Cogent Abuse - Bogus Propagation of ASN 36471

Pete Rohrman prohrman at stage2networks.com
Thu Jul 20 15:06:04 UTC 2023


Ben,

Compromised as in a nefarious entity went into the router and changed 
passwords and did whatever.  Everything advertised by that compromised 
router is bogus.  The compromised router is owned by OrgID: S2NL (now 
defunct).  AS 36471 belongs to KDSS-23 
<https://search.arin.net/rdap?query=KDSS-23&searchFilter=entity>. The 
compromised router does not belong to Kratos KDSS-23 
<https://search.arin.net/rdap?query=KDSS-23&searchFilter=entity>, and is 
causing routing problems.  The compromised router needs to be shut 
down.  The owner of the compromised router ceased business, and there 
isn't anyone around to address this at S2NL. The only people that can 
resolve this are Cogent.   Cogent's defunct customer's router was 
compromised, and is spewing out bogus advertisements.

Pete


--
Pete
Stage2 "Survivor Island" Bronze Medal Winner


On 7/20/23 10:40, Ben Cox wrote:
> Can you confirm what you mean by compromised here?
>
> The prefixes currently (as far as I can see from bgp.tools) originated are:
>
> Prefix            Description
> 209.255.244.0/24  Windstream Communications LLC
> 209.255.245.0/24  CONSOLIDATED TECHNOLOGIES INC 325 HUDSON
> 209.255.246.0/24  Windstream Communications LLC
> 209.255.247.0/24  CONSOLIDATED TECHNOLOGIES INC 325 HUDSON
> 216.197.80.0/20   --
>
> The 209.xx have valid RPKI certs, so they seem validish, but all have
> RADB IRR entries made by lightower.com in 2015.
>
> Do you mean that someone has impersonated AS36471 and set up a cogent
> port, and is now announcing your space? I'm confused
>
> On Thu, Jul 20, 2023 at 3:32 PM Pete Rohrman
> <prohrman at stage2networks.com>  wrote:
>> NANOG,
>>
>> A customer of Cogent has a compromised router that is announcing
>> prefixes sourced from AS 36471.   Cogent is propagating that to the
>> world.  Problem is, those prefixes and AS don't belong to that customer
>> of Cogent - AS 36471 belongs to Kratos Defense & Security Solutions,
>> Inc. (see whois).
>>
>> Requests to Cogent Support and Abuse go un-actioned.  Need a contact at
>> Cogent Abuse that can shut down that compromised router.  Anyone have a
>> good contact at Cogent Abuse Dept?
>>
>> Cogent ticket: HD302928500
>>
>> Pete
>>
>> --
>> Pete
>> Stage2 "Survivor Island" Bronze Medal Winner
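
The RPKI check mentioned in the quoted reply, as an added example that is not part of the original thread: RFC 6811 route origin validation in Python. It compares only the origin AS and prefix length against ROAs, so an announcement carrying the legitimate origin AS validates regardless of which router emits it. The ROA entries, the function names and the contrast origin AS64496 (a documentation ASN) are constructed for illustration and are not real RPKI data.

```python
import ipaddress

# Constructed ROAs: (prefix, maxLength, authorized origin AS). Not real RPKI
# data; they only mirror the thread's remark that the 209.x /24s validate.
SAMPLE_ROAS = [
    ("209.255.244.0/24", 24, 36471),
    ("209.255.245.0/24", 24, 36471),
    ("209.255.246.0/24", 24, 36471),
    ("209.255.247.0/24", 24, 36471),
]

def validate_origin(prefix, origin_as, roas=SAMPLE_ROAS):
    """Return 'valid', 'invalid' or 'not-found' for one route (RFC 6811)."""
    route = ipaddress.ip_network(prefix)
    covered = False
    for roa_prefix, max_len, roa_as in roas:
        roa_net = ipaddress.ip_network(roa_prefix)
        # A ROA covers the route if the route is equal to or inside its prefix.
        if route.version != roa_net.version or not route.subnet_of(roa_net):
            continue
        covered = True
        # AS0 in a ROA never matches any origin; length must not exceed maxLength.
        if roa_as != 0 and roa_as == origin_as and route.prefixlen <= max_len:
            return "valid"
    # Covered but no matching ROA is invalid; no covering ROA at all is not-found.
    return "invalid" if covered else "not-found"

def check_announcements(announcements, roas=SAMPLE_ROAS):
    """Map each (prefix, origin AS) pair to its validation state."""
    return {(p, a): validate_origin(p, a, roas) for p, a in announcements}

# Constructed announcements: two prefixes from the thread plus two contrast cases.
ANNOUNCEMENTS = [
    ("209.255.244.0/24", 36471),  # legitimate origin AS: valid from any router
    ("216.197.80.0/20", 36471),   # no covering ROA in the sample set
    ("209.255.244.0/24", 64496),  # wrong origin AS
    ("209.255.244.0/25", 36471),  # longer than the ROA's maxLength
]

if __name__ == "__main__":
    for (prefix, asn), state in check_announcements(ANNOUNCEMENTS).items():
        print(f"{prefix:<20} AS{asn:<6} {state}")
```

Origin validation says nothing about the path or the device behind the announcement, which is why the upstream's per-customer prefix and AS filters remain the control that matters for a case like this one.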