If they (or anyone else) want to give me free service to use as I
see fit (well, legally), I'll gladly accept their offer.
-----
Mike Hammett
Intelligent Computing Solutions
http://www.ics-il.com
Midwest-IX
http://www.midwest-ix.com
------------------------------------------------------------------------
*From: *"Tom Beecher" <beec...@beecher.cc>
*To: *"Matthew Petach" <mpet...@netflight.com>
*Cc: *nanog@nanog.org
*Sent: *Thursday, July 20, 2023 11:38:50 AM
*Subject: *Re: Cogent Abuse - Bogus Propagation of ASN 36471
In short--I'm having a hard time understanding how a non-paying
entity still has working connectivity and BGP sessions, which
makes me suspect there's a different side to this story we're
not hearing yet. ^_^;
I know Cogent has long offered very cheap transit prices, but this
seems very aggressive! :)
On Thu, Jul 20, 2023 at 12:28 PM Matthew Petach
<mpet...@netflight.com> wrote:
On Thu, Jul 20, 2023 at 8:09 AM Pete Rohrman
<prohr...@stage2networks.com> wrote:
Ben,
Compromised as in a nefarious entity went into the router
and changed passwords and did whatever. Everything
advertised by that compromised router is bogus. The
compromised router is owned by OrgID: S2NL (now defunct).
AS 36471 belongs to KDSS-23
<https://search.arin.net/rdap?query=KDSS-23&searchFilter=entity>.
The compromised router does not belong to Kratos KDSS-23
<https://search.arin.net/rdap?query=KDSS-23&searchFilter=entity>,
and is causing routing problems. The compromised router
needs to be shut down. The owner of the compromised router
ceased business, and there isn't anyone around to address
this at S2NL. The only people that can resolve this are
Cogent. Cogent's defunct customer's router was compromised,
and is spewing out bogus advertisements.
Pete
Hi Pete,
This seems a bit confusing.
So, S2NL was a bill-paying customer of Cogent with a BGP
speaking router. _<< YES, and they used to own AS36471 and used
it for years>>_
They went out of business, and stopped paying their Cogent
bills. _<< YES >>_
Cogent, out of the goodness of their hearts, continued to let a
non-paying customer keep their connectivity up and active, and
continued to freely import prefixes across BGP neighbors from
this non-paying defunct customer. _<< YES, and in the meantime,
someone broke into that router and changed the password, so I
couldn't remotely shut down BGP >>_
Now, someone else has gained access to this non-paying, defunct
customer's router (which Cogent is still providing free
connectivity to, out of the goodness of their hearts), and is
generating RPKI-valid announcements from it, which have somehow
not caused a flurry of messages on the outages list about prefix
hijackings. _<< SORT OF, by ARIN registration, neither the AS nor
the prefixes coming from that router were valid because they
found their way into possession by other parties. >>_
The elements to your claim don't really seem to add up.
1) ISPs aren't famous for letting non-bill-paying customers stay
connected for very long past the grace period on their billing
cycle, let alone long after the company has gone belly-up. _<< I
disagree >>_
2) It's not impossible to generate RPKI-valid announcements from
a hijacked network, but it's very difficult to generate *bogus*
RPKI-valid announcements from a compromised router--that's the
whole point of RPKI, to be able to validate that the prefixes
being announced from an origin are indeed the ones that are
owned by that origin. _<< They were valid at one time. They no
longer are. I'm not sure when each prefix or the AS were
transferred to the new owners by ARIN >>_
Can you provide specific prefix and AS_PATH combinations being
originated by that router that are "bogus" and don't belong to
the router's ASN? _<< I don't see that AS in a public route
server any more. This is resolved. I should have taken a
screen shot, but I didn't. Look for 216.197.80.0/20 >>_
If, however, what you meant is that the router used to be ASN
XXXXX, and is now suddenly showing up as ASN 36471 _<< NO, it
was always AS36471, but that AS is no longer owned by S2NL >>_,
and Cogent happily changed their BGP neighbor statements to
match the new ASN _<< NO >>_, even though the entity no longer
exists and hasn't been paying their bills for some time, then
that would imply a level of complicity on Cogent's part that
would make them unlikely to respond to your abuse reports. That
would be a very strong allegation to make, and the necessary
level of documented proof of that level of malfeasance would be
substantial. _<< Neither Cogent nor S2NL were practicing
malevolence. S2NL was practicing incompetence. AS number was
transferred to a new entity by ARIN. Nobody home at S2NL to turn
down the router. Cogent wouldn't act on my requests because I
was taken off the list. New AS owner asked me to help. I'm not
too busy these days, so I obliged. Had no other option other
than posting to NANOG, and it worked. Cogent shut down the
compromised router and bogus advertisements vanished from the
public routing table. >>_
In short--I'm having a hard time understanding how a non-paying
entity still has working connectivity and BGP sessions, which
makes me suspect there's a different side to this story we're
not hearing yet. ^_^;
Thanks!
Matt
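The RPKI origin validation Matt refers to, shown as an added example that is not part of the thread: a small RFC 6811 validator run against a constructed ROA set. The ROA for 216.197.80.0/20 with origin AS 36471 is an assumption made for illustration, and the other prefixes are documentation ranges; the point it demonstrates is that a compromised router still originating from the AS named in the ROA remains "valid", so ROV cannot tell who is holding the router.

```python
"""RFC 6811 route-origin validation over a constructed ROA set (added example)."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class ROA:
    prefix: str       # prefix authorised by the resource holder
    max_length: int   # longest prefix length the holder allows
    origin_asn: int   # AS authorised to originate it


# Constructed ROAs for illustration only; not real RPKI data.
ROAS = (
    ROA("216.197.80.0/20", 20, 36471),   # assumed ROA for the prefix from the thread
    ROA("192.0.2.0/24", 24, 64496),      # documentation prefix / private-use AS
)


def validate(prefix: str, origin_asn: int, roas=ROAS) -> str:
    """Return 'valid', 'invalid' or 'not-found' for one announcement.

    A ROA covers the route when its prefix contains the announced prefix.
    The route is valid if some covering ROA names the origin AS and the
    announced length does not exceed maxLength; invalid if covered but
    nothing matches; not-found if no ROA covers it at all.
    """
    net = ipaddress.ip_network(prefix, strict=False)
    covered = False
    for roa in roas:
        roa_net = ipaddress.ip_network(roa.prefix, strict=False)
        if roa_net.version != net.version or not net.subnet_of(roa_net):
            continue
        covered = True
        if roa.origin_asn == origin_asn and net.prefixlen <= roa.max_length:
            return "valid"
    return "invalid" if covered else "not-found"


def classify(announcements, roas=ROAS) -> dict:
    """Map each (prefix, origin_asn) pair to its ROV state."""
    return {a: validate(a[0], a[1], roas) for a in announcements}


if __name__ == "__main__":
    sample = [("216.197.80.0/20", 36471),   # stale router, authorised AS: still valid
              ("216.197.80.0/21", 36471),   # more specific than maxLength: invalid
              ("216.197.80.0/20", 64500),   # wrong origin AS: invalid
              ("198.51.100.0/24", 36471)]   # no covering ROA: not-found
    for ann, state in classify(sample).items():
        print(f"{ann[0]:<18} AS{ann[1]:<6} {state}")
```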