Here are some articles:

Cable modems transmitting Ethernet broadcast packets to every subscriber on
the neighborhood are a significant vulnerability, easily exploited by a
technically savvy attacker. For example, using a freely available program
called "arpwatch," I can scan for the ARP packets and detect how many
subscribers are on my cable segment. Since MediaOne has assigned host names
that look a lot like user names (e.g. sjones.ne.mediaone.net), I can learn
the names of my cyber-neighbors. I can also learn when the ARP packets are
sent, and establish when my neighbors are using their computers -- and when
they are at work.

The ARP problem, meanwhile, will be solved by the next-generation cable
modems that implement the so-called DOCSIS 1.1 protocol. Instead of
broadcasting ARP packets over the entire cable segment, DOCSIS 1.1 makes
sure that each customer will only see the ARP messages intended for his or
her machine. As an added protection, DOCSIS 1.1 is capable of encrypting all
information sent over the cable itself, with a separate encryption key for
each customer. This security measure prevents an attacker from splicing
their own cable modem into the backbone, the way that some people used to
hook up unauthorized cable decoders to get free cable TV service.

A third issue with large bridging networks concerns security and what is
known as Address Resolution Protocol, or ARP. In a bridging network, a
broadcast is issued to every user -- perhaps thousands -- to locate a particular
address. But perhaps another user chooses to write a simple program that
listens for broadcast requests and erroneously replies that it is the
intended recipient. This "hacker" can continue to intercept Bob's messages
as long as he or she wishes, and nothing in the network will automatically
prevent it.

Brandon Caudle
--------------
15yr Old Avid Unix User (HP-UX,FreeBSD,Linux)
>From: "'Glenn Johnson'" <[EMAIL PROTECTED]>
>To: "Jose M. Sanchez" <[EMAIL PROTECTED]>
>CC: "'Brandon Caudle'" <[EMAIL PROTECTED]>, [EMAIL PROTECTED]
>Subject: Re: [expert] Re: mysterious incoming packets
>Date: Sun, 5 Aug 2001 00:33:11 -0500
>
>On Sun, Aug 05, 2001 at 01:06:12AM -0400, Jose M. Sanchez wrote:
>
> > It's unlikely that this is a problem given the relatively low ARP rate
> > you are getting.
> >
> > A normal Cable modem "node" may have over 10,000 users.
> >
> > The head-end system has to update its table of available (connected)
> > IPs almost constantly.
> >
> > If you call the cable company, all you are going to get will be a
> >
> > "yeah, well, this is normal." response...
>
>Well, that may be the case. The thing is though, it is not normal. I
>have had this cable modem service for about a year and this is the first
>time I have seen this behavior. Even today, this morning everything was
>normal (no activity) then at about noon CST the arp requests started
>flooding in.
>
>--
>Glenn Johnson
>[EMAIL PROTECTED]
>
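Added example, not part of the original thread or of any tool named in it: a small Python check over ARP lines in tcpdump's text format that flags the two things discussed above, a sudden jump in ARP request rate and an IP address answered for by more than one MAC. The sample lines, addresses, function names and thresholds are constructed assumptions.

```python
import re
from collections import Counter, defaultdict
from statistics import median

# Constructed sample in tcpdump's ARP text format (not captured traffic):
# two quiet minutes, a burst of 40 requests at 12:00, then three replies.
SAMPLE = [
    "11:58:10.100000 ARP, Request who-has 10.20.0.7 tell 10.20.0.1, length 46",
    "11:59:40.200000 ARP, Request who-has 10.20.0.9 tell 10.20.0.1, length 46",
] + [
    f"12:00:{s:02d}.000000 ARP, Request who-has 10.20.0.{s} tell 10.20.0.1, length 46"
    for s in range(40)
] + [
    "12:00:41.000000 ARP, Reply 10.20.0.7 is-at 00:10:5a:aa:bb:01, length 46",
    "12:00:41.500000 ARP, Reply 10.20.0.7 is-at 00:10:5a:cc:dd:02, length 46",
    "12:00:42.000000 ARP, Reply 10.20.0.9 is-at 00:10:5a:aa:bb:03, length 46",
]

REQ = re.compile(r"^(\d\d:\d\d):\d\d\.\d+ ARP, Request who-has \S+ tell \S+,")
REP = re.compile(r"^\d\d:\d\d:\d\d\.\d+ ARP, Reply (\S+) is-at ([0-9a-f:]{17}),")

def requests_per_minute(lines):
    """Count ARP requests per HH:MM bucket (minutes with none do not appear)."""
    return Counter(m.group(1) for m in map(REQ.match, lines) if m)

def flood_minutes(counts, factor=10, floor=20):
    """Minutes whose request count exceeds max(floor, factor * median).

    factor and floor are assumed tuning values; the floor keeps a quiet
    segment from flagging a handful of requests as a flood.
    """
    if not counts:
        return []
    limit = max(floor, factor * median(counts.values()))
    return sorted(minute for minute, n in counts.items() if n > limit)

def conflicting_replies(lines):
    """IPs for which ARP replies advertised more than one MAC address."""
    seen = defaultdict(set)
    for m in map(REP.match, lines):
        if m:
            seen[m.group(1)].add(m.group(2))
    return {ip: macs for ip, macs in seen.items() if len(macs) > 1}

if __name__ == "__main__":
    print("flood minutes:", flood_minutes(requests_per_minute(SAMPLE)))
    for ip, macs in conflicting_replies(SAMPLE).items():
        print("conflict:", ip, sorted(macs))
```

An IP changing MAC can also be a DHCP reassignment or a replaced network card, so a conflict is a reason to look closer rather than proof of interception.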