to explain possible actions for containing them.

Route leaks were less frequent, with a maximum of two incidents recorded in a single month in Venezuela and a total of five incidents over the course of a year in Mexico. Although their frequency is low, their impact can be significant, so affected operators would benefit from stricter controls when configuring routing policies to prevent unintentional leaks.

In turn, bogons were more prevalent than route leaks, with a considerable number of cases recorded in Brazil and Colombia. Furthermore, throughout the year, incidents were detected in at least 10 other countries in the region. This highlights the importance of improving controls in the management of access lists and prefix filters to prevent the spread of unassigned IP addresses, thus strengthening routing security and stability in the region.

As noted earlier in this section, the vast majority of the data presented was taken from the MANRS Observatory. However, it was also interesting to include data processed by other organizations such as Qrator, as it allowed comparing reported figures for the three types of incidents analyzed in this document. Additionally, a detailed analysis is presented of the top five countries in LAC with the highest number of reported incidents: Brazil, Argentina, Colombia, Mexico, and Peru.

For further details, refer to the full report (available in Spanish).

Additional reading:

Trust Anchor Key (TAK): Secure Key Rotation in RPKI

TOP 5 Countries with the Highest Number of Incidents in LAC

Below is a detailed analysis of the five countries with the highest number of routing incidents recorded in the Latin America and the Caribbean region during the period analyzed by the study:

Argentina recorded a total of 122 incidents, 66% of which were route hijacks and 34% bogons. This distribution suggests vulnerabilities in IP prefix filtering, highlighting the need to implement stricter controls in routing management.

Brazil reported the highest number of incidents in the region —a total of 1,220— and consolidated its position as the country with the most routing incidents in LAC. Of these, 85% were route hijacks, which may be directly related to the country’s low RPKI adoption rates (41% for IPv4 and 40.6% for IPv6).

Colombia recorded a total of 103 incidents, with 48.5% attributed to hijacks and 51.5% to bogons. In this case, the high proportion of bogons represents a distinctive pattern among the routing incidents reported in the region, suggesting operational and structural issues in routing management and the implementation of appropriate filters.

Mexico reported a total of 46 incidents, the majority of which were route hijacks. The presence of spikes in specific months suggests anomalous or targeted events. In Mexico, 10% of incidents were route leaks, unlike the other four countries in the top 5, which did not report any of this type of incident.

Peru recorded a total of 29 incidents, with route hijackings accounting for almost 90% of reported cases. In contrast, bogon occurrences were low, and no route leaks were detected during the period analyzed. This profile suggests that, while routing incidents are relatively less frequent in Peru compared to other countries, the high proportion of hijacks highlights the need to strengthen origin validation measures.

Causes and Factors of the Most Notable Incidents

This document presents a detailed analysis of the causes and factors that contributed to the occurrence of the routing incidents selected for this report as “the most notable.” The primary goal is to identify the technical, operational, and/or human elements that triggered these events, in order to gain a deeper understanding of their origin and thus devise strategies to prevent similar incidents in the future.

These three incidents were selected as the most notable due to their relevance within the context of routing in Latin America and the Caribbean during the study period, and because they are in line with the goals of this study. Each of the selected incidents corresponds to one of the three incident categories described in the previous section, as listed below:

• Route hijacks: Represented by the 9 July 2024 incident involving AS 263238, where routes were advertised that should not have been propagated, leading to significant operational disruptions.
• Route leaks: Illustrated by the 24 May 2024 incident, where a discrepancy between AS 22381 and 262589 resulted in improper prefix propagation, affecting both local and regional networks.
• Bogons and route hijacks: Represented by the 27 June 2024 incident related to the Cloudflare DNS service outage at 1.1.1.1.

Impact of the Most Notable Incidents

These events had a significant impact on connectivity in the LAC region, both in terms of scope (they affected local, regional, and global networks) and severity (they caused critical service disruptions). Examining these cases underscores how network routing anomalies in LAC can have repercussions beyond the region, reinforcing the importance of implementing best practices. The report analyzes the three incidents listed above.

Conclusions

The analysis identified time trends, regional patterns, and variations in the frequency of routing incidents in the Latin American and the Caribbean region.

The most significant incidents analyzed in this report highlight specific challenges, such as the lack of widespread RPKI adoption and the need to improve routing agreements between operators. An evaluation of these incidents provides key lessons for mitigating future events and strengthening routing security in the region.

These incidents reflect common challenges in routing management and network operations across Latin America and the Caribbean, including the lack of route validation, configuration errors, and inconsistent policies across different autonomous systems.

Additionally, the analyzed incidents provide a framework for assessing the role of Internet Exchange Points (IXPs) in mitigating and containing incidents. Because IXPs are key nodes in network interconnection, their role in these events provides valuable insight into how they contribute —or may contribute— to the stability of the regional routing ecosystem.

To reduce the recurrence of such incidents, it is essential to continue promoting technical training for network operators with the goal of preventing configuration errors and encouraging the adoption of routing best practices.

Addressing these issues will require a joint effort among network operators, Internet Exchange Points (IXPs), and initiatives such as MANRS to implement best practices that ensure the stability and resilience of the global routing system.

Acknowledgments:

We would like to thank the Global Cyber ​​Alliance team, especially Alejandro Fernández and Andrei Robachevsky; the Qrator team, particularly Ivan Potapov and Alexander Lyamin; and the Georgia Tech team, whose contributions were vital to the development of this study.

Click here to read the full report (available in Spanish).