RE: ISP reconfiguring cable modem?

[Tony Kava <securityfocus () pottcounty com>]

On 1 June 2004, David Schwendinger wrote:

> I think an equally important question besides the "is it technically 
> possible" is: Is it or should it be legal for ISPs to reconfigure 
> equipment belonging to its subscribers, let alone doing it without 
> telling them about it? 

I think this has been hit on already, but I wanted to chime in as I was
formerly employed by a cable modem ISP.

Of course the TOS will allow your ISP to modify that modem's configuration
at will.  It is more polite to contact customers if they are singled out
individually or at least post a clearly written policy / notice to explain
how your company handles instances where you must stop or modify a user's
internet service.

The cable modem receives its configuration by TFTP when it boots.  There are
some SNMP variables that can be set remotely, but for the most part
everything is set by the config file it downloads using TFTP.  The config
file is actually setting values for a number of OIDs (like a batch snmpset).
For those interested in what the configurations can look like, the 'docsis'
project has an open source tool and examples for generating config files
from text file configurations.  See http://tinyurl.com/2xbyt

If my recollection is correct, you have the ability to setup port filtering
and traffic rules in the cable modem configuration.  You might, for example,
prevent outgoing traffic destined for port 25 (other than to your mail
servers) to keep viruses and spammers from wreaking havoc.  This can keep
that traffic from even traversing your cable plant.  Of course there is
always the option of blocking this traffic at any of the routers or
firewalls along the way.

If you detect a problem coming from one of your users' modems you would only
need to change their modem's config filename (typically on your DHCP/BOOTP
server) then issue a reset command to that modem.  The reset can be
accomplished by either using an SNMPset (best method for most modems) or by
issuing a reset from the CMTS.  I have found that with some modems the
CMTS-issued reset did not always do the job.

The modem will reboot and obtain the new configuration.  I should hope that
your ISP would contact you, but if your company is as large as Comcast, and
your problem is as acute as theirs, they may not be able to do so.  They
could, however either send an e-mail (assuming they don't completely disable
the user) or force the user's HTTP requests to a web page that explains what
has happened to their access and provides a method of resolution.

I would be interested to see how Comcast handles this issue.  Internet users
tend to be very defensive (and sometimes brutal) when you take away their
internet access, especially if they are misusing it.  I've spoken with more
than one spammer after blocking their ability to send e-mail.  When you
explain that their deeds cause undue load on your mail servers their
response is invariably that your company should have purchased additional
servers just to handle their 'marketing'.  Most spammers (and on another
topic, day traders) insist that they are losing hundreds of thousands of
dollars for every minute they are without service.

--
Tony Kava
Senior Network Administrator
Pottawattamie County, Iowa



---------------------------------------------------------------------------
Ethical Hacking at the InfoSec Institute. Mention this ad and get $545 off 
any course! All of our class sizes are guaranteed to be 10 students or less 
to facilitate one-on-one interaction with one of our expert instructors. 
Attend a course taught by an expert instructor with years of in-the-field 
pen testing experience in our state of the art hacking lab. Master the skills 
of an Ethical Hacker to better assess the security of your organization. 
Visit us at: 
http://www.infosecinstitute.com/courses/ethical_hacking_training.html
----------------------------------------------------------------------------