Expo Canitec 2010, Taller Arris
Transcript of Expo Canitec 2010, Taller Arris
Avoiding Piracy in DOCSIS Networks
Patricio S. Latini, Director, Sales Engineering, Caribbean and Latin America
April 29th, 2010
Agenda
▪ DOCSIS Provisioning
▪ Piracy Attacks and Solutions
▪ CPE Related Security
DOCSIS Provisioning
▪ Standards based
  - DHCP, ToD, TFTP
▪ Distributed architecture
  - DHCP Server has all the customer data
  - CMTS and CMs are just policy enforcers
  - CMs are untrusted elements
DOCSIS Piracy
▪ Mostly based on hacked cablemodem firmware.
▪ Needs to be mitigated by a battery of countermeasures:
  - Network based
  - CMTS based
  - Provisioning system based
DOCSIS Piracy Speed Uncapping
▪ Removing the speed caps (limits), either by changing them for higher ones or by removing them completely.
▪ Done by replacing the legitimate configuration file used by the Cable Modem with a different one.
▪ The replacement can be a file on a local PC or one of the files on the TFTP servers in the network.
DOCSIS Piracy Speed Uncapping
▪ Case I – No Shared Secret implemented
Worst case: the hacker can create a config file with any speed limit (or no limit), put it on his PC and instruct the hacked modem to ignore the parameters received via DHCP and download the file from the local PC.
[Diagram: DOCSIS Provisioning - DHCP Process. The provisioning system (DHCP Server 10.0.0.1, TFTP Server 10.0.0.2, ToD Server 10.0.0.3) sits behind the CMTS (10.0.0.254 on the provisioning side, 172.16.0.1 on the HFC side), which acts as DHCP Relay Agent for the cablemodem 00:00:DE:AD:BE:EF. The DHCP Offer travels from Src 10.0.0.1 to Dst 10.0.0.254 carrying TFTP S: 10.0.0.2 and TFTP F: silver.bin; the CMTS relays it on the HFC network from Src C4:C4:C4:C4:C4:C4 to Dst 00:00:DE:AD:BE:EF, and the modem then issues its TFTP Request.]
[Diagram: DOCSIS Provisioning - Hacked TFTP Process (Case I). The hacked cablemodem 00:00:DE:AD:BE:EF (IP 172.16.0.10) ignores the TFTP server it was given and sends its TFTP Request to the local PC: Src 192.168.100.1, Dst 192.168.100.10, FILE: hacked.bin. The TFTP Response comes back from Src 192.168.100.10 to Dst 192.168.100.1 with FILE: hacked.bin. The MSO servers (10.0.0.1, 10.0.0.2, 10.0.0.3 behind the CMTS 172.16.0.1 / 10.0.0.254) are never involved.]
DOCSIS Piracy Speed Uncapping
▪ Case II – Shared Secret implemented, no network security
In this case the hacker cannot create a custom config file, because it would fail Shared Secret verification. However, he can get valid files with higher speeds from the MSO TFTP Server and put them on his own PC.
[Diagram: DOCSIS Provisioning - Hacked TFTP Process (Case II, step 1). A PC behind the modem 00:00:DE:AD:BE:EF (IP 172.16.0.10), using the CPE address 200.0.0.10, sends a TFTP Request through the CMTS (172.16.0.1 / 200.0.0.1 / 10.0.0.254) straight to the MSO TFTP Server: Src 200.0.0.10, Dst 10.0.0.2, FILE: gold.bin. The TFTP Response returns Src 10.0.0.2, Dst 200.0.0.10, FILE: gold.bin, a valid file for a higher-speed service.]
[Diagram: DOCSIS Provisioning - Hacked TFTP Process (Case II, step 2). The hacked cablemodem 00:00:DE:AD:BE:EF (IP 172.16.0.10) now fetches the captured file from the local PC instead of the MSO servers: TFTP Request Src 192.168.100.1, Dst 192.168.100.10, FILE: gold.bin; TFTP Response Src 192.168.100.10, Dst 192.168.100.1, FILE: gold.bin. The file is a legitimately signed one, which the Shared Secret check alone cannot distinguish from the file the modem was actually assigned.]
DOCSIS Piracy DHCP Broadcast and Unicast
▪ If a modem sends a DHCP Discover with the Broadcast flag enabled, the Offer is sent to the broadcast address (ff:ff:ff:ff:ff:ff) in the downstream.
▪ All broadcast traffic received by a modem is copied to its Ethernet port.
▪ Anybody with a packet sniffer can get modem MAC addresses and config file names from the local downstream!!!
▪ When the modem sends a Discover with the broadcast flag set to 0, the Offer is sent only to the modem MAC address and is not copied to other modems' Ethernet ports.
DOCSIS Piracy Speed Uncapping - Protection
DOCSIS Provided
▪ Implement Shared Secret MIC!
▪ Use a strong secret: 30+ characters, including special characters.
▪ Allow TFTP file downloads only from the cablemodem IP networks (172.16.0.0) and block them from the CPE network and others (use filters in the CMTS and routers, not in the CMs: they are untrusted).
▪ Request from CM vendors firmware that sends DHCP requests with the Broadcast flag disabled.
CMTS Provided
▪ Implement TFTP Enforce (TFTP Proxy)
▪ Use Dynamic Shared Secret
DOCSIS Piracy Speed Uncapping – TFTP Enforce
▪ During the DHCP exchange, the CMTS replaces the TFTP Server address and name with its own address and stores the original information in a table.
▪ When the modem sends the TFTP file request, the CMTS proxies it and gets the file from the TFTP Server.
▪ By doing that it ensures that the legitimate file is downloaded from the proper server.
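The three steps above, worked through in code. This is an added model written for this transcript, not Arris CMTS code: the offer rewrite, the "CMTS TFTP Client Table" and the decision taken on each TFTP Read Request, including the filter from the Protection slide that accepts TFTP only from the cablemodem network. The addresses and file names are the ones on the slides; the /16 prefix for "172.16.0.0" and the dict shape of the relayed offer are assumptions.

```python
import ipaddress
import struct

# Values taken from the slides; the /16 prefix is an assumption for "172.16.0.0".
CMTS_TFTP_ADDR = "172.16.0.1"
CM_NETWORK = ipaddress.ip_network("172.16.0.0/16")

TFTP_RRQ = 1  # TFTP opcode for a Read Request (RFC 1350)


def parse_rrq(payload):
    """Decode a TFTP Read Request: opcode 1, then NUL-terminated filename and mode."""
    if len(payload) < 4 or struct.unpack("!H", payload[:2])[0] != TFTP_RRQ:
        raise ValueError("not a TFTP RRQ")
    fields = payload[2:].split(b"\x00")
    if len(fields) < 3:  # filename, mode, and the empty piece after the final NUL
        raise ValueError("truncated RRQ")
    return fields[0].decode("ascii"), fields[1].decode("ascii").lower()


def build_rrq(filename, mode="octet"):
    """Encode a Read Request the way a modem sends it (used by the demo below)."""
    return struct.pack("!H", TFTP_RRQ) + filename.encode("ascii") + b"\x00" + mode.encode("ascii") + b"\x00"


class TftpEnforce:
    """CMTS-side TFTP Enforce: remember what DHCP handed each modem, then proxy only that."""

    def __init__(self, cmts_addr=CMTS_TFTP_ADDR, cm_network=CM_NETWORK):
        self.cmts_addr = cmts_addr
        self.cm_network = cm_network
        self.table = {}  # modem IP -> (real TFTP server, file name): the CMTS TFTP Client Table

    def rewrite_offer(self, offer):
        """Called while relaying a DHCP Offer. `offer` carries the three fields the slide
        shows: yiaddr, tftp_server (DHCP siaddr / option 66) and tftp_file (boot file /
        option 67). Stores the real server, returns the offer the modem will see."""
        self.table[offer["yiaddr"]] = (offer["tftp_server"], offer["tftp_file"])
        relayed = dict(offer)
        relayed["tftp_server"] = self.cmts_addr
        return relayed

    def handle_rrq(self, src_ip, payload):
        """Verdict for a Read Request that reached the CMTS:
        ("proxy", server, file) or ("drop", reason)."""
        if ipaddress.ip_address(src_ip) not in self.cm_network:
            return ("drop", "TFTP is only accepted from the cablemodem network")
        try:
            filename, _mode = parse_rrq(payload)
        except ValueError as exc:
            return ("drop", str(exc))
        entry = self.table.get(src_ip)
        if entry is None:
            return ("drop", "no DHCP Offer was relayed to this address")
        server, expected = entry
        if filename != expected:
            return ("drop", f"requested {filename!r} but DHCP assigned {expected!r}")
        # The CMTS now fetches `expected` from `server` itself and relays the data blocks.
        return ("proxy", server, expected)


def demo():
    """The slide's scenario: silver.bin assigned, then four kinds of request."""
    cmts = TftpEnforce()
    relayed = cmts.rewrite_offer({"yiaddr": "172.16.0.10", "tftp_server": "10.0.0.2", "tftp_file": "silver.bin"})
    return {
        "relayed_server": relayed["tftp_server"],
        "legit": cmts.handle_rrq("172.16.0.10", build_rrq("silver.bin")),
        "wrong_file": cmts.handle_rrq("172.16.0.10", build_rrq("gold.bin")),
        "from_cpe": cmts.handle_rrq("200.0.0.10", build_rrq("gold.bin")),
        "unknown_modem": cmts.handle_rrq("172.16.0.11", build_rrq("gold.bin")),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

Note that the table is keyed by the address the CMTS itself handed out in the relayed Offer, so a request for gold.bin from a modem that was assigned silver.bin, or any TFTP request arriving from the CPE side, never reaches the TFTP Server.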
[Diagram: DOCSIS Provisioning - TFTP Enforce, DHCP Process. The DHCP Offer from the DHCP Server (Src 10.0.0.1, Dst 10.0.0.254) carries Yiaddr: 172.16.0.10, TFTP S: 10.0.0.2, TFTP F: silver.bin. The CMTS rewrites the Offer it relays to the cablemodem 00:00:DE:AD:BE:EF so that it reads Yiaddr: 172.16.0.10, TFTP S: 172.16.0.1 (the CMTS itself), TFTP F: silver.bin, and records the original values:

CMTS TFTP Client Table
CM            TFTP S     TFTP File
172.16.0.11   10.0.0.2   gold.bin
172.16.0.10   10.0.0.2   silver.bin]
[Diagram: DOCSIS Provisioning - TFTP Enforce, TFTP Process. The modem 00:00:DE:AD:BE:EF (IP 172.16.0.10) sends its TFTP Request to the CMTS (Src 172.16.0.10, Dst 172.16.0.1, FILE: silver.bin). The CMTS looks the modem up in its TFTP Client Table (172.16.0.10 -> 10.0.0.2, silver.bin; 172.16.0.11 -> 10.0.0.2, gold.bin), issues its own TFTP Request to the real server (Src 172.16.0.1, Dst 10.0.0.2, FILE: silver.bin), receives the TFTP Response (Src 10.0.0.2, Dst 172.16.0.1, FILE: silver.bin) and relays it to the modem (Src 172.16.0.1, Dst 172.16.0.10, FILE: silver.bin).]
DOCSIS Piracy Speed Uncapping – Dynamic Secret
▪ This feature goes one step further than TFTP Enforce: instead of just proxying the file, the CMTS disassembles it, recalculates the MIC with a per-session shared secret and reassembles the file.
▪ After the modem gets the file and sends the Registration Request, the MICs must match.
▪ This is much more secure, as an individual secret is used for each file download.
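A small model of the config-file checks behind both the Shared Secret slides (Cases I and II, Protection) and the Dynamic Secret slide above. It is an added example written for this transcript, not Arris or CableLabs code, and it simplifies the real format: one-byte TLV types and lengths, the CM MIC (TLV 6) as MD5 over the preceding TLVs, the CMTS MIC (TLV 7) as HMAC-MD5 keyed with the shared secret over the TLVs up to and including the CM MIC, and both digests taken over TLVs in file order rather than the subset and order the specification prescribes. The TLV numbers (3 Network Access, 4 Class of Service with sub-TLVs 2/3 for the max rates, 29 Privacy Enable, 255 End-of-Data) follow the DOCSIS numbering; the secrets and rates are constructed.

```python
import hashlib
import hmac
import struct

# DOCSIS TLV numbers; the MIC construction below is a simplification (see lead-in).
TLV_NET_ACCESS, TLV_COS, TLV_CM_MIC, TLV_CMTS_MIC, TLV_PRIVACY, TLV_END = 3, 4, 6, 7, 29, 255
COS_CLASS_ID, COS_MAX_DOWN, COS_MAX_UP = 1, 2, 3


def tlv(t, value):
    if len(value) > 255:
        raise ValueError("value too long for a one-byte length")
    return bytes([t, len(value)]) + value


def parse_tlvs(data):
    """[(type, value), ...] up to the End-of-Data marker; raises on truncation."""
    out, i = [], 0
    while i < len(data) and data[i] != TLV_END:
        if i + 2 > len(data):
            raise ValueError("truncated TLV header")
        t, length = data[i], data[i + 1]
        value = data[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("truncated TLV value")
        out.append((t, value))
        i += 2 + length
    return out


def build_body(down_bps, up_bps, privacy_enable=1):
    """Service-defining TLVs: the speed caps and the BPI+ switch."""
    cos = (tlv(COS_CLASS_ID, b"\x01") + tlv(COS_MAX_DOWN, struct.pack("!I", down_bps))
           + tlv(COS_MAX_UP, struct.pack("!I", up_bps)))
    return tlv(TLV_NET_ACCESS, b"\x01") + tlv(TLV_COS, cos) + tlv(TLV_PRIVACY, bytes([privacy_enable]))


def cm_mic(body):
    return hashlib.md5(body).digest()


def cmts_mic(body_and_cm_mic, shared_secret):
    return hmac.new(shared_secret, body_and_cm_mic, hashlib.md5).digest()


def sign_config(body, shared_secret):
    """Complete file: body, CM MIC, CMTS MIC keyed with the shared secret, End-of-Data."""
    with_cm = body + tlv(TLV_CM_MIC, cm_mic(body))
    return with_cm + tlv(TLV_CMTS_MIC, cmts_mic(with_cm, shared_secret)) + bytes([TLV_END])


def split_config(cfg):
    """(body bytes, CM MIC, CMTS MIC); the two MICs must be the last TLVs before End."""
    tlvs = parse_tlvs(cfg)
    if len(tlvs) < 2 or tlvs[-2][0] != TLV_CM_MIC or tlvs[-1][0] != TLV_CMTS_MIC:
        raise ValueError("MIC TLVs missing or out of place")
    return b"".join(tlv(t, v) for t, v in tlvs[:-2]), tlvs[-2][1], tlvs[-1][1]


def verify_config(cfg, shared_secret):
    """The CMTS check when the modem echoes the file's settings in its REG-REQ."""
    try:
        body, got_cm, got_cmts = split_config(cfg)
    except ValueError:
        return False
    if not hmac.compare_digest(got_cm, cm_mic(body)):
        return False
    return hmac.compare_digest(got_cmts, cmts_mic(body + tlv(TLV_CM_MIC, got_cm), shared_secret))


def max_down_bps(cfg):
    """Read the downstream cap back out of a file."""
    for t, v in parse_tlvs(cfg):
        if t == TLV_COS:
            for st, sv in parse_tlvs(v):
                if st == COS_MAX_DOWN:
                    return struct.unpack("!I", sv)[0]
    raise ValueError("no Class of Service TLV")


def uncapped_test_vector(cfg, new_down_bps):
    """Case I as a negative test input: cap raised, CM MIC refreshed, but without the
    shared secret the old CMTS MIC has to be carried over, so verify_config rejects it."""
    body, _cm, old_cmts = split_config(cfg)
    new_body = b""
    for t, v in parse_tlvs(body):
        if t == TLV_COS:
            v = b"".join(tlv(st, struct.pack("!I", new_down_bps) if st == COS_MAX_DOWN else sv)
                         for st, sv in parse_tlvs(v))
        new_body += tlv(t, v)
    return new_body + tlv(TLV_CM_MIC, cm_mic(new_body)) + tlv(TLV_CMTS_MIC, old_cmts) + bytes([TLV_END])


def dynamic_secret_rewrite(cfg, static_secret, session_secret):
    """Dynamic Shared Secret at the CMTS proxy: accept the file from the TFTP Server only
    if it carries the static secret's MIC, then re-sign it with a secret unique to this
    download. The CMTS keeps that MIC in its table and compares it against the REG-REQ."""
    if not verify_config(cfg, static_secret):
        raise ValueError("file from TFTP Server failed the static shared-secret check")
    body, _cm, _cmts = split_config(cfg)
    return sign_config(body, session_secret)
```

The last two functions are what separates the slides: with a static secret, a valid gold.bin replayed from a PC verifies, because it was signed with that secret; after the CMTS re-signs per session, the same replayed file fails the REG-REQ comparison, since its CMTS MIC was never computed with that session's secret.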
[Diagram: DOCSIS Provisioning - Dynamic Shared Secret, TFTP Process. The same proxied exchange as TFTP Enforce: TFTP Request 172.16.0.10 -> 172.16.0.1 (FILE: silver.bin), CMTS request 172.16.0.1 -> 10.0.0.2, response 10.0.0.2 -> 172.16.0.1, relayed response 172.16.0.1 -> 172.16.0.10. Before relaying, the CMTS recalculates the MIC of the file for this modem (0x524c45f5879) with a per-session secret; the table already holds the Dynamic MIC of the gold.bin sent to 172.16.0.11. The modem then sends its REG-Request.

CMTS TFTP Client Table
CM            TFTP S     TFTP File    Dynamic MIC
172.16.0.11   10.0.0.2   gold.bin     0x12dce5f5430
172.16.0.10   10.0.0.2   silver.bin]
[Diagram: DOCSIS Provisioning - Dynamic Shared Secret, Registration. The modem 00:00:DE:AD:BE:EF (IP 172.16.0.10) sends a REG-Request carrying Service Flows, Classifiers, MAC CPE and MD5 CMTS MIC = 0x524c45f5879. The CMTS compares it with its table, now keyed by CM MAC, answers with a REG-Response and the modem completes with a Registration ACK.

CMTS TFTP Client Table
CM                   TFTP S     TFTP File    Dynamic MIC
00:00:DE:AD:00:00    10.0.0.2   gold.bin     0x12dce5f5430
00:00:DE:AD:BE:EF    10.0.0.2   silver.bin   0x524c45f5879]
DOCSIS Piracy Cablemodem MAC Cloning
▪ A Cable Modem identifies itself to the network by its MAC address.
▪ Cloning the MAC address of a modem allows an un-provisioned modem to get the service of a provisioned modem.
▪ This is much more dangerous, because a hacker behind a cloned modem can do illegal activities and be untraceable.
▪ Hacked firmware allows changing the MAC address of a compromised modem to any value.
DOCSIS Piracy Cablemodem MAC Cloning
▪ DOCSIS 1.1 specified BPI Plus (BPI+) as a method to authenticate a Cable Modem.
▪ All DOCSIS 1.1 and later modems have an embedded certificate that is signed by the manufacturer and CableLabs.
▪ When BPI+ is enabled the modem must send the certificate to the CMTS, which validates the signature against its own database. If validation fails, the CMTS can deny service.
DOCSIS Piracy MAC Cloning - Recommendations
▪ BPI+ is enabled in the configuration file, so all the previous protection measures should be implemented in order to ensure that the file is not modified and BPI+ disabled.
▪ It is recommended to remove all DOCSIS 1.0 modems from the network and keep only DOCSIS 1.1 modems; by doing so, all DOCSIS 1.0 config files can be deleted from the TFTP Server.
▪ Ensure all modems send the DHCP broadcast flag set to 0, so that their Offers are not sent on the broadcast.
DOCSIS Piracy MAC Cloning – BPI+ Mandatory
▪ Hacked firmware also supports changing the advertised DOCSIS version in order to cheat the provisioning.
▪ Some CMTSs support BPI+ Mandatory: a modem that tries to register without BPI+ is rejected.
▪ All modems and config files need to be DOCSIS 1.1 enabled.
DOCSIS Piracy MAC Cloning – Other Cases
▪ Some modem vendors are vulnerable to a full Flash copy (MAC and certificates).
▪ This creates a full clone.
▪ High-tech equipment and physical access are required for that.
▪ BPI+ cannot do much about that.
▪ Some CMTSs support manual deny lists in order to block those modems from passing the Ranging stage.
▪ Your provisioning system could have detection algorithms to detect the same MAC coming from different CMTS/Upstream ports.
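One shape such a detection algorithm can take, added here as an example and not taken from any provisioning product: replay the CM online/offline events the provisioning system already receives and raise an alert whenever a MAC comes online on a second CMTS/upstream port while it is still online on the first. A modem that goes offline and reappears on another port, or re-registers on the same port, is not flagged. The log format and the event data are constructed for the example; the MACs are the ones on the slides.

```python
import re

# Constructed sample of provisioning-system events (not real operator data).
# 00:00:DE:AD:BE:EF comes online on cmts-b while still online on cmts-a (clone),
# 00:00:DE:AD:00:00 goes offline before appearing elsewhere (a modem that moved).
SAMPLE_LOG = """\
1000 cmts=cmts-a us=1/0 cm=00:00:DE:AD:BE:EF event=online
1005 cmts=cmts-a us=2/0 cm=00:00:DE:AD:00:00 event=online
1040 cmts=cmts-b us=3/1 cm=00:00:DE:AD:BE:EF event=online
1100 cmts=cmts-a us=2/0 cm=00:00:DE:AD:00:00 event=offline
1130 cmts=cmts-b us=4/0 cm=00:00:DE:AD:00:00 event=online
1150 cmts=cmts-b us=4/0 cm=00:00:DE:AD:00:00 event=online
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d+) cmts=(?P<cmts>\S+) us=(?P<us>\S+) "
    r"cm=(?P<mac>(?:[0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}) event=(?P<event>online|offline)$"
)


def parse_events(text):
    """Turn log lines into event dicts; lines that are not CM state events are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ev = m.groupdict()
        ev["ts"] = int(ev["ts"])
        ev["mac"] = ev["mac"].upper()
        events.append(ev)
    return events


def find_clones(events):
    """Alert when a MAC goes online on a CMTS/upstream port different from the one
    where it is currently online. Offline events clear the state for that port."""
    online = {}  # mac -> (cmts, us, ts) where the MAC is currently online
    alerts = []
    for ev in events:
        port = (ev["cmts"], ev["us"])
        mac = ev["mac"]
        if ev["event"] == "offline":
            if mac in online and online[mac][:2] == port:
                del online[mac]
            continue
        prev = online.get(mac)
        if prev is not None and prev[:2] != port:
            alerts.append({"mac": mac, "first_port": prev[:2], "first_ts": prev[2],
                           "second_port": port, "second_ts": ev["ts"]})
        online[mac] = (ev["cmts"], ev["us"], ev["ts"])
    return alerts


def run(text=SAMPLE_LOG):
    return find_clones(parse_events(text))


if __name__ == "__main__":
    for alert in run():
        print(alert)
```

The output only says that two devices share one MAC; it cannot tell which of the two is the customer's modem, so the alert is a trigger for the manual deny list or for an operator check, not an automatic block.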
CPE Related Security

Customer Security
CMTS
▪ Packet Filters
▪ Source Verify (Source Address Verification)
▪ DHCP Option 82.1 and 82.2 relaying
▪ Protocol Throttling (DHCP and ARP)
DHCP Server
▪ CPE Lease Logging
Customer Security Source Verify
▪ The CMTS snoops all CPE DHCP Offers and creates a table of CPE MAC/IP and CM.
▪ When a CPE sends an ARP Request, the CMTS looks in the table for an existing entry; if there is no matching entry, the ARP is discarded.
▪ This prevents ARP poisoning.
▪ It also allows tight control, to be sure that all the IP addresses used by CPEs were assigned and logged by the DHCP Server.
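The Source Verify logic above as an added example (not Arris code): the MACDB Client Table is filled from relayed DHCP Offers and every ARP packet coming upstream is parsed and checked against it. It goes slightly beyond the slide in two ways: ARP replies are checked on their sender fields as well as requests, since a forged reply is the usual poisoning form, and the check also confirms that the pair arrived through the cablemodem it was offered behind. ARP parsing follows the Ethernet/IPv4 ARP layout (RFC 826); the addresses are the slide's, the second CPE address in the poison case is constructed.

```python
import ipaddress
import struct

ARP_FORMAT = "!HHBBH6s4s6s4s"  # htype, ptype, hlen, plen, oper, sha, spa, tha, tpa (28 bytes)
ARP_REQUEST, ARP_REPLY = 1, 2


def mac_str(raw):
    return ":".join(f"{b:02X}" for b in raw)


def build_arp(oper, sender_mac, sender_ip, target_mac, target_ip):
    """ARP payload as it would arrive from a CPE (constructed for the demo)."""
    return struct.pack(ARP_FORMAT, 1, 0x0800, 6, 4, oper,
                       bytes.fromhex(sender_mac.replace(":", "")), ipaddress.IPv4Address(sender_ip).packed,
                       bytes.fromhex(target_mac.replace(":", "")), ipaddress.IPv4Address(target_ip).packed)


def parse_arp(payload):
    if len(payload) < 28:
        raise ValueError("short ARP")
    htype, ptype, hlen, plen, oper, sha, spa, tha, tpa = struct.unpack(ARP_FORMAT, payload[:28])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("not Ethernet/IPv4 ARP")
    return {"oper": oper, "sha": mac_str(sha), "spa": str(ipaddress.IPv4Address(spa)),
            "tha": mac_str(tha), "tpa": str(ipaddress.IPv4Address(tpa))}


class SourceVerify:
    """The CMTS MACDB Client Table: CPE MAC/IP pairs learned from relayed DHCP Offers,
    each tied to the cablemodem they were offered through."""

    def __init__(self):
        self.table = {}  # (cpe_mac, cpe_ip) -> cm_mac

    def snoop_offer(self, cm_mac, chaddr, yiaddr):
        """Called for every DHCP Offer the CMTS relays towards a CPE."""
        self.table[(chaddr.upper(), yiaddr)] = cm_mac.upper()

    def release(self, chaddr, yiaddr):
        """DHCP Release or lease expiry: forget the binding."""
        self.table.pop((chaddr.upper(), yiaddr), None)

    def check_arp(self, cm_mac, payload):
        """Verdict for an ARP packet that came upstream through `cm_mac`."""
        try:
            arp = parse_arp(payload)
        except ValueError as exc:
            return ("drop", str(exc))
        owner = self.table.get((arp["sha"], arp["spa"]))
        if owner is None:
            return ("drop", f"{arp['sha']}/{arp['spa']} was never assigned by DHCP")
        if owner != cm_mac.upper():
            return ("drop", f"pair belongs behind CM {owner}, arrived via {cm_mac.upper()}")
        return ("forward", arp)


def demo():
    cmts = SourceVerify()
    cmts.snoop_offer("00:00:DE:AD:BE:EF", "00:11:22:33:44:55", "200.0.0.10")
    cpe, via_cm, other_cm = "00:11:22:33:44:55", "00:00:DE:AD:BE:EF", "00:00:DE:AD:00:00"
    return {
        # the slide's request "Who has 200.0.0.1", sent from the learned pair
        "legit": cmts.check_arp(via_cm, build_arp(ARP_REQUEST, cpe, "200.0.0.10", "00:00:00:00:00:00", "200.0.0.1")),
        # the same CPE claiming the gateway address towards a neighbour: poisoning attempt
        "poison": cmts.check_arp(via_cm, build_arp(ARP_REPLY, cpe, "200.0.0.1", "00:AA:BB:CC:DD:EE", "200.0.0.11")),
        # an address the DHCP Server never handed out (statically configured by the user)
        "static_ip": cmts.check_arp(via_cm, build_arp(ARP_REQUEST, cpe, "200.0.0.77", "00:00:00:00:00:00", "200.0.0.1")),
        # the legitimate pair showing up behind a different modem
        "wrong_cm": cmts.check_arp(other_cm, build_arp(ARP_REQUEST, cpe, "200.0.0.10", "00:00:00:00:00:00", "200.0.0.1")),
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name}: {verdict}")
```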
[Diagram: DOCSIS Provisioning - Source Verify, DHCP snooping. A CPE (MAC 00:11:22:33:44:55) behind the cablemodem 00:00:DE:AD:BE:EF (IP 172.16.0.10) sends a DHCP Discover to FF:FF:FF:FF:FF:FF. The CMTS relays it (Src 10.0.0.254, Dst 10.0.0.1, Giaddr: 200.0.0.1). The DHCP Offer returns (Src 10.0.0.1, Dst 10.0.0.254, chaddr: 00:11:22:33:44:55, yiaddr: 200.0.0.10) and is relayed on the HFC network (Src C4:C4:C4:C4:C4:C4, Dst 00:11:22:33:44:55, yiaddr: 200.0.0.10). While relaying, the CMTS records the binding:

CMTS MACDB Client Table
CPE MAC              CPE IP        CM MAC
00:11:22:33:44:55    200.0.0.10    00:00:DE:AD:BE:EF]
[Diagram: DOCSIS Provisioning - Source Verify, ARP check. The CPE 00:11:22:33:44:55 sends an ARP Request "Who has 200.0.0.1" (Src 00:11:22:33:44:55, Dst 00:00:00:00:00:00). The CMTS finds the CPE in its MACDB Client Table (00:11:22:33:44:55 / 200.0.0.10 / 00:00:DE:AD:BE:EF) and answers with the ARP Reply "tell 200.0.0.1" from Src C4:C4:C4:C4:C4:C4 to Dst 00:11:22:33:44:55.]
Customer Security CMTS Option 82.1 and 82.2 Relay
▪ The CMTS can add option 82 to either CM or CPE DHCP Discover packets.
▪ Option 82.1 specifies the upstream port name from where the request came.
▪ Option 82.2 specifies the MAC address of the cablemodem from where that Discover came.
▪ For CPEs it is very useful to know to which cablemodem (MAC) the device is connected, in order to take provisioning actions or just to keep a log.
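The relay-agent side of both the Option 82 slide above and the earlier DHCP Broadcast and Unicast slide, as an added example rather than Arris code: a DHCP Discover is parsed, the broadcast flag decides whether the Offer would land on every modem's Ethernet port or only on the requesting client, and the CMTS relay step sets giaddr and appends Option 82 with sub-option 1 (circuit ID, the upstream port name) and sub-option 2 (remote ID, the cablemodem MAC). The message layout follows RFC 2131 and the sub-options RFC 3046; the transaction id and the Discover itself are constructed, the addresses and names are the slide's.

```python
import ipaddress
import struct

DHCP_HEADER = "!BBBBIHH4s4s4s4s16s64s128s"  # fixed BOOTP/DHCP part, 236 bytes
DHCP_MAGIC = b"\x63\x82\x53\x63"
OPT_PAD, OPT_MSG_TYPE, OPT_RELAY_AGENT, OPT_END = 0, 53, 82, 255
SUB_CIRCUIT_ID, SUB_REMOTE_ID = 1, 2  # RFC 3046 sub-options, "82.1" and "82.2" on the slide
FLAG_BROADCAST = 0x8000
BROADCAST_MAC = "FF:FF:FF:FF:FF:FF"


def mac_bytes(mac):
    return bytes.fromhex(mac.replace(":", ""))


def mac_str(raw):
    return ":".join(f"{b:02X}" for b in raw)


def build_discover(client_mac, broadcast_flag, xid=0x3903F326):
    """A minimal DHCP Discover as a modem or CPE would send it (constructed for the demo)."""
    flags = FLAG_BROADCAST if broadcast_flag else 0
    zero4 = b"\x00" * 4
    header = struct.pack(DHCP_HEADER, 1, 1, 6, 0, xid, 0, flags, zero4, zero4, zero4, zero4,
                         mac_bytes(client_mac).ljust(16, b"\x00"), b"\x00" * 64, b"\x00" * 128)
    return header + DHCP_MAGIC + bytes([OPT_MSG_TYPE, 1, 1, OPT_END])


def _walk_options(pkt):
    """Return (options dict, offset of the End option)."""
    options, i = {}, 240
    while i < len(pkt):
        code = pkt[i]
        if code == OPT_END:
            return options, i
        if code == OPT_PAD:
            i += 1
            continue
        length = pkt[i + 1]
        options[code] = pkt[i + 2:i + 2 + length]
        i += 2 + length
    raise ValueError("DHCP options without End marker")


def parse_dhcp(pkt):
    if len(pkt) < 240 or pkt[236:240] != DHCP_MAGIC:
        raise ValueError("not a DHCP message")
    op, _htype, hlen, hops, xid, _secs, flags, _ci, _yi, _si, giaddr, chaddr, _s, _f = struct.unpack(DHCP_HEADER, pkt[:236])
    options, _ = _walk_options(pkt)
    return {
        "op": op, "hops": hops, "xid": xid, "flags": flags,
        "broadcast": bool(flags & FLAG_BROADCAST),
        "giaddr": str(ipaddress.IPv4Address(giaddr)),
        "chaddr": mac_str(chaddr[:hlen]),
        "msg_type": options.get(OPT_MSG_TYPE, b"\x00")[0],
        "options": options,
    }


def relay_at_cmts(pkt, giaddr, upstream_name, cm_mac):
    """The CMTS as relay agent: set giaddr, bump hops, append Option 82 with
    sub-option 1 = upstream port name and sub-option 2 = MAC of the cablemodem the
    Discover arrived through. The End option is moved after the new option."""
    header = bytearray(pkt[:236])
    header[3] += 1                                        # hops
    header[24:28] = ipaddress.IPv4Address(giaddr).packed  # giaddr
    _, end = _walk_options(pkt)
    circuit = upstream_name.encode("ascii")
    remote = mac_bytes(cm_mac)
    opt82 = bytes([SUB_CIRCUIT_ID, len(circuit)]) + circuit + bytes([SUB_REMOTE_ID, len(remote)]) + remote
    return bytes(header) + pkt[236:end] + bytes([OPT_RELAY_AGENT, len(opt82)]) + opt82 + pkt[end:]


def parse_option82(value):
    """DHCP Server side: split the relay-agent option back into its sub-options."""
    subs, i = {}, 0
    while i + 2 <= len(value):
        code, length = value[i], value[i + 1]
        subs[code] = value[i + 2:i + 2 + length]
        i += 2 + length
    return {"circuit_id": subs.get(SUB_CIRCUIT_ID, b"").decode("ascii"),
            "remote_id": mac_str(subs.get(SUB_REMOTE_ID, b""))}


def offer_destination(discover):
    """Where the relayed Offer lands on the downstream: every modem's Ethernet port if
    the client set the broadcast flag, only the requesting client otherwise."""
    return BROADCAST_MAC if discover["broadcast"] else discover["chaddr"]
```

A DHCP Server that logs the parsed Option 82 next to the lease gets the CPE-to-cablemodem mapping the slide asks for without trusting anything the CPE itself put in the packet; the broadcast-flag check is what an operator can use to find the firmware the Protection slide wants replaced.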
[Diagram: DOCSIS Provisioning - Option 82 Relay. The CPE 00:11:22:33:44:55 behind the cablemodem 00:00:DE:AD:BE:EF (IP 172.16.0.10) sends a DHCP Discover to FF:FF:FF:FF:FF:FF. The CMTS relays it to the DHCP Server (Src 10.0.0.254, Dst 10.0.0.1, Giaddr: 200.0.0.1, hwaddr: 00:11:22:33:44:55) after adding Opt 82.1: Upstream 1 and Opt 82.2: 00:00:DE:AD:BE:EF.]
Customer Security Protocol Throttling
▪ ARP and DHCP are protocols that are necessary for system operation and cannot be completely filtered.
▪ Hackers can take advantage of that and generate denial of service attacks.
▪ DHCP DoS can overload the DHCP Server.
▪ ARP DoS can saturate the local segment with ARP traffic.
▪ CMTSs support Protocol Throttling: they allow a certain acceptable amount of traffic of those protocols and drop the rest.
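What "a certain acceptable amount and drop the rest" looks like when written down, as an added example and not a CMTS implementation: a token bucket per cablemodem and protocol, so a modem flooding ARP exhausts only its own allowance while a quiet modem next to it is untouched. The rates, bursts and traffic sample are constructed for the demo; a real CMTS exposes the limits as configuration.

```python
class TokenBucket:
    """Allow `rate` packets per second on average, with bursts of up to `burst` packets."""

    def __init__(self, rate, burst):
        self.rate, self.burst = float(rate), float(burst)
        self.tokens, self.last = self.burst, None

    def allow(self, now):
        if self.last is not None:
            self.tokens = min(self.burst, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False


class ProtocolThrottle:
    """Per-cablemodem limits for the protocols that cannot simply be filtered."""

    def __init__(self, limits):
        self.limits = limits  # proto -> (rate in pps, burst)
        self.buckets = {}     # (cm_mac, proto) -> TokenBucket

    def admit(self, cm_mac, proto, now):
        if proto not in self.limits:
            return True       # everything else is the packet filters' business
        key = (cm_mac, proto)
        if key not in self.buckets:
            self.buckets[key] = TokenBucket(*self.limits[proto])
        return self.buckets[key].allow(now)


# Assumed limits for the demo: ARP 2 pps with a burst of 10, DHCP 1 pps with a burst of 4.
LIMITS = {"arp": (2, 10), "dhcp": (1, 4)}


def sample_traffic():
    """Constructed: a quiet modem doing 1 ARP/s plus two DHCP packets, and a modem
    that fires 200 ARPs at once and 5 more two seconds later."""
    events = [(float(t), "00:00:DE:AD:BE:EF", "arp") for t in range(5)]
    events += [(0.5, "00:00:DE:AD:BE:EF", "dhcp"), (0.6, "00:00:DE:AD:BE:EF", "dhcp")]
    events += [(10.0, "00:00:DE:AD:00:00", "arp")] * 200
    events += [(12.0, "00:00:DE:AD:00:00", "arp")] * 5
    return sorted(events, key=lambda e: e[0])


def replay(events, limits=LIMITS):
    """Feed (time, cm_mac, proto) events through the throttle;
    return (accepted, dropped) per modem and protocol."""
    throttle = ProtocolThrottle(limits)
    counts = {}
    for now, cm, proto in events:
        accepted, dropped = counts.get((cm, proto), (0, 0))
        if throttle.admit(cm, proto, now):
            accepted += 1
        else:
            dropped += 1
        counts[(cm, proto)] = (accepted, dropped)
    return counts


if __name__ == "__main__":
    for (cm, proto), (ok, drop) in replay(sample_traffic()).items():
        print(f"{cm} {proto}: accepted {ok}, dropped {drop}")
```

With these numbers the flooding modem gets its 10-packet burst through, then 4 more after two seconds of refill at 2 pps, and the remaining 191 ARPs are dropped; the quiet modem never loses a packet, because the buckets are independent.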
Questions?
Thanks!