
What's that about a hijack?


Related, non-causal event: BGP origin hijack of 1.1.1.0/24 exposed by withdrawal of routes from Cloudflare. This was not a cause of the service failure, but an unrelated issue that was suddenly visible as that prefix was withdrawn by Cloudflare.


I'm a bit uneducated here - why was the other 1.1.1.0/24 announcement previously suppressed? Did it just express a high enough cost that no one took it on compared to the CF announcement?


CF had their route covered by RPKI, which at a high level uses certs to formalize delegation of IP address space.

What caused this specific behavior is the dilemma of backwards compatibility when it comes to BGP security. We are a long ways off from all routes being covered by RPKI (just 56% of v4 routes according to https://rpki-monitor.antd.nist.gov/ROV), so invalid routes tend to be treated as less preferred, not rejected, by BGP speakers that support RPKI.
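An added example, not part of the thread: a minimal RFC 6811-style route origin validation in Python, showing why a second origin for 1.1.1.0/24 stays hidden while the covered route is announced and is selected after the withdrawal only where invalid routes are de-preferenced instead of rejected. The ROA, both ASNs (taken from the RFC 5398 documentation range) and the `best_origin` policy helper are constructed assumptions, not data from the incident.

```python
import ipaddress

# Constructed sample data: ASNs come from the RFC 5398 documentation range.
LEGIT_AS, OTHER_AS = 64496, 64511
ROAS = [("1.1.1.0/24", 24, LEGIT_AS)]  # (prefix, maxLength, authorized origin AS)


def rov_state(prefix, origin_as, roas=ROAS):
    """Classify an announcement as 'valid', 'invalid' or 'notfound' (RFC 6811)."""
    net = ipaddress.ip_network(prefix)
    covered = False
    for roa_prefix, max_len, roa_as in roas:
        roa_net = ipaddress.ip_network(roa_prefix)
        if net.version == roa_net.version and net.subnet_of(roa_net):
            covered = True  # at least one ROA covers this prefix
            if net.prefixlen <= max_len and origin_as == roa_as:
                return "valid"
    # Covered by a ROA but no ROA matched origin and length: invalid.
    return "invalid" if covered else "notfound"


def best_origin(routes, policy):
    """Return the origin AS a router would install for one prefix, or None.

    routes: list of (prefix, origin_as), all for the same prefix.
    policy: 'reject' drops invalid routes; 'depref' keeps them at the lowest
    preference. Hypothetical helper: real BGP goes on to compare AS-path
    length and other attributes when the validation rank ties.
    """
    rank = {"valid": 2, "notfound": 1, "invalid": 0}
    candidates = [(rank[rov_state(p, a)], a) for p, a in routes]
    if policy == "reject":
        candidates = [c for c in candidates if c[0] > 0]
    return max(candidates)[1] if candidates else None


if __name__ == "__main__":
    before = [("1.1.1.0/24", LEGIT_AS), ("1.1.1.0/24", OTHER_AS)]
    after = [("1.1.1.0/24", OTHER_AS)]  # legitimate route withdrawn
    for name, routes in (("before", before), ("after", after)):
        for policy in ("depref", "reject"):
            print(name, policy, "->", best_origin(routes, policy))
```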


And because people highlighted it on social media at the time of the outage, many thought that the bogus route was the cause of the problem.


So someone just started advertising the prefix when it was up for grabs? That’s pretty funny


No, they were already doing that; the global withdrawal of the legitimate route just exposed it.


How is there absolutely no further comment about that in their RCA? That seems like a pretty major thing...



