Martin,
It's my former employer's router. It's more like a 4 hour day to get
in/out of the city even though I'm only 20 miles from the PoP. Top that
off with a $90 parking bill. Nobody is paying me to do that work.
There are no more employees left in the company.
Pete
Stage2 "Survivor Island" Bronze Medal Winner
On 7/20/23 14:02, Martin Hannigan wrote:
Pete, if all the data I see ties together like it looks aren't you
able to take the 15m taxi ride to 60 Hudson and recover the router or
shut it off? It's your router. Right?
On Thu, Jul 20, 2023 at 11:10 AM Pete Rohrman
<prohr...@stage2networks.com> wrote:
Ben,
Compromised as in a nefarious entity went into the router and
changed passwords and did whatever. Everything advertised by that
comprised router is bogus. The compromised router is owned by
OrgID: S2NL (now defunct). AS 36471 belongs to KDSS-23
<https://search.arin.net/rdap?query=KDSS-23&searchFilter=entity>.
The compromised router does not belong to Kratos KDSS-23
<https://search.arin.net/rdap?query=KDSS-23&searchFilter=entity>,
and is causing routing problems. The compromised router needs to
be shut down. The owner of the compromised router ceased
business, and there isn't anyone around to address this at S2NL.
The only people that can resolve this is Cogent. Cogent's
defunct customer's router was compromised, and is spewing out
bogus advertisements.
Pete
--
Pete
Stage2 "Survivor Island" Bronze Medal Winner
On 7/20/23 10:40, Ben Cox wrote:
Can you confirm what you mean by compromised here?
The prefixes currently (as far as I can see from bgp.tools) originated are:
Prefix Description
209.255.244.0/24 <http://209.255.244.0/24> Windstream Communications LLC
209.255.245.0/24 <http://209.255.245.0/24> CONSOLIDATED TECHNOLOGIES INC
325 HUDSON
209.255.246.0/24 <http://209.255.246.0/24> Windstream Communications LLC
209.255.247.0/24 <http://209.255.247.0/24> CONSOLIDATED TECHNOLOGIES INC
325 HUDSON
216.197.80.0/20 <http://216.197.80.0/20> --
The 209.xx have valid RPKI certs, so they seem validish, but all have
RADB IRR entries made bylightower.com <http://lightower.com> in 2015.
Do you mean that someone has impersonated AS36471 and set up a cogent
port, and is now announcing your space? I'm confused
On Thu, Jul 20, 2023 at 3:32 PM Pete Rohrman
<prohr...@stage2networks.com> <mailto:prohr...@stage2networks.com> wrote:
NANOG,
A customer of Cogent has a compromised router that is announcing
prefixes sourced from AS 36471. Cogent is propagating that to the
world. Problem is, those prefixes and AS don't belong to that customer
of Cogent - AS 36471 belongs to Kratos Defense & Security Solutions,
Inc. (see whois).
Requests to Cogent Support and Abuse go un-actioned. Need a contact at
Cogent Abuse that can shut down that compromised router. Anyone have a
good contact at Cogent Abuse Dept?
Cogent ticket: HD302928500
Pete
--
Pete
Stage2 "Survivor Island" Bronze Medal Winner
