RE: ISP reconfiguring cable modem?

["Joshua M. Jones" <jjones () isgwichita com>]

Let me throw this scenario at you folks. What if you owned your own
cable modem and the ISP DID modify your modem such as flashing the
firmware? I have a good example of that. The Motorola has a way of
uncapping or editing your config file as you will. What legal rights
does the ISP have upgrading a personal modem that bought from an online
store? That would be another interesting topic to discuss as I am sure
many ISP's are implementing their own ways to prevent abusers stealing
more bandwidth.



-----Original Message-----
From: Tony Kava [mailto:securityfocus () pottcounty com] 
Sent: Wednesday, June 02, 2004 4:47 PM
To: security-basics () securityfocus com
Cc: 'David Schwendinger'
Subject: RE: ISP reconfiguring cable modem?

On 1 June 2004, David Schwendinger wrote:

> I think an equally important question besides the "is it technically 
> possible" is: Is it or should it be legal for ISPs to reconfigure 
> equipment belonging to its subscribers, let alone doing it without 
> telling them about it? 

I think this has been hit on already, but I wanted to chime in as I was
formerly employed by a cable modem ISP.

Of course the TOS will allow your ISP to modify that modem's
configuration
at will.  It is more polite to contact customers if they are singled out
individually or at least post a clearly written policy / notice to
explain
how your company handles instances where you must stop or modify a
user's
internet service.

The cable modem receives its configuration by TFTP when it boots.  There
are
some SNMP variables that can be set remotely, but for the most part
everything is set by the config file it downloads using TFTP.  The
config
file is actually setting values for a number of OIDs (like a batch
snmpset).
For those interested in what the configurations can look like, the
'docsis'
project has an open source tool and examples for generating config files
from text file configurations.  See http://tinyurl.com/2xbyt

If my recollection is correct, you have the ability to setup port
filtering
and traffic rules in the cable modem configuration.  You might, for
example,
prevent outgoing traffic destined for port 25 (other than to your mail
servers) to keep viruses and spammers from wreaking havoc.  This can
keep
that traffic from even traversing your cable plant.  Of course there is
always the option of blocking this traffic at any of the routers or
firewalls along the way.

If you detect a problem coming from one of your users' modems you would
only
need to change their modem's config filename (typically on your
DHCP/BOOTP
server) then issue a reset command to that modem.  The reset can be
accomplished by either using an SNMPset (best method for most modems) or
by
issuing a reset from the CMTS.  I have found that with some modems the
CMTS-issued reset did not always do the job.

The modem will reboot and obtain the new configuration.  I should hope
that
your ISP would contact you, but if your company is as large as Comcast,
and
your problem is as acute as theirs, they may not be able to do so.  They
could, however either send an e-mail (assuming they don't completely
disable
the user) or force the user's HTTP requests to a web page that explains
what
has happened to their access and provides a method of resolution.

I would be interested to see how Comcast handles this issue.  Internet
users
tend to be very defensive (and sometimes brutal) when you take away
their
internet access, especially if they are misusing it.  I've spoken with
more
than one spammer after blocking their ability to send e-mail.  When you
explain that their deeds cause undue load on your mail servers their
response is invariably that your company should have purchased
additional
servers just to handle their 'marketing'.  Most spammers (and on another
topic, day traders) insist that they are losing hundreds of thousands of
dollars for every minute they are without service.

--
Tony Kava
Senior Network Administrator
Pottawattamie County, Iowa



------------------------------------------------------------------------
---
Ethical Hacking at the InfoSec Institute. Mention this ad and get $545
off 
any course! All of our class sizes are guaranteed to be 10 students or
less 
to facilitate one-on-one interaction with one of our expert instructors.

Attend a course taught by an expert instructor with years of
in-the-field 
pen testing experience in our state of the art hacking lab. Master the
skills 
of an Ethical Hacker to better assess the security of your organization.

Visit us at: 
http://www.infosecinstitute.com/courses/ethical_hacking_training.html
------------------------------------------------------------------------
----


---------------------------------------------------------------------------
Ethical Hacking at the InfoSec Institute. Mention this ad and get $545 off
any course! All of our class sizes are guaranteed to be 10 students or less
to facilitate one-on-one interaction with one of our expert instructors.
Attend a course taught by an expert instructor with years of in-the-field
pen testing experience in our state of the art hacking lab. Master the skills
of an Ethical Hacker to better assess the security of your organization.
Visit us at:
http://www.infosecinstitute.com/courses/ethical_hacking_training.html
----------------------------------------------------------------------------