ISP security questions

Your questions can be answered when you consider that the cable modem has MAC and IP address on the cable side of the device, as well as on the AN side of the device. The ISP's database defines which services are allowed for which modem by using the modem's MAC address.

Thanks for your reply. But, if the cable modem is acting like a true bridge, then wouldn't it pass through the MAC address of the subscriber's device (PC or router), so that the MAC address "seen" by the ISP would be the address of the connected device, and not of the modem itself?

Thanks, Nick

Who says the cable modem acts as a bridge? Remember, all the traffic for a given neighborhood is present on the same cable. The modem has to detect and selectively pass only the traffic intended for it. Similarly, the modem is paired with only one device (specified by MAC address) on the LAN side. That sounds more like routing, rather than bridging.

All that aside, you could probably look up the DOCIS specifications and see exactly what the protocol does, and does not, allow.

But, in reality, it's not.

Now the big fun is if you can modify your cable modem's MAC to be a mac of a legit cable modem on another segment. There was a vulnerability or hack released several years ago whereby access was regulated upstream of multiple segments whereby if you spoofed a legit MAC on another segment, your traffic would be routed happily by the upstream devices, and because you were on a separate segment, there would be no arp conflicts. I never tried it, but it is the best example I can think of that plays to the scenarios you are pondering. I think it also needed a configuration goof on teh cable modem provider's part to not lock ip's to a mac or some such. I'm fuzzy on the details, but it was possible at some providers apparently.

Best Regards,

-- Todd H.

I'll take a stab, partly because I hope someone will correct me where I'm wrong.

The cable modem knows how many IP's it's allowed to request on your behalf via it's config file, and it learns the MAC address of the first device that it talks to after powering up. If you're allowed X, and you request X+1, the last request is ignored.

My information is dated here, but as recently as 2001 I knew of a teenager (who would later become my step-son) who would manually assign public IP addresses to 3-4 of his friends when they'd bring their PC's over for a LAN party. He was in a single-PC household with the PC directly connected to the CM (via a hub), so he would look at his own IP and just make up as many additional IP's as he needed by incrementing the last octet. If anyone had trouble connecting to the 'net, he would try another number until he found one that worked. My assumption is that 'trouble connecting' meant an IP collision with a legitimate user of that IP. When I discovered what they were doing, I added a router to the mix. Who knows how many people they inconvenienced by making up their own 24.x.x.x IP's.

The cable modem's MAC never changes and is provisioned to a specific user account, so my guess is that the CM MAC plays a role here. At the same time, the ISP knows who had a specific IP address at a specific time, so one way or another it should be pretty simple to identify individual users for billing, etc.

I believe the CM's config file contains the bandwidth parameter, so the CM is the traffic cop.

I did a bit more digging around regarding the authentication mechanism, and found the following guide:

One possible explanation that I've come up with is that when the user makes a DHCP request, the head-end router dynamically records the user's current MAC address and "binds" it to the assigned DHCP IP address, so that the user traffic can be identified. Is this how it's done?

Thanks, Nick

They use the MAC address on the cable side of the modem; not the MAC address of the user device attached to the LAN side of the modem.