Re: Cogent Abuse - Bogus Propagation of ASN 36471

[Pete Rohrman <prohrman () stage2networks com>]

Martin,

It's my former employer's router.  It's more like a 4 hour day to get 
in/out of the city even though I'm only 20 miles from the PoP.  Top that 
off with a $90 parking bill.  Nobody is paying me to do that work.  
There are no more employees left in the company.

Pete
Stage2 "Survivor Island" Bronze Medal Winner


On 7/20/23 14:02, Martin Hannigan wrote:
> Pete, if all the data I see ties together like it looks aren't you 
> able to take the 15m taxi ride to 60 Hudson and recover the router or 
> shut it off? It's your router. Right?
>
>
> On Thu, Jul 20, 2023 at 11:10 AM Pete Rohrman 
> <prohrman () stage2networks com> wrote:
>
>     Ben,
>
>     Compromised as in a nefarious entity went into the router and
>     changed passwords and did whatever. Everything advertised by that
>     comprised router is bogus.  The compromised router is owned by
>     OrgID: S2NL (now defunct).  AS 36471 belongs to KDSS-23
>     <https://search.arin.net/rdap?query=KDSS-23&searchFilter=entity>.
>     The compromised router does not belong to Kratos KDSS-23
>     <https://search.arin.net/rdap?query=KDSS-23&searchFilter=entity>,
>     and is causing routing problems.  The compromised router needs to
>     be shut down.  The owner of the compromised router ceased
>     business, and there isn't anyone around to address this at S2NL. 
>     The only people that can resolve this is Cogent.   Cogent's
>     defunct customer's router was compromised, and is spewing out
>     bogus advertisements.
>
>     Pete
>
>     --
>     Pete
>     Stage2 "Survivor Island" Bronze Medal Winner
>
>
>     On 7/20/23 10:40, Ben Cox wrote:
> >     Can you confirm what you mean by compromised here?
> >
> >     The prefixes currently (as far as I can see from bgp.tools) originated are:
> >
> >     Prefix                   Description
> >     209.255.244.0/24  <http://209.255.244.0/24>  Windstream Communications LLC
> >     209.255.245.0/24  <http://209.255.245.0/24>  CONSOLIDATED TECHNOLOGIES INC 325 HUDSON
> >     209.255.246.0/24  <http://209.255.246.0/24>  Windstream Communications LLC
> >     209.255.247.0/24  <http://209.255.247.0/24>  CONSOLIDATED TECHNOLOGIES INC 325 HUDSON
> >     216.197.80.0/20  <http://216.197.80.0/20>  --
> >
> >     The 209.xx have valid RPKI certs, so they seem validish, but all have
> >     RADB IRR entries made bylightower.com  <http://lightower.com>  in 2015.
> >
> >     Do you mean that someone has impersonated AS36471 and set up a cogent
> >     port, and is now announcing your space? I'm confused
> >
> >     On Thu, Jul 20, 2023 at 3:32 PM Pete Rohrman
> >     <prohrman () stage2networks com>  <mailto:prohrman () stage2networks com>  wrote:
> > >     NANOG,
> > >
> > >     A customer of Cogent has a compromised router that is announcing
> > >     prefixes sourced from AS 36471.   Cogent is propagating that to the
> > >     world.  Problem is, those prefixes and AS don't belong to that customer
> > >     of Cogent - AS 36471 belongs to Kratos Defense & Security Solutions,
> > >     Inc. (see whois).
> > >
> > >     Requests to Cogent Support and Abuse go un-actioned.  Need a contact at
> > >     Cogent Abuse that can shut down that compromised router.  Anyone have a
> > >     good contact at Cogent Abuse Dept?
> > >
> > >     Cogent ticket: HD302928500
> > >
> > >     Pete
> > >
> > >     --
> > >     Pete
> > >     Stage2 "Survivor Island" Bronze Medal Winner