nanog mailing list archives
Re: Cogent Abuse - Bogus Propagation of ASN 36471
From: Martin Hannigan <hannigan () gmail com>
Date: Thu, 20 Jul 2023 14:02:13 -0400
Pete, if all the data I see ties together like it looks aren't you able to take the 15m taxi ride to 60 Hudson and recover the router or shut it off? It's your router. Right? On Thu, Jul 20, 2023 at 11:10 AM Pete Rohrman <prohrman () stage2networks com> wrote:
Ben, Compromised as in a nefarious entity went into the router and changed passwords and did whatever. Everything advertised by that comprised router is bogus. The compromised router is owned by OrgID: S2NL (now defunct). AS 36471 belongs to KDSS-23 <https://search.arin.net/rdap?query=KDSS-23&searchFilter=entity>. The compromised router does not belong to Kratos KDSS-23 <https://search.arin.net/rdap?query=KDSS-23&searchFilter=entity>, and is causing routing problems. The compromised router needs to be shut down. The owner of the compromised router ceased business, and there isn't anyone around to address this at S2NL. The only people that can resolve this is Cogent. Cogent's defunct customer's router was compromised, and is spewing out bogus advertisements. Pete -- Pete Stage2 "Survivor Island" Bronze Medal Winner On 7/20/23 10:40, Ben Cox wrote: Can you confirm what you mean by compromised here? The prefixes currently (as far as I can see from bgp.tools) originated are: Prefix Description209.255.244.0/24 Windstream Communications LLC209.255.245.0/24 CONSOLIDATED TECHNOLOGIES INC 325 HUDSON209.255.246.0/24 Windstream Communications LLC209.255.247.0/24 CONSOLIDATED TECHNOLOGIES INC 325 HUDSON216.197.80.0/20 -- The 209.xx have valid RPKI certs, so they seem validish, but all have RADB IRR entries made by lightower.com in 2015. Do you mean that someone has impersonated AS36471 and set up a cogent port, and is now announcing your space? I'm confused On Thu, Jul 20, 2023 at 3:32 PM Pete Rohrman<prohrman () stage2networks com> <prohrman () stage2networks com> wrote: NANOG, A customer of Cogent has a compromised router that is announcing prefixes sourced from AS 36471. Cogent is propagating that to the world. Problem is, those prefixes and AS don't belong to that customer of Cogent - AS 36471 belongs to Kratos Defense & Security Solutions, Inc. (see whois). Requests to Cogent Support and Abuse go un-actioned. Need a contact at Cogent Abuse that can shut down that compromised router. Anyone have a good contact at Cogent Abuse Dept? Cogent ticket: HD302928500 Pete -- Pete Stage2 "Survivor Island" Bronze Medal Winner
Current thread:
- Re: Cogent Abuse - Bogus Propagation of ASN 36471, (continued)
- Re: Cogent Abuse - Bogus Propagation of ASN 36471 Pete Rohrman (Jul 20)
- Re: Cogent Abuse - Bogus Propagation of ASN 36471 Matthew Petach (Jul 20)
- Re: Cogent Abuse - Bogus Propagation of ASN 36471 Tom Beecher (Jul 20)
- Re: Cogent Abuse - Bogus Propagation of ASN 36471 Mike Hammett (Jul 20)
- RESOLVED: Cogent Abuse - Bogus Propagation of ASN 36471 Pete Rohrman (Jul 20)
- Message not available
- Re: RESOLVED: Cogent Abuse - Bogus Propagation of ASN 36471 Giorgio Bonfiglio via NANOG (Jul 20)
- Re: RESOLVED: Cogent Abuse - Bogus Propagation of ASN 36471 Pete Rohrman (Jul 20)
- Re: Cogent Abuse - Bogus Propagation of ASN 36471 Pete Rohrman (Jul 20)
- Re: Cogent Abuse - Bogus Propagation of ASN 36471 Mike Lyon (Jul 20)
- Re: Cogent Abuse - Bogus Propagation of ASN 36471 David Hubbard (Jul 20)
- Re: Cogent Abuse - Bogus Propagation of ASN 36471 William Herrin (Jul 20)
- Re: Cogent Abuse - Bogus Propagation of ASN 36471 Martin Hannigan (Jul 20)
- Re: Cogent Abuse - Bogus Propagation of ASN 36471 Ian Chilton (Jul 20)
- Re: Cogent Abuse - Bogus Propagation of ASN 36471 Martin Hannigan (Jul 20)
- Re: Cogent Abuse - Bogus Propagation of ASN 36471 Pete Rohrman (Jul 20)
- Re: Cogent Abuse - Bogus Propagation of ASN 36471 Pete Rohrman (Jul 21)