Re: AWS hosted sites like slack unreachable

2023-07-20 Thread Pete Rohrman

Margi,

I ran into that years ago with AWS.  I had a service provider clearing 
calls for me, and they were hosted on AWS.   Kept pushing my service 
provider to open tickets with AWS. The issue would resolve for a day, 
then return, etc.  There was no permanent resolution offered by 
AWS.  The issue kept re-emerging.  I wasn't a paying customer of AWS, so 
I had to find another solution.


The solution that I was forced to use was to set up a proxy on another 
network.  I built a virtual server (I used DigitalOcean), set it up to 
proxy that specific traffic, and I had to bounce all the traffic off of 
that proxy to get in/out of AWS.


Keep that solution in your back pocket if you don't get this cleared up.

Good Luck,


Pete
Stage2 "Survivor Island" Bronze Medal Winner


On 7/20/23 17:31, Daniel Marks via NANOG wrote:
You didn’t specify anything that would be useful to narrow down the 
issue (i.e. location, asn, error codes, etc) - We had a somewhat 
similar issue at DET-IX with routes to us-east-1 and us-east-2 seeing 
a lot of packet loss, but AWS eventually just de-peered the exchange 
entirely since it was an issue with their equipment.


On Jul 20, 2023, at 5:17 PM, Margi Varia via NANOG  
wrote:


Hi Nanog,

We are seeing this weird issue in one part of the network. Customers 
in one public subnet are not able to reach certain websites suddenly 
which are hosted in AWS like slack.com, bill.com..


We changed the subnet to new one and issue resolved, after 48 hours, 
we have the same issue again. We are not AWS customer, so can't call 
them, but what are our options?


Thanks,
Margi


Re: AWS hosted sites like slack unreachable

2023-07-20 Thread Glenn Kelley
We have seen this in our consulting business with a large number of
smaller ISPs both FISP and WISPS

Often it is due to traffic leaving the network they believe to be an attack.

If you let them know the Network Blocks, ASN, etc in an email to
ab...@amazonaws.com they are very responsive.

I would suggest running a simple netflow  and see what might be going
outbound to them as well.  There is a good chance you will see an
outlier or two in the netflow should it be an abuse issue.

I hope that helps
Glenn S. Kelley,
I am a Connectivity.Engineer
Text and Voice Direct:  740-206-9624


a Division of CreatingNet.Works

On Thu, Jul 20, 2023 at 5:32 PM Daniel Marks via NANOG  wrote:
>
> You didn’t specify anything that would be useful to narrow down the issue 
> (i.e. location, asn, error codes, etc) - We had a somewhat similar issue at 
> DET-IX with routes to us-east-1 and us-east-2 seeing a lot of packet loss, 
> but AWS eventually just de-peered the exchange entirely since it was an issue 
> with their equipment.
>
> On Jul 20, 2023, at 5:17 PM, Margi Varia via NANOG  wrote:
>
> Hi Nanog,
>
> We are seeing this weird issue in one part of the network. Customers in one 
> public subnet are not able to reach certain websites suddenly which are 
> hosted in AWS like slack.com, bill.com..
>
> We changed the subnet to new one and issue resolved, after 48 hours, we have 
> the same issue again. We are not AWS customer, so can't call them, but what 
> are our options?
>
> Thanks,
> Margi
>
>
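One way to run the NetFlow check suggested in the message above, as an added example that is not part of the post: it summarises each source's traffic toward the provider and flags sources whose distinct-destination count is a high outlier. The flow records, the customer subnet and the "provider" prefixes are constructed from documentation address space, and the threshold is an assumption.

```python
import ipaddress
from collections import defaultdict
from statistics import median

# Constructed stand-ins for the provider's published ranges (documentation
# prefixes, not real AWS space).
PROVIDER_NETS = [ipaddress.ip_network(n) for n in ("198.51.100.0/24", "203.0.113.0/24")]


def sample_flows():
    """Constructed flow export: (src, dst, dst_port, packets, bytes)."""
    flows = []
    for i in range(8):  # eight ordinary customers browsing over HTTPS
        src = f"192.0.2.{10 + i}"
        for j in range(2 + i % 2):
            flows.append((src, f"203.0.113.{10 + j}", 443, 40, 30000))
        flows.append((src, "10.0.0.53", 53, 2, 180))  # not provider-bound
    for k in range(1, 201):  # one host touching 200 addresses, one packet each
        flows.append(("192.0.2.77", f"198.51.100.{k}", 23, 1, 60))
    return flows


def to_provider(dst):
    addr = ipaddress.ip_address(dst)
    return any(addr in net for net in PROVIDER_NETS)


def summarise(flows):
    """Per-source totals for traffic headed to the provider only."""
    stats = defaultdict(
        lambda: {"flows": 0, "dsts": set(), "ports": set(), "packets": 0, "bytes": 0}
    )
    for src, dst, port, packets, nbytes in flows:
        if not to_provider(dst):
            continue
        s = stats[src]
        s["flows"] += 1
        s["dsts"].add(dst)
        s["ports"].add(port)
        s["packets"] += packets
        s["bytes"] += nbytes
    return dict(stats)


def flag_outliers(stats, threshold=3.5):
    """Sources whose distinct-destination count is a high outlier.

    Uses the modified z-score, 0.6745 * (x - median) / MAD, which one extreme
    host cannot drag the way it drags a mean and standard deviation.
    """
    counts = {src: len(s["dsts"]) for src, s in stats.items()}
    if len(counts) < 3:
        return []  # too few sources to call anything an outlier
    med = median(counts.values())
    mad = median(abs(c - med) for c in counts.values())
    flagged = []
    for src, c in counts.items():
        if mad == 0:
            # Most sources are identical: flag anything well above the median.
            is_out = c > max(10, 5 * med)
        else:
            is_out = 0.6745 * (c - med) / mad > threshold
        if is_out:
            flagged.append(src)
    return sorted(flagged)


def report(flows):
    """(source, flows, distinct destinations, ports, packets per flow) per outlier."""
    stats = summarise(flows)
    rows = []
    for src in flag_outliers(stats):
        s = stats[src]
        rows.append((src, s["flows"], len(s["dsts"]), sorted(s["ports"]),
                     s["packets"] / s["flows"]))
    return rows


if __name__ == "__main__":
    for src, nflows, ndsts, ports, ppf in report(sample_flows()):
        print(f"{src}: {nflows} flows to {ndsts} provider addresses, "
              f"ports {ports}, {ppf:.1f} packets/flow")
```

Many destinations with about one packet per flow on a single port is the pattern a remote abuse system is likely to read as scanning, so the flagged source is the one to investigate before writing to the provider.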


Re: AWS hosted sites like slack unreachable

2023-07-20 Thread Daniel Marks via NANOG
You didn’t specify anything that would be useful to narrow down the issue (i.e. 
location, asn, error codes, etc) - We had a somewhat similar issue at DET-IX 
with routes to us-east-1 and us-east-2 seeing a lot of packet loss, but AWS 
eventually just de-peered the exchange entirely since it was an issue with 
their equipment.

> On Jul 20, 2023, at 5:17 PM, Margi Varia via NANOG  wrote:
> 
> Hi Nanog,
> 
> We are seeing this weird issue in one part of the network. Customers in one 
> public subnet are not able to reach certain websites suddenly which are 
> hosted in AWS like slack.com, bill.com..
> 
> We changed the subnet to new one and issue resolved, after 48 hours, we have 
> the same issue again. We are not AWS customer, so can't call them, but what 
> are our options? 
> 
> Thanks,
> Margi





Re: RESOLVED: Cogent Abuse - Bogus Propagation of ASN 36471

2023-07-20 Thread Pete Rohrman

Matt/Giorgio,

See my answers inline to Matt's line of questioning below, but the 
basics are that those prefixes and AS number were owned by S2NL and used 
for years.  After all the employees were let go (including me), this 
router in question was compromised, and the ssh and enable were 
changed.  Don't know who did it.  ARIN re-assigned the AS and prefixes 
to other parties.  A few days ago, the new AS owner found me from an 
ARIN registration, and asked for my assistance to cease advertising 
AS36471.  I opened tickets with Cogent to turn it down, to learn that I 
was removed from the ability to make such radical requests.  I was just 
trying to be a good internet citizen by assisting in sorting this out.  
It's resolved now.  Thank you for the help.


Pete
Stage2 "Survivor Island" Bronze Medal Winner



On 7/20/23 13:33, Giorgio Bonfiglio wrote:
Do you mind following up on Matthew’s request for details - really 
interested to see the threat model there and how the RPKI part played out?


On 20 Jul 2023, at 18:06, Pete Rohrman  
wrote:




All,


Cogent has shut down the compromised router.  This issue is 
resolved.  Thank you all for your help.




Pete
Stage2 "Survivor Island" Bronze Medal Winner



On 7/20/23 12:59, Mike Hammett wrote:
If they (or anyone else) want to give me free service to use as I 
see fit (well, legally), I'll gladly accept their offer.




-
Mike Hammett
Intelligent Computing Solutions
http://www.ics-il.com

Midwest-IX
http://www.midwest-ix.com


*From: *"Tom Beecher" 
*To: *"Matthew Petach" 
*Cc: *nanog@nanog.org
*Sent: *Thursday, July 20, 2023 11:38:50 AM
*Subject: *Re: Cogent Abuse - Bogus Propagation of ASN 36471

In short--I'm having a hard time understanding how a non-paying
entity still has working connectivity and BGP sessions, which
makes me suspect there's a different side to this story we're
not hearing yet.   ^_^;


I know Cogent has long offered very cheap transit prices, but this 
seems very aggressive! :)


On Thu, Jul 20, 2023 at 12:28 PM Matthew Petach 
 wrote:




On Thu, Jul 20, 2023 at 8:09 AM Pete Rohrman
 wrote:

Ben,

Compromised as in a nefarious entity went into the router
and changed passwords and did whatever.  Everything
advertised by that compromised router is bogus.  The
compromised router is owned by OrgID: S2NL (now defunct).
AS 36471 belongs to KDSS-23.
The compromised router does not belong to Kratos KDSS-23,
and is causing routing problems.  The compromised router
needs to be shut down. The owner of the compromised router
ceased business, and there isn't anyone around to address
this at S2NL.  The only people that can resolve this is
Cogent. Cogent's defunct customer's router was compromised,
and is spewing out bogus advertisements.

Pete



Hi Pete,

This seems a bit confusing.

So, S2NL was a bill-paying customer of Cogent with a BGP
speaking router. _<< YES, and they used to own AS36471 and used
it for years>>_
They went out of business, and stopped paying their Cogent
bills. _<< YES >>_
Cogent, out of the goodness of their hearts, continued to let a
non-paying customer keep their connectivity up and active, and
continued to freely import prefixes across BGP neighbors from
this non-paying defunct customer. _<< YES, and in the mean time,
someone broke into that router and changed the password, so I
couldn't remotely shut down BGP  >>_
Now, someone else has gained access to this non-paying, defunct
customer's router (which Cogent is still providing free
connectivity to, out of the goodness of their hearts), and is
generating RPKI-valid announcements from it, which have somehow
not caused a flurry of messages on the outages list about prefix
hijackings. _<>_

The elements to your claim don't really seem to add up.
1) ISPs aren't famous for letting non-bill-paying customers stay
connected for very long past the grace period on their billing
cycle, let alone long after the company has gone belly-up. _<< I
disagree >>_
2) It's not impossible to generate RPKI-valid announcements from
a hijacked network, but it's very difficult to generate *bogus*
RPKI-valid announcements from a compromised router--that's the
whole point of RPKI, to be able to validate that the prefixes
being announced from an origin are indeed the ones that are
owned by that origin. _<< They were valid at one time.  They no
longer are.  I'm not sure when each prefix or the AS were
transferred to the new owners by ARIN >>_

Can you provide specific prefix and AS_PATH combinations being
originated by that 

AWS hosted sites like slack unreachable

2023-07-20 Thread Margi Varia via NANOG
Hi Nanog,

We are seeing this weird issue in one part of the network. Customers in one 
public subnet are not able to reach certain websites suddenly which are hosted 
in AWS like slack.com, bill.com..

We changed the subnet to new one and issue resolved, after 48 hours, we have 
the same issue again. We are not AWS customer, so can't call them, but what are 
our options?

Thanks,
Margi


Re: Cogent Abuse - Bogus Propagation of ASN 36471

2023-07-20 Thread Jared Brown
On Thu Jul 20 Mike Hammett wrote:
> If they (or anyone else) want to give me free service to use as I see fit 
> (well, legally), I'll gladly accept their offer.

I once had free IP transit from Cogent for about a year after I told them to 
shove it.

Not that it did me much good.


- Jared


Re: Cogent Abuse - Bogus Propagation of ASN 36471

2023-07-20 Thread Pete Rohrman

Martin,

It's my former employer's router.  It's more like a 4 hour day to get 
in/out of the city even though I'm only 20 miles from the PoP.  Top that 
off with a $90 parking bill.  Nobody is paying me to do that work.  
There are no more employees left in the company.


Pete
Stage2 "Survivor Island" Bronze Medal Winner


On 7/20/23 14:02, Martin Hannigan wrote:


Pete, if all the data I see ties together like it looks aren't you 
able to take the 15m taxi ride to 60 Hudson and recover the router or 
shut it off? It's your router. Right?



On Thu, Jul 20, 2023 at 11:10 AM Pete Rohrman 
 wrote:


Ben,

Compromised as in a nefarious entity went into the router and
changed passwords and did whatever. Everything advertised by that
compromised router is bogus.  The compromised router is owned by
OrgID: S2NL (now defunct).  AS 36471 belongs to KDSS-23.
The compromised router does not belong to Kratos KDSS-23,
and is causing routing problems.  The compromised router needs to
be shut down.  The owner of the compromised router ceased
business, and there isn't anyone around to address this at S2NL. 
The only people that can resolve this is Cogent.   Cogent's
defunct customer's router was compromised, and is spewing out
bogus advertisements.

Pete

--
Pete
Stage2 "Survivor Island" Bronze Medal Winner


On 7/20/23 10:40, Ben Cox wrote:

Can you confirm what you mean by compromised here?

The prefixes currently (as far as I can see from bgp.tools) originated are:

Prefix              Description
209.255.244.0/24    Windstream Communications LLC
209.255.245.0/24    CONSOLIDATED TECHNOLOGIES INC 325 HUDSON
209.255.246.0/24    Windstream Communications LLC
209.255.247.0/24    CONSOLIDATED TECHNOLOGIES INC 325 HUDSON
216.197.80.0/20     --

The 209.xx have valid RPKI certs, so they seem validish, but all have
RADB IRR entries made by lightower.com in 2015.

Do you mean that someone has impersonated AS36471 and set up a cogent
port, and is now announcing your space? I'm confused

On Thu, Jul 20, 2023 at 3:32 PM Pete Rohrman
    wrote:

NANOG,

A customer of Cogent has a compromised router that is announcing
prefixes sourced from AS 36471.   Cogent is propagating that to the
world.  Problem is, those prefixes and AS don't belong to that customer
of Cogent - AS 36471 belongs to Kratos Defense & Security Solutions,
Inc. (see whois).

Requests to Cogent Support and Abuse go un-actioned.  Need a contact at
Cogent Abuse that can shut down that compromised router.  Anyone have a
good contact at Cogent Abuse Dept?

Cogent ticket: HD302928500

Pete

--
Pete
Stage2 "Survivor Island" Bronze Medal Winner


[NANOG-announce] N88 YouTube Video of the Week + Kendra Pignotti Shares Her Detoured Path into a Career in Tech

2023-07-20 Thread Nanog News
*N88 YouTube Video of the Week *
*Check out our Most Viewed NANOG 88 Video of the Week *

*"The Proper Way To Prepare For A Network Engineering Job Interview With A
Tech Giant" with Kam Agahian.*

*Why it's worth your time:* Part 2 of a popular previous talk at NANOG 76.
Agahian covers the main network engineering areas used by tech giants and
the proper way to prepare for interviews, including a list of soft skill
mistakes almost all engineers tend to make.

Watch our most viewed video from our NANOG 88 playlist now.



*A (Tech) Road Less Taken*
*Kendra Pignotti Shares Her Detoured Path into a Career in Tech*

Why it's worth your time: Find a mentor, get to know Pignotti's career
story, get inspired or learn more about a community member.

*"I said, okay, what's next? What is the next big thing that the world
can't live without? And it was glaringly obvious that the next big thing,
bigger than the Industrial Revolution, was the Internet."*


Say Cheese! Check out NANOG 88 Pictures
*Have you Seen the NANOG 88 Photo Album Yet? *

*Take a walk down memory lane. *Download your favorite candid moments and
make your NANOG 88 photo album.

___
NANOG-announce mailing list
NANOG-announce@nanog.org
https://mailman.nanog.org/mailman/listinfo/nanog-announce



Re: Cogent Abuse - Bogus Propagation of ASN 36471

2023-07-20 Thread Martin Hannigan
On Thu, Jul 20, 2023 at 2:34 PM Ian Chilton  wrote:

> On Thu, 20 Jul 2023, at 7:02 PM, Martin Hannigan wrote:
>
> Pete, if all the data I see ties together like it looks aren't you able to
> take the 15m taxi ride to 60 Hudson and recover the router or shut it off?
> It's your router. Right?
>
>
> I would assume if the company no longer exists, they won't be paying the
> DC bill, so they won't let him in.
>
> Though i'm surprised they've not cut the power... or if they are just lax,
> surely could be convinced to.
>

The ARIN ORG was updated recently and so was the domain name.
https://apps.dos.ny.gov/publicInquiry/EntityDisplay

I don't know what kind of routing problems this is causing, but someone
with standing should be able to reach out to Cogent and get something done
if needed.

On the shiny object front, I can't resist. I ordered Cogent and liked it.

Warm regards,

-M<


Re: Cogent Abuse - Bogus Propagation of ASN 36471

2023-07-20 Thread Ian Chilton
On Thu, 20 Jul 2023, at 7:02 PM, Martin Hannigan wrote:
> Pete, if all the data I see ties together like it looks aren't you able to 
> take the 15m taxi ride to 60 Hudson and recover the router or shut it off? 
> It's your router. Right?

I would assume if the company no longer exists, they won't be paying the DC 
bill, so they won't let him in.

Though i'm surprised they've not cut the power... or if they are just lax, 
surely could be convinced to.

Ian


Re: Cogent Abuse - Bogus Propagation of ASN 36471

2023-07-20 Thread Martin Hannigan
Pete, if all the data I see ties together like it looks aren't you able to
take the 15m taxi ride to 60 Hudson and recover the router or shut it off?
It's your router. Right?


On Thu, Jul 20, 2023 at 11:10 AM Pete Rohrman 
wrote:

> Ben,
>
> Compromised as in a nefarious entity went into the router and changed
> passwords and did whatever.  Everything advertised by that compromised router
> is bogus.  The compromised router is owned by OrgID: S2NL (now defunct).
> AS 36471 belongs to KDSS-23.  The
> compromised router does not belong to Kratos KDSS-23, and is
> causing routing problems.  The compromised router needs to be shut down.
> The owner of the compromised router ceased business, and there isn't anyone
> around to address this at S2NL.  The only people that can resolve this is
> Cogent.   Cogent's defunct customer's router was compromised, and is
> spewing out bogus advertisements.
>
> Pete
>
> --
> Pete
> Stage2 "Survivor Island" Bronze Medal Winner
>
>
>
> On 7/20/23 10:40, Ben Cox wrote:
>
> Can you confirm what you mean by compromised here?
>
> The prefixes currently (as far as I can see from bgp.tools) originated are:
>
> Prefix              Description
> 209.255.244.0/24    Windstream Communications LLC
> 209.255.245.0/24    CONSOLIDATED TECHNOLOGIES INC 325 HUDSON
> 209.255.246.0/24    Windstream Communications LLC
> 209.255.247.0/24    CONSOLIDATED TECHNOLOGIES INC 325 HUDSON
> 216.197.80.0/20     --
>
> The 209.xx have valid RPKI certs, so they seem validish, but all have
> RADB IRR entries made by lightower.com in 2015.
>
> Do you mean that someone has impersonated AS36471 and set up a cogent
> port, and is now announcing your space? I'm confused
>
> On Thu, Jul 20, 2023 at 3:32 PM Pete Rohrman 
>  wrote:
>
> NANOG,
>
> A customer of Cogent has a compromised router that is announcing
> prefixes sourced from AS 36471.   Cogent is propagating that to the
> world.  Problem is, those prefixes and AS don't belong to that customer
> of Cogent - AS 36471 belongs to Kratos Defense & Security Solutions,
> Inc. (see whois).
>
> Requests to Cogent Support and Abuse go un-actioned.  Need a contact at
> Cogent Abuse that can shut down that compromised router.  Anyone have a
> good contact at Cogent Abuse Dept?
>
> Cogent ticket: HD302928500
>
> Pete
>
> --
> Pete
> Stage2 "Survivor Island" Bronze Medal Winner
>
>


Re: RESOLVED: Cogent Abuse - Bogus Propagation of ASN 36471

2023-07-20 Thread Giorgio Bonfiglio via NANOG
Do you mind following up on Matthew’s request for details - really interested 
to see the threat model there and how the RPKI part played out?

On 20 Jul 2023, at 18:06, Pete Rohrman  wrote:

All,

Cogent has shut down the compromised router.  This issue is resolved.  Thank 
you all for your help.

Pete
Stage2 "Survivor Island" Bronze Medal Winner

On 7/20/23 12:59, Mike Hammett wrote:

If they (or anyone else) want to give me free service to use as I see fit 
(well, legally), I'll gladly accept their offer.

-
Mike Hammett
Intelligent Computing Solutions
http://www.ics-il.com

Midwest-IX
http://www.midwest-ix.com

From: "Tom Beecher" 
To: "Matthew Petach" 
Cc: nanog@nanog.org
Sent: Thursday, July 20, 2023 11:38:50 AM
Subject: Re: Cogent Abuse - Bogus Propagation of ASN 36471

In short--I'm having a hard time understanding how a non-paying entity still 
has working connectivity and BGP sessions, which makes me suspect there's a 
different side to this story we're not hearing yet.   ^_^;

I know Cogent has long offered very cheap transit prices, but this seems very 
aggressive! :)

On Thu, Jul 20, 2023 at 12:28 PM Matthew Petach <mpet...@netflight.com> wrote:

On Thu, Jul 20, 2023 at 8:09 AM Pete Rohrman <prohr...@stage2networks.com> wrote:

Ben,

Compromised as in a nefarious entity went into the router and changed passwords 
and did whatever.  Everything advertised by that compromised router is bogus.  
The compromised router is owned by OrgID: S2NL (now defunct).  AS 36471 belongs 
to KDSS-23.  The compromised router does not belong to Kratos KDSS-23, and is 
causing routing problems.  The compromised router needs to be shut down.  The 
owner of the compromised router ceased business, and there isn't anyone around 
to address this at S2NL.  The only people that can resolve this is Cogent.   
Cogent's defunct customer's router was compromised, and is spewing out bogus 
advertisements.

Pete

Hi Pete,

This seems a bit confusing.

So, S2NL was a bill-paying customer of Cogent with a BGP speaking router.

They went out of business, and stopped paying their Cogent bills.

Cogent, out of the goodness of their hearts, continued to let a non-paying 
customer keep their connectivity up and active, and continued to freely import 
prefixes across BGP neighbors from this non-paying defunct customer.

Now, someone else has gained access to this non-paying, defunct customer's 
router (which Cogent is still providing free connectivity to, out of the 
goodness of their hearts), and is generating RPKI-valid announcements from it, 
which have somehow not caused a flurry of messages on the outages list about 
prefix hijackings.

The elements to your claim don't really seem to add up.

1) ISPs aren't famous for letting non-bill-paying customers stay connected for 
very long past the grace period on their billing cycle, let alone long after 
the company has gone belly-up.

2) It's not impossible to generate RPKI-valid announcements from a hijacked 
network, but it's very difficult to generate *bogus* RPKI-valid announcements 
from a compromised router--that's the whole point of RPKI, to be able to 
validate that the prefixes being announced from an origin are indeed the ones 
that are owned by that origin.

Can you provide specific prefix and AS_PATH combinations being originated by 
that router that are "bogus" and don't belong to the router's ASN?

If, however, what you meant is that the router used to be ASN X, and is now 
suddenly showing up as ASN 36471, and Cogent happily changed their BGP neighbor 
statements to match the new ASN, even though the entity no longer exists and 
hasn't been paying their bills for some time, then that would imply a level of 
complicity on Cogent's part that would make them unlikely to respond to your 
abuse reports.  That would be a very strong allegation to make, and the 
necessary level of documented proof of that level of malfeasance would be 
substantial.

In short--I'm having a hard time understanding how a non-paying entity still 
has working connectivity and BGP sessions, which makes me suspect there's a 
different side to this story we're not hearing yet.   ^_^;

Thanks!

Matt
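
The RPKI question raised in this message, as an added example that is not part of any poster's text: an RFC 6811-style route origin validation run over the prefixes Ben Cox listed earlier in the thread, showing that the result depends only on the published ROAs and the origin AS, not on who operates the announcing router. Both ROA sets and AS 64500 (a documentation ASN standing in for a new holder) are constructed assumptions, not actual RPKI data.

```python
import ipaddress

ORIGIN_AS = 36471  # origin AS named in the thread

# Prefixes listed in the thread as originated by AS36471.
ANNOUNCED = [
    "209.255.244.0/24",
    "209.255.245.0/24",
    "209.255.246.0/24",
    "209.255.247.0/24",
    "216.197.80.0/20",
]

# Constructed ROA sets: (prefix, maxLength, authorised origin AS).
# Assumptions for illustration only, not the real repository contents.
ROAS_STALE = [("209.255.244.0/22", 24, 36471)]     # left in place by a former holder
ROAS_REISSUED = [("209.255.244.0/22", 24, 64500)]  # hypothetical new holder's origin


def validate(prefix, origin_as, roas):
    """Return 'valid', 'invalid' or 'not-found' for one announcement."""
    route = ipaddress.ip_network(prefix)
    covered = False
    for roa_prefix, max_len, roa_as in roas:
        roa_net = ipaddress.ip_network(roa_prefix)
        # A ROA is relevant only if it covers the announced prefix.
        if route.version != roa_net.version or not route.subnet_of(roa_net):
            continue
        covered = True
        # Match needs the same origin (AS0 never matches) and a prefix
        # length no longer than the ROA's maxLength.
        if roa_as != 0 and roa_as == origin_as and route.prefixlen <= max_len:
            return "valid"
    # Covered by at least one ROA but matched by none: invalid.
    return "invalid" if covered else "not-found"


def evaluate(roas, origin_as=ORIGIN_AS):
    """Validation state of every announced prefix under a given ROA set."""
    return {p: validate(p, origin_as, roas) for p in ANNOUNCED}


def accepted(roas, origin_as=ORIGIN_AS):
    """Routes that survive a 'drop invalid' import policy."""
    return [p for p, state in evaluate(roas, origin_as).items() if state != "invalid"]


if __name__ == "__main__":
    for label, roas in (("stale ROA", ROAS_STALE), ("reissued ROA", ROAS_REISSUED)):
        print(label)
        for prefix, state in evaluate(roas).items():
            print(f"  {prefix:<20} AS{ORIGIN_AS}  {state}")
        print("  accepted under drop-invalid:", accepted(roas))
```

With the stale ROA the four /24s validate no matter who controls the router; they turn invalid only once the ROA is replaced, and the prefix with no covering ROA stays not-found and passes a drop-invalid policy either way.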


Re: Cogent Abuse - Bogus Propagation of ASN 36471

2023-07-20 Thread David Hubbard
Heck, I can’t even get Cogent to keep my paid services functional; going on 
four weeks with an unusable 10gig point to point.


From: NANOG  on behalf 
of Mike Hammett 
Date: Thursday, July 20, 2023 at 1:03 PM
To: Tom Beecher 
Cc: nanog@nanog.org 
Subject: Re: Cogent Abuse - Bogus Propagation of ASN 36471
If they (or anyone else) want to give me free service to use as I see fit 
(well, legally), I'll gladly accept their offer.


-
Mike Hammett
Intelligent Computing Solutions
http://www.ics-il.com

Midwest-IX
http://www.midwest-ix.com


From: "Tom Beecher" 
To: "Matthew Petach" 
Cc: nanog@nanog.org
Sent: Thursday, July 20, 2023 11:38:50 AM
Subject: Re: Cogent Abuse - Bogus Propagation of ASN 36471
In short--I'm having a hard time understanding how a non-paying entity still 
has working connectivity and BGP sessions, which makes me suspect there's a 
different side to this story we're not hearing yet.   ^_^;

I know Cogent has long offered very cheap transit prices, but this seems very 
aggressive! :)

On Thu, Jul 20, 2023 at 12:28 PM Matthew Petach 
<mpet...@netflight.com> wrote:


On Thu, Jul 20, 2023 at 8:09 AM Pete Rohrman 
<prohr...@stage2networks.com> wrote:

Ben,

Compromised as in a nefarious entity went into the router and changed passwords 
and did whatever.  Everything advertised by that compromised router is bogus.  
The compromised router is owned by OrgID: S2NL (now defunct).  AS 36471 belongs 
to KDSS-23.  
The compromised router does not belong to Kratos 
KDSS-23, and is 
causing routing problems.  The compromised router needs to be shut down.  The 
owner of the compromised router ceased business, and there isn't anyone around 
to address this at S2NL.  The only people that can resolve this is Cogent.   
Cogent's defunct customer's router was compromised, and is spewing out bogus 
advertisements.

Pete


Hi Pete,

This seems a bit confusing.

So, S2NL was a bill-paying customer of Cogent with a BGP speaking router.
They went out of business, and stopped paying their Cogent bills.
Cogent, out of the goodness of their hearts, continued to let a non-paying 
customer keep their connectivity up and active, and continued to freely import 
prefixes across BGP neighbors from this non-paying defunct customer.
Now, someone else has gained access to this non-paying, defunct customer's 
router (which Cogent is still providing free connectivity to, out of the 
goodness of their hearts), and is generating RPKI-valid announcements from it, 
which have somehow not caused a flurry of messages on the outages list about 
prefix hijackings.

The elements to your claim don't really seem to add up.
1) ISPs aren't famous for letting non-bill-paying customers stay connected for 
very long past the grace period on their billing cycle, let alone long after 
the company has gone belly-up.
2) It's not impossible to generate RPKI-valid announcements from a hijacked 
network, but it's very difficult to generate *bogus* RPKI-valid announcements 
from a compromised router--that's the whole point of RPKI, to be able to 
validate that the prefixes being announced from an origin are indeed the ones 
that are owned by that origin.

Can you provide specific prefix and AS_PATH combinations being originated by 
that router that are "bogus" and don't belong to the router's ASN?

If, however, what you meant is that the router used to be ASN X, and is now 
suddenly showing up as ASN 36471, and Cogent happily changed their BGP neighbor 
statements to match the new ASN, even though the entity no longer exists and 
hasn't been paying their bills for some time, then that would imply a level of 
complicity on Cogent's part that would make them unlikely to respond to your 
abuse reports.  That would be a very strong allegation to make, and the 
necessary level of documented proof of that level of malfeasance would be 
substantial.

In short--I'm having a hard time understanding how a non-paying entity still 
has working connectivity and BGP sessions, which makes me suspect there's a 
different side to this story we're not hearing yet.   ^_^;

Thanks!

Matt








Re: Cogent Abuse - Bogus Propagation of ASN 36471

2023-07-20 Thread Mike Lyon
I've told all Cogent reps that have ever called me that I would never,
under any circumstances, use their service. even if they provided it
to me free of charge...

Friends don't let friends use Cogent.

-Mike

On Thu, Jul 20, 2023 at 10:02 AM Mike Hammett  wrote:
>
> If they (or anyone else) want to give me free service to use as I see fit 
> (well, legally), I'll gladly accept their offer.
>
>
>
> -
> Mike Hammett
> Intelligent Computing Solutions
> http://www.ics-il.com
>
> Midwest-IX
> http://www.midwest-ix.com
>
> 
> From: "Tom Beecher" 
> To: "Matthew Petach" 
> Cc: nanog@nanog.org
> Sent: Thursday, July 20, 2023 11:38:50 AM
> Subject: Re: Cogent Abuse - Bogus Propagation of ASN 36471
>
>> In short--I'm having a hard time understanding how a non-paying entity still 
>> has working connectivity and BGP sessions, which makes me suspect there's a 
>> different side to this story we're not hearing yet.   ^_^;
>
>
> I know Cogent has long offered very cheap transit prices, but this seems very 
> aggressive! :)
>
> On Thu, Jul 20, 2023 at 12:28 PM Matthew Petach  wrote:
>>
>>
>>
>> On Thu, Jul 20, 2023 at 8:09 AM Pete Rohrman  
>> wrote:
>>>
>>> Ben,
>>>
>>> Compromised as in a nefarious entity went into the router and changed 
>>> passwords and did whatever.  Everything advertised by that compromised router 
>>> is bogus.  The compromised router is owned by OrgID: S2NL (now defunct).  
>>> AS 36471 belongs to KDSS-23.  The compromised router does not belong to 
>>> Kratos KDSS-23, and is causing routing problems.  The compromised router 
>>> needs to be shut down.  The owner of the compromised router ceased 
>>> business, and there isn't anyone around to address this at S2NL.  The only 
>>> people that can resolve this is Cogent.   Cogent's defunct customer's 
>>> router was compromised, and is spewing out bogus advertisements.
>>>
>>> Pete
>>
>>
>>
>> Hi Pete,
>>
>> This seems a bit confusing.
>>
>> So, S2NL was a bill-paying customer of Cogent with a BGP speaking router.
>> They went out of business, and stopped paying their Cogent bills.
>> Cogent, out of the goodness of their hearts, continued to let a non-paying 
>> customer keep their connectivity up and active, and continued to freely 
>> import prefixes across BGP neighbors from this non-paying defunct customer.
>> Now, someone else has gained access to this non-paying, defunct customer's 
>> router (which Cogent is still providing free connectivity to, out of the 
>> goodness of their hearts), and is generating RPKI-valid announcements from 
>> it, which have somehow not caused a flurry of messages on the outages list 
>> about prefix hijackings.
>>
>> The elements to your claim don't really seem to add up.
>> 1) ISPs aren't famous for letting non-bill-paying customers stay connected 
>> for very long past the grace period on their billing cycle, let alone long 
>> after the company has gone belly-up.
>> 2) It's not impossible to generate RPKI-valid announcements from a hijacked 
>> network, but it's very difficult to generate *bogus* RPKI-valid 
>> announcements from a compromised router--that's the whole point of RPKI, to 
>> be able to validate that the prefixes being announced from an origin are 
>> indeed the ones that are owned by that origin.
>>
>> Can you provide specific prefix and AS_PATH combinations being originated by 
>> that router that are "bogus" and don't belong to the router's ASN?
>>
>> If, however, what you meant is that the router used to be ASN X, and is 
>> now suddenly showing up as ASN 36471, and Cogent happily changed their BGP 
>> neighbor statements to match the new ASN, even though the entity no longer 
>> exists and hasn't been paying their bills for some time, then that would 
>> imply a level of complicity on Cogent's part that would make them unlikely 
>> to respond to your abuse reports.  That would be a very strong allegation to 
>> make, and the necessary level of documented proof of that level of 
>> malfeasance would be substantial.
>>
>> In short--I'm having a hard time understanding how a non-paying entity still 
>> has working connectivity and BGP sessions, which makes me suspect there's a 
>> different side to this story we're not hearing yet.   ^_^;
>>
>> Thanks!
>>
>> Matt
>>
>>
>>
>>
>>
>
>


-- 
Mike Lyon
mike.l...@gmail.com
http://www.linkedin.com/in/mlyon


RESOLVED: Cogent Abuse - Bogus Propagation of ASN 36471

2023-07-20 Thread Pete Rohrman

All,


Cogent has shut down the compromised router.  This issue is resolved.  
Thank you all for your help.




Pete
Stage2 "Survivor Island" Bronze Medal Winner



On 7/20/23 12:59, Mike Hammett wrote:
If they (or anyone else) want to give me free service to use as I see 
fit (well, legally), I'll gladly accept their offer.




-
Mike Hammett
Intelligent Computing Solutions
http://www.ics-il.com

Midwest-IX
http://www.midwest-ix.com


From: "Tom Beecher"
To: "Matthew Petach"
Cc: nanog@nanog.org
Sent: Thursday, July 20, 2023 11:38:50 AM
Subject: Re: Cogent Abuse - Bogus Propagation of ASN 36471

In short--I'm having a hard time understanding how a non-paying
entity still has working connectivity and BGP sessions, which
makes me suspect there's a different side to this story we're not
hearing yet.   ^_^;


I know Cogent has long offered very cheap transit prices, but this 
seems very aggressive! :)


On Thu, Jul 20, 2023 at 12:28 PM Matthew Petach 
 wrote:




On Thu, Jul 20, 2023 at 8:09 AM Pete Rohrman
 wrote:

Ben,

Compromised as in a nefarious entity went into the router and
changed passwords and did whatever.  Everything advertised by
that compromised router is bogus.  The compromised router is
owned by OrgID: S2NL (now defunct). AS 36471 belongs to
KDSS-23.
The compromised router does not belong to Kratos KDSS-23,
and is causing routing problems.  The compromised router needs
to be shut down.  The owner of the compromised router ceased
business, and there isn't anyone around to address this at
S2NL.  The only people that can resolve this is Cogent.  
Cogent's defunct customer's router was compromised, and is
spewing out bogus advertisements.

Pete



Hi Pete,

This seems a bit confusing.

So, S2NL was a bill-paying customer of Cogent with a BGP speaking
router.
They went out of business, and stopped paying their Cogent bills.
Cogent, out of the goodness of their hearts, continued to let a
non-paying customer keep their connectivity up and active, and
continued to freely import prefixes across BGP neighbors from this
non-paying defunct customer.
Now, someone else has gained access to this non-paying, defunct
customer's router (which Cogent is still providing free
connectivity to, out of the goodness of their hearts), and is
generating RPKI-valid announcements from it, which have somehow
not caused a flurry of messages on the outages list about prefix
hijackings.

The elements to your claim don't really seem to add up.
1) ISPs aren't famous for letting non-bill-paying customers stay
connected for very long past the grace period on their billing
cycle, let alone long after the company has gone belly-up.
2) It's not impossible to generate RPKI-valid announcements from a
hijacked network, but it's very difficult to generate *bogus*
RPKI-valid announcements from a compromised router--that's the
whole point of RPKI, to be able to validate that the prefixes
being announced from an origin are indeed the ones that are owned
by that origin.

Can you provide specific prefix and AS_PATH combinations being
originated by that router that are "bogus" and don't belong to the
router's ASN?

If, however, what you meant is that the router used to be ASN
X, and is now suddenly showing up as ASN 36471, and Cogent
happily changed their BGP neighbor statements to match the new
ASN, even though the entity no longer exists and hasn't been
paying their bills for some time, then that would imply a level of
complicity on Cogent's part that would make them unlikely to
respond to your abuse reports.  That would be a very strong
allegation to make, and the necessary level of documented proof of
that level of malfeasance would be substantial.

In short--I'm having a hard time understanding how a non-paying
entity still has working connectivity and BGP sessions, which
makes me suspect there's a different side to this story we're not
hearing yet.   ^_^;

Thanks!

Matt






Re: Cogent Abuse - Bogus Propagation of ASN 36471

2023-07-20 Thread Mike Hammett
If they (or anyone else) want to give me free service to use as I see fit 
(well, legally), I'll gladly accept their offer. 




- 
Mike Hammett 
Intelligent Computing Solutions 
http://www.ics-il.com 

Midwest-IX 
http://www.midwest-ix.com 

- Original Message -

From: "Tom Beecher"  
To: "Matthew Petach"  
Cc: nanog@nanog.org 
Sent: Thursday, July 20, 2023 11:38:50 AM 
Subject: Re: Cogent Abuse - Bogus Propagation of ASN 36471 




In short--I'm having a hard time understanding how a non-paying entity still 
has working connectivity and BGP sessions, which makes me suspect there's a 
different side to this story we're not hearing yet. ^_^; 





I know Cogent has long offered very cheap transit prices, but this seems very 
aggressive! :) 


On Thu, Jul 20, 2023 at 12:28 PM Matthew Petach < mpet...@netflight.com > 
wrote: 








On Thu, Jul 20, 2023 at 8:09 AM Pete Rohrman < prohr...@stage2networks.com > 
wrote: 




Ben, 
Compromised as in a nefarious entity went into the router and changed passwords 
and did whatever. Everything advertised by that compromised router is bogus. The
compromised router is owned by OrgID: S2NL (now defunct). AS 36471 belongs to
KDSS-23. The compromised router does not belong to Kratos KDSS-23, and is
causing routing problems. The compromised router needs to be shut down. The 
owner of the compromised router ceased business, and there isn't anyone around 
to address this at S2NL. The only people that can resolve this is Cogent. 
Cogent's defunct customer's router was compromised, and is spewing out bogus 
advertisements. 

Pete 






Hi Pete, 


This seems a bit confusing. 


So, S2NL was a bill-paying customer of Cogent with a BGP speaking router. 
They went out of business, and stopped paying their Cogent bills. 
Cogent, out of the goodness of their hearts, continued to let a non-paying 
customer keep their connectivity up and active, and continued to freely import 
prefixes across BGP neighbors from this non-paying defunct customer. 
Now, someone else has gained access to this non-paying, defunct customer's 
router (which Cogent is still providing free connectivity to, out of the 
goodness of their hearts), and is generating RPKI-valid announcements from it, 
which have somehow not caused a flurry of messages on the outages list about 
prefix hijackings. 


The elements to your claim don't really seem to add up. 
1) ISPs aren't famous for letting non-bill-paying customers stay connected for 
very long past the grace period on their billing cycle, let alone long after 
the company has gone belly-up. 
2) It's not impossible to generate RPKI-valid announcements from a hijacked 
network, but it's very difficult to generate *bogus* RPKI-valid announcements 
from a compromised router--that's the whole point of RPKI, to be able to 
validate that the prefixes being announced from an origin are indeed the ones 
that are owned by that origin. 


Can you provide specific prefix and AS_PATH combinations being originated by 
that router that are "bogus" and don't belong to the router's ASN? 


If, however, what you meant is that the router used to be ASN X, and is now 
suddenly showing up as ASN 36471, and Cogent happily changed their BGP neighbor 
statements to match the new ASN, even though the entity no longer exists and 
hasn't been paying their bills for some time, then that would imply a level of 
complicity on Cogent's part that would make them unlikely to respond to your 
abuse reports. That would be a very strong allegation to make, and the 
necessary level of documented proof of that level of malfeasance would be 
substantial. 


In short--I'm having a hard time understanding how a non-paying entity still 
has working connectivity and BGP sessions, which makes me suspect there's a 
different side to this story we're not hearing yet. ^_^; 


Thanks! 


Matt


Re: Cogent Abuse - Bogus Propagation of ASN 36471

2023-07-20 Thread Tom Beecher
>
> In short--I'm having a hard time understanding how a non-paying entity
> still has working connectivity and BGP sessions, which makes me suspect
> there's a different side to this story we're not hearing yet.   ^_^;
>

I know Cogent has long offered very cheap transit prices, but this seems
very aggressive! :)

On Thu, Jul 20, 2023 at 12:28 PM Matthew Petach 
wrote:

>
>
> On Thu, Jul 20, 2023 at 8:09 AM Pete Rohrman 
> wrote:
>
>> Ben,
>>
>> Compromised as in a nefarious entity went into the router and changed
>> passwords and did whatever.  Everything advertised by that compromised router
>> is bogus.  The compromised router is owned by OrgID: S2NL (now defunct).
>> AS 36471 belongs to KDSS-23.  The
>> compromised router does not belong to Kratos KDSS-23, and is
>> causing routing problems.  The compromised router needs to be shut down.
>> The owner of the compromised router ceased business, and there isn't anyone
>> around to address this at S2NL.  The only people that can resolve this is
>> Cogent.   Cogent's defunct customer's router was compromised, and is
>> spewing out bogus advertisements.
>>
>> Pete
>>
>
>
> Hi Pete,
>
> This seems a bit confusing.
>
> So, S2NL was a bill-paying customer of Cogent with a BGP speaking router.
> They went out of business, and stopped paying their Cogent bills.
> Cogent, out of the goodness of their hearts, continued to let a non-paying
> customer keep their connectivity up and active, and continued to freely
> import prefixes across BGP neighbors from this non-paying defunct customer.
> Now, someone else has gained access to this non-paying, defunct customer's
> router (which Cogent is still providing free connectivity to, out of the
> goodness of their hearts), and is generating RPKI-valid announcements from
> it, which have somehow not caused a flurry of messages on the outages list
> about prefix hijackings.
>
> The elements to your claim don't really seem to add up.
> 1) ISPs aren't famous for letting non-bill-paying customers stay connected
> for very long past the grace period on their billing cycle, let alone long
> after the company has gone belly-up.
> 2) It's not impossible to generate RPKI-valid announcements from a
> hijacked network, but it's very difficult to generate *bogus* RPKI-valid
> announcements from a compromised router--that's the whole point of RPKI, to
> be able to validate that the prefixes being announced from an origin are
> indeed the ones that are owned by that origin.
>
> Can you provide specific prefix and AS_PATH combinations being originated
> by that router that are "bogus" and don't belong to the router's ASN?
>
> If, however, what you meant is that the router used to be ASN X, and
> is now suddenly showing up as ASN 36471, and Cogent happily changed their
> BGP neighbor statements to match the new ASN, even though the entity no
> longer exists and hasn't been paying their bills for some time, then that
> would imply a level of complicity on Cogent's part that would make them
> unlikely to respond to your abuse reports.  That would be a very strong
> allegation to make, and the necessary level of documented proof of that
> level of malfeasance would be substantial.
>
> In short--I'm having a hard time understanding how a non-paying entity
> still has working connectivity and BGP sessions, which makes me suspect
> there's a different side to this story we're not hearing yet.   ^_^;
>
> Thanks!
>
> Matt
>
>
>
>
>
>
>>


Re: Cogent Abuse - Bogus Propagation of ASN 36471

2023-07-20 Thread William Herrin
On Thu, Jul 20, 2023 at 8:06 AM Pete Rohrman
 wrote:
> On 7/20/23 10:40, Ben Cox wrote:
>> Can you confirm what you mean by compromised here?
> Compromised as in a nefarious entity went into the router and changed 
> passwords and did whatever.

Hi Pete,

I think Ben is asking you to "be more specific." The information you
provided isn't really sufficient for someone who isn't you to
differentiate between the routes you consider legitimate and the
ones you think bogus.

If you would provide the output of two runs of "show ip bgp," one
trimmed to show the routes you consider bogus and the other trimmed to
show the routes you consider legitimate, it would likely answer Ben's
questions. Routeviews has FRR instances you can log in to and fetch
the text output of "show ip bgp" which are outside your network.

Regards,
Bill Herrin



--
William Herrin
b...@herrin.us
https://bill.herrin.us/


Re: Cogent Abuse - Bogus Propagation of ASN 36471

2023-07-20 Thread Matthew Petach
On Thu, Jul 20, 2023 at 8:09 AM Pete Rohrman 
wrote:

> Ben,
>
> Compromised as in a nefarious entity went into the router and changed
> passwords and did whatever.  Everything advertised by that compromised router
> is bogus.  The compromised router is owned by OrgID: S2NL (now defunct).
> AS 36471 belongs to KDSS-23.  The
> compromised router does not belong to Kratos KDSS-23, and is
> causing routing problems.  The compromised router needs to be shut down.
> The owner of the compromised router ceased business, and there isn't anyone
> around to address this at S2NL.  The only people that can resolve this is
> Cogent.   Cogent's defunct customer's router was compromised, and is
> spewing out bogus advertisements.
>
> Pete
>


Hi Pete,

This seems a bit confusing.

So, S2NL was a bill-paying customer of Cogent with a BGP speaking router.
They went out of business, and stopped paying their Cogent bills.
Cogent, out of the goodness of their hearts, continued to let a non-paying
customer keep their connectivity up and active, and continued to freely
import prefixes across BGP neighbors from this non-paying defunct customer.
Now, someone else has gained access to this non-paying, defunct customer's
router (which Cogent is still providing free connectivity to, out of the
goodness of their hearts), and is generating RPKI-valid announcements from
it, which have somehow not caused a flurry of messages on the outages list
about prefix hijackings.

The elements to your claim don't really seem to add up.
1) ISPs aren't famous for letting non-bill-paying customers stay connected
for very long past the grace period on their billing cycle, let alone long
after the company has gone belly-up.
2) It's not impossible to generate RPKI-valid announcements from a hijacked
network, but it's very difficult to generate *bogus* RPKI-valid
announcements from a compromised router--that's the whole point of RPKI, to
be able to validate that the prefixes being announced from an origin are
indeed the ones that are owned by that origin.

Can you provide specific prefix and AS_PATH combinations being originated
by that router that are "bogus" and don't belong to the router's ASN?

If, however, what you meant is that the router used to be ASN X, and is
now suddenly showing up as ASN 36471, and Cogent happily changed their BGP
neighbor statements to match the new ASN, even though the entity no longer
exists and hasn't been paying their bills for some time, then that would
imply a level of complicity on Cogent's part that would make them unlikely
to respond to your abuse reports.  That would be a very strong allegation
to make, and the necessary level of documented proof of that level of
malfeasance would be substantial.

In short--I'm having a hard time understanding how a non-paying entity
still has working connectivity and BGP sessions, which makes me suspect
there's a different side to this story we're not hearing yet.   ^_^;

Thanks!

Matt






>


Re: Cogent Abuse - Bogus Propagation of ASN 36471

2023-07-20 Thread Pete Rohrman

Ben,

Compromised as in a nefarious entity went into the router and changed 
passwords and did whatever.  Everything advertised by that compromised
router is bogus.  The compromised router is owned by OrgID: S2NL (now
defunct).  AS 36471 belongs to KDSS-23. The
compromised router does not belong to Kratos KDSS-23, and is
causing routing problems.  The compromised router needs to be shut 
down.  The owner of the compromised router ceased business, and there 
isn't anyone around to address this at S2NL. The only people that can 
resolve this is Cogent.   Cogent's defunct customer's router was 
compromised, and is spewing out bogus advertisements.


Pete


--
Pete
Stage2 "Survivor Island" Bronze Medal Winner


On 7/20/23 10:40, Ben Cox wrote:

Can you confirm what you mean by compromised here?

The prefixes currently (as far as I can see from bgp.tools) originated are:

Prefix            Description
209.255.244.0/24  Windstream Communications LLC
209.255.245.0/24  CONSOLIDATED TECHNOLOGIES INC 325 HUDSON
209.255.246.0/24  Windstream Communications LLC
209.255.247.0/24  CONSOLIDATED TECHNOLOGIES INC 325 HUDSON
216.197.80.0/20   --

The 209.xx have valid RPKI certs, so they seem validish, but all have
RADB IRR entries made by lightower.com in 2015.

Do you mean that someone has impersonated AS36471 and set up a cogent
port, and is now announcing your space? I'm confused

On Thu, Jul 20, 2023 at 3:32 PM Pete Rohrman
  wrote:

NANOG,

A customer of Cogent has a compromised router that is announcing
prefixes sourced from AS 36471.   Cogent is propagating that to the
world.  Problem is, those prefixes and AS don't belong to that customer
of Cogent - AS 36471 belongs to Kratos Defense & Security Solutions,
Inc. (see whois).

Requests to Cogent Support and Abuse go un-actioned.  Need a contact at
Cogent Abuse that can shut down that compromised router.  Anyone have a
good contact at Cogent Abuse Dept?

Cogent ticket: HD302928500

Pete

--
Pete
Stage2 "Survivor Island" Bronze Medal Winner

Re: Cogent Abuse - Bogus Propagation of ASN 36471

2023-07-20 Thread Ben Cox via NANOG
Can you confirm what you mean by compromised here?

The prefixes currently (as far as I can see from bgp.tools) originated are:

Prefix            Description
209.255.244.0/24  Windstream Communications LLC
209.255.245.0/24  CONSOLIDATED TECHNOLOGIES INC 325 HUDSON
209.255.246.0/24  Windstream Communications LLC
209.255.247.0/24  CONSOLIDATED TECHNOLOGIES INC 325 HUDSON
216.197.80.0/20   --

The 209.xx have valid RPKI certs, so they seem validish, but all have
RADB IRR entries made by lightower.com in 2015.

Do you mean that someone has impersonated AS36471 and set up a cogent
port, and is now announcing your space? I'm confused

On Thu, Jul 20, 2023 at 3:32 PM Pete Rohrman
 wrote:
>
> NANOG,
>
> A customer of Cogent has a compromised router that is announcing
> prefixes sourced from AS 36471.   Cogent is propagating that to the
> world.  Problem is, those prefixes and AS don't belong to that customer
> of Cogent - AS 36471 belongs to Kratos Defense & Security Solutions,
> Inc. (see whois).
>
> Requests to Cogent Support and Abuse go un-actioned.  Need a contact at
> Cogent Abuse that can shut down that compromised router.  Anyone have a
> good contact at Cogent Abuse Dept?
>
> Cogent ticket: HD302928500
>
> Pete
>
> --
> Pete
> Stage2 "Survivor Island" Bronze Medal Winner
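
Added example, not part of any message in this thread: a minimal RFC 6811 route origin validation check, the test behind the "RPKI-valid" wording in Matthew Petach's and Ben Cox's messages, run over prefix and AS_PATH pairs of the kind Matthew asks for. The VRPs, the AS_PATHs and the /25 announcement are constructed for illustration (64500, 64501 and 64511 are documentation ASNs); only the prefixes and AS 36471 come from the thread.

```python
import ipaddress
from typing import NamedTuple, Optional


class VRP(NamedTuple):
    """Validated ROA payload: prefix, maximum announced length, authorised origin."""
    prefix: str
    max_length: int
    asn: int


# Constructed VRPs (assumption): one per 209.255.24x.0/24 from Ben Cox's list,
# origin AS 36471. They are not copied from any RPKI repository.
VRPS = [VRP(f"209.255.{o}.0/24", 24, 36471) for o in (244, 245, 246, 247)]

# Constructed (prefix, AS_PATH) pairs. 64500, 64501 and 64511 are documentation ASNs.
ANNOUNCEMENTS = [
    ("209.255.244.0/24", "64500 64501 36471"),
    ("209.255.246.0/25", "64500 64501 36471"),      # longer than maxLength
    ("209.255.247.0/24", "64500 64511"),            # different origin AS
    ("209.255.245.0/24", "64500 {64501,36471}"),    # path ends in an AS_SET
    ("216.197.80.0/20", "64500 64501 36471"),       # no covering VRP
]


def origin_of(as_path: str) -> Optional[int]:
    """Rightmost AS_PATH element; None when the path is empty or ends in an AS_SET."""
    tokens = as_path.split()
    if not tokens or not tokens[-1].isdigit():
        return None
    return int(tokens[-1])


def validate(prefix: str, as_path: str, vrps=VRPS) -> str:
    """Return 'valid', 'invalid' or 'not-found' following RFC 6811."""
    route = ipaddress.ip_network(prefix)
    origin = origin_of(as_path)
    covered = False
    for vrp in vrps:
        vrp_net = ipaddress.ip_network(vrp.prefix)
        if route.version != vrp_net.version or not route.subnet_of(vrp_net):
            continue  # this VRP does not cover the announced prefix
        covered = True
        if (origin is not None and vrp.asn != 0 and vrp.asn == origin
                and route.prefixlen <= vrp.max_length):
            return "valid"
    # Covered by at least one VRP but matched by none: invalid.
    return "invalid" if covered else "not-found"


def classify(announcements=ANNOUNCEMENTS, vrps=VRPS):
    """Map each (prefix, AS_PATH) pair to its validation state."""
    return {(p, path): validate(p, path, vrps) for p, path in announcements}


if __name__ == "__main__":
    for (prefix, path), state in classify().items():
        print(f"{prefix:<20} {path:<24} {state}")
```

The state depends only on the prefix, its length and the rightmost ASN of the AS_PATH, so in an investigation like this one a "valid" result is read alongside the full AS_PATH and the IRR records Ben mentions.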


Cogent Abuse - Bogus Propagation of ASN 36471

2023-07-20 Thread Pete Rohrman

NANOG,

A customer of Cogent has a compromised router that is announcing 
prefixes sourced from AS 36471.   Cogent is propagating that to the 
world.  Problem is, those prefixes and AS don't belong to that customer 
of Cogent - AS 36471 belongs to Kratos Defense & Security Solutions, 
Inc. (see whois).


Requests to Cogent Support and Abuse go un-actioned.  Need a contact at 
Cogent Abuse that can shut down that compromised router.  Anyone have a 
good contact at Cogent Abuse Dept?


Cogent ticket: HD302928500

Pete

--
Pete
Stage2 "Survivor Island" Bronze Medal Winner