Re: RESOLVED: Cogent Abuse - Bogus Propagation of ASN 36471

[Pete Rohrman <prohrman () stage2networks com>]

Matt/Giorgio,

See my answers inline to Matt's line of questioning below, but the 
basics are that those prefixes and AS number were owned by S2NL and used 
for years.  After all the employees were let go (including me), this 
router in question was compromised, and the ssh and enable were 
changed.  Don't know who did it.  ARIN re-assigned the AS and prefixes 
to other parties.  A few days ago, the new AS owner found me from an 
ARIN registration, and asked for my assistance to cease advertising 
AS36471.  I opened tickets with Cogent to turn it down, to learn that I 
was removed from the ability to make such radical requests.  I was just 
trying to be a good internet citizen by assisting in sorting this out.  
It's resolved now.  Thank you for the help.

Pete
Stage2 "Survivor Island" Bronze Medal Winner



On 7/20/23 13:33, Giorgio Bonfiglio wrote:
> Do you mind following up on Matthew’s request for details - really 
> interested to see the threat model there and how the RPKI part played out?
>
> > On 20 Jul 2023, at 18:06, Pete Rohrman <prohrman () stage2networks com> 
> > wrote:
> >
> > 
> >
> > All,
> >
> >
> > Cogent has shut down the compromised router.  This issue is 
> > resolved.  Thank you all for your help.
> >
> >
> >
> > Pete
> > Stage2 "Survivor Island" Bronze Medal Winner
> >
> >
> >
> > On 7/20/23 12:59, Mike Hammett wrote:
> > > If they (or anyone else) want to give me free service to use as I 
> > > see fit (well, legally), I'll gladly accept their offer.
> > >
> > >
> > >
> > > -----
> > > Mike Hammett
> > > Intelligent Computing Solutions
> > > http://www.ics-il.com
> > >
> > > Midwest-IX
> > > http://www.midwest-ix.com
> > >
> > > ------------------------------------------------------------------------
> > > *From: *"Tom Beecher" <beecher () beecher cc>
> > > *To: *"Matthew Petach" <mpetach () netflight com>
> > > *Cc: *nanog () nanog org
> > > *Sent: *Thursday, July 20, 2023 11:38:50 AM
> > > *Subject: *Re: Cogent Abuse - Bogus Propagation of ASN 36471
> > >
> > >     In short--I'm having a hard time understanding how a non-paying
> > >     entity still has working connectivity and BGP sessions, which
> > >     makes me suspect there's a different side to this story we're
> > >     not hearing yet.   ^_^;
> > >
> > >
> > > I know Cogent has long offered very cheap transit prices, but this 
> > > seems very aggressive! :)
> > >
> > > On Thu, Jul 20, 2023 at 12:28 PM Matthew Petach 
> > > <mpetach () netflight com> wrote:
> > >
> > >
> > >
> > >     On Thu, Jul 20, 2023 at 8:09 AM Pete Rohrman
> > >     <prohrman () stage2networks com> wrote:
> > >
> > >         Ben,
> > >
> > >         Compromised as in a nefarious entity went into the router
> > >         and changed passwords and did whatever.  Everything
> > >         advertised by that comprised router is bogus.  The
> > >         compromised router is owned by OrgID: S2NL (now defunct). 
> > >         AS 36471 belongs to KDSS-23
> > >         <https://search.arin.net/rdap?query=KDSS-23&searchFilter=entity>.
> > >         The compromised router does not belong to Kratos KDSS-23
> > >         <https://search.arin.net/rdap?query=KDSS-23&searchFilter=entity>,
> > >         and is causing routing problems.  The compromised router
> > >         needs to be shut down. The owner of the compromised router
> > >         ceased business, and there isn't anyone around to address
> > >         this at S2NL.  The only people that can resolve this is
> > >         Cogent. Cogent's defunct customer's router was compromised,
> > >         and is spewing out bogus advertisements.
> > >
> > >         Pete
> > >
> > >
> > >
> > >     Hi Pete,
> > >
> > >     This seems a bit confusing.
> > >
> > >     So, S2NL was a bill-paying customer of Cogent with a BGP
> > >     speaking router. _<< YES, and they used to own AS36471 and used
> > >     it for years>>_
> > >     They went out of business, and stopped paying their Cogent
> > >     bills. _<< YES >>_
> > >     Cogent, out of the goodness of their hearts, continued to let a
> > >     non-paying customer keep their connectivity up and active, and
> > >     continued to freely import prefixes across BGP neighbors from
> > >     this non-paying defunct customer. _<< YES, and in the mean time,
> > >     someone broke into that router and changed the password, so I
> > >     couldn't remotely shut down BGP  >>_
> > >     Now, someone else has gained access to this non-paying, defunct
> > >     customer's router (which Cogent is still providing free
> > >     connectivity to, out of the goodness of their hearts), and is
> > >     generating RPKI-valid announcements from it, which have somehow
> > >     not caused a flurry of messages on the outages list about prefix
> > >     hijackings. _<<SORT OF, By ARIN registration, neither the AS nor
> > >     the prefixs coming from that router were valid because they
> > >     found their way into possession by other parties.  >>_
> > >
> > >     The elements to your claim don't really seem to add up.
> > >     1) ISPs aren't famous for letting non-bill-paying customers stay
> > >     connected for very long past the grace period on their billing
> > >     cycle, let alone long after the company has gone belly-up. _<< I
> > >     disagree >>_
> > >     2) It's not impossible to generate RPKI-valid announcements from
> > >     a hijacked network, but it's very difficult to generate *bogus*
> > >     RPKI-valid announcements from a compromised router--that's the
> > >     whole point of RPKI, to be able to validate that the prefixes
> > >     being announced from an origin are indeed the ones that are
> > >     owned by that origin. _<< They were valid at one time.  They no
> > >     longer are.  I'm not sure when each prefix or the AS were
> > >     transfered to the new owners by ARIN >>__
> > >     _
> > >     __
> > >
> > >     Can you provide specific prefix and AS_PATH combinations being
> > >     originated by that router that are "bogus" and don't belong to
> > >     the router's ASN? _<< I don't see that AS in a public route
> > >     server any more.  This is resolved.  I should have taken a
> > >     screen shot, but I didn't.  Look for 216.197.80.0/20 >>_
> > >
> > >     If, however, what you meant is that the router used to be ASN
> > >     XXXXX, and is now suddenly showing up as ASN 36471 _<< NO, it
> > >     was always AS36471, but that AS is no longer owned by S2NL >>_,
> > >     and Cogent happily changed their BGP neighbor statements to
> > >     match the new ASN _<< NO >>_, even though the entity no longer
> > >     exists and hasn't been paying their bills for some time, then
> > >     that would imply a level of complicity on Cogent's part that
> > >     would make them unlikely to respond to your abuse reports.  That
> > >     would be a very strong allegation to make, and the necessary
> > >     level of documented proof of that level of malfeasance would be
> > >     substantial. _<< Neither Cogent nor S2NL were practicing
> > >     malevalence.  S2NL was practicing incompetence.  AS number was
> > >     transfered to a new entity by ARIN.  Nobody home at S2NL to turn
> > >     down the router.  Cogent wouldn't act on my requests because I
> > >     was taken off the list.  New AS owner asked me to help.  I'm not
> > >     too busy these days, so I obliged.  Had no other option other
> > >     than posting to NANOG, and it worked.  Cogent shut down the
> > >     compromised router and bogus advertisements vanished from the
> > >     public routing table. >> _
> > >
> > >     In short--I'm having a hard time understanding how a non-paying
> > >     entity still has working connectivity and BGP sessions, which
> > >     makes me suspect there's a different side to this story we're
> > >     not hearing yet.  ^_^;
> > >
> > >     Thanks!
> > >
> > >     Matt