Expo Canitec 2010, Taller Arris

Avoiding Piracy in DOCSIS Networks

Patricio S. LatiniDirector, Sales EngineeringCaribbean and Latin America

April 29th, 2010

Agenda

▪

DOCSIS Provisioning▪

Piracy Attacks and Solutions▪

CPE Related Security

DOCSIS Provisioning

DOCSIS Provisioning

▪

Standards Based-

DHCP, ToD, TFTP

▪

Distributed Architecture-

DHCP Server has all the customer data

-

CMTS and CMs just policy enforcers-

CMs are untrusted elements

DOCSIS Piracy

▪

Mostly Based on Hacked Firmware of Cablemodems.

▪

Need to be mitigated by a battery of counter measures.-

Network Based

-

CMTS Based-

Provisioning System Based

DOCSIS Piracy

DOCSIS Piracy Speed Uncapping

▪

Removing the Speed Caps (Limits) by either changing them for higher ones or completely removing them.

▪

Done by changing the legit configuration file used by the Cable Modem with a different one.

▪

Can use a file on a Local PC or in the TFTP servers in the Network.


▪

Case I –

No Shared Secret implemented

Worst case, the hacker can create a Config file with any speed limit (or no limit), put it in his PC and instruct the hacked modem to ignore the parameters received by DHCP and download a file from the Local PC.

DOCSIS Provisioning DHCP Process

DHCP ServerDHCP Server

TFTP ServerTFTP Server

ToD ServerToD Server

Provisioning System

CMTS

CMTS is a DHCP Relay

Agent

CablemodemMAC: 00:00:DE:AD:BE:EF

HFC Network

Src: C4:C4:C4:C4:C4:C4 Dst: 00:00:DE:AD:BE:EF

Src: 10.0.0.1

Dst: 10.0.0.254

TFTP S: 10.0.0.2

TFTP F: silver.bin

172.16.0.110.0.0.254

10.0.0.1

10.0.0.2

10.0.0.3

DHCP Offer DHCP Offer

TFTP

-R

eque

st

DOCSIS Provisioning Hacked TFTP Process




Provisioning System

CMTS

Hacked CablemodemMAC: 00:00:DE:AD:BE:EF

IP: 172.16.0.10

HFC Network

Src: 192.168.100.1

Dst: 192.168.100.10

FILE: hacked.bin

172.16.0.110.0.0.254

10.0.0.1

10.0.0.2

10.0.0.3

TFTP

-R

espo

nse

Src: 192.168.100.10

Dst: 192.168.100.1

FILE: hacked.bin


▪

Case II – Shared Secret implemented

No Network Security

In this case, the hacker cannot create a custom config file because it will fail Shared Secret verification. However it can get valid files with higher speeds from the MSO TFTP Server and put them in their own PC.

TFTP - Request





Provisioning System

CMTS


IP: 172.16.0.10

HFC Network

Src: 200.0.0.10

Dst: 10.0.0.2

FILE: gold.bin

172.16.0.1

200.0.0.1

10.0.0.254

10.0.0.1

10.0.0.2

10.0.0.3

TFTP - Response

Src: 10.0.0.2

Dst: 200.0.0.10

FILE: gold.bin

DOCSIS Provisioning DHCP Process




Provisioning System

CMTS

CMTS is a DHCP Relay

Agent


HFC Network

Src: C4:C4:C4:C4:C4:C4 Dst: 00:00:DE:AD:BE:EF

Src: 10.0.0.1

Dst: 10.0.0.254

TFTP S: 10.0.0.2

TFTP F: silver.bin

172.16.0.110.0.0.254

10.0.0.1

10.0.0.2

10.0.0.3


TFTP

-R

eque

st





Provisioning System

CMTS


IP: 172.16.0.10

HFC Network

Src: 192.168.100.1

Dst: 192.168.100.10

FILE: gold.bin

172.16.0.110.0.0.254

10.0.0.1

10.0.0.2

10.0.0.3

TFTP

-R

espo

nse

Src: 192.168.100.10

Dst: 192.168.100.1

FILE: gold.bin

DOCSIS Piracy DHCP Broadcast and Unicast

▪

If a modem makes a DHCP discover with the Broadcast flag enabled, the Offer is sent to the Broadcast (ff:ff:ff:ff:ff:ff) in the Downstream.

▪

All the broadcast traffic received by a modem is copied to the ethernet port.

▪

Anybody with a packet sniffer and get Modem MAC Addresses and config file names in the local downstream!!!.

▪

When the modem sends a Discover with the broadcast flag in 0 the Offer will be sent only to the modem MAC Address and will not be copied in other modems ethernet port.

DOCSIS Piracy Speed Uncapping - Protection

DOCSIS Provided▪

Implement Shared Secret MIC!

▪

Use a Strong Secret -

30 Chars+ and Special Characters.

▪

Allow TFTP Files Downloads only from Cablemodem IP Networks (172.16.0.0) and block from CPE network and others (Use Filters in CMTS and routers, not CMs they are untrusted).

▪

Request CM Vendors firmware supporting DHCP requests using Broadcast Flag disabled.

CMTS Provided▪

Implement TFTP Enforce (TFTP Proxy)

▪

Use Dynamic Shared Secret

DOCSIS Piracy Speed Uncapping – TFTP Enforce

▪

During the DHCP Exchange, the CMTS replaces the TFTP Server address and name with its own address and stores that information in a table.

▪

When the modem sends the TFTP File request, the CMTS Proxies it and gets the file from the TFTP Server.

▪

By doing that it ensures that the legit file is downloaded from the proper server.

DOCSIS Provisioning TFTP Enforce - DHCP Process




Provisioning System

CMTSCMTS TFTP Client Table

CM

TFTP S TFTP File

172.16.0.11 10.0.0.2 gold.bin

172.16.0.10 10.0.0.2 silver.bin


HFC Network

Yiaddr:172.16.0.10

TFTP S: 172.16.0.1

TFTP F: silver.bin

Src: 10.0.0.1

Dst: 10.0.0.254

Yiaddr:172.16.0.10

TFTP S: 10.0.0.2

TFTP F: silver.bin

172.16.0.110.0.0.254

10.0.0.1

10.0.0.2

10.0.0.3


http://www.arrisi.com/product_catalog/touchstone.asp

DOCSIS Provisioning TFTP Enforce - TFTP Process




Provisioning System

CMTS


IP: 172.16.0.10

HFC Network

Src: 172.16.0.10

Dst: 172.16.0.1

FILE: silver.bin

172.16.0.110.0.0.254

10.0.0.1

10.0.0.2

10.0.0.3

Src: 172.16.0.1

Dst: 10.0.0.2

FILE: silver.bin

TFTP - RequestTFTP - Response

CMTS TFTP Client Table

CM

TFTP S TFTP File

172.16.0.11 10.0.0.2 gold.bin

172.16.0.10 10.0.0.2 silver.bin

TFTP - Request TFTP - Response

Src: 10.0.0.2

Dst: 172.16.0.1

FILE: silver.bin

Src: 172.16.0.1

Dst: 172.16.0.10

FILE: silver.bin


DOCSIS Piracy Speed Uncapping – Dynamic Secret

▪

This feature goes one step further than TFTP enforce, the CMTS instead of just doing a proxy of the file, it disassembles the file and recalculates the MIC with a per session shared secret and reassemble the file.

▪

After the modem gets the file and sends the Registration Request, the MICs must match.

▪

This is much more secure as an individual secret is used for each file download.

DOCSIS Provisioning Dynamic Shared Secret




Provisioning System

CMTS


IP: 172.16.0.10

HFC Network

Src: 172.16.0.10

Dst: 172.16.0.1

FILE: silver.bin

172.16.0.110.0.0.254

10.0.0.1

10.0.0.2

10.0.0.3

Src: 172.16.0.1

Dst: 10.0.0.2

FILE: silver.bin

TFTP - RequestTFTP - Response


CM

TFTP S TFTP File Dynamic MIC

172.16.0.11 10.0.0.2 gold.bin 0x12dce5f5430

172.16.0.10 10.0.0.2 silver.bin

TFTP - Request TFTP - Response

Src: 10.0.0.2

Dst: 172.16.0.1

FILE: silver.bin

Src: 172.16.0.1

Dst: 172.16.0.10

FILE: silver.bin

0x524c45f5879


REG - Request

DOCSIS Provisioning Dynamic Shared Secret




Provisioning System

CMTS


IP: 172.16.0.10

HFC Network

Service Flows

Classifiers

MAC CPE

MD5 CMTS MIC=

0x524c45f5879

172.16.0.110.0.0.254

10.0.0.1

10.0.0.2

10.0.0.3

REG - Response

Registration ACK


CM

TFTP S TFTP File Dynamic MIC

00:00:DE:AD:00:00

10.0.0.2 gold.bin 0x12dce5f5430

00:00:DE:AD:BE:EF

10.0.0.2 silver.bin 0x524c45f5879


DOCSIS Piracy Cablemodem MAC Cloning

▪

A Cable Modem identifies to the Network by its MAC Address

▪

Cloning the MAC Address of a Modem allows an un-provisioned modem to get the Service of a provisioned modem.

▪

This is much more dangerous because a Hacker behind a cloned modem can do illegal activities and be untraceable.

▪

Hacked Firmware allows to change the MAC address of a compromised modem to any value

DOCSIS Piracy Cablemodem MAC Cloning

▪

DOCSIS 1.1 Specified BPI Plus as a method to authenticate a Cable Modem

▪

All Modems DOCSIS 1.1 and over, have an embedded certificate that is Signed by the Manufacturer and Cablelabs

▪

When BPI+ is enabled the modem must send the Certificate to the CMTS and it validates the signature with its own database. If it fails the CMTS can deny the service.

DOCSIS Piracy MAC Cloning - Recommendations

▪

BPI+ is enabled in the Configuration File, all the previous protection measures should be implemented in order to ensure that the file is not modified and BPI+ is disabled.

▪

It is recommended to remove all DOCSIS 1.0 modems from the network and only having DOCSIS 1.1 Modems, by doing so all DOCSIS 1.0 Config files can be deleted from the TFTP Server.

▪

Ensure all the modems send the DHCP broadcast flag in 0 in order to ensure that that their offers are not sent on the broadcast.

DOCSIS Piracy MAC Cloning – BPI+ Mandatory

▪

Hacked firmware also supports changing the advertised supported DOCSIS Version in order to cheat the provisioning.

▪

Some CMTSs support BPI+ mandatory, that means that if a modem tries to register without BPI+ is rejected.

▪

All modems and config files need to be DOCSIS 1.1 enabled.

DOCSIS Piracy MAC Cloning – Other Cases

▪

Some modems vendor are vulnerable to full Flash copy (MAC and Certificates)

▪

This Creates a full Clone▪

High Tech Equipment and physical access is required for that.

▪

BPI+ cannot do much about that.▪

Some CMTSs support manual deny lists in order to block that modems to pass from Ranging stage.

▪

Your provisioning system could have detection algorithms in order to detect the same MAC coming from different CMTS/Upstream Ports

CPE Related Security

Customer Security

CMTS▪

Packet Filters

▪

Source Verify (Source Address Verification)▪

DHCP Option 82.1 and 82.2 relaying

▪

Protocol Throttling (DHCP and ARP)DHCP Server▪

CPE Lease Logging

Customer Security Source Verify

▪

CMTS snoops all CPE DHCP offers and creates a list of CPE MAC/IP and CM Table

▪

When a CPE sends and ARP Request, the CMTS Looks for in the table for an existing entry, if there is not matching entry, the ARP is discarded.

▪

This allows to avoid ARP Poisoning.▪

Also allows a tight control to be sure that all the IP addresses being used by CPEs were assigned and logged by the DHCP Server.

DOCSIS Provisioning Source Verify




Provisioning System

CMTS


IP: 172.16.0.10

HFC Network

Src: 00:11:22:33:44:55

Dst: FF:FF:FF:FF.FF:FF

172.16.0.1

200.0.0.1

10.0.0.254

10.0.0.1

10.0.0.2

10.0.0.3

Src: 10.0.0.254

Dst: 10.0.0.1

Giaddr:200.0.0.1

CMTS MACDB Client Table

CPE MAC CPE IP CM MAC

00:11:22:33:44:55 200.0.0.10

00:00:DE:AD:BE:EF

DHCP - Discover

Src: 10.0.0.1

Dst: 10.0.0.254

chaddr: 00:11:22:33:44:55

yiaddr: 200.0.0.10

Src: C4:C4:C4:C4:C4:C4

Dst: 00:11:22:33:44:55

yiaddr: 200.0.0.10

DHCP - DiscoverDHCP - Offer DHCP - Offer


DOCSIS Provisioning Source Verify




Provisioning System

CMTS


IP: 172.16.0.10

HFC Network

Who has : 200.0.0.1

Src: 00:11:22:33:44:55

Dst: 00:00:00:00:00:00

172.16.0.1

200.0.0.1

10.0.0.254

10.0.0.1

10.0.0.2

10.0.0.3CMTS MACDB Client Table

CPE MAC CPE IP CM MAC

00:11:22:33:44:55 200.0.0.10

00:00:DE:AD:BE:EF

Src: C4:C4:C4:C4:C4:C4

Dst: 00:11:22:33:44:55

tell: 200.0.0.1

ARP REQARP REP


Customer Security CMTS Option 82.1 and 82.2 Relay

▪

The CMTS can add to either CM or CPE DHCP Discover packets the option 82.

▪

Option 82.1 specifies the Upstream Port name from where the request came.

▪

Option 82.2 specifies the MAC Address of the Cablemodem from where that Discover came.

▪

For CPEs is Very useful to know to which Cablemodem (MAC) that Device is connected in order to take provisioning actions, or just for keeping a log.

DOCSIS Provisioning Option 82 Relay




Provisioning System

CMTS


IP: 172.16.0.10

HFC Network

Src: 00:11:22:33:44:55

Dst: FF:FF:FF:FF.FF:FF

172.16.0.1

200.0.0.1

10.0.0.254

10.0.0.1

10.0.0.2

10.0.0.3

Src: 10.0.0.254

Dst: 10.0.0.1

Giaddr: 200.0.0.1

hwaddr: 00:11:22:33:44:55 Opt 82.1:Upstream 1

Opt 82.2 :00:00:DE:AD:BE:EF

DHCP - Discover DHCP - Discover


Customer Security Protocol Throttling

▪

ARP and DHCP are protocols that are necessary for system operation and cannot be completely filtered.

▪

Hackers can take advantage of that and generate denial of service attacks.

▪

DHCP DoS

can overload the DHCP Server.▪

ARP DoS

can saturate the local segment with

ARP Traffic.▪

CMTSs

support Protocol Throttling, that means

that they allow a certain acceptable amount of traffic of that protocols and drop the rest.

Questions?

Thanks!

Expo Canitec 2010, Taller Arris

Technology

Transcript of Expo Canitec 2010, Taller Arris