Cogent Abuse - Bogus Propagation of ASN 36471

Tom Beecher beecher at beecher.cc
Thu Jul 20 16:38:50 UTC 2023


>
> In short--I'm having a hard time understanding how a non-paying entity
> still has working connectivity and BGP sessions, which makes me suspect
> there's a different side to this story we're not hearing yet.   ^_^;
>

I know Cogent has long offered very cheap transit prices, but this seems
very aggressive! :)

On Thu, Jul 20, 2023 at 12:28 PM Matthew Petach <mpetach at netflight.com>
wrote:

>
>
> On Thu, Jul 20, 2023 at 8:09 AM Pete Rohrman <prohrman at stage2networks.com>
> wrote:
>
>> Ben,
>>
>> Compromised as in a nefarious entity went into the router and changed
>> passwords and did whatever.  Everything advertised by that compromised router
>> is bogus.  The compromised router is owned by OrgID: S2NL (now defunct).
>> AS 36471 belongs to KDSS-23
>> <https://search.arin.net/rdap?query=KDSS-23&searchFilter=entity>.  The
>> compromised router does not belong to Kratos KDSS-23
>> <https://search.arin.net/rdap?query=KDSS-23&searchFilter=entity>, and is
>> causing routing problems.  The compromised router needs to be shut down.
>> The owner of the compromised router ceased business, and there isn't anyone
>> around to address this at S2NL.  The only people that can resolve this is
>> Cogent.   Cogent's defunct customer's router was compromised, and is
>> spewing out bogus advertisements.
>>
>> Pete
>>
>
>
> Hi Pete,
>
> This seems a bit confusing.
>
> So, S2NL was a bill-paying customer of Cogent with a BGP speaking router.
> They went out of business, and stopped paying their Cogent bills.
> Cogent, out of the goodness of their hearts, continued to let a non-paying
> customer keep their connectivity up and active, and continued to freely
> import prefixes across BGP neighbors from this non-paying defunct customer.
> Now, someone else has gained access to this non-paying, defunct customer's
> router (which Cogent is still providing free connectivity to, out of the
> goodness of their hearts), and is generating RPKI-valid announcements from
> it, which have somehow not caused a flurry of messages on the outages list
> about prefix hijackings.
>
> The elements to your claim don't really seem to add up.
> 1) ISPs aren't famous for letting non-bill-paying customers stay connected
> for very long past the grace period on their billing cycle, let alone long
> after the company has gone belly-up.
> 2) It's not impossible to generate RPKI-valid announcements from a
> hijacked network, but it's very difficult to generate *bogus* RPKI-valid
> announcements from a compromised router--that's the whole point of RPKI, to
> be able to validate that the prefixes being announced from an origin are
> indeed the ones that are owned by that origin.
>
> Can you provide specific prefix and AS_PATH combinations being originated
> by that router that are "bogus" and don't belong to the router's ASN?
>
> If, however, what you meant is that the router used to be ASN XXXXX, and
> is now suddenly showing up as ASN 36471, and Cogent happily changed their
> BGP neighbor statements to match the new ASN, even though the entity no
> longer exists and hasn't been paying their bills for some time, then that
> would imply a level of complicity on Cogent's part that would make them
> unlikely to respond to your abuse reports.  That would be a very strong
> allegation to make, and the necessary level of documented proof of that
> level of malfeasance would be substantial.
>
> In short--I'm having a hard time understanding how a non-paying entity
> still has working connectivity and BGP sessions, which makes me suspect
> there's a different side to this story we're not hearing yet.   ^_^;
>
> Thanks!
>
> Matt
>
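
As an added illustration of the route origin validation point in Matt's reply (this is not code from the thread or from any party in it), the following Python implements the RFC 6811 Valid/Invalid/NotFound decision over constructed ROAs and announcements. The prefixes and ASNs are documentation values (RFC 5737 and RFC 5398), not statements about AS 36471 or any real ROA.

```python
# Added example (not from the thread): RFC 6811 route origin validation over
# constructed ROAs, showing what a compromised origin can and cannot get past ROV.
import ipaddress
from dataclasses import dataclass
from typing import Iterable, List, Tuple

@dataclass(frozen=True)
class ROA:
    prefix: str        # covered address block, e.g. "192.0.2.0/24"
    max_length: int    # longest prefix length this ROA authorizes
    origin_asn: int    # AS allowed to originate the covered space

def rov_state(announced_prefix: str, origin_asn: int, roas: Iterable[ROA]) -> str:
    """Return "Valid", "Invalid" or "NotFound" for one (prefix, origin) pair."""
    ann = ipaddress.ip_network(announced_prefix, strict=False)
    covering = []
    for roa in roas:
        net = ipaddress.ip_network(roa.prefix, strict=False)
        # Covered only if same address family and the announced prefix lies inside the ROA.
        if net.version == ann.version and ann.subnet_of(net):
            covering.append(roa)
    if not covering:
        return "NotFound"  # no ROA speaks to this address space
    # One covering ROA matching both origin and maxLength is enough for Valid.
    for roa in covering:
        if roa.origin_asn == origin_asn and ann.prefixlen <= roa.max_length:
            return "Valid"
    return "Invalid"  # covered, but wrong origin or more specific than allowed

# Constructed sample ROAs using documentation prefixes and ASNs (RFC 5737 / RFC 5398).
SAMPLE_ROAS = [
    ROA("192.0.2.0/24", 24, 64496),
    ROA("198.51.100.0/24", 26, 64496),
]

def classify(announcements: Iterable[Tuple[str, int]], roas: List[ROA]) -> List[Tuple[str, int, str]]:
    """Run ROV over (prefix, origin_asn) pairs, as a router does on received routes."""
    return [(p, asn, rov_state(p, asn, roas)) for p, asn in announcements]

if __name__ == "__main__":
    # Constructed announcements: legitimate AS64496 versus a compromised router as AS64511.
    seen = [
        ("192.0.2.0/24", 64496),      # legitimate
        ("192.0.2.0/24", 64511),      # hijack of a ROA-covered prefix
        ("198.51.100.64/26", 64496),  # within maxLength
        ("198.51.100.0/27", 64496),   # more specific than maxLength permits
        ("203.0.113.0/24", 64511),    # no ROA at all: ROV says NotFound, not Invalid
    ]
    for prefix, asn, state in classify(seen, SAMPLE_ROAS):
        print(f"{prefix:20} AS{asn}: {state}")
```

The last case is the nuance in Matt's message: ROV only rejects what a ROA covers, so an announcement for space with no ROA passes as NotFound and has to be caught by other means.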