keyboard5684
Sam

join:2001-08-01
Pittsburgh, PA
Reviews:
·Armstrong Zoom ..

Re: Hope Virgin Media isn't blowing smoke

I designed an entire cable plant and system, and never did I see this happen. We did, however, see a single modem inject noise into the system, requiring we track it down. It may depend on the technology being used, but there are several ways to detect and "void" a non-authorized modem. So if the cable operator did not implement security features then shame on them.

The modem HAS to download the proper file and certificate from the CMTS every single time it comes online. If a MAC comes online and there was not the security certificate exchange and file download then it is blocked. The file name changes constantly and the certificate is updated on occasion.

Second, there are plenty of hardware vendors that allow monitoring and blocking if a modem goes over its speed. Blocked if they exceed it.

Third, there are cloning detection methods. It is easy to do if you follow the pattern of how a MAC is cloned.

There are a bunch of other methods that if implemented and watched, can eliminate this problem near 100%.

I just think that the cable provider you worked for used crappy hardware, bad security schemes, or just plain incompetence overall with how they operate. And I feel the same way about Virgin... in their upgrade "mode" I think they just let security go out the window.

You can also track a modem a lot easier without sending out techs. It really depends on the amps you use. It is really easy to track which node they are on. Then, track what amp they are using. You can even sometimes just "ask" the modem some questions using SNMP and other methods (not usually, but "hackers" get sloppy). So you start sending messages and getting replies from the modem, go amp by amp (if you can talk to these amps, i.e. they are modern and configured to do so, you do not have to go anywhere), then once you get down to the amp you can look at power level to and from the modem then narrow it down to a specific tap. Then, you may have to deal with maybe 8 customers depending on tap type. If your company uses high pass filters (this one did by design, I requested it on all non-internet customers) then you only have to worry about customers that have internet service. So then you are down to maybe 4 if that. Then disconnect them (or just "listen" to the line, but it is a lot easier to just unhook them at this point).

All the above is done by sending 1 tech out for less than 10 minutes. However, it may take an hour or more to find them from the data center/NOC/office... Properly designed cable systems function properly. Poor or lax design gets what you see with Virgin.
Lazlow

join:2006-08-07
Saint Louis, MO

Re: Hope Virgin Media isn't blowing smoke

keyboard5684

With the modified firmwares on the modems it does NOT have to download the proper files. The firmware shuts off the anti-sniff filters, then it is a relatively easy thing to grab the certificate and MAC of several modems (just takes time). Once you have enough it is really not that hard to recreate the algorithm. One does have to stay within the parameters of the account of the MAC you have cloned, but most systems have business accounts that have the high upload provisioning.

You can get close as you described, assuming the field techs have followed procedure (a lot do not). But as I stated in the earlier post, if you are not doing this in prime time it is usually not worth the ISPs time to track it down. Just look at the number of people who pirate regular cable. When they could not get my line cleaned up last spring, they went through every connection. There were over 90 houses pirating cable just between me and the node (removing them did a great job cleaning the signal).

Rally
Bah Humbug
Premium
join:2000-10-27
Astoria, NY
Reviews:
·RoadRunner Cable
The newer line of hacked modems cannot be brought down by using SNMP/bin file etc. You'll literally have to find it by going door to door. Why? Because the modems are using valid MAC addresses, with the correct bin files, that are used daily. The older modems, keyboard, can be detected by your method(s), but the newer Motorola 5100 series, it's nearly impossible. Because the CMTS thinks this modem is a valid one based on the valid MAC address, so it sends out the dynamic bin file each and every time.

On another note, I hope they do find these criminals and take them off the networks. I know without a doubt, this is one of the issues affecting congestion at the node level. And the MSOs do little to nothing about it. All it takes is a Google search, and you'll find the series of modems, pre-configured or not, etc.
--
The more you talk, the less you listen.

keyboard5684
Sam

join:2001-08-01
Pittsburgh, PA
Reviews:
·Armstrong Zoom ..

Re: Hope Virgin Media isn't blowing smoke

There is more to it. The serial number is one I can think of. They need to match, it is sent to the DHCP server as a request to get an IP to be able to download the file to begin with. It is like sending the serial as the password in a way. If SNMP is shut off, then it should not be allowed on?

There are plenty of ways to prevent theft, and to specifically say how a cable system operates would be out of context, basically starting a thread on how to defeat cable systems.

I understand they are valid MACs, and that the SNMP is disabled, but there are a ton of checks that go into the stages of a modem getting online. The CMTS should never assume just because the MAC address is valid the modem is.

One major point is detecting the MAC cloning itself. If a MAC appears twice that would shut them both down and trigger an alert. There are different algorithms to detect this activity, and stop it.

Again, I think Virgin, while upgrading, left out the security features to not be so restrictive while troubleshooting. A good system really makes sure everything is very specific with the process of coming online, and if it is not, they will not get online. I think Virgin was just in upgrade mode and not concerned about security.

As a good engineer, they would get the hacked modem and test with it. Make sure it could not do what happened. The best way to find out how people are stealing services is to read online how to do it/how others are. Then defeat it. It is almost a game sometimes. A new "hack" gets posted, and security experts read those same posts, and then they just repeat the method and break it up.

The best way to keep a hacked service is to shut up and not share it with others. Then, you may not be found out. Post it somewhere so others do it, and it is surely going to be resolved at some point.
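
The duplicate-MAC check described in the post above, sketched as an added example (not part of the original post and not any vendor's CMTS logic). The event tuple format, interface names and MAC addresses are constructed for illustration.

```python
from collections import defaultdict

# Constructed sample registration events, not real data:
# (timestamp_seconds, mac, cmts_interface, event), event is "online" or "offline".
EVENTS = [
    (100, "00:11:22:33:44:55", "cmts1/us0", "online"),
    (160, "00:AA:BB:CC:DD:EE", "cmts1/us1", "online"),
    (200, "00:11:22:33:44:55", "cmts2/us3", "online"),   # same MAC, second location
    (250, "00:aa:bb:cc:dd:ee", "cmts1/us1", "online"),   # re-registration, same interface
    (300, "00:aa:bb:cc:dd:ee", "cmts1/us1", "offline"),
    (320, "00:aa:bb:cc:dd:ee", "cmts1/us2", "online"),   # moved after going offline
    (400, "00:11:22:33:44:55", "cmts1/us0", "offline"),
]


def find_duplicate_macs(events):
    """Return one alert each time a MAC is online on more than one interface at once."""
    active = defaultdict(set)  # mac -> set of interfaces where it is currently online
    alerts = []
    # Process in time order; at equal timestamps handle "offline" before "online"
    # so a modem that moves within the same second is not flagged.
    for ts, mac, iface, event in sorted(events, key=lambda e: (e[0], e[3] == "online")):
        mac = mac.lower()  # MAC notation varies in case between sources
        if event == "offline":
            active[mac].discard(iface)
            continue
        already_here = iface in active[mac]
        active[mac].add(iface)
        # A repeat registration on the same interface is a reboot, not a clone.
        if not already_here and len(active[mac]) > 1:
            alerts.append({"time": ts, "mac": mac, "interfaces": sorted(active[mac])})
    return alerts


def macs_to_block(alerts):
    """Both copies share the MAC, so blocking the MAC takes both offline."""
    return sorted({a["mac"] for a in alerts})


if __name__ == "__main__":
    for alert in find_duplicate_macs(EVENTS):
        print(alert)
```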

marigolds
Gainfully employed, finally
Premium,MVM
join:2002-05-13
Saint Louis, MO
kudos:1

Re: Hope Virgin Media isn't blowing smoke

Having done this before back in the days...
you never touch the DHCP server. You set up your own TFTP service client side (using a modified legit file or a legit file for a higher level service), and I will leave out the rest for the sake of people not trying it. You have to use some fairly old modems (SB3100s, SB4100s) because more modern ones have security against inducing client side TFTP.
--
ISCABBS - the oldest and largest BBS on the Internet
telnet://bbs.iscabbs.com
Professional Geographer
Geographic Information Science researcher
patcat88

join:2002-04-05
Jamaica, NY
kudos:1

1 edit
So what would you do in the following situation?

»www.kramerfirm.com/pictures/disp···8&pos=21
»www.kramerfirm.com/pictures/disp···8&pos=26
»www.kramerfirm.com/pictures/disp···8&pos=36
»www.kramerfirm.com/pictures/disp···4&pos=25
»www.windypundit.com/archives/200···top.html

I've seen some other, better ones posted on DSLR, an MDU pic post from Videotron that beat all others. I can't seem to find it right now.

keyboard5684
Sam

join:2001-08-01
Pittsburgh, PA
Reviews:
·Armstrong Zoom ..

Re: Hope Virgin Media isn't blowing smoke

Send some people out to redo it/repair the situation and clean it up. That is me, and I do not work for anyone right now... so it is all my opinion. (Anyone looking for a network engineer!)

But really, that is poor maintenance and probably started with one tech doing something messy, then the rest just did not care after that because one already did it.

That is a management problem, nothing else. Management needs to get out into the field more it looks like.

The setup looks like it was actually correct to begin with, and even looks like it was fine in the pictures, just messy.
Tags appeared to be there, it looks like it is documented, just need to really clean it up and seal up the box.

A lot of those types of problems will go away too when cable companies are all digital. Analog cable is too easy to steal and also too easy for people to do things in their home that mess with the cable systems themselves (allowing ingress noise, etc). Digital cable will make it pointless for average Joe to just connect to the cable system and connect it to a TV.
Lazlow

join:2006-08-07
Saint Louis, MO

Re: Hope Virgin Media isn't blowing smoke

keyboard5684

Unless they are going to encrypt everything the digital conversion (QAM) is going to do little to change anything. As the battle of using proprietary for everything has already been fought once (cable lost) I think it is reasonable to assume that it will be blocked again.
patcat88

join:2002-04-05
Jamaica, NY
kudos:1

Re: Hope Virgin Media isn't blowing smoke

said by Lazlow:

keyboard5684

Unless they are going to encrypt everything the digital conversion (QAM) is going to do little to change anything. As the battle of using proprietary for everything has already been fought once (cable lost) I think it is reasonable to assume that it will be blocked again.
It's standard policy to never put anything other than OTA in clear QAM, some cable companies don't ever do that. I've never heard of a cable company putting any expanded basic (30-70 cable only channels) channels on clear QAM.

Who knows if the FCC will ever do anything about it.

Friday, 01-Jun 10:19:36 © 1999-2012 dslreports.com.