Avoiding Piracy in DOCSIS
Networks
                     April 29th, 2010

Patricio S. Latini
Director, Sales Engineering
C...
Expo Canitec 2010, Taller Arris

Preventing piracy in DOCSIS networks

  1. Avoiding Piracy in DOCSIS Networks. April 29th, 2010. Patricio S. Latini, Director, Sales Engineering, Caribbean and Latin America
  2. Agenda
     ▪ DOCSIS Provisioning
     ▪ Piracy Attacks and Solutions
     ▪ CPE Related Security
  3. DOCSIS Provisioning
  4. DOCSIS Provisioning
     ▪ Standards Based
       - DHCP, ToD, TFTP
     ▪ Distributed Architecture
       - DHCP Server has all the customer data
       - CMTS and CMs just policy enforcers
       - CMs are untrusted elements
  5. DOCSIS Piracy
     ▪ Mostly based on hacked firmware of cablemodems.
     ▪ Needs to be mitigated by a battery of countermeasures.
       - Network Based
       - CMTS Based
       - Provisioning System Based
  6. DOCSIS Piracy
  7. DOCSIS Piracy
  8. DOCSIS Piracy: Speed Uncapping
     ▪ Removing the speed caps (limits), either by changing them for higher ones or by removing them completely.
     ▪ Done by replacing the legitimate configuration file used by the cable modem with a different one.
     ▪ Can use a file on a local PC or on the TFTP servers in the network.
  9. DOCSIS Piracy: Speed Uncapping
     ▪ Case I – No Shared Secret implemented
     Worst case: the hacker can create a config file with any speed limit (or no limit), put it on his PC and instruct the hacked modem to ignore the parameters received by DHCP and download a file from the local PC.
  10. DOCSIS Provisioning: DHCP Process
     [Diagram: the CMTS (10.0.0.254 / 172.16.0.1) is a DHCP Relay Agent between the Provisioning System (DHCP Server 10.0.0.1, TFTP Server 10.0.0.2, ToD Server 10.0.0.3) and the Cablemodem (MAC: 00:00:DE:AD:BE:EF) on the HFC Network. DHCP Offer from the server: Src 10.0.0.1, Dst 10.0.0.254. DHCP Offer to the modem: Src C4:C4:C4:C4:C4:C4, Dst 00:00:DE:AD:BE:EF. Offer contents: TFTP S: 10.0.0.2, TFTP F: silver.bin.]
  11. DOCSIS Provisioning: Hacked TFTP Process
     [Diagram: same topology with a Hacked Cablemodem (MAC: 00:00:DE:AD:BE:EF, IP: 172.16.0.10). TFTP Request and TFTP Response for FILE: hacked.bin are exchanged between 192.168.100.1 and 192.168.100.10, without reaching the Provisioning System.]
  12. DOCSIS Piracy: Speed Uncapping
     ▪ Case II – Shared Secret implemented, No Network Security
     In this case the hacker cannot create a custom config file because it will fail Shared Secret verification. However, he can get valid files with higher speeds from the MSO TFTP Server and put them on his own PC.
  13. DOCSIS Provisioning: Hacked TFTP Process
     [Diagram: same topology; Cablemodem MAC: 00:00:DE:AD:BE:EF, IP: 172.16.0.10; CMTS also shown with 200.0.0.1. TFTP Request: Src 200.0.0.10, Dst 10.0.0.2, FILE: gold.bin. TFTP Response: Src 10.0.0.2, Dst 200.0.0.10, FILE: gold.bin.]
  14. DOCSIS Provisioning: DHCP Process
     [Diagram: the CMTS (10.0.0.254 / 172.16.0.1) is a DHCP Relay Agent between the Provisioning System (DHCP Server 10.0.0.1, TFTP Server 10.0.0.2, ToD Server 10.0.0.3) and the Cablemodem (MAC: 00:00:DE:AD:BE:EF) on the HFC Network. DHCP Offer from the server: Src 10.0.0.1, Dst 10.0.0.254. DHCP Offer to the modem: Src C4:C4:C4:C4:C4:C4, Dst 00:00:DE:AD:BE:EF. Offer contents: TFTP S: 10.0.0.2, TFTP F: silver.bin.]
  15. DOCSIS Provisioning: Hacked TFTP Process
     [Diagram: same topology; Cablemodem MAC: 00:00:DE:AD:BE:EF, IP: 172.16.0.10. TFTP Request and TFTP Response for FILE: gold.bin are exchanged between 192.168.100.1 and 192.168.100.10, without reaching the Provisioning System.]
  16. DOCSIS Piracy: DHCP Broadcast and Unicast
     ▪ If a modem makes a DHCP Discover with the Broadcast flag enabled, the Offer is sent to the broadcast address (ff:ff:ff:ff:ff:ff) in the downstream.
     ▪ All the broadcast traffic received by a modem is copied to the Ethernet port.
     ▪ Anybody with a packet sniffer can get modem MAC addresses and config file names in the local downstream!
     ▪ When the modem sends a Discover with the broadcast flag set to 0, the Offer is sent only to the modem MAC address and is not copied to other modems' Ethernet ports.
  17. DOCSIS Piracy: Speed Uncapping - Protection
     DOCSIS Provided
     ▪ Implement Shared Secret MIC!
     ▪ Use a strong secret: 30 chars+ and special characters.
     ▪ Allow TFTP file downloads only from cablemodem IP networks (172.16.0.0) and block them from the CPE network and others (use filters in the CMTS and routers, not in the CMs; they are untrusted).
     ▪ Request from CM vendors firmware that sends DHCP requests with the Broadcast flag disabled.
     CMTS Provided
     ▪ Implement TFTP Enforce (TFTP Proxy)
     ▪ Use Dynamic Shared Secret
  18. DOCSIS Piracy: Speed Uncapping – TFTP Enforce
     ▪ During the DHCP exchange, the CMTS replaces the TFTP Server address and name with its own address and stores that information in a table.
     ▪ When the modem sends the TFTP file request, the CMTS proxies it and gets the file from the TFTP Server.
     ▪ By doing that, it ensures that the legitimate file is downloaded from the proper server.
  19. DOCSIS Provisioning: TFTP Enforce - DHCP Process
     [Diagram: DHCP Offer from the server: Src 10.0.0.1, Dst 10.0.0.254, Yiaddr: 172.16.0.10, TFTP S: 10.0.0.2, TFTP F: silver.bin. DHCP Offer to the Cablemodem (MAC: 00:00:DE:AD:BE:EF): Yiaddr: 172.16.0.10, TFTP S: 172.16.0.1, TFTP F: silver.bin. CMTS TFTP Client Table (CM, TFTP S, TFTP File): 172.16.0.11, 10.0.0.2, gold.bin; 172.16.0.10, 10.0.0.2, silver.bin.]
  20. DOCSIS Provisioning: TFTP Enforce - TFTP Process
     [Diagram: four packets, all with FILE: silver.bin. TFTP Request: Src 172.16.0.10, Dst 172.16.0.1. TFTP Request: Src 172.16.0.1, Dst 10.0.0.2. TFTP Response: Src 10.0.0.2, Dst 172.16.0.1. TFTP Response: Src 172.16.0.1, Dst 172.16.0.10. Cablemodem MAC: 00:00:DE:AD:BE:EF, IP: 172.16.0.10. CMTS TFTP Client Table (CM, TFTP S, TFTP File): 172.16.0.11, 10.0.0.2, gold.bin; 172.16.0.10, 10.0.0.2, silver.bin.]
  21. DOCSIS Piracy: Speed Uncapping – Dynamic Secret
     ▪ This feature goes one step further than TFTP Enforce: instead of just proxying the file, the CMTS disassembles it, recalculates the MIC with a per-session shared secret and reassembles the file.
     ▪ After the modem gets the file and sends the Registration Request, the MICs must match.
     ▪ This is much more secure, as an individual secret is used for each file download.
  22. DOCSIS Provisioning: Dynamic Shared Secret
     [Diagram: the same four TFTP packets as in the TFTP Enforce process (172.16.0.10 to 172.16.0.1, 172.16.0.1 to 10.0.0.2, and the two responses back), all with FILE: silver.bin. CMTS TFTP Client Table (CM, TFTP S, TFTP File, Dynamic MIC): 172.16.0.11, 10.0.0.2, gold.bin, 0x12dce5f5430; 172.16.0.10, 10.0.0.2, silver.bin, 0x524c45f5879.]
  23. DOCSIS Provisioning: Dynamic Shared Secret
     [Diagram: REG - Request and REG - Response between the Cablemodem (MAC: 00:00:DE:AD:BE:EF, IP: 172.16.0.10) and the CMTS. Labels: Registration ACK; Service Flows, Classifiers, MAC CPE, MD5, CMTS MIC = 0x524c45f5879. CMTS TFTP Client Table (CM, TFTP S, TFTP File, Dynamic MIC): 00:00:DE:AD:00:00, 10.0.0.2, gold.bin, 0x12dce5f5430; 00:00:DE:AD:BE:EF, 10.0.0.2, silver.bin, 0x524c45f5879.]
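The TFTP Enforce and Dynamic Shared Secret checks from slides 18 to 23, as an added Python model that is not part of the original deck and not any CMTS vendor's code. It assumes a simplified config file (settings followed by an HMAC-MD5 MIC); the class, function names and rate strings are hypothetical, while the file names and modem MACs are the ones on the slides.

```python
import hashlib
import hmac
import os

# Simplified model (assumption): a config file is a settings blob followed by
# a 16-byte MIC = HMAC-MD5(secret, settings). The real CMTS MIC covers a
# defined list of TLVs; the check has the same shape.
MIC_LEN = 16
STATIC_SECRET = b"constructed-static-secret"  # constructed sample value


def mic(secret, settings):
    return hmac.new(secret, settings, hashlib.md5).digest()


def sign(secret, settings):
    return settings + mic(secret, settings)


class Cmts:
    def __init__(self, tftp_files):
        self.tftp_files = tftp_files  # file name -> blob on the TFTP server
        self.table = {}               # CM MAC -> provisioned file + secret

    def on_dhcp_offer(self, cm_mac, tftp_file):
        # TFTP Enforce: record the file the DHCP server assigned to this CM.
        self.table[cm_mac] = {"file": tftp_file, "secret": os.urandom(16)}

    def on_tftp_request(self, cm_mac, requested):
        entry = self.table.get(cm_mac)
        if entry is None or requested != entry["file"]:
            return None  # not the provisioned file: refuse to proxy it
        blob = self.tftp_files[entry["file"]]
        settings, old = blob[:-MIC_LEN], blob[-MIC_LEN:]
        if not hmac.compare_digest(old, mic(STATIC_SECRET, settings)):
            return None  # stored file fails the static-secret check
        # Dynamic Shared Secret: re-sign with this session's secret.
        return sign(entry["secret"], settings)

    def on_registration(self, cm_mac, blob):
        entry = self.table.get(cm_mac)
        if entry is None or len(blob) <= MIC_LEN:
            return False
        settings, got = blob[:-MIC_LEN], blob[-MIC_LEN:]
        return hmac.compare_digest(got, mic(entry["secret"], settings))


def build_demo():
    # Constructed settings; file names and MACs are the ones on the slides.
    files = {"silver.bin": sign(STATIC_SECRET, b"max_rate=2M"),
             "gold.bin": sign(STATIC_SECRET, b"max_rate=10M")}
    cmts = Cmts(files)
    cmts.on_dhcp_offer("00:00:DE:AD:BE:EF", "silver.bin")
    cmts.on_dhcp_offer("00:00:DE:AD:00:00", "gold.bin")
    return cmts, files
```

With the per-session secret, a gold.bin that is valid under the static secret, or one issued to another modem's session, no longer passes registration for the silver modem.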
  24. DOCSIS Piracy: Cablemodem MAC Cloning
     ▪ A cable modem identifies itself to the network by its MAC address.
     ▪ Cloning the MAC address of a modem allows an un-provisioned modem to get the service of a provisioned modem.
     ▪ This is much more dangerous because a hacker behind a cloned modem can carry out illegal activities and be untraceable.
     ▪ Hacked firmware allows the MAC address of a compromised modem to be changed to any value.
  25. DOCSIS Piracy: Cablemodem MAC Cloning
     ▪ DOCSIS 1.1 specified BPI Plus as a method to authenticate a cable modem.
     ▪ All modems, DOCSIS 1.1 and over, have an embedded certificate that is signed by the manufacturer and CableLabs.
     ▪ When BPI+ is enabled, the modem must send the certificate to the CMTS, which validates the signature against its own database. If validation fails, the CMTS can deny the service.
  26. DOCSIS Piracy: MAC Cloning - Recommendations
     ▪ BPI+ is enabled in the configuration file, so all the previous protection measures should be implemented to ensure that the file is not modified and BPI+ disabled.
     ▪ It is recommended to remove all DOCSIS 1.0 modems from the network and have only DOCSIS 1.1 modems; by doing so, all DOCSIS 1.0 config files can be deleted from the TFTP Server.
     ▪ Ensure all the modems send the DHCP broadcast flag set to 0, so that their Offers are not sent on the broadcast.
  27. DOCSIS Piracy: MAC Cloning – BPI+ Mandatory
     ▪ Hacked firmware also supports changing the advertised supported DOCSIS version in order to cheat the provisioning.
     ▪ Some CMTSs support BPI+ mandatory, which means that a modem that tries to register without BPI+ is rejected.
     ▪ All modems and config files need to be DOCSIS 1.1 enabled.
  28. DOCSIS Piracy: MAC Cloning – Other Cases
     ▪ Some modem vendors are vulnerable to full flash copy (MAC and certificates).
     ▪ This creates a full clone.
     ▪ High-tech equipment and physical access are required for that.
     ▪ BPI+ cannot do much about that.
     ▪ Some CMTSs support manual deny lists in order to block those modems from passing the Ranging stage.
     ▪ Your provisioning system could have detection algorithms to detect the same MAC coming from different CMTS/Upstream Ports.
  29. CPE Related Security
  30. Customer Security
     CMTS
     ▪ Packet Filters
     ▪ Source Verify (Source Address Verification)
     ▪ DHCP Option 82.1 and 82.2 relaying
     ▪ Protocol Throttling (DHCP and ARP)
     DHCP Server
     ▪ CPE Lease Logging
  31. Customer Security: Source Verify
     ▪ The CMTS snoops all CPE DHCP Offers and creates a table of CPE MAC, CPE IP and CM.
     ▪ When a CPE sends an ARP Request, the CMTS looks in the table for an existing entry; if there is no matching entry, the ARP is discarded.
     ▪ This prevents ARP poisoning.
     ▪ It also gives tight control to be sure that all the IP addresses being used by CPEs were assigned and logged by the DHCP Server.
  32. DOCSIS Provisioning: Source Verify
     [Diagram: DHCP Discover from the CPE: Src 00:11:22:33:44:55, Dst FF:FF:FF:FF:FF:FF. DHCP Discover relayed by the CMTS: Src 10.0.0.254, Dst 10.0.0.1, Giaddr: 200.0.0.1, chaddr: 00:11:22:33:44:55. DHCP Offer from the server: Src 10.0.0.1, Dst 10.0.0.254, yiaddr: 200.0.0.10. DHCP Offer to the CPE: Src C4:C4:C4:C4:C4:C4, Dst 00:11:22:33:44:55, yiaddr: 200.0.0.10. Cablemodem MAC: 00:00:DE:AD:BE:EF, IP: 172.16.0.10; CMTS: 10.0.0.254 / 172.16.0.1 / 200.0.0.1. CMTS MACDB Client Table (CPE MAC, CPE IP, CM MAC): 00:11:22:33:44:55, 200.0.0.10, 00:00:DE:AD:BE:EF.]
  33. DOCSIS Provisioning: Source Verify
     [Diagram: ARP REQ: Src 00:11:22:33:44:55, Dst 00:00:00:00:00:00, Who has: 200.0.0.1, tell: 200.0.0.1. ARP REP: Src C4:C4:C4:C4:C4:C4, Dst 00:11:22:33:44:55. CMTS MACDB Client Table (CPE MAC, CPE IP, CM MAC): 00:11:22:33:44:55, 200.0.0.10, 00:00:DE:AD:BE:EF.]
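The Source Verify table lookup from slides 31 to 33, as an added Python model that is not part of the original deck and not a CMTS implementation. Matching on all three table columns (CPE IP, CPE MAC, CM MAC) is an assumption drawn from the table shown on the slides; the class and method names are hypothetical, and the addresses not on the slides are constructed.

```python
from typing import NamedTuple


class Binding(NamedTuple):
    cpe_mac: str
    cpe_ip: str
    cm_mac: str


class SourceVerify:
    """Toy model of the CMTS MACDB table built from snooped DHCP Offers."""

    def __init__(self):
        self.by_ip = {}  # CPE IP -> Binding

    def snoop_dhcp_offer(self, chaddr, yiaddr, cm_mac):
        # chaddr and yiaddr come from the Offer; cm_mac is the modem the
        # CPE sits behind.
        self.by_ip[yiaddr] = Binding(chaddr.upper(), yiaddr, cm_mac.upper())

    def check_arp(self, sender_mac, sender_ip, cm_mac):
        """Return (forward?, reason) for an ARP Request sent by a CPE."""
        binding = self.by_ip.get(sender_ip)
        if binding is None:
            return False, "ip-not-leased"   # address never handed out by DHCP
        if binding.cpe_mac != sender_mac.upper():
            return False, "mac-mismatch"    # someone else's leased address
        if binding.cm_mac != cm_mac.upper():
            return False, "wrong-modem"     # binding seen behind another CM
        return True, "ok"


def run_sample():
    sv = SourceVerify()
    cpe, cm = "00:11:22:33:44:55", "00:00:DE:AD:BE:EF"   # from the slides
    other_cpe, other_cm = "66:77:88:99:AA:BB", "00:00:DE:AD:00:00"
    sv.snoop_dhcp_offer(cpe, "200.0.0.10", cm)
    return {
        "leased": sv.check_arp(cpe, "200.0.0.10", cm),
        "claims_gateway": sv.check_arp(cpe, "200.0.0.1", cm),
        "static_ip": sv.check_arp(cpe, "200.0.0.99", cm),  # constructed IP
        "other_mac": sv.check_arp(other_cpe, "200.0.0.10", cm),
        "other_modem": sv.check_arp(cpe, "200.0.0.10", other_cm),
    }
```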
  34. Customer Security: CMTS Option 82.1 and 82.2 Relay
     ▪ The CMTS can add option 82 to either CM or CPE DHCP Discover packets.
     ▪ Option 82.1 specifies the name of the Upstream Port the request came from.
     ▪ Option 82.2 specifies the MAC address of the cablemodem the Discover came from.
     ▪ For CPEs it is very useful to know which cablemodem (MAC) the device is connected to, in order to take provisioning actions or just to keep a log.
  35. DOCSIS Provisioning: Option 82 Relay
     [Diagram: DHCP Discover from the CPE: Src 00:11:22:33:44:55, Dst FF:FF:FF:FF:FF:FF. DHCP Discover relayed by the CMTS: Src 10.0.0.254, Dst 10.0.0.1, Giaddr: 200.0.0.1, hwaddr: 00:11:22:33:44:55, Opt 82.1: Upstream 1, Opt 82.2: 00:00:DE:AD:BE:EF. Cablemodem MAC: 00:00:DE:AD:BE:EF, IP: 172.16.0.10; CMTS: 10.0.0.254 / 172.16.0.1 / 200.0.0.1.]
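Slide 28 suggests that the provisioning system detect the same MAC arriving from different CMTS/Upstream Ports, and the Option 82 fields on slides 34 and 35 supply the location data for it. The following Python sketch is an added example, not part of the original deck; the log format, the 10-minute window, the second CMTS address and the function names are assumptions, and the log lines are constructed.

```python
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=10)  # assumed threshold; tune to your network

# Constructed sample records: time, CM MAC (Option 82.2), relaying CMTS,
# upstream port (Option 82.1).
SAMPLE_LOG = """\
2010-04-29T10:00:00 00:00:DE:AD:BE:EF 10.0.0.254 Upstream1
2010-04-29T10:02:10 00:00:DE:AD:00:00 10.0.0.254 Upstream2
2010-04-29T10:03:30 00:00:DE:AD:BE:EF 10.0.1.254 Upstream4
2010-04-29T10:05:00 00:00:DE:AD:00:00 10.0.0.254 Upstream3
2010-04-29T18:00:00 00:00:DE:AD:00:01 10.0.0.254 Upstream1
2010-04-30T09:00:00 00:00:DE:AD:00:01 10.0.1.254 Upstream2
"""


def parse(log):
    for line in log.splitlines():
        if not line.strip():
            continue
        ts, mac, cmts, upstream = line.split()
        yield datetime.fromisoformat(ts), mac.upper(), cmts, upstream


def find_clones(log, window=WINDOW):
    """Flag a CM MAC seen at two different locations within `window`."""
    last_seen = {}   # mac -> (time, cmts, upstream) of the previous sighting
    findings = []
    for ts, mac, cmts, upstream in sorted(parse(log)):
        prev = last_seen.get(mac)
        if prev and ts - prev[0] <= window and (cmts, upstream) != prev[1:]:
            # A different CMTS is the stronger signal; a new upstream on the
            # same CMTS may be a legitimate channel move, so grade it lower.
            kind = "different-cmts" if cmts != prev[1] else "different-upstream"
            findings.append((mac, kind, prev[1:], (cmts, upstream)))
        last_seen[mac] = (ts, cmts, upstream)
    return findings
```

The third modem in the sample changes CMTS fifteen hours apart, which falls outside the window and is not flagged.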
  36. Customer Security: Protocol Throttling
     ▪ ARP and DHCP are protocols that are necessary for system operation and cannot be completely filtered.
     ▪ Hackers can take advantage of that and generate denial-of-service attacks.
     ▪ DHCP DoS can overload the DHCP Server.
     ▪ ARP DoS can saturate the local segment with ARP traffic.
     ▪ CMTSs support Protocol Throttling, which means that they allow a certain acceptable amount of traffic of those protocols and drop the rest.
  37. Questions?
  38. Thanks!