Do you mind following up on Matthew’s request for details - really interested 
to see the threat model there and how the RPKI part played out?

On 20 Jul 2023, at 18:06, Pete Rohrman <prohr...@stage2networks.com> wrote:

All,

Cogent has shut down the compromised router.  This issue is resolved.  Thank
you all for your help.

Pete

Stage2 "Survivor Island" Bronze Medal Winner

On 7/20/23 12:59, Mike Hammett wrote:
 
 
If they (or anyone else) want to give me free service to use as I see fit
(well, legally), I'll gladly accept their offer.

-----
Mike Hammett
Intelligent Computing Solutions
http://www.ics-il.com

Midwest-IX
http://www.midwest-ix.com

--------------------------------
 
From: "Tom Beecher" <beec...@beecher.cc>
To: "Matthew Petach" <mpet...@netflight.com>
Cc: nanog@nanog.org
Sent: Thursday, July 20, 2023 11:38:50 AM
Subject: Re: Cogent Abuse - Bogus Propagation of ASN 36471

In short--I'm having a hard time understanding how a non-paying entity still
has working connectivity and BGP sessions, which makes me suspect there's a
different side to this story we're not hearing yet.   ^_^;

I know Cogent has long offered very cheap transit prices, but this seems very
aggressive! :)

On Thu, Jul 20, 2023 at 12:28 PM Matthew Petach <mpet...@netflight.com> wrote:

On Thu, Jul 20, 2023 at 8:09 AM Pete Rohrman <prohr...@stage2networks.com> wrote:

Ben,

Compromised as in a nefarious entity went into the router and changed passwords
and did whatever.  Everything advertised by that compromised router is bogus.
The compromised router is owned by OrgID: S2NL (now defunct).  AS 36471 belongs
to KDSS-23 <https://search.arin.net/rdap?query=KDSS-23&searchFilter=entity>.
The compromised router does not belong to Kratos KDSS-23
<https://search.arin.net/rdap?query=KDSS-23&searchFilter=entity>, and is
causing routing problems.  The compromised router needs to be shut down.  The
owner of the compromised router ceased business, and there isn't anyone around
to address this at S2NL.  The only people that can resolve this are Cogent.
Cogent's defunct customer's router was compromised, and is spewing out bogus
advertisements.

Pete

Hi Pete,

This seems a bit confusing.

So, S2NL was a bill-paying customer of Cogent with a BGP speaking router.
 
They went out of business, and stopped paying their Cogent bills.
 
Cogent, out of the goodness of their hearts, continued to let a non-paying 
customer keep their connectivity up and active, and continued to freely import 
prefixes across BGP neighbors from this non-paying defunct customer.
 
Now, someone else has gained access to this non-paying, defunct customer's
router (which Cogent is still providing free connectivity to, out of the
goodness of their hearts), and is generating RPKI-valid announcements from it,
which have somehow not caused a flurry of messages on the outages list about
prefix hijackings.

The elements to your claim don't really seem to add up.
 
1) ISPs aren't famous for letting non-bill-paying customers stay connected for 
very long past the grace period on their billing cycle, let alone long after 
the company has gone belly-up.
 
2) It's not impossible to generate RPKI-valid announcements from a hijacked
network, but it's very difficult to generate *bogus* RPKI-valid announcements
from a compromised router--that's the whole point of RPKI, to be able to
validate that the prefixes being announced from an origin are indeed the ones
that are owned by that origin.

Can you provide specific prefix and AS_PATH combinations being originated by
that router that are "bogus" and don't belong to the router's ASN?
 
If, however, what you meant is that the router used to be ASN XXXXX, and is now
suddenly showing up as ASN 36471, and Cogent happily changed their BGP neighbor
statements to match the new ASN, even though the entity no longer exists and
hasn't been paying their bills for some time, then that would imply a level of
complicity on Cogent's part that would make them unlikely to respond to your
abuse reports.  That would be a very strong allegation to make, and the
necessary level of documented proof of that level of malfeasance would be
substantial.

In short--I'm having a hard time understanding how a non-paying entity still
has working connectivity and BGP sessions, which makes me suspect there's a
different side to this story we're not hearing yet.   ^_^;

Thanks!

Matt
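The distinction Matt draws in point 2, between announcements that merely come from a compromised router and announcements that are *bogus* yet still RPKI-valid, is what route origin validation (RFC 6811) decides: a relying party checks each announcement's prefix and origin AS against the ROAs the prefix holder published. The following Python is an added example written for this page; it is not code from the thread or from any party named in it. The ROAs, prefixes (RFC 5737 and RFC 3849 documentation space) and AS numbers (RFC 5398 documentation range) are constructed for illustration and say nothing about AS 36471, Cogent, or the router in question.

```python
import ipaddress
from dataclasses import dataclass
from typing import Iterable, List, Tuple


@dataclass(frozen=True)
class ROA:
    """A Route Origin Authorization: holder of `prefix` permits `asn` to
    originate it and any more-specific up to `max_length` bits."""
    prefix: str
    max_length: int
    asn: int


# Constructed ROA set (documentation prefixes/ASNs, not real registry data).
ROAS = (
    ROA("203.0.113.0/24", 24, 64496),
    ROA("2001:db8::/32", 48, 64496),
)


def rov_state(announced_prefix: str, origin_asn: int, roas: Iterable[ROA]) -> str:
    """RFC 6811 origin validation for one (prefix, origin AS) announcement.

    'valid'    some covering ROA names this origin and the length is allowed
    'invalid'  covering ROAs exist but none matches (wrong origin or too long)
    'notfound' no ROA covers the prefix, so RPKI gives no verdict at all
    """
    net = ipaddress.ip_network(announced_prefix, strict=True)
    covering = []
    for roa in roas:
        roa_net = ipaddress.ip_network(roa.prefix, strict=True)
        # subnet_of() raises on mixed address families, so check version first.
        if roa_net.version == net.version and net.subnet_of(roa_net):
            covering.append(roa)
    if not covering:
        return "notfound"
    for roa in covering:
        if roa.asn == origin_asn and net.prefixlen <= roa.max_length:
            return "valid"
    return "invalid"


def classify_updates(updates, roas) -> List[Tuple[str, int, str]]:
    """Annotate (prefix, origin) pairs with their ROV state, as a router with
    ROV enabled does before applying policy."""
    return [(p, asn, rov_state(p, asn, roas)) for p, asn in updates]


def accepted(updates, roas) -> List[Tuple[str, int]]:
    """Announcements that survive a drop-invalid policy. 'notfound' is kept:
    ROV only protects prefixes whose holders actually published ROAs."""
    return [(p, asn) for p, asn, state in classify_updates(updates, roas)
            if state != "invalid"]


# Constructed announcements, as seen from a router peering with both the
# legitimate origin (AS64496) and a router under someone else's control (AS64511).
SAMPLE_UPDATES = [
    ("203.0.113.0/24", 64496),   # holder announcing its own prefix
    ("203.0.113.0/24", 64511),   # same prefix from the wrong origin
    ("203.0.113.0/25", 64496),   # right origin, but longer than maxLength
    ("2001:db8:1::/48", 64496),  # within the v6 ROA's maxLength
    ("198.51.100.0/24", 64511),  # no ROA published: ROV cannot help here
]

if __name__ == "__main__":
    for prefix, asn, state in classify_updates(SAMPLE_UPDATES, ROAS):
        print(f"{prefix:<18} AS{asn}  {state}")
```

Running it shows why Matt's objection has teeth: a router that still carries the legitimate AS configuration can emit announcements that validate (first case), because ROV checks the origin AS and prefix length, not who is at the keyboard. Any prefix the AS holds no ROA for comes back `invalid` and is dropped by peers doing ROV, so "bogus" announcements should be visible as invalids in route collectors rather than as a silent hijack. The `notfound` case is the gap a defender should watch: unsigned prefixes get no protection from RPKI at all, which is why publishing ROAs for one's own space matters.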