Cogent Abuse - Bogus Propagation of ASN 36471

Matthew Petach mpetach at netflight.com
Thu Jul 20 16:27:40 UTC 2023


On Thu, Jul 20, 2023 at 8:09 AM Pete Rohrman <prohrman at stage2networks.com>
wrote:

> Ben,
>
> Compromised as in a nefarious entity went into the router and changed
> passwords and did whatever.  Everything advertised by that compromised router
> is bogus.  The compromised router is owned by OrgID: S2NL (now defunct).
> AS 36471 belongs to KDSS-23
> <https://search.arin.net/rdap?query=KDSS-23&searchFilter=entity>.  The
> compromised router does not belong to Kratos KDSS-23
> <https://search.arin.net/rdap?query=KDSS-23&searchFilter=entity>, and is
> causing routing problems.  The compromised router needs to be shut down.
> The owner of the compromised router ceased business, and there isn't anyone
> around to address this at S2NL.  The only people who can resolve this are
> Cogent.   Cogent's defunct customer's router was compromised, and is
> spewing out bogus advertisements.
>
> Pete
>


Hi Pete,

This seems a bit confusing.

So, S2NL was a bill-paying customer of Cogent with a BGP speaking router.
They went out of business, and stopped paying their Cogent bills.
Cogent, out of the goodness of their hearts, continued to let a non-paying
customer keep their connectivity up and active, and continued to freely
import prefixes across BGP neighbors from this non-paying defunct customer.
Now, someone else has gained access to this non-paying, defunct customer's
router (which Cogent is still providing free connectivity to, out of the
goodness of their hearts), and is generating RPKI-valid announcements from
it, which have somehow not caused a flurry of messages on the outages list
about prefix hijackings.

The elements to your claim don't really seem to add up.
1) ISPs aren't famous for letting non-bill-paying customers stay connected
for very long past the grace period on their billing cycle, let alone long
after the company has gone belly-up.
2) It's not impossible to generate RPKI-valid announcements from a hijacked
network, but it's very difficult to generate *bogus* RPKI-valid
announcements from a compromised router--that's the whole point of RPKI, to
be able to validate that the prefixes being announced from an origin are
indeed the ones that are owned by that origin.

Can you provide specific prefix and AS_PATH combinations being originated
by that router that are "bogus" and don't belong to the router's ASN?

If, however, what you meant is that the router used to be ASN XXXXX, and is
now suddenly showing up as ASN 36471, and Cogent happily changed their BGP
neighbor statements to match the new ASN, even though the entity no longer
exists and hasn't been paying their bills for some time, then that would
imply a level of complicity on Cogent's part that would make them unlikely
to respond to your abuse reports.  That would be a very strong allegation
to make, and the necessary level of documented proof of that level of
malfeasance would be substantial.

In short--I'm having a hard time understanding how a non-paying entity
still has working connectivity and BGP sessions, which makes me suspect
there's a different side to this story we're not hearing yet.   ^_^;

Thanks!

Matt
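To make the RPKI point in the reply concrete, here is an added example (written for this page, not code from the thread, from Cogent or from any RPKI validator) of RFC 6811 route origin validation run over a constructed ROA set. The prefixes come from the RFC 5737/RFC 3849 documentation ranges, AS 64496, 64497 and 64500 are documentation ASNs standing in for unrelated networks and the upstream, and the ROA contents are assumptions; the only value taken from the thread is AS 36471. The point it shows is the one Matt makes: a prefix whose ROA names AS 36471 stays RPKI-valid no matter who controls the router announcing it, so RPKI alone will not flag that case, while any prefix whose ROA names a different origin (or whose length exceeds the ROA's maxLength) validates as invalid, which is what a list of specific prefix/AS_PATH pairs would make visible.

```python
# Added example (not from the NANOG thread): RFC 6811 route origin validation
# over a constructed ROA set. ROAs, prefixes (RFC 5737/RFC 3849 documentation
# space) and the ASNs 64496/64497/64500 are constructed for illustration;
# AS 36471 is the ASN discussed in the thread.
from __future__ import annotations

import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class ROA:
    """A Route Origin Authorization as published in the RPKI."""
    prefix: str
    max_length: int
    origin_asn: int


@dataclass(frozen=True)
class Announcement:
    """A BGP route: prefix plus AS_PATH; the right-most element is the origin.
    An origin of None models an AS_SET origin, which RFC 6811 calls 'NONE'
    and which can never match a ROA."""
    prefix: str
    as_path: tuple[int | None, ...]

    @property
    def origin(self) -> int | None:
        return self.as_path[-1]


def validate(ann: Announcement, roas: list[ROA]) -> str:
    """Return 'valid', 'invalid' or 'not-found' per RFC 6811 section 2.

    A route is covered when at least one ROA's prefix contains it. It is
    valid when some covering ROA names the route's origin ASN and the route's
    prefix length does not exceed that ROA's maxLength. Covered but never
    matched is invalid; not covered at all is not-found (no ROA exists).
    """
    net = ipaddress.ip_network(ann.prefix)
    covered = False
    for roa in roas:
        roa_net = ipaddress.ip_network(roa.prefix)
        # subnet_of() only accepts networks of the same address family
        if roa_net.version != net.version or not net.subnet_of(roa_net):
            continue
        covered = True
        if ann.origin == roa.origin_asn and net.prefixlen <= roa.max_length:
            return "valid"
    return "invalid" if covered else "not-found"


def invalid_routes(anns: list[Announcement], roas: list[ROA]) -> list[Announcement]:
    """Detection helper: routes that a ROA covers but that no ROA authorizes."""
    return [a for a in anns if validate(a, roas) == "invalid"]


# Constructed ROA set: pretend 192.0.2.0/24 really is authorized to AS 36471,
# while the other two prefixes belong to unrelated documentation ASNs.
SAMPLE_ROAS = [
    ROA("192.0.2.0/24", 24, 36471),
    ROA("198.51.100.0/24", 24, 64496),
    ROA("203.0.113.0/24", 25, 64497),
]

# Constructed announcements as seen from a hypothetical upstream AS 64500.
SAMPLE_ROUTES = [
    Announcement("192.0.2.0/24", (64500, 36471)),     # authorized origin -> valid
    Announcement("198.51.100.0/24", (64500, 36471)),  # ROA names 64496 -> invalid
    Announcement("203.0.113.0/25", (64500, 64497)),   # within maxLength -> valid
    Announcement("203.0.113.0/26", (64500, 64497)),   # exceeds maxLength -> invalid
    Announcement("2001:db8::/32", (64500, 36471)),    # no ROA at all -> not-found
    Announcement("198.51.100.0/24", (64500, None)),   # AS_SET origin -> invalid
]


if __name__ == "__main__":
    for ann in SAMPLE_ROUTES:
        print(f"{ann.prefix:18} origin={ann.origin!s:6} -> {validate(ann, SAMPLE_ROAS)}")
    bad = invalid_routes(SAMPLE_ROUTES, SAMPLE_ROAS)
    print("invalid with origin AS 36471:", [a.prefix for a in bad if a.origin == 36471])
```

The first route is the case Matt describes: whoever holds the router, an announcement of a prefix whose ROA names AS 36471 is valid, so "bogus but RPKI-valid" only arises where the ROA itself authorizes that origin. The second route is what an actual hijack of someone else's prefix would look like in a validator, and the not-found case is a reminder that prefixes without any ROA get no protection from origin validation at all.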
