Steps on How Service Providers Can Combat CPE Fraud and Protect Network Security

Najla Dadmand

Co-authored by Najla Dadmand, Incognito Software Systems’ product manager, and Patrick Kinnerk, senior product manager.

Cable modem fraud can be a major source of revenue leakage for service providers. A recent study found that communication service providers lost $3 billion worldwide due to cable modem cloning and fraudulent practices.

To combat this problem, device provisioning solutions include mechanisms to prevent loss — but what do you really need to protect your bottom line?

There are a number of DOCSIS-specific specifications designed to address this problem:

  • TFTP Server Timestamp (TLV 19): This puts a timestamp in the TLV, which the CMTS uses to prevent a modem from downloading old files and incorrectly provisioning the device.
  • IP Address Verification (TLV 20): The IP address is included in the TLV to enable the CMTS to verify that the correct IP is being provisioned.
  • DOCSIS 3.0 Message Integrity Check (MIC): This feature provides additional security for file generation by ensuring the file the CMTS gives to the cable modem is correct.
  • Baseline Privacy Plus (BPI+): When enabled on the DOCSIS network, this causes the CMTS to authenticate the cable modem through an exchange of certificates that includes the MAC address of the modem. The certificate exchange is very difficult to hack. This means that if the cable modem attempts to authenticate with a different MAC address than what is listed in the certificate, the CMTS will detect MAC address spoofing and will not authorize the CM for data services. As a result, BPI+ prevents simple MAC spoofing, which is one of the most common forms of theft of service, although further measures are required to detect whether the actual certificate itself has been cloned.

Only provisioning solutions that dynamically generate DOCSIS and PacketCable configuration files on demand can include features such as IP verification and TFTP server timestamp. Beyond the above specifications, further security measures should be considered for an extra level of protection against cable modem cloning.

Dynamic File Generation

It is more secure to generate dynamic files than static files as the unique file names can't be used in file replay attacks. In addition to the unique file name, the IP address assigned to a device must be verified to download the file.

Why is this useful? Consider someone sniffing the network to see what is being downloaded (for example, a file called gold.bin). The person may assume this file is a gold-service package and they might attempt to download it. To prevent this from occurring, the file is stored in a short-term cache and the DHCP server assigns an IP to the device, along with the unique file. As a result, if a device with the wrong IP tries to download the file, it will not succeed.

Dynamic file generation also offers operators a simple and secure way to change the MIC setting (also known as a Shared Secret). This is because any given CMTS may generate hundreds or even thousands of unique configuration files for devices. Without dynamic file configuration, an operator would need to manually rebuild every unique configuration file to change the Shared Secret, whereas a device provisioning solution that supports dynamic file generation gives operators the ability to make one central change.
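The sketch below is an added example, not Incognito's implementation or code from the original article. It models the short-term cache described above: each file gets an unguessable name, is bound to the IP that DHCP assigned, and is tagged with a key held in one central place. The class name, the file body layout and the HMAC-SHA256 tag (a stand-in for the MIC, not the DOCSIS TLV encoding) are assumptions.

```python
import hashlib
import hmac
import secrets


class DynamicConfigCache:
    """Short-term cache of per-device config files, each bound to one IP."""

    def __init__(self, shared_secret: bytes, ttl_seconds: int = 60):
        self.shared_secret = shared_secret  # one central setting for every file
        self.ttl = ttl_seconds
        self._files = {}  # file name -> (bound IP, expiry time, file bytes)

    def generate(self, mac: str, assigned_ip: str, service: str, now: float) -> str:
        """Called when DHCP hands out assigned_ip; returns the unique file name."""
        body = f"mac={mac};service={service};ip={assigned_ip};ts={int(now)}".encode()
        # Keyed tag standing in for the MIC (assumption: not the DOCSIS encoding).
        tag = hmac.new(self.shared_secret, body, hashlib.sha256).digest()
        name = secrets.token_hex(16) + ".bin"  # unguessable, unlike gold.bin
        self._files[name] = (assigned_ip, now + self.ttl, body + tag)
        return name

    def fetch(self, name: str, requester_ip: str, now: float) -> bytes:
        """TFTP read handler: serve only to the bound IP, only while cached."""
        entry = self._files.get(name)
        if entry is None:
            raise PermissionError("unknown file name")
        bound_ip, expires, data = entry
        if now > expires:
            del self._files[name]
            raise PermissionError("file expired from cache")
        if requester_ip != bound_ip:
            raise PermissionError("requester IP does not match DHCP assignment")
        return data


def demo() -> dict:
    """Constructed scenario: the owner, a sniffer on another IP, a late replay."""
    cache = DynamicConfigCache(shared_secret=b"constructed-secret", ttl_seconds=60)
    name = cache.generate("00:11:22:33:44:55", "10.0.0.20", "gold", now=1000.0)
    results = {"owner": cache.fetch(name, "10.0.0.20", now=1010.0)[:4]}
    for label, ip, when in [("wrong_ip", "10.0.0.99", 1010.0), ("replay", "10.0.0.20", 2000.0)]:
        try:
            cache.fetch(name, ip, when)
            results[label] = "served"
        except PermissionError as exc:
            results[label] = str(exc)
    return results
```

Because the tag is computed at generation time from `shared_secret`, changing that one value changes the tag on every file generated afterwards, which is the central change the paragraph above describes.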

IP Limiting

Limiting the number of IPs that the DHCP service can give to CPEs behind a modem can prevent more basic forms of service theft. For example, a DOCSIS provisioning service that includes IP limiting will stop a legitimate subscriber from letting a neighbor or friend who does not live in the household access the service.

Anti-Roaming

This feature prevents a cable modem from moving around the network illegitimately. It is designed for use in one cluster, rather than multiple, and may be useful in regions where there are legal restrictions about moving service from one point to another.

Prevention of Denial of Service

This is a security feature that aims to increase the availability of the provisioning system by preventing DHCP Denial of Service (DoS) attacks. For instance, if someone attempts to attack an operator and tries to cause problems with the provisioning system, denial-of-service prevention is in place to stop this. The feature works by detecting the DoS attack and the related device, and then dropping all DHCP packets/traffic associated with the attack.

Lease Query and Bulk Lease Query

This feature authorizes hosts on the network in order to allow the transmission of IP packets. The CMTS checks with the provisioning system to ensure the IP is legitimate and if the DHCP service authorizes the IP, the packet can go through. If the IP is not authorized, the packet is not transmitted.

The CMTS snoops DHCP packets to build an IP-to-cable-modem mapping, so that there is an entry for every IP given out. If this data is out of sync, for example due to a CMTS reboot, the CMTS can obtain this information from the provisioning service via lease query to build the table.

Central Lease Service

An additional measure for more comprehensive protection is to store, track, and manage leases in a central solution that integrates directly with the provisioning solution. This makes it much simpler to keep track of lease information in large networks where there may be multiple provisioning servers in use.

This gives operators the ability to catch any cloned modem and prevent that clone from appearing anywhere else in the network. Even in the case of a full clone that the BPI+ specification misses, a central repository of lease data will detect the fraudulent modem, even if the MAC certificate is cloned.
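The following detection sketch is an added example, not part of the original article or any vendor's product. It pools lease records from several provisioning servers and flags a modem MAC that holds overlapping leases behind different CMTSs. The record layout, the server and CMTS names, and the rule that such an overlap indicates a clone are assumptions; the sample data is constructed.

```python
from collections import defaultdict

# Constructed lease records, as several provisioning servers might report them:
# (provisioning server, CMTS, modem MAC, lease start, lease end), epoch seconds.
LEASES = [
    ("prov-a", "cmts-east-1", "00:11:22:33:44:55", 1000, 4600),
    ("prov-b", "cmts-west-3", "00:11:22:33:44:55", 2000, 5600),  # overlaps: clone
    ("prov-a", "cmts-east-1", "00:AA:BB:CC:DD:01", 1000, 4600),
    ("prov-a", "cmts-east-2", "00:aa:bb:cc:dd:01", 5000, 8600),  # moved after expiry
    ("prov-b", "cmts-west-3", "00:aa:bb:cc:dd:02", 1500, 5100),
]


def find_clone_suspects(leases):
    """Return {mac: [CMTS names]} for MACs with overlapping leases on different CMTSs."""
    by_mac = defaultdict(list)
    for _server, cmts, mac, start, end in leases:
        by_mac[mac.lower()].append((start, end, cmts))
    suspects = {}
    for mac, entries in by_mac.items():
        entries.sort()  # by lease start time
        seen = set()
        for i, (_s1, end1, cmts1) in enumerate(entries):
            for start2, _e2, cmts2 in entries[i + 1:]:
                if start2 >= end1:
                    break  # later leases start even later: no overlap with this one
                if cmts1 != cmts2:
                    seen.update((cmts1, cmts2))
        if seen:
            suspects[mac] = sorted(seen)
    return suspects


def per_server_view(leases, server):
    """What one provisioning server could detect from its own leases alone."""
    return find_clone_suspects([rec for rec in leases if rec[0] == server])


if __name__ == "__main__":
    print(find_clone_suspects(LEASES))
```

In the sample data neither provisioning server sees a conflict on its own; the duplicate only shows up once the leases are pooled.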

Overall, a comprehensive device provisioning solution with security features can protect your network from cloned devices trying to access service for free, and from problem devices launching denial of service attacks. You should be able to configure these features to suit your needs, whether it is to deny service to any suspicious device or take it to a walled garden.

The last thing you need is a barrage of fraudulent devices accessing your service for free, affecting not only your bottom line, but also potentially the quality of service of your legitimate customers.

Want to learn more? Discover how a Tier 1 North American service provider eliminated 88% of CPE cloning with a comprehensive device provisioning solution that included security mechanisms.

By Najla Dadmand, Product Manager at Incognito Software Systems
