Cogent Abuse - Bogus Propagation of ASN 36471
NANOG,
A customer of Cogent has a compromised router that is announcing prefixes sourced from AS 36471. Cogent is propagating that to the world. Problem is, those prefixes and AS don't belong to that customer of Cogent - AS 36471 belongs to Kratos Defense & Security Solutions, Inc. (see whois).
Requests to Cogent Support and Abuse go un-actioned. Need a contact at Cogent Abuse that can shut down that compromised router. Anyone have a good contact at Cogent Abuse Dept?
Cogent ticket: HD302928500
Pete
-- Pete Stage2 "Survivor Island" Bronze Medal Winner
Can you confirm what you mean by compromised here?
The prefixes currently (as far as I can see from bgp.tools) originated are:
Prefix             Description
209.255.244.0/24   Windstream Communications LLC
209.255.245.0/24   CONSOLIDATED TECHNOLOGIES INC 325 HUDSON
209.255.246.0/24   Windstream Communications LLC
209.255.247.0/24   CONSOLIDATED TECHNOLOGIES INC 325 HUDSON
216.197.80.0/20    --
The 209.xx have valid RPKI certs, so they seem validish, but all have RADB IRR entries made by lightower.com in 2015.
Do you mean that someone has impersonated AS36471 and set up a cogent port, and is now announcing your space? I'm confused
On Thu, Jul 20, 2023 at 3:32 PM Pete Rohrman <prohrman@stage2networks.com> wrote:
Ben,
Compromised as in a nefarious entity went into the router and changed passwords and did whatever. Everything advertised by that compromised router is bogus. The compromised router is owned by OrgID: S2NL (now defunct). AS 36471 belongs to KDSS-23 <https://search.arin.net/rdap?query=KDSS-23&searchFilter=entity>. The compromised router does not belong to Kratos KDSS-23 <https://search.arin.net/rdap?query=KDSS-23&searchFilter=entity>, and is causing routing problems. The compromised router needs to be shut down. The owner of the compromised router ceased business, and there isn't anyone around to address this at S2NL. The only people that can resolve this are Cogent. Cogent's defunct customer's router was compromised, and is spewing out bogus advertisements.
Pete
-- Pete Stage2 "Survivor Island" Bronze Medal Winner
On 7/20/23 10:40, Ben Cox wrote:
On Thu, Jul 20, 2023 at 8:09 AM Pete Rohrman <prohrman@stage2networks.com> wrote:
Hi Pete,
This seems a bit confusing.
So, S2NL was a bill-paying customer of Cogent with a BGP speaking router. They went out of business, and stopped paying their Cogent bills. Cogent, out of the goodness of their hearts, continued to let a non-paying customer keep their connectivity up and active, and continued to freely import prefixes across BGP neighbors from this non-paying defunct customer. Now, someone else has gained access to this non-paying, defunct customer's router (which Cogent is still providing free connectivity to, out of the goodness of their hearts), and is generating RPKI-valid announcements from it, which have somehow not caused a flurry of messages on the outages list about prefix hijackings.
The elements to your claim don't really seem to add up.
1) ISPs aren't famous for letting non-bill-paying customers stay connected for very long past the grace period on their billing cycle, let alone long after the company has gone belly-up.
2) It's not impossible to generate RPKI-valid announcements from a hijacked network, but it's very difficult to generate *bogus* RPKI-valid announcements from a compromised router--that's the whole point of RPKI, to be able to validate that the prefixes being announced from an origin are indeed the ones that are owned by that origin.
Can you provide specific prefix and AS_PATH combinations being originated by that router that are "bogus" and don't belong to the router's ASN?
If, however, what you meant is that the router used to be ASN XXXXX, and is now suddenly showing up as ASN 36471, and Cogent happily changed their BGP neighbor statements to match the new ASN, even though the entity no longer exists and hasn't been paying their bills for some time, then that would imply a level of complicity on Cogent's part that would make them unlikely to respond to your abuse reports. That would be a very strong allegation to make, and the necessary level of documented proof of that level of malfeasance would be substantial.
In short--I'm having a hard time understanding how a non-paying entity still has working connectivity and BGP sessions, which makes me suspect there's a different side to this story we're not hearing yet. ^_^;
Thanks!
Matt
In short--I'm having a hard time understanding how a non-paying entity still has working connectivity and BGP sessions, which makes me suspect there's a different side to this story we're not hearing yet. ^_^;
I know Cogent has long offered very cheap transit prices, but this seems very aggressive! :)
On Thu, Jul 20, 2023 at 12:28 PM Matthew Petach <mpetach@netflight.com> wrote:
If they (or anyone else) want to give me free service to use as I see fit (well, legally), I'll gladly accept their offer.
----- Mike Hammett Intelligent Computing Solutions http://www.ics-il.com
Midwest-IX http://www.midwest-ix.com
----- Original Message ----- From: "Tom Beecher" <beecher@beecher.cc> To: "Matthew Petach" <mpetach@netflight.com> Cc: nanog@nanog.org Sent: Thursday, July 20, 2023 11:38:50 AM Subject: Re: Cogent Abuse - Bogus Propagation of ASN 36471
All,
Cogent has shut down the compromised router. This issue is resolved. Thank you all for your help.
Pete Stage2 "Survivor Island" Bronze Medal Winner
On 7/20/23 12:59, Mike Hammett wrote:
Do you mind following up on Matthew’s request for details - really interested to see the threat model there and how the RPKI part played out?
On 20 Jul 2023, at 18:06, Pete Rohrman <prohrman@stage2networks.com> wrote:
Matt/Giorgio,
See my answers inline to Matt's line of questioning below, but the basics are that those prefixes and AS number were owned by S2NL and used for years. After all the employees were let go (including me), this router in question was compromised, and the ssh and enable were changed. Don't know who did it. ARIN re-assigned the AS and prefixes to other parties. A few days ago, the new AS owner found me from an ARIN registration, and asked for my assistance to cease advertising AS36471. I opened tickets with Cogent to turn it down, to learn that I was removed from the ability to make such radical requests. I was just trying to be a good internet citizen by assisting in sorting this out. It's resolved now. Thank you for the help.
Pete Stage2 "Survivor Island" Bronze Medal Winner
On 7/20/23 13:33, Giorgio Bonfiglio wrote:
On Thu, Jul 20, 2023 at 12:28 PM Matthew Petach <mpetach@netflight.com> wrote:
So, S2NL was a bill-paying customer of Cogent with a BGP speaking router. << YES, and they used to own AS36471 and used it for years >> They went out of business, and stopped paying their Cogent bills. << YES >> Cogent, out of the goodness of their hearts, continued to let a non-paying customer keep their connectivity up and active, and continued to freely import prefixes across BGP neighbors from this non-paying defunct customer. << YES, and in the meantime, someone broke into that router and changed the password, so I couldn't remotely shut down BGP >> Now, someone else has gained access to this non-paying, defunct customer's router (which Cogent is still providing free connectivity to, out of the goodness of their hearts), and is generating RPKI-valid announcements from it, which have somehow not caused a flurry of messages on the outages list about prefix hijackings. << SORT OF. By ARIN registration, neither the AS nor the prefixes coming from that router were valid because they found their way into possession by other parties. >>
The elements to your claim don't really seem to add up. 1) ISPs aren't famous for letting non-bill-paying customers stay connected for very long past the grace period on their billing cycle, let alone long after the company has gone belly-up. << I disagree >> 2) It's not impossible to generate RPKI-valid announcements from a hijacked network, but it's very difficult to generate *bogus* RPKI-valid announcements from a compromised router--that's the whole point of RPKI, to be able to validate that the prefixes being announced from an origin are indeed the ones that are owned by that origin. << They were valid at one time. They no longer are. I'm not sure when each prefix or the AS were transferred to the new owners by ARIN >>
Can you provide specific prefix and AS_PATH combinations being originated by that router that are "bogus" and don't belong to the router's ASN? << I don't see that AS in a public route server any more. This is resolved. I should have taken a screen shot, but I didn't. Look for 216.197.80.0/20 >>
If, however, what you meant is that the router used to be ASN XXXXX, and is now suddenly showing up as ASN 36471 << NO, it was always AS36471, but that AS is no longer owned by S2NL >>, and Cogent happily changed their BGP neighbor statements to match the new ASN << NO >>, even though the entity no longer exists and hasn't been paying their bills for some time, then that would imply a level of complicity on Cogent's part that would make them unlikely to respond to your abuse reports. That would be a very strong allegation to make, and the necessary level of documented proof of that level of malfeasance would be substantial. << Neither Cogent nor S2NL were practicing malevolence. S2NL was practicing incompetence. AS number was transferred to a new entity by ARIN. Nobody home at S2NL to turn down the router. Cogent wouldn't act on my requests because I was taken off the list. New AS owner asked me to help. I'm not too busy these days, so I obliged. Had no other option other than posting to NANOG, and it worked. Cogent shut down the compromised router and bogus advertisements vanished from the public routing table. >>
In short--I'm having a hard time understanding how a non-paying entity still has working connectivity and BGP sessions, which makes me suspect there's a different side to this story we're not hearing yet. ^_^;
Thanks!
Matt
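Matt's point that RPKI validates prefix/origin pairs rather than the router behind them, and Pete's inline answers that the ROAs were valid at one time and the resources later moved to new holders, can be shown with a small Route Origin Validation (RFC 6811) routine. This is an added example, not code from anyone in the thread; AS36471 and 216.197.80.0/20 are from the thread, while the VRP sets, the covering 209.255.244.0/22 ROA, the post-transfer holder's ASN (AS64500, a private ASN used as a placeholder) and the announcement list are constructed for illustration.

```python
"""Route Origin Validation (RFC 6811) over constructed VRP sets.

Added example, not code from the thread.  AS36471 and 216.197.80.0/20 come
from the thread; every ROA, the 209.255.244.0/22 covering ROA, the
post-transfer holder's ASN (AS64500, a private ASN placeholder) and the
announcement list are constructed for illustration.
"""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class VRP:
    """Validated ROA Payload: the (prefix, maxLength, origin AS) triple a
    relying party extracts from a ROA."""
    prefix: ipaddress.IPv4Network | ipaddress.IPv6Network
    max_length: int
    asn: int


def vrp(prefix: str, max_length: int, asn: int) -> VRP:
    return VRP(ipaddress.ip_network(prefix), max_length, asn)


def validate(route_prefix: str, origin_asn: int, vrps: list[VRP]) -> str:
    """Classify one announcement as 'valid', 'invalid' or 'not-found'.

    Per RFC 6811: a VRP *covers* the route when the route lies inside the
    VRP prefix; it *matches* when it also names the same origin AS and the
    route length is <= maxLength.  Any match -> valid; covered but no match
    -> invalid; no covering VRP at all -> not-found.
    """
    route = ipaddress.ip_network(route_prefix)
    covered = False
    for v in vrps:
        if v.prefix.version != route.version or not route.subnet_of(v.prefix):
            continue
        covered = True
        if v.asn == origin_asn and route.prefixlen <= v.max_length:
            return "valid"
    return "invalid" if covered else "not-found"


def should_accept(route_prefix: str, origin_asn: int, vrps: list[VRP]) -> bool:
    """An edge filter that drops RPKI-invalid routes and lets valid and
    not-found routes through, the common ROV deployment policy."""
    return validate(route_prefix, origin_asn, vrps) != "invalid"


ASN_S2NL = 36471         # the origin the compromised router kept announcing
ASN_NEW_HOLDER = 64500   # constructed: stands in for the ARIN transferee

# Constructed "before" state: the ROAs S2NL published years earlier still
# name AS36471, so nothing about the router compromise is visible to ROV.
VRPS_BEFORE = [
    vrp("216.197.80.0/20", 20, ASN_S2NL),
    vrp("209.255.244.0/22", 24, ASN_S2NL),
]

# Constructed "after" state: ARIN has transferred 216.197.80.0/20, the old
# ROA is gone and the new holder has published a ROA for its own origin.
VRPS_AFTER = [
    vrp("216.197.80.0/20", 20, ASN_NEW_HOLDER),
    vrp("209.255.244.0/22", 24, ASN_S2NL),
]

# Constructed announcement set attributed to the stale router.
ROUTER_ANNOUNCEMENTS = [
    ("216.197.80.0/20", ASN_S2NL),   # the prefix Pete says to look for
    ("209.255.244.0/24", ASN_S2NL),  # a /24 inside the covering /22 ROA
    ("216.197.80.0/24", ASN_S2NL),   # more specific than maxLength allows
    ("203.0.113.0/24", ASN_S2NL),    # documentation space with no ROA
]


def classify(vrps: list[VRP]) -> dict[str, str]:
    """Validity of every constructed announcement against one VRP set."""
    return {p: validate(p, asn, vrps) for p, asn in ROUTER_ANNOUNCEMENTS}


if __name__ == "__main__":
    for label, vrps in (("before transfer", VRPS_BEFORE),
                        ("after transfer", VRPS_AFTER)):
        print(label)
        for prefix, state in classify(vrps).items():
            print(f"  {prefix:18} AS{ASN_S2NL}: {state}")
```

Before the transfer every covered announcement validates, which is why no hijack alarms fired; after it the /20 becomes Invalid, and a drop-invalid filter at the upstream would stop propagating it without anyone needing to log in to the router.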
I've told all Cogent reps that have ever called me that I would never, under any circumstances, use their service, even if they provided it to me free of charge...
Friends don't let friends use Cogent.
-Mike
On Thu, Jul 20, 2023 at 10:02 AM Mike Hammett <nanog@ics-il.net> wrote:
If they (or anyone else) want to give me free service to use as I see fit (well, legally), I'll gladly accept their offer.
----- Mike Hammett Intelligent Computing Solutions http://www.ics-il.com
Midwest-IX http://www.midwest-ix.com
________________________________ From: "Tom Beecher" <beecher@beecher.cc> To: "Matthew Petach" <mpetach@netflight.com> Cc: nanog@nanog.org Sent: Thursday, July 20, 2023 11:38:50 AM Subject: Re: Cogent Abuse - Bogus Propagation of ASN 36471
In short--I'm having a hard time understanding how a non-paying entity still has working connectivity and BGP sessions, which makes me suspect there's a different side to this story we're not hearing yet. ^_^;
I know Cogent has long offered very cheap transit prices, but this seems very aggressive! :)
On Thu, Jul 20, 2023 at 12:28 PM Matthew Petach <mpetach@netflight.com> wrote:
On Thu, Jul 20, 2023 at 8:09 AM Pete Rohrman <prohrman@stage2networks.com> wrote:
Ben,
Compromised as in a nefarious entity went into the router and changed passwords and did whatever. Everything advertised by that comprised router is bogus. The compromised router is owned by OrgID: S2NL (now defunct). AS 36471 belongs to KDSS-23. The compromised router does not belong to Kratos KDSS-23, and is causing routing problems. The compromised router needs to be shut down. The owner of the compromised router ceased business, and there isn't anyone around to address this at S2NL. The only people that can resolve this is Cogent. Cogent's defunct customer's router was compromised, and is spewing out bogus advertisements.
Pete
Hi Pete,
This seems a bit confusing.
So, S2NL was a bill-paying customer of Cogent with a BGP speaking router. They went out of business, and stopped paying their Cogent bills. Cogent, out of the goodness of their hearts, continued to let a non-paying customer keep their connectivity up and active, and continued to freely import prefixes across BGP neighbors from this non-paying defunct customer. Now, someone else has gained access to this non-paying, defunct customer's router (which Cogent is still providing free connectivity to, out of the goodness of their hearts), and is generating RPKI-valid announcements from it, which have somehow not caused a flurry of messages on the outages list about prefix hijackings.
The elements to your claim don't really seem to add up.
1) ISPs aren't famous for letting non-bill-paying customers stay connected for very long past the grace period on their billing cycle, let alone long after the company has gone belly-up.
2) It's not impossible to generate RPKI-valid announcements from a hijacked network, but it's very difficult to generate *bogus* RPKI-valid announcements from a compromised router--that's the whole point of RPKI, to be able to validate that the prefixes being announced from an origin are indeed the ones that are owned by that origin.
Can you provide specific prefix and AS_PATH combinations being originated by that router that are "bogus" and don't belong to the router's ASN?
If, however, what you meant is that the router used to be ASN XXXXX, and is now suddenly showing up as ASN 36471, and Cogent happily changed their BGP neighbor statements to match the new ASN, even though the entity no longer exists and hasn't been paying their bills for some time, then that would imply a level of complicity on Cogent's part that would make them unlikely to respond to your abuse reports. That would be a very strong allegation to make, and the necessary level of documented proof of that level of malfeasance would be substantial.
In short--I'm having a hard time understanding how a non-paying entity still has working connectivity and BGP sessions, which makes me suspect there's a different side to this story we're not hearing yet. ^_^;
Thanks!
Matt
-- Mike Lyon mike.lyon@gmail.com http://www.linkedin.com/in/mlyon
Heck, I can’t even get Cogent to keep my paid services functional; going on four weeks with an unusable 10gig point to point.

From: NANOG <nanog-bounces+dhubbard=dino.hostasaurus.com@nanog.org> on behalf of Mike Hammett <nanog@ics-il.net>
Date: Thursday, July 20, 2023 at 1:03 PM
To: Tom Beecher <beecher@beecher.cc>
Cc: nanog@nanog.org <nanog@nanog.org>
Subject: Re: Cogent Abuse - Bogus Propagation of ASN 36471

If they (or anyone else) want to give me free service to use as I see fit (well, legally), I'll gladly accept their offer.

-----
Mike Hammett
Intelligent Computing Solutions
http://www.ics-il.com
Midwest-IX
http://www.midwest-ix.com
On Thu, Jul 20, 2023 at 8:06 AM Pete Rohrman <prohrman@stage2networks.com> wrote:
On 7/20/23 10:40, Ben Cox wrote:
Can you confirm what you mean by compromised here?
Compromised as in a nefarious entity went into the router and changed passwords and did whatever.
Hi Pete,

I think Ben is asking you to "be more specific." The information you provided isn't really sufficient for someone who isn't you to differentiate between the routes you consider legitimate and the ones you think bogus.

If you would provide the output of two runs of "show ip bgp," one trimmed to show the routes you consider bogus and the other trimmed to show the routes you consider legitimate, it would likely answer Ben's questions. Routeviews has FRR instances you can log in to and fetch the text output of "show ip bgp" which are outside your network.

Regards,
Bill Herrin

--
William Herrin
bill@herrin.us
https://bill.herrin.us/
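Ben's remark that the 209.x prefixes have valid RPKI certs, Matt's point about what RPKI actually validates, and Bill's request for trimmed "show ip bgp" output all come down to one check: take each (prefix, origin AS) pair in the table and run RFC 6811 route origin validation against the published ROAs. The script below is an added example written for this page, not code from anyone in the thread. Both the BGP table excerpt and the ROA set are constructed for illustration: the five prefixes are the ones bgp.tools listed for AS 36471 in the thread, but the next hops, the AS 174 (Cogent) upstream, the extra rows (a /25 more-specific, a competing origin AS 64500, a TEST-NET route) and the single ROA are assumptions, not a record of what the router or the RPKI repositories actually contained.

```python
"""RPKI route origin validation (RFC 6811) over a trimmed 'show ip bgp' listing.

Added example for the NANOG thread; not code posted by any participant.
SAMPLE_SHOW_IP_BGP and ROAS are CONSTRUCTED: prefixes are the ones bgp.tools
listed for AS 36471, everything else (paths, next hops, extra rows, the ROA)
is assumed for illustration.
"""
import ipaddress
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ROA:
    prefix: str        # authorised prefix in CIDR notation
    max_length: int    # maxLength: longest announcement the ROA permits
    origin_asn: int    # authorised origin AS (AS 0 means nobody may originate)


@dataclass(frozen=True)
class Route:
    prefix: str
    origin_asn: int
    state: str         # "valid", "invalid" or "not-found"


def rov_state(prefix: str, origin_asn: int, roas) -> str:
    """RFC 6811 section 2.  A ROA 'covers' a route when its prefix contains
    the announced prefix.  Valid: some covering ROA names this origin AS and
    has maxLength >= announced length.  Invalid: covering ROAs exist but none
    match (wrong AS, too-specific prefix, or an AS 0 ROA).  NotFound: no
    covering ROA at all."""
    net = ipaddress.ip_network(prefix, strict=False)
    covering = []
    for roa in roas:
        roa_net = ipaddress.ip_network(roa.prefix, strict=False)
        if roa_net.version == net.version and net.subnet_of(roa_net):
            covering.append(roa)
    if not covering:
        return "not-found"
    for roa in covering:
        if roa.origin_asn == origin_asn and net.prefixlen <= roa.max_length:
            return "valid"
    return "invalid"


PREFIX_RE = re.compile(r"(\d{1,3}(?:\.\d{1,3}){3}/\d{1,2})")


def parse_show_ip_bgp(text: str):
    """Yield (prefix, origin_asn) per route line of an FRR-style IPv4 table.
    Assumes the prefix is printed in CIDR form on the same line as the path
    and that the AS_PATH is non-empty (true for everything a route collector
    learns from its peers).  Header lines and paths ending in an AS_SET are
    skipped, since an AS_SET has no single origin AS to validate."""
    for line in text.splitlines():
        tokens = line.split()
        if len(tokens) < 3 or tokens[-1] not in ("i", "e", "?"):
            continue                      # banner, header or blank line
        match = PREFIX_RE.search(line)
        if not match or not tokens[-2].isdigit():
            continue
        yield match.group(1), int(tokens[-2])


def validate_table(text: str, roas) -> list:
    return [Route(p, asn, rov_state(p, asn, roas)) for p, asn in parse_show_ip_bgp(text)]


def states_by_route(text: str, roas) -> dict:
    """Map (prefix, origin_asn) -> ROV state, for quick lookup."""
    return {(r.prefix, r.origin_asn): r.state for r in validate_table(text, roas)}


def split_by_state(routes) -> dict:
    """Group routes into the valid / invalid / not-found lists a reader
    would want to see side by side."""
    groups = {"valid": [], "invalid": [], "not-found": []}
    for r in routes:
        groups[r.state].append(r)
    return groups


# CONSTRUCTED sample table (FRR layout). Documentation ranges used for next hops.
SAMPLE_SHOW_IP_BGP = """\
BGP table version is 12, local router ID is 203.0.113.1
Status codes:  s suppressed, d damped, h history, * valid, > best, = multipath
Origin codes:  i - IGP, e - EGP, ? - incomplete

   Network          Next Hop            Metric LocPrf Weight Path
*> 209.255.244.0/24 198.51.100.1             0             0 174 36471 i
*> 209.255.245.0/24 198.51.100.1             0             0 174 36471 i
*> 209.255.246.0/24 198.51.100.1             0             0 174 36471 i
*> 209.255.247.0/24 198.51.100.1             0             0 174 36471 i
*> 216.197.80.0/20  198.51.100.1             0             0 174 36471 i
*> 209.255.244.0/25 198.51.100.1             0             0 174 36471 i
*  209.255.246.0/24 198.51.100.3             0             0 64500 i
*> 192.0.2.0/24     198.51.100.2             0             0 64496 i
"""

# CONSTRUCTED ROA (hypothetical): the /22 block for AS 36471 with maxLength 24.
# Nothing covers 216.197.80.0/20 or 192.0.2.0/24, so those come back NotFound.
ROAS = [ROA("209.255.244.0/22", 24, 36471)]


if __name__ == "__main__":
    for state, routes in split_by_state(validate_table(SAMPLE_SHOW_IP_BGP, ROAS)).items():
        print(f"{state}:")
        for r in routes:
            print(f"  {r.prefix:<18} origin AS{r.origin_asn}")
```

Run as a script it prints the three groups Bill asked for. Against real data you would paste in the output from a Routeviews collector and load the ROA list from a validator's VRP export instead of the constructed `ROAS`. Note what the check can and cannot tell you: the /25 and the AS 64500 announcement come back Invalid, but the four /24s originated by AS 36471 are Valid regardless of which router emitted them, which is exactly Matt's point about why "bogus but RPKI-valid" needs more evidence than the table alone.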
Pete, if all the data I see ties together like it looks aren't you able to take the 15m taxi ride to 60 Hudson and recover the router or shut it off? It's your router. Right?
I would assume if the company no longer exists, they won't be paying the DC bill, so they won't let him in.

Though I'm surprised they've not cut the power... or if they are just lax, surely could be convinced to.

Ian
The ARIN ORG was updated recently and so was the domain name.

https://apps.dos.ny.gov/publicInquiry/EntityDisplay

I don't know what kind of routing problems this is causing, but someone with standing should be able to reach out to Cogent and get something done if needed.

On the shiny object front, I can't resist. I ordered Cogent and liked it.

Warm regards,

-M<
Martin,

It's my former employer's router. It's more like a 4 hour day to get in/out of the city even though I'm only 20 miles from the PoP. Top that off with a $90 parking bill. Nobody is paying me to do that work. There are no more employees left in the company.

Pete
Stage2 "Survivor Island" Bronze Medal Winner
I might note for those who are unfamiliar with it, that the "Kratos" entity is a major US defense contractor and manufacturer of advanced UAVs, so if this issue is not addressed it has a high likelihood of getting attention from some of the more clued-in folks in the federal government.

https://en.wikipedia.org/wiki/Kratos_XQ-58_Valkyrie
Eric,

That's one of the reasons why I jumped on this. I really don't have time to get "Droned". My only early warning system is store bought ADS-B, and those devices are exempt from 14 CFR 91.225 & 91.227. I wouldn't even see it coming.

It's resolved now. With the good help of this list. I think I'm out of danger - for now.

Pete
Stage2 "Survivor Island" Bronze Medal Winner
participants (12): Ben Cox, David Hubbard, Eric Kuhnke, Giorgio Bonfiglio, Ian Chilton, Martin Hannigan, Matthew Petach, Mike Hammett, Mike Lyon, Pete Rohrman, Tom Beecher, William Herrin