Vulnerability Development mailing list archives

Re: changing your @home IP address... could you take a bunch of them....probably... could you get something from it...maybe


From: "Laurence Brockman" <l.brockman () videon ca>
Date: Wed, 6 Feb 2002 09:34:55 -0700

In the States many companies will let you buy DOCSIS modems; here in Canada,
however, most cable ISPs are not at that stage currently. Some have
implemented DOCSIS on their networks (including the one that I work for).

The way the modems are throttled is by config files (and possibly via SNMP
management as well), so to unthrottle the modem (and the modems should be
capable of 10 Mbps both directions if not more) you would need to replace the
modem's config file.

However, attempts to hack the config file and replace it with your own can
be very difficult (not saying it's not doable, but in all my trying on our
network I haven't been able to). They have shared encrypted secrets in the
DOCSIS config files, so even if you do manage to replace the config file on
your modem with another one (very difficult to do), the cable router will not
accept the modem because the shared secret does not match.

Also, the config file is specified on boot-up by the cable ISP's DHCP server
(it should specify the TFTP server and the config file to download). So the
challenge is to spoof the DHCP server responses and force the modem to
download a config file from your TFTP server.

The problem with this is that most cable routers have a DHCP helper IP
address that they will forward the DHCP requests to, so it becomes very
difficult to spoof the DHCP responses because you will never see the
requests on either the Ethernet side of your modem or the requests of other
modems.

It would be interesting to see what people come up with.

Anyways, this is from experience working as a Unix admin on a cable network
and not from reading any standards, etc., so our implementation might be a
little different than the others.

Laurence

----- Original Message -----
From: "Blue Boar" <BlueBoar () thievco com>
To: "Russell Handorf" <rhandorf () mail russells-world com>
Cc: <vuln-dev () securityfocus com>
Sent: Tuesday, February 05, 2002 10:52 PM
Subject: Re: changing your @home IP address... could you take a bunch
of them....probably... could you get something from it...maybe


Russell Handorf wrote:

Jon is correct- the speed is determined via the modem. Back when
excite@home was compromised by Adrian Lamo, I was privy to such access as
well. On the computer havoc.corp.home.net there lay the 'help desk'
interface, where the users' settings were editable. I distinctly remember
the speed being an editable option for the modems. However the only way, to
my current knowledge, is to edit this information on the ISP side- still. I

Ultimately, if the box is in your house, it's only a matter of how much
time you want to spend hacking it, and the agreement between yourself and
your provider.

I do believe that many cable providers will allow their customers to
buy their own DOCSIS-compliant modems, no?  I understand the config file
will come from the ISP, of course.  Well, the original config file...

BB
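
The shared-secret check described in the reply above, sketched as an added example (not part of the original thread and not any vendor's code). DOCSIS 1.x computes this message integrity check as an HMAC-MD5 over the config settings; the TLV type numbers, secret and rates below are constructed for illustration and the layout is simplified.

```python
import hashlib
import hmac
import struct

# Constructed, simplified TLV type numbers (assumptions for this sketch).
T_MAX_DOWN, T_MAX_UP, T_MIC = 1, 2, 7

def tlv(t, value):
    """Encode one type-length-value field (1-byte type, 1-byte length)."""
    return struct.pack("BB", t, len(value)) + value

def parse(blob):
    """Decode a TLV stream, rejecting truncated fields."""
    fields, i = [], 0
    while i < len(blob):
        if i + 2 > len(blob) or i + 2 + blob[i + 1] > len(blob):
            raise ValueError("truncated TLV")
        n = blob[i + 1]
        fields.append((blob[i], blob[i + 2:i + 2 + n]))
        i += 2 + n
    return fields

def compute_mic(settings, secret):
    """Keyed digest over the settings; only holders of the secret can make it."""
    return hmac.new(secret, settings, hashlib.md5).digest()

def build_config(down_bps, up_bps, secret):
    """Provisioning side: serialize the rate limits and append the MIC."""
    settings = (tlv(T_MAX_DOWN, struct.pack(">I", down_bps)) +
                tlv(T_MAX_UP, struct.pack(">I", up_bps)))
    return settings + tlv(T_MIC, compute_mic(settings, secret))

def cable_router_accepts(blob, secret):
    """Head-end side: recompute the MIC over the settings the modem presents
    and refuse registration on any mismatch."""
    try:
        fields = parse(blob)
    except ValueError:
        return False
    mics = [v for t, v in fields if t == T_MIC]
    if len(mics) != 1:
        return False
    settings = b"".join(tlv(t, v) for t, v in fields if t != T_MIC)
    return hmac.compare_digest(mics[0], compute_mic(settings, secret))

if __name__ == "__main__":
    secret = b"constructed-shared-secret"
    cfg = build_config(1_500_000, 128_000, secret)
    edited = cfg[:2] + struct.pack(">I", 10_000_000) + cfg[6:]
    print("original accepted:", cable_router_accepts(cfg, secret))
    print("edited accepted:  ", cable_router_accepts(edited, secret))
```

The check only holds while the secret stays on the provisioning server and the cable router; a config file without a MIC requirement, or a guessable secret, removes the protection.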


