RESOLVED: Cogent Abuse - Bogus Propagation of ASN 36471

Pete Rohrman prohrman at stage2networks.com
Thu Jul 20 17:04:09 UTC 2023


All,


Cogent has shut down the compromised router.  This issue is resolved.  
Thank you all for your help.



Pete
Stage2 "Survivor Island" Bronze Medal Winner



On 7/20/23 12:59, Mike Hammett wrote:
> If they (or anyone else) want to give me free service to use as I see 
> fit (well, legally), I'll gladly accept their offer.
>
>
>
> -----
> Mike Hammett
> Intelligent Computing Solutions
> http://www.ics-il.com
>
> Midwest-IX
> http://www.midwest-ix.com
>
> ------------------------------------------------------------------------
> *From: *"Tom Beecher" <beecher at beecher.cc>
> *To: *"Matthew Petach" <mpetach at netflight.com>
> *Cc: *nanog at nanog.org
> *Sent: *Thursday, July 20, 2023 11:38:50 AM
> *Subject: *Re: Cogent Abuse - Bogus Propagation of ASN 36471
>
>     In short--I'm having a hard time understanding how a non-paying
>     entity still has working connectivity and BGP sessions, which
>     makes me suspect there's a different side to this story we're not
>     hearing yet.   ^_^;
>
>
> I know Cogent has long offered very cheap transit prices, but this 
> seems very aggressive! :)
>
> On Thu, Jul 20, 2023 at 12:28 PM Matthew Petach 
> <mpetach at netflight.com> wrote:
>
>
>
>     On Thu, Jul 20, 2023 at 8:09 AM Pete Rohrman
>     <prohrman at stage2networks.com> wrote:
>
>         Ben,
>
>         Compromised as in a nefarious entity went into the router and
>         changed passwords and did whatever.  Everything advertised by
>         that compromised router is bogus.  The compromised router is
>         owned by OrgID: S2NL (now defunct). AS 36471 belongs to
>         KDSS-23
>         <https://search.arin.net/rdap?query=KDSS-23&searchFilter=entity>.
>         The compromised router does not belong to Kratos KDSS-23
>         <https://search.arin.net/rdap?query=KDSS-23&searchFilter=entity>,
>         and is causing routing problems.  The compromised router needs
>         to be shut down.  The owner of the compromised router ceased
>         business, and there isn't anyone around to address this at
>         S2NL.  The only people who can resolve this are Cogent.
>         Cogent's defunct customer's router was compromised, and is
>         spewing out bogus advertisements.
>
>         Pete
>
>
>
>     Hi Pete,
>
>     This seems a bit confusing.
>
>     So, S2NL was a bill-paying customer of Cogent with a BGP-speaking
>     router.
>     They went out of business, and stopped paying their Cogent bills.
>     Cogent, out of the goodness of their hearts, continued to let a
>     non-paying customer keep their connectivity up and active, and
>     continued to freely import prefixes across BGP neighbors from this
>     non-paying defunct customer.
>     Now, someone else has gained access to this non-paying, defunct
>     customer's router (which Cogent is still providing free
>     connectivity to, out of the goodness of their hearts), and is
>     generating RPKI-valid announcements from it, which have somehow
>     not caused a flurry of messages on the outages list about prefix
>     hijackings.
>
>     The elements to your claim don't really seem to add up.
>     1) ISPs aren't famous for letting non-bill-paying customers stay
>     connected for very long past the grace period on their billing
>     cycle, let alone long after the company has gone belly-up.
>     2) It's not impossible to generate RPKI-valid announcements from a
>     hijacked network, but it's very difficult to generate *bogus*
>     RPKI-valid announcements from a compromised router--that's the
>     whole point of RPKI, to be able to validate that the prefixes
>     being announced from an origin are indeed the ones that are owned
>     by that origin.
>
>     Can you provide specific prefix and AS_PATH combinations being
>     originated by that router that are "bogus" and don't belong to the
>     router's ASN?
>
>     If, however, what you meant is that the router used to be ASN
>     XXXXX, and is now suddenly showing up as ASN 36471, and Cogent
>     happily changed their BGP neighbor statements to match the new
>     ASN, even though the entity no longer exists and hasn't been
>     paying their bills for some time, then that would imply a level of
>     complicity on Cogent's part that would make them unlikely to
>     respond to your abuse reports.  That would be a very strong
>     allegation to make, and the necessary level of documented proof of
>     that level of malfeasance would be substantial.
>
>     In short--I'm having a hard time understanding how a non-paying
>     entity still has working connectivity and BGP sessions, which
>     makes me suspect there's a different side to this story we're not
>     hearing yet.   ^_^;
>
>     Thanks!
>
>     Matt
>
>
>
>
>
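Matt's point about what RPKI can and cannot catch is easy to check against the actual validation rule. Route Origin Validation (RFC 6811) compares each announced prefix and its origin AS against the covering ROAs: a route is Valid if some covering ROA names that origin AS and the announced prefix length is within the ROA's maxLength, Invalid if ROAs cover the prefix but none matches, and NotFound if no ROA covers it at all. That rule says nothing about which router inside the origin AS spoke the route, which is exactly why a compromised router in an AS with proper ROAs can emit RPKI-valid announcements, while any attempt to originate someone else's space, or a more-specific beyond maxLength, comes out Invalid. The script below is an added example written for this page, not code from the thread or from any operator mentioned in it; the ROAs and announcements are constructed from RFC 5737 documentation prefixes and RFC 5398 documentation ASNs and do not describe AS 36471 or any real route.

```python
"""
Route Origin Validation (RFC 6811) over a constructed ROA set.

Added example for this page; not code from the NANOG thread or from any
network operator named in it. ROAs and announcements are constructed from
documentation prefixes (RFC 5737 / RFC 3849) and documentation ASNs
(RFC 5398) and describe no real route.
"""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class ROA:
    prefix: ipaddress.IPv4Network | ipaddress.IPv6Network
    max_length: int
    asn: int


def parse_roa(prefix: str, max_length: int, asn: int) -> ROA:
    """Build a ROA, rejecting a maxLength outside [prefixlen, 32|128]."""
    net = ipaddress.ip_network(prefix, strict=True)
    if not net.prefixlen <= max_length <= net.max_prefixlen:
        raise ValueError(f"maxLength {max_length} out of range for {net}")
    return ROA(net, max_length, asn)


def rov_state(prefix: str, origin_asn: int, roas: list[ROA]) -> str:
    """Return 'valid', 'invalid' or 'notfound' per RFC 6811 section 2.

    Only the announced prefix, its length and the origin AS are examined;
    the AS_PATH beyond the origin and the speaking router play no part.
    """
    route = ipaddress.ip_network(prefix, strict=True)
    # Covering ROAs: same address family and ROA prefix contains the route.
    covering = [
        r for r in roas
        if r.prefix.version == route.version and route.subnet_of(r.prefix)
    ]
    if not covering:
        return "notfound"
    for r in covering:
        # An AS 0 ROA (RFC 7607) never matches a real origin, so covered
        # routes become invalid; nothing special is needed for that case.
        if r.asn == origin_asn and route.prefixlen <= r.max_length:
            return "valid"
    return "invalid"


# Constructed ROA set (not real RPKI data).
ROAS = [
    parse_roa("192.0.2.0/24", 24, 64496),     # AS64496 may originate exactly the /24
    parse_roa("198.51.100.0/24", 25, 64496),  # AS64496 may originate the /24 or any /25
    parse_roa("203.0.113.0/24", 24, 0),       # AS 0 ROA: nobody may originate this
]

# Constructed announcements as (prefix, origin ASN); the first one is what a
# compromised router inside AS64496 would produce, and ROV accepts it.
ANNOUNCEMENTS = [
    ("192.0.2.0/24", 64496),       # legitimate origin (or a rogue box in that AS): valid
    ("192.0.2.0/24", 64497),       # origin hijack from another AS: invalid
    ("192.0.2.128/25", 64496),     # more specific than maxLength: invalid
    ("198.51.100.128/25", 64496),  # within maxLength: valid
    ("203.0.113.0/24", 64496),     # covered only by an AS 0 ROA: invalid
    ("2001:db8::/32", 64496),      # no covering ROA at all: notfound
]


def validate_all(announcements, roas=ROAS) -> dict[tuple[str, int], str]:
    """Classify every (prefix, origin) pair against the ROA set."""
    return {(p, a): rov_state(p, a, roas) for p, a in announcements}


if __name__ == "__main__":
    for (p, a), state in validate_all(ANNOUNCEMENTS).items():
        print(f"{p:20} AS{a:<6} {state}")
```

The first and second announcements share a prefix and differ only in origin AS, which is the whole of what ROV can see: it will flag the hijack from AS64497 but cannot tell a legitimate AS64496 router from a compromised one, so "RPKI-valid" and "legitimately originated" are not the same statement. Dropping Invalid routes, as most transit operators now do, is what makes the prefix/AS_PATH combinations Matt asks for the useful evidence in a case like this.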