Cogent Abuse - Bogus Propagation of ASN 36471
Pete Rohrman
prohrman at stage2networks.com
Thu Jul 20 20:45:38 UTC 2023
Martin,
It's my former employer's router. It's more like a 4 hour day to get
in/out of the city even though I'm only 20 miles from the PoP. Top that
off with a $90 parking bill. Nobody is paying me to do that work.
There are no more employees left in the company.
Pete
Stage2 "Survivor Island" Bronze Medal Winner
On 7/20/23 14:02, Martin Hannigan wrote:
>
> Pete, if all the data I see ties together like it looks aren't you
> able to take the 15m taxi ride to 60 Hudson and recover the router or
> shut it off? It's your router. Right?
>
>
> On Thu, Jul 20, 2023 at 11:10 AM Pete Rohrman
> <prohrman at stage2networks.com> wrote:
>
> Ben,
>
> Compromised as in a nefarious entity went into the router and
> changed passwords and did whatever. Everything advertised by that
> compromised router is bogus. The compromised router is owned by
> OrgID: S2NL (now defunct). AS 36471 belongs to KDSS-23
> <https://search.arin.net/rdap?query=KDSS-23&searchFilter=entity>.
> The compromised router does not belong to Kratos KDSS-23
> <https://search.arin.net/rdap?query=KDSS-23&searchFilter=entity>,
> and is causing routing problems. The compromised router needs to
> be shut down. The owner of the compromised router ceased
> business, and there isn't anyone around to address this at S2NL.
> The only people who can resolve this are Cogent. Cogent's
> defunct customer's router was compromised, and is spewing out
> bogus advertisements.
>
> Pete
>
> --
> Pete
> Stage2 "Survivor Island" Bronze Medal Winner
>
>
> On 7/20/23 10:40, Ben Cox wrote:
>> Can you confirm what you mean by compromised here?
>>
>> The prefixes currently (as far as I can see from bgp.tools) originated are:
>>
>> Prefix            Description
>> 209.255.244.0/24  Windstream Communications LLC
>> 209.255.245.0/24  CONSOLIDATED TECHNOLOGIES INC 325 HUDSON
>> 209.255.246.0/24  Windstream Communications LLC
>> 209.255.247.0/24  CONSOLIDATED TECHNOLOGIES INC 325 HUDSON
>> 216.197.80.0/20   --
>>
>> The 209.xx have valid RPKI certs, so they seem validish, but all have
>> RADB IRR entries made by lightower.com in 2015.
>>
>> Do you mean that someone has impersonated AS36471 and set up a cogent
>> port, and is now announcing your space? I'm confused
>>
>> On Thu, Jul 20, 2023 at 3:32 PM Pete Rohrman
>> <prohrman at stage2networks.com> wrote:
>>> NANOG,
>>>
>>> A customer of Cogent has a compromised router that is announcing
>>> prefixes sourced from AS 36471. Cogent is propagating that to the
>>> world. Problem is, those prefixes and AS don't belong to that customer
>>> of Cogent - AS 36471 belongs to Kratos Defense & Security Solutions,
>>> Inc. (see whois).
>>>
>>> Requests to Cogent Support and Abuse go un-actioned. Need a contact at
>>> Cogent Abuse that can shut down that compromised router. Anyone have a
>>> good contact at Cogent Abuse Dept?
>>>
>>> Cogent ticket: HD302928500
>>>
>>> Pete
>>>
>>> --
>>> Pete
>>> Stage2 "Survivor Island" Bronze Medal Winner
>
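Ben's remark that the 209.255.244.0/22 announcements are RPKI "validish" is worth making concrete, because it is the core of why an origin-AS hijack from a compromised customer router is hard to catch with RPKI alone. The following is an added example, not code from the thread, from bgp.tools, or from any validator: it implements Route Origin Validation as specified in RFC 6811 over a VRP (Validated ROA Payload) set. The VRP set is constructed for illustration only, and the assumption that a ROA for 209.255.244.0/22 with maxLength 24 and origin AS 36471 exists is mine; real VRPs come from a validator such as Routinator or rpki-client, and the thread says nothing about a ROA for 216.197.80.0/20, so that prefix is left uncovered here.

```python
"""Route Origin Validation (RFC 6811) against a constructed VRP set.

Added example for the NANOG thread above. The VRPs below are CONSTRUCTED
(an assumption for illustration), not real RPKI data.
"""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class VRP:
    """Validated ROA Payload: covering prefix, maxLength and authorised origin ASN."""
    prefix: ipaddress.IPv4Network | ipaddress.IPv6Network
    max_length: int
    asn: int


def vrp(prefix: str, asn: int, max_length: int | None = None) -> VRP:
    """Build a VRP; maxLength defaults to the prefix length, as in a ROA without one."""
    net = ipaddress.ip_network(prefix)
    return VRP(net, net.prefixlen if max_length is None else max_length, asn)


# CONSTRUCTED VRP set (assumption): one ROA covering the four 209.255.24x.0/24s
# listed in the thread, permitting AS 36471 to originate down to /24.
CONSTRUCTED_VRPS = [vrp("209.255.244.0/22", 36471, max_length=24)]


def rov(prefix: str, origin_asn: int, vrps: list[VRP]) -> str:
    """Return the RFC 6811 validation state of one route: Valid, Invalid or NotFound.

    A VRP "covers" the route when its prefix contains the route's prefix.
    The route "matches" a covering VRP when the origin ASN is equal and the
    route's length does not exceed maxLength. Any match -> Valid; covering
    VRPs but no match -> Invalid; no covering VRP at all -> NotFound.
    """
    route = ipaddress.ip_network(prefix, strict=False)
    covering = [
        v for v in vrps
        if v.prefix.version == route.version and route.subnet_of(v.prefix)
    ]
    if not covering:
        return "NotFound"
    if any(v.asn == origin_asn and route.prefixlen <= v.max_length for v in covering):
        return "Valid"
    return "Invalid"


# The five prefixes Ben listed from bgp.tools, all originated by AS 36471.
ANNOUNCEMENTS = [
    ("209.255.244.0/24", 36471),
    ("209.255.245.0/24", 36471),
    ("209.255.246.0/24", 36471),
    ("209.255.247.0/24", 36471),
    ("216.197.80.0/20", 36471),
]


def validate_announcements(announcements=ANNOUNCEMENTS, vrps=CONSTRUCTED_VRPS) -> dict[str, str]:
    """Run ROV over a list of (prefix, origin ASN) pairs and return prefix -> state."""
    return {prefix: rov(prefix, asn, vrps) for prefix, asn in announcements}


if __name__ == "__main__":
    for prefix, state in validate_announcements().items():
        print(f"{prefix:18} origin AS36471  {state}")
```

Under this constructed VRP set the four /24s come back Valid and 216.197.80.0/20 comes back NotFound, which is the "validish" picture. The practitioner's caveat is in what ROV does not look at: it checks only the origin ASN in the AS_PATH against the ROA, never who actually injected the route. A compromised router that originates with AS 36471 in the path is indistinguishable, to ROV, from Kratos originating the same prefixes, so RPKI-valid here does not mean legitimate. Telling the two apart needs something outside RPKI, such as which upstream and which port the announcement enters on, which is why the thread ends up needing Cogent, not a validator, to act.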