nanog mailing list archives

Re: Cogent Abuse - Bogus Propagation of ASN 36471

From: Mike Lyon <mike.lyon () gmail com>
Date: Thu, 20 Jul 2023 10:04:11 -0700

I've told all Cogent reps that have ever called me that I would never,
under any circumstances, use their service. even if they provided it
to me free of charge...

Friends don't let friends use Cogent.

-Mike

On Thu, Jul 20, 2023 at 10:02 AM Mike Hammett <nanog () ics-il net> wrote:


If they (or anyone else) want to give me free service to use as I see fit (well, legally), I'll gladly accept their 
offer.



-----
Mike Hammett
Intelligent Computing Solutions
http://www.ics-il.com

Midwest-IX
http://www.midwest-ix.com

________________________________
From: "Tom Beecher" <beecher () beecher cc>
To: "Matthew Petach" <mpetach () netflight com>
Cc: nanog () nanog org
Sent: Thursday, July 20, 2023 11:38:50 AM
Subject: Re: Cogent Abuse - Bogus Propagation of ASN 36471

In short--I'm having a hard time understanding how a non-paying entity still has working connectivity and BGP 
sessions, which makes me suspect there's a different side to this story we're not hearing yet.   ^_^;



I know Cogent has long offered very cheap transit prices, but this seems very aggressive! :)

On Thu, Jul 20, 2023 at 12:28 PM Matthew Petach <mpetach () netflight com> wrote:




On Thu, Jul 20, 2023 at 8:09 AM Pete Rohrman <prohrman () stage2networks com> wrote:


Ben,

Compromised as in a nefarious entity went into the router and changed passwords and did whatever.  Everything 
advertised by that comprised router is bogus.  The compromised router is owned by OrgID: S2NL (now defunct).  AS 
36471 belongs to KDSS-23.  The compromised router does not belong to Kratos KDSS-23, and is causing routing 
problems.  The compromised router needs to be shut down.  The owner of the compromised router ceased business, and 
there isn't anyone around to address this at S2NL.  The only people that can resolve this is Cogent.   Cogent's 
defunct customer's router was compromised, and is spewing out bogus advertisements.

Pete




Hi Pete,

This seems a bit confusing.

So, S2NL was a bill-paying customer of Cogent with a BGP speaking router.
They went out of business, and stopped paying their Cogent bills.
Cogent, out of the goodness of their hearts, continued to let a non-paying customer keep their connectivity up and 
active, and continued to freely import prefixes across BGP neighbors from this non-paying defunct customer.
Now, someone else has gained access to this non-paying, defunct customer's router (which Cogent is still providing 
free connectivity to, out of the goodness of their hearts), and is generating RPKI-valid announcements from it, 
which have somehow not caused a flurry of messages on the outages list about prefix hijackings.

The elements to your claim don't really seem to add up.
1) ISPs aren't famous for letting non-bill-paying customers stay connected for very long past the grace period on 
their billing cycle, let alone long after the company has gone belly-up.
2) It's not impossible to generate RPKI-valid announcements from a hijacked network, but it's very difficult to 
generate *bogus* RPKI-valid announcements from a compromised router--that's the whole point of RPKI, to be able to 
validate that the prefixes being announced from an origin are indeed the ones that are owned by that origin.

Can you provide specific prefix and AS_PATH combinations being originated by that router that are "bogus" and don't 
belong to the router's ASN?

If, however, what you meant is that the router used to be ASN XXXXX, and is now suddenly showing up as ASN 36471, 
and Cogent happily changed their BGP neighbor statements to match the new ASN, even though the entity no longer 
exists and hasn't been paying their bills for some time, then that would imply a level of complicity on Cogent's 
part that would make them unlikely to respond to your abuse reports.  That would be a very strong allegation to 
make, and the necessary level of documented proof of that level of malfeasance would be substantial.

In short--I'm having a hard time understanding how a non-paying entity still has working connectivity and BGP 
sessions, which makes me suspect there's a different side to this story we're not hearing yet.   ^_^;

Thanks!

Matt



-- 
Mike Lyon
mike.lyon () gmail com
http://www.linkedin.com/in/mlyon

Current thread:

Cogent Abuse - Bogus Propagation of ASN 36471 Pete Rohrman (Jul 20)
- Re: Cogent Abuse - Bogus Propagation of ASN 36471 Ben Cox via NANOG (Jul 20)
  - Re: Cogent Abuse - Bogus Propagation of ASN 36471 Pete Rohrman (Jul 20)
    - Re: Cogent Abuse - Bogus Propagation of ASN 36471 Matthew Petach (Jul 20)
    - Re: Cogent Abuse - Bogus Propagation of ASN 36471 Tom Beecher (Jul 20)
    - Re: Cogent Abuse - Bogus Propagation of ASN 36471 Mike Hammett (Jul 20)
    - RESOLVED: Cogent Abuse - Bogus Propagation of ASN 36471 Pete Rohrman (Jul 20)
    - Message not available
    - Re: RESOLVED: Cogent Abuse - Bogus Propagation of ASN 36471 Giorgio Bonfiglio via NANOG (Jul 20)
    - Re: RESOLVED: Cogent Abuse - Bogus Propagation of ASN 36471 Pete Rohrman (Jul 20)
    - Re: Cogent Abuse - Bogus Propagation of ASN 36471 Mike Lyon (Jul 20)
    - Re: Cogent Abuse - Bogus Propagation of ASN 36471 David Hubbard (Jul 20)
    - Re: Cogent Abuse - Bogus Propagation of ASN 36471 William Herrin (Jul 20)
    - Re: Cogent Abuse - Bogus Propagation of ASN 36471 Martin Hannigan (Jul 20)
    - Re: Cogent Abuse - Bogus Propagation of ASN 36471 Ian Chilton (Jul 20)
    - Re: Cogent Abuse - Bogus Propagation of ASN 36471 Martin Hannigan (Jul 20)
    - Re: Cogent Abuse - Bogus Propagation of ASN 36471 Pete Rohrman (Jul 20)
- Re: Cogent Abuse - Bogus Propagation of ASN 36471 Eric Kuhnke (Jul 21)
  - Re: Cogent Abuse - Bogus Propagation of ASN 36471 Pete Rohrman (Jul 21)
- <Possible follow-ups>
- Re: Cogent Abuse - Bogus Propagation of ASN 36471 Jared Brown (Jul 20)