RESOLVED: Cogent Abuse - Bogus Propagation of ASN 36471
Pete Rohrman
prohrman at stage2networks.com
Thu Jul 20 17:04:09 UTC 2023
All,
Cogent has shut down the compromised router. This issue is resolved.
Thank you all for your help.
Pete
Stage2 "Survivor Island" Bronze Medal Winner
On 7/20/23 12:59, Mike Hammett wrote:
> If they (or anyone else) want to give me free service to use as I see
> fit (well, legally), I'll gladly accept their offer.
>
>
>
> -----
> Mike Hammett
> Intelligent Computing Solutions
> http://www.ics-il.com
>
> Midwest-IX
> http://www.midwest-ix.com
>
> ------------------------------------------------------------------------
> *From: *"Tom Beecher" <beecher at beecher.cc>
> *To: *"Matthew Petach" <mpetach at netflight.com>
> *Cc: *nanog at nanog.org
> *Sent: *Thursday, July 20, 2023 11:38:50 AM
> *Subject: *Re: Cogent Abuse - Bogus Propagation of ASN 36471
>
> In short--I'm having a hard time understanding how a non-paying
> entity still has working connectivity and BGP sessions, which
> makes me suspect there's a different side to this story we're not
> hearing yet. ^_^;
>
>
> I know Cogent has long offered very cheap transit prices, but this
> seems very aggressive! :)
>
> On Thu, Jul 20, 2023 at 12:28 PM Matthew Petach
> <mpetach at netflight.com> wrote:
>
>
>
> On Thu, Jul 20, 2023 at 8:09 AM Pete Rohrman
> <prohrman at stage2networks.com> wrote:
>
> Ben,
>
> Compromised as in a nefarious entity went into the router and
> changed passwords and did whatever. Everything advertised by
> that compromised router is bogus. The compromised router is
> owned by OrgID: S2NL (now defunct). AS 36471 belongs to
> KDSS-23
> <https://search.arin.net/rdap?query=KDSS-23&searchFilter=entity>.
> The compromised router does not belong to Kratos KDSS-23
> <https://search.arin.net/rdap?query=KDSS-23&searchFilter=entity>,
> and is causing routing problems. The compromised router needs
> to be shut down. The owner of the compromised router ceased
> business, and there isn't anyone around to address this at
> S2NL. The only people that can resolve this are Cogent.
> Cogent's defunct customer's router was compromised, and is
> spewing out bogus advertisements.
>
> Pete
>
>
>
> Hi Pete,
>
> This seems a bit confusing.
>
> So, S2NL was a bill-paying customer of Cogent with a BGP speaking
> router.
> They went out of business, and stopped paying their Cogent bills.
> Cogent, out of the goodness of their hearts, continued to let a
> non-paying customer keep their connectivity up and active, and
> continued to freely import prefixes across BGP neighbors from this
> non-paying defunct customer.
> Now, someone else has gained access to this non-paying, defunct
> customer's router (which Cogent is still providing free
> connectivity to, out of the goodness of their hearts), and is
> generating RPKI-valid announcements from it, which have somehow
> not caused a flurry of messages on the outages list about prefix
> hijackings.
>
> The elements to your claim don't really seem to add up.
> 1) ISPs aren't famous for letting non-bill-paying customers stay
> connected for very long past the grace period on their billing
> cycle, let alone long after the company has gone belly-up.
> 2) It's not impossible to generate RPKI-valid announcements from a
> hijacked network, but it's very difficult to generate *bogus*
> RPKI-valid announcements from a compromised router--that's the
> whole point of RPKI, to be able to validate that the prefixes
> being announced from an origin are indeed the ones that are owned
> by that origin.
>
> Can you provide specific prefix and AS_PATH combinations being
> originated by that router that are "bogus" and don't belong to the
> router's ASN?
>
> If, however, what you meant is that the router used to be ASN
> XXXXX, and is now suddenly showing up as ASN 36471, and Cogent
> happily changed their BGP neighbor statements to match the new
> ASN, even though the entity no longer exists and hasn't been
> paying their bills for some time, then that would imply a level of
> complicity on Cogent's part that would make them unlikely to
> respond to your abuse reports. That would be a very strong
> allegation to make, and the necessary level of documented proof of
> that level of malfeasance would be substantial.
>
> In short--I'm having a hard time understanding how a non-paying
> entity still has working connectivity and BGP sessions, which
> makes me suspect there's a different side to this story we're not
> hearing yet. ^_^;
>
> Thanks!
>
> Matt
>
>
>
>
>
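Matt's second point above is the route origin validation (ROV) check that RPKI enables: a validator compares each announced prefix and its origin AS against the published ROAs and marks the route Valid, Invalid, or NotFound. As an added example that is not part of any message in this thread, the following Python implements that check with the RFC 6811 semantics (covering ROA, maxLength, AS 0) and applies it to a hypothetical BGP feed. Every ROA, prefix and AS number here is constructed from documentation ranges; none of it reflects real ROAs or anything observed from AS 36471.

```python
"""Route Origin Validation (RFC 6811) over a constructed ROA set and feed.

All prefixes are RFC 5737 / RFC 3849 / RFC 2544 documentation space and all
AS numbers are RFC 5398 documentation ASNs; this is illustrative data only.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Roa:
    prefix: str       # covered prefix, e.g. "192.0.2.0/24"
    max_length: int   # longest prefix length this ROA authorises
    asn: int          # authorised origin AS; 0 means nobody may originate


# Constructed ROA set (hypothetical, not fetched from any RPKI repository).
ROAS = [
    Roa("192.0.2.0/24", 24, 64500),      # only AS 64500, no more-specifics
    Roa("198.51.100.0/22", 24, 64501),   # AS 64501 may announce /22 .. /24
    Roa("203.0.113.0/24", 24, 0),        # AS 0 ROA: no origin is valid
    Roa("2001:db8::/32", 48, 64500),     # IPv6, more-specifics down to /48
]


def covers(roa: Roa, route: str) -> bool:
    """A ROA covers a route when the route lies inside the ROA prefix."""
    roa_net = ipaddress.ip_network(roa.prefix)
    route_net = ipaddress.ip_network(route)
    # subnet_of() raises on mixed address families, so compare versions first.
    return roa_net.version == route_net.version and route_net.subnet_of(roa_net)


def validate_origin(route: str, origin_asn: int, roas=ROAS) -> str:
    """Return "Valid", "Invalid" or "NotFound" per RFC 6811 section 2."""
    covering = [r for r in roas if covers(r, route)]
    if not covering:
        return "NotFound"          # no ROA says anything about this space
    plen = ipaddress.ip_network(route).prefixlen
    for r in covering:
        # A match needs the right origin AS, a non-zero AS, and a prefix no
        # longer than maxLength. AS 0 ROAs can therefore only make routes Invalid.
        if r.asn != 0 and r.asn == origin_asn and plen <= r.max_length:
            return "Valid"
    return "Invalid"               # covered, but no ROA authorises this origin


def origin_of(as_path) -> int:
    """The origin AS is the last element of the AS_PATH (prepends included)."""
    return as_path[-1]


# Hypothetical feed: (prefix, AS_PATH) pairs as a router might receive them.
ANNOUNCEMENTS = [
    ("192.0.2.0/24", [64496, 64500]),             # legitimate origin
    ("192.0.2.0/24", [64496, 64511]),             # same prefix, wrong origin
    ("192.0.2.0/25", [64496, 64500]),             # right AS, exceeds maxLength
    ("198.51.100.0/24", [64496, 64501, 64501]),   # prepended path, valid origin
    ("203.0.113.0/24", [64496, 64500]),           # prefix protected by AS 0 ROA
    ("198.18.0.0/15", [64496, 64502]),            # no covering ROA at all
]


def filter_announcements(announcements, roas=ROAS):
    """Split a feed into accepted and rejected routes using a drop-Invalid policy.

    NotFound routes are accepted, the common operator policy, since most of the
    table still has no ROA; only routes contradicted by a ROA are dropped.
    """
    accepted, rejected = [], []
    for prefix, as_path in announcements:
        state = validate_origin(prefix, origin_of(as_path), roas)
        entry = (prefix, tuple(as_path), state)
        (rejected if state == "Invalid" else accepted).append(entry)
    return accepted, rejected


if __name__ == "__main__":
    acc, rej = filter_announcements(ANNOUNCEMENTS)
    for prefix, path, state in acc + rej:
        print(f"{state:8s} {prefix:18s} AS_PATH {' '.join(map(str, path))}")
```

The scenario in the thread maps onto the second feed entry: a router that announces a prefix from an origin AS the ROA does not name produces an RPKI-Invalid route, which any neighbour running ROV with a drop-Invalid policy discards. A compromised router that keeps announcing the prefixes its ROA actually authorises, by contrast, produces Valid routes, which is why RPKI alone does not detect that case; that has to come from the transit provider's session and customer records.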