> > In short--I'm having a hard time understanding how a non-paying entity
> > still has working connectivity and BGP sessions, which makes me suspect
> > there's a different side to this story we're not hearing yet. ^_^;
> >
I know Cogent has long offered very cheap transit prices, but this seems very aggressive! :)

On Thu, Jul 20, 2023 at 12:28 PM Matthew Petach <mpet...@netflight.com> wrote:
>
> On Thu, Jul 20, 2023 at 8:09 AM Pete Rohrman <prohr...@stage2networks.com> wrote:
>
>> Ben,
>>
>> Compromised as in a nefarious entity went into the router and changed
>> passwords and did whatever. Everything advertised by that compromised router
>> is bogus. The compromised router is owned by OrgID: S2NL (now defunct).
>> AS 36471 belongs to KDSS-23
>> <https://search.arin.net/rdap?query=KDSS-23&searchFilter=entity>. The
>> compromised router does not belong to Kratos KDSS-23
>> <https://search.arin.net/rdap?query=KDSS-23&searchFilter=entity>, and is
>> causing routing problems. The compromised router needs to be shut down.
>> The owner of the compromised router ceased business, and there isn't anyone
>> around to address this at S2NL. The only people that can resolve this are
>> Cogent. Cogent's defunct customer's router was compromised, and is
>> spewing out bogus advertisements.
>>
>> Pete
>
> Hi Pete,
>
> This seems a bit confusing.
>
> So, S2NL was a bill-paying customer of Cogent with a BGP speaking router.
> They went out of business, and stopped paying their Cogent bills.
> Cogent, out of the goodness of their hearts, continued to let a non-paying
> customer keep their connectivity up and active, and continued to freely
> import prefixes across BGP neighbors from this non-paying defunct customer.
> Now, someone else has gained access to this non-paying, defunct customer's
> router (which Cogent is still providing free connectivity to, out of the
> goodness of their hearts), and is generating RPKI-valid announcements from
> it, which have somehow not caused a flurry of messages on the outages list
> about prefix hijackings.
>
> The elements to your claim don't really seem to add up.
>
> 1) ISPs aren't famous for letting non-bill-paying customers stay connected
> for very long past the grace period on their billing cycle, let alone long
> after the company has gone belly-up.
> 2) It's not impossible to generate RPKI-valid announcements from a
> hijacked network, but it's very difficult to generate *bogus* RPKI-valid
> announcements from a compromised router--that's the whole point of RPKI, to
> be able to validate that the prefixes being announced from an origin are
> indeed the ones that are owned by that origin.
>
> Can you provide specific prefix and AS_PATH combinations being originated
> by that router that are "bogus" and don't belong to the router's ASN?
>
> If, however, what you meant is that the router used to be ASN XXXXX, and
> is now suddenly showing up as ASN 36471, and Cogent happily changed their
> BGP neighbor statements to match the new ASN, even though the entity no
> longer exists and hasn't been paying their bills for some time, then that
> would imply a level of complicity on Cogent's part that would make them
> unlikely to respond to your abuse reports. That would be a very strong
> allegation to make, and the necessary level of documented proof of that
> level of malfeasance would be substantial.
>
> In short--I'm having a hard time understanding how a non-paying entity
> still has working connectivity and BGP sessions, which makes me suspect
> there's a different side to this story we're not hearing yet. ^_^;
>
> Thanks!
>
> Matt
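Added example, not part of the thread: a minimal RFC 6811 route-origin validation check in Python that makes Matt's point 2 concrete. The ROAs, prefixes (RFC 5737 documentation ranges) and ASNs (private-use range) are constructed here and have nothing to do with the networks named in the thread; an announcement from the wrong origin AS comes back invalid, while one from the ROA's own origin AS validates no matter who controls the router, which is why a "bogus" report needs prefix and AS_PATH pairs to be checkable.

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class Roa:
    """Route Origin Authorization: which ASN may originate a prefix."""
    prefix: str      # covering prefix, e.g. "203.0.113.0/24"
    max_length: int  # longest prefix length the ROA authorises
    origin_as: int   # ASN permitted to originate

# Constructed sample ROAs using documentation prefixes and private-use ASNs
# (RFC 5737 / RFC 6996); they stand in for real RPKI repository data.
ROAS = [
    Roa("203.0.113.0/24", 24, 64500),
    Roa("198.51.100.0/22", 24, 64500),
]

def validate(prefix: str, origin_as: int, roas=ROAS) -> str:
    """RFC 6811 origin validation: 'valid', 'invalid' or 'notfound'.

    Covered = some ROA prefix contains the route. Valid = a covering ROA
    names this origin AS and its maxLength allows the announced length.
    Covered but unmatched = invalid; uncovered = notfound.
    """
    net = ipaddress.ip_network(prefix)
    covered = False
    for roa in roas:
        roa_net = ipaddress.ip_network(roa.prefix)
        if net.version != roa_net.version or not net.subnet_of(roa_net):
            continue
        covered = True
        if roa.origin_as == origin_as and net.prefixlen <= roa.max_length:
            return "valid"
    return "invalid" if covered else "notfound"

def bogus_announcements(announcements, roas=ROAS):
    """(prefix, origin_as) pairs a ROV-enforcing peer would drop: only 'invalid'
    is dropped; 'notfound' is normally accepted, so a prefix with no ROA
    announced from the wrong AS is not caught by RPKI at all."""
    return [(p, a) for p, a in announcements if validate(p, a, roas) == "invalid"]

if __name__ == "__main__":
    # Constructed announcements from one router: its own authorised prefix,
    # a hijack of another ROA'd prefix, an over-specific one, and one with no ROA.
    sample = [("203.0.113.0/24", 64500), ("198.51.100.0/22", 64511),
              ("198.51.100.0/25", 64500), ("192.0.2.0/24", 64511)]
    for p, a in sample:
        print(f"{p} from AS{a}: {validate(p, a)}")
    print("dropped by ROV:", bogus_announcements(sample))
```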