Re: Cogent Abuse - Bogus Propagation of ASN 36471

[Tom Beecher <beecher () beecher cc>]

> In short--I'm having a hard time understanding how a non-paying entity
> still has working connectivity and BGP sessions, which makes me suspect
> there's a different side to this story we're not hearing yet.   ^_^;

I know Cogent has long offered very cheap transit prices, but this seems
very aggressive! :)

On Thu, Jul 20, 2023 at 12:28 PM Matthew Petach <mpetach () netflight com>
wrote:

> On Thu, Jul 20, 2023 at 8:09 AM Pete Rohrman <prohrman () stage2networks com>
> wrote:
>
> > Ben,
> >
> > Compromised as in a nefarious entity went into the router and changed
> > passwords and did whatever.  Everything advertised by that comprised router
> > is bogus.  The compromised router is owned by OrgID: S2NL (now defunct).
> > AS 36471 belongs to KDSS-23
> > <https://search.arin.net/rdap?query=KDSS-23&searchFilter=entity>.  The
> > compromised router does not belong to Kratos KDSS-23
> > <https://search.arin.net/rdap?query=KDSS-23&searchFilter=entity>, and is
> > causing routing problems.  The compromised router needs to be shut down.
> > The owner of the compromised router ceased business, and there isn't anyone
> > around to address this at S2NL.  The only people that can resolve this is
> > Cogent.   Cogent's defunct customer's router was compromised, and is
> > spewing out bogus advertisements.
> >
> > Pete
>
>
> Hi Pete,
>
> This seems a bit confusing.
>
> So, S2NL was a bill-paying customer of Cogent with a BGP speaking router.
> They went out of business, and stopped paying their Cogent bills.
> Cogent, out of the goodness of their hearts, continued to let a non-paying
> customer keep their connectivity up and active, and continued to freely
> import prefixes across BGP neighbors from this non-paying defunct customer.
> Now, someone else has gained access to this non-paying, defunct customer's
> router (which Cogent is still providing free connectivity to, out of the
> goodness of their hearts), and is generating RPKI-valid announcements from
> it, which have somehow not caused a flurry of messages on the outages list
> about prefix hijackings.
>
> The elements to your claim don't really seem to add up.
> 1) ISPs aren't famous for letting non-bill-paying customers stay connected
> for very long past the grace period on their billing cycle, let alone long
> after the company has gone belly-up.
> 2) It's not impossible to generate RPKI-valid announcements from a
> hijacked network, but it's very difficult to generate *bogus* RPKI-valid
> announcements from a compromised router--that's the whole point of RPKI, to
> be able to validate that the prefixes being announced from an origin are
> indeed the ones that are owned by that origin.
>
> Can you provide specific prefix and AS_PATH combinations being originated
> by that router that are "bogus" and don't belong to the router's ASN?
>
> If, however, what you meant is that the router used to be ASN XXXXX, and
> is now suddenly showing up as ASN 36471, and Cogent happily changed their
> BGP neighbor statements to match the new ASN, even though the entity no
> longer exists and hasn't been paying their bills for some time, then that
> would imply a level of complicity on Cogent's part that would make them
> unlikely to respond to your abuse reports.  That would be a very strong
> allegation to make, and the necessary level of documented proof of that
> level of malfeasance would be substantial.
>
> In short--I'm having a hard time understanding how a non-paying entity
> still has working connectivity and BGP sessions, which makes me suspect
> there's a different side to this story we're not hearing yet.   ^_^;
>
> Thanks!
>
> Matt
>
>
>
>
>
>
> >