undefined | Better HN

0 points1000100_10001013y ago0 comments

Not quite. It was ISP incompetence (or malice, who knows), but not due to routing. Everyone in your neighbourhood was on branches off of the same string of coax. I think a CMTS (Cable Modem Termination System... a box run by your ISP send you your SYNC, MAP, etc.) headend could be like 20 miles of coax away. Anybody on that 20 miles of coax, assigned to the same channel, would share routing... ie: send down this cable on this channel's frequency.

Each cable modem knew which devices were attached to them (IP and MAC). A dumb ISP would limit you to one MAC on the CM, even though it made no difference to them. Perhaps trying to upsell more connections. Everyone just got routers instead. The CM receives packets from the CMTS for everyone on your 20 mile stretch of cable. It needs to decode them to know who they're for, where one ends and where a new packet starts. An option, configured by the ISP and downloaded as you connect to the network, would tell your modem to either discard all traffic that didn't belong to a known device on your local subnet, or just spew absolutely everything out on your local ethernet. Many ISPs configured their modems to spew everything. Not only was this insecure, most PCs didn't handle all the ethernet interrupts gracefully either, and it could grind your PC to a halt.

CMs also supported encryption, optionally, at the discretion of the ISP (the "Baseline Privacy" you see in the article). Hardware assisted encryption was just rolling out, and only on some CMs, so many ISPs would have this off to improve throughput. DES or 3DES, and possibly another option was available at the time. Your CM and the CMTS would negotiate keys, rotate them with fresh ones every now and then (configurable duration). With this in place, your modem wouldn't be able to decode your 20 miles of neighbours traffic. Your data was secure, at least to the cable office, which could act as nefarious as they chose (why end to end encryption is ideal).

Traffic on another channel would never be decoded (unless the CMTS told your CM to switch channels, it could actively migrate you to optimize the network, shunt you off a channel whose hardware was about to be replaced, then move you back all seamlessly... there would be slight hiccup while it re-did ranging, etc).

Source: I used to write CM firmware for Docsis 2.0 modems in the late 90s.

0 comments

p_l3y ago

Ahhh, the combination of options that led to CMTS allowing client->CMTS->client connection is what I alluded to with "ethernet emulation" (I bet it also made sense for some setups). Great to see some more detail.

BTW, I seem to recall that at least in early 2000s it was kinda popular to hack TFTP servers providing CM configuration files, to somehow change speeds available - was that really doable, or did retelling mangle the details?

1000100_1000101OP3y ago

TLDR: I don't know. :)

The configuration was just a file. The file format was standardized to allow any modem to work I believe, so in theory someone could replace the configuration file without much effort. The ISP would know the CM MAC, possibly another identifier (it's been a while, I don't recall everything), to know what services/speeds to allow for a particular customer, and know which config to send them. If the ISP just make the filename for a customer the CM's MAC, it would be easy to replace for just one user. If it looked up which configuration to supply a customer from a database, you'd need to tweak that. As the configuration selection gets more complex, you might just get hackers replacing a config shared by hundreds or thousands of customers... the massive uptick in traffic that would cause would likely cause trouble. No idea how quickly they'd find the replaced config, but if it was affecting everyone on the same plan, I imagine they'd clue in pretty quick.

I'm not aware of how people abused the system or how the ISP configuration side was generally done, but it sounds plausible. What I don't recall if is the downstream bandwidth is actually listed in the CM config, since only the CMTS needs to know the limit on what it can send, or what upstream bandwidth to allow. A CM can request to download whatever it wants, but the CMTS will throttle your downstream and upstream bandwidth however it wants. If it's in the config, and if the CMTS reads and uses the same config, then sure.

Even if they were separate configs, and the CMTS config was non-standard, people may also just just copied the higher-end CMTS config over top of the lower-end one. Who knows.

But yeah, if you did it in a way that affected everyone, you'd probably cause enough trouble to get noticed pretty quickly.

j / k navigate · click thread line to collapse