
pterjan's diary


2008-12-11

  Numericable

A few days ago I was connected through Numericable and I started Wireshark to diagnose a local issue.

I was surprised to see a lot of traffic. The most visible part was about 20 ARP requests per second, coming from their routers and asking for other customers.

Cisco_29:c1:05        Broadcast             ARP      Who has 89.3.183.58?  Tell 89.3.176.1
Cisco_29:c1:05        Broadcast             ARP      Who has 89.3.123.29?  Tell 89.3.120.1
Cisco_29:c1:05        Broadcast             ARP      Who has 89.2.102.4?  Tell 89.2.102.1
Cisco_29:c1:05        Broadcast             ARP      Who has 82.216.182.19?  Tell 82.216.182.1

It's surprising that they forward the ARP broadcasts to the local network, but that's not the interesting part.

Hidden in the flow were quite a lot of DHCP answers, which I will now comment on.

Here is the common part of all the DHCP answers, nothing very interesting:

Ethernet II, Src: Cisco_29:c1:05 (00:15:f9:29:c1:05), Dst: Broadcast (ff:ff:ff:ff:ff:ff)
Internet Protocol, Src: 10.27.0.1 (10.27.0.1), Dst: 255.255.255.255 (255.255.255.255)
User Datagram Protocol, Src Port: bootps (67), Dst Port: bootpc (68)
    Message type: Boot Reply (2)

First, the ones for the user machines, probably sent when the modem is not set up as a router, as the one I was connected to had given me a 192.168.0.x address and was masquerading me:

    Your (client) IP address: 89.3.125.59 (89.3.125.59)
    Relay agent IP address: 85.69.128.1 (85.69.128.1)
    Client MAC address: HewlettP_5b:cf:a9 (00:1a:4b:5b:cf:a9)
    Option: (t=53,l=1) DHCP Message Type = DHCP ACK
    Option: (t=54,l=4) Server Identifier = 172.20.230.15
    Option: (t=1,l=4) Subnet Mask = 255.255.248.0
    Option: (t=3,l=4) Router = 89.3.120.1

    Your (client) IP address: 89.3.178.52 (89.3.178.52)
    Relay agent IP address: 85.69.128.1 (85.69.128.1)
    Client MAC address: AsustekC_7f:3d:ee (00:15:f2:7f:3d:ee)
    Option: (t=53,l=1) DHCP Message Type = DHCP Offer
    Option: (t=54,l=4) Server Identifier = 172.20.130.15
    Option: (t=1,l=4) Subnet Mask = 255.255.240.0
    Option: (t=3,l=4) Router = 89.3.176.1

So, I get the IP and MAC of other customers' machines, still not very interesting.

    Relay agent IP address: 85.69.128.1 (85.69.128.1)
    Client MAC address: AppleCom_ef:8e:24 (00:30:65:ef:8e:24)
    Option: (t=53,l=1) DHCP Message Type = DHCP NAK
    Option: (t=56,l=95) Message = "Requested lease 85.69.128.190 was active and assigned to different client: 01:00:1f:33:de:10:cd"
    Option: (t=54,l=4) Server Identifier = 172.20.130.15

Does this mean you can't change the connected machine until the (1 hour) lease has expired?

Now some more interesting ones, for the modems. The common part, giving internal addresses of their servers:

    Next server IP address: 172.20.143.8 (172.20.143.8)
    Relay agent IP address: 10.27.0.1 (10.27.0.1)
    Option: (t=53,l=1) DHCP Message Type = DHCP Offer
    Option: (t=54,l=4) Server Identifier = 172.20.143.15
    Option: (t=1,l=4) Subnet Mask = 255.255.128.0
    Option: (t=3,l=4) Router = 10.27.0.1
    Option: (t=4,l=4) Time Server = 172.20.143.1

And now the interesting part, the one which changes:

    Your (client) IP address: 10.27.74.224 (10.27.74.224)
    Client MAC address: Motorola_5e:34:82 (00:0e:5c:5e:34:82)
    Boot file name: selfprov.cm

    Your (client) IP address: 10.27.59.77 (10.27.59.77)
    Client MAC address: NVPhilip_4b:be:4c (00:90:3e:4b:be:4c)
    Boot file name: s9e_30m_1m_01.cm

    Your (client) IP address: 10.27.65.27 (10.27.65.27)
    Client MAC address: NVPhilip_56:18:e3 (00:90:3e:56:18:e3)
    Boot file name: s9e_512k_128k_01.cm

So, there are two brands of modem, and the boot file is different if you subscribed to the 30Mb/1Mb offer or to the 512kb/128kb one. Would your connection get faster if you tricked your modem into getting the other file? I don't know but I would not be surprised...

I had thought of getting a connection through them in addition to my current DSL, as they promise 100Mb/s here before the end of 2008 (which is almost finished). After this experience I have decided to never subscribe to their services; playing with their network would be too tempting.

I think I didn't do anything bad, only looked at packets sent to me on the local network :) I didn't even try to see if the 10.x addresses are routed by the modem (I'm almost sure they are not).

Another point: all the people in this building connected with Numericable (that's 12 of them) have a WEP network on channel 6. I hope the modem supports WPA and selecting other channels. WEP when you have so much permanent unwanted traffic is very weak...

Today's TSUKKOMI(Total: 5)
  ethana2 (2008-12-11 02:26)

Leaving the vulnerability alone doesn't make it go away. You've now put the idea out there for anyone else to take advantage of.

I'm afraid that to see just how much of a potential problem this is, you're obligated to exploit it.

  plaes (2008-12-11 10:36)

Yup, cable modems get their communication parameters with the configuration file. If you manage to change the parameters it is possible to max out the pipe :)

  bkor (2008-12-11 11:10)

I thought it was pretty well known. At least my ISP checks if you change the config (it is still possible to change it IIRC).

  ChrisS (2008-12-14 14:07)

I do hope they lock things down. That's a good way of going broke!

  Nico (2008-12-30 22:46)

In 2007, VoIP traffic for other customers was broadcast to everyone.
And their DNS servers gave you reverse DNS for 168.192.in-addr.arpa ( => supervision.noos.net.)
But since the Noos/Numericable fusion, things have slowly improved.

