Having worked as Sysadmin for a cable modem provider for two years, I have extensive experience with configuring both the CMTS side and the cable modem side of 3Com's cable modem network access equipment. There is a setting in 3Com's Cable Access Router that will eliminate the ARPs flying across the network. The command:

    set cable cpearp [enabled disabled]

toggles whether or not the cable access router will accept ARPs from the boxen on the other side of the cable modem. When CPE ARP is disabled, the router builds its ARP table by viewing the DHCP traffic that passes through it. While it is more secure to disable this feature (eliminating ARP spoofing), it also will break any customer's boxes that have statically assigned their IP address. All too often, customer satisfaction overcomes the need for security....

For those who wish to know, a very general description of how all DOCSIS modems (should) register on the network follows:

1) Lock on the downstream frequency where there is data being broadcast about available upstream frequencies.

2) Scan all upstream channels looking for the correct response from the cable router indicating that the cable modem is where it should be.

3) The cable modem issues a DHCP request for its own MAC address (the coax side). The cable router has a DHCP helper service that routes this request to a DHCP server on the service provider's network. The ACK of the DHCP contains the following information:

     IP Address
     Subnet Mask
     Default Gateway
     TFTP Boot Server IP Address
     TFTP Boot Filename

   The IP network on the coax part is usually a reserved, non-routable network - ie 10.x.x.x

4) The cable modem then connects to the TFTP server assigned via DHCP, and asks for the file also specified in the DHCP packets.

5) This file contains all kinds of information - max upstream and downstream, minimum upstream and downstream, max number of CPEs allowed, SNMP information, etc.
6) After downloading the file and configuring itself, the cable modem is in a "registered" state, and it is at this point that the cable modem will function. Depending on the setup, this is where the cable modem sets itself up as a bridge, and the CPEs can begin DHCPDISCOVERs, etc.

Justin

----- Original Message -----
From: "Keith.Morgan" <Keith.Morganat_private>
To: <VULN-DEVat_private>
Sent: Thursday, April 19, 2001 8:20 AM
Subject: Re: Hijack IP Address using cable modem (fwd)

> Charter cable networks use 3-com cable modems. Their modems are
> configured/viewed via a lightweight webserver that runs on the cable modem.
> I received a copy of the webserver software from the vendor that provides it
> to 3com but was unable to find any glaring vulnerabilities. However, this
> appears to be unnecessary on Charter networks. Charter provides
> addressing via DHCP, but does not lock the IP down to the MAC address of the
> client. I have tested this on their network, and arp-reply floods will
> allow a cable modem user to assume the IP address of another customer. I
> did not attempt to use this for a MiM attack, but it certainly seems
> possible. ARP storms are common on Charter's networks. It appears that
> their routers do not cache MAC addresses for very long.
>
> Of course, that could be a result of everyone's DHCP lease expiring in
> tandem, but the ARP storms appear to be much more common than the 3 day
> leases that are assigned.
>
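As an added example (mine, not code from the original post or from 3Com's equipment), the Python below models the defensive behaviour Justin describes for CPE ARP disabled: observed DHCP ACKs are the only source of truth for IP-to-MAC bindings, ARP replies that contradict them are flagged, repeated replies from one sender are counted as a possible ARP flood, and hosts that sent ARP without ever appearing in a DHCP ACK are listed separately, which is the statically addressed customer case the post warns will break. All traffic records and addresses are constructed for illustration.

```python
# Added example, not from the original thread: build IP->MAC truth from
# DHCP ACKs (as the router does when CPE ARP is disabled) and flag ARP
# replies that contradict it, plus hosts that never got a lease.
from collections import Counter, namedtuple

Event = namedtuple("Event", "kind ip mac")  # kind: "dhcp_ack" | "arp_reply"

# Constructed sample traffic for illustration only.
SAMPLE = [
    Event("dhcp_ack", "10.1.2.10", "00:10:4b:aa:aa:aa"),
    Event("dhcp_ack", "10.1.2.11", "00:10:4b:bb:bb:bb"),
    Event("arp_reply", "10.1.2.10", "00:10:4b:aa:aa:aa"),  # matches lease
    Event("arp_reply", "10.1.2.11", "00:10:4b:bb:bb:bb"),  # matches lease
    Event("arp_reply", "10.1.2.10", "00:10:4b:ee:ee:ee"),  # contradicts lease
    Event("arp_reply", "10.1.2.10", "00:10:4b:ee:ee:ee"),
    Event("arp_reply", "10.1.2.10", "00:10:4b:ee:ee:ee"),
    Event("arp_reply", "10.1.2.50", "00:10:4b:cc:cc:cc"),  # no lease: static CPE
]

def analyse(events, flood_threshold=3):
    """Return (conflicts, unknown, floods).

    conflicts: {ip: {macs}} ARP replies contradicting the DHCP-learned MAC
    unknown:   {ip: {macs}} ARP replies for IPs with no DHCP ACK seen
    floods:    {(ip, mac): n} senders repeating >= flood_threshold times
    """
    leases = {}
    for e in events:
        if e.kind == "dhcp_ack":
            leases[e.ip] = e.mac  # later ACK supersedes, like a renewed lease
    conflicts, unknown, seen = {}, {}, Counter()
    for e in events:
        if e.kind != "arp_reply":
            continue
        seen[(e.ip, e.mac)] += 1
        expected = leases.get(e.ip)
        if expected is None:
            unknown.setdefault(e.ip, set()).add(e.mac)
        elif e.mac != expected:
            conflicts.setdefault(e.ip, set()).add(e.mac)
    floods = {k: n for k, n in seen.items() if n >= flood_threshold}
    return conflicts, unknown, floods

if __name__ == "__main__":
    conflicts, unknown, floods = analyse(SAMPLE)
    print("ARP senders contradicting a DHCP lease:", conflicts)
    print("ARP from hosts with no lease (static CPE?):", unknown)
    print("repeated replies, possible ARP flood:", floods)
```

The "unknown" bucket is the operational trade-off in the post: a router that only trusts DHCP-learned bindings silently drops exactly those hosts.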
This archive was generated by hypermail 2b30 : Fri Apr 20 2001 - 08:59:35 PDT