Hacker News new | ask | show | jobs
by AndyMcConachie 3868 days ago
Is this a cable modem or a router? My definition of cable modem doesn't include an IP address.

These POCs never include enough information for me. For instance, is this exploitable from the external interface, or only internal?
3 comments
PhantomGremlin 3868 days ago
Is this a cable modem or a router?

Reminds me of the inane SNL sketch, whose catchphrase was: "New Shimmer is both a floor wax and a dessert topping!"

My Arris (nee Motorola) SB6141 is a bridge and a router. It's actually very nicely done.

When the modem can't access the cable infrastructure, it turns itself into a DHCP server and hands out IP addresses in the range 192.168.100.xx. This is useful for people at home whose configurations are such that their home networks won't work properly without some sort of DHCP server provided by the ISP.

Once the modem can talk to the ISP, it turns itself into a bridge. The IP addresses the modem previously issued were valid for 30 seconds, so there will shortly be a new DHCPREQUEST which the modem bridges out to the ISP. From then on, the modem is transparent to IP traffic (but see below).

My definition of cable modem doesn't include an IP address.

This is highly useful. Once the modem has switched to being a bridge, it still responds to 192.168.100.1. There's all sorts of useful information there. E.g. DOCSIS status, Channel IDs, received Signal to Noise ratio, transmit Power Level, etc. There's even a nice (but short) log of the modem's interaction with the cable infrastructure.

The modem is outside my firewall, so I don't really worry about it much. It's like anything else on the Internet as far as my home network is concerned.

However, I do currently allow access to 192.168.100.1 (normally I block outbound RFC 1918 addresses). That is a potential problem should some rogue program on my network attempt to exploit a modem vulnerability. Maybe I'll just block all those addresses and only enable them in the firewall when I want to check the modem status.

link
MertsA 3868 days ago
> Maybe I'll just block all those addresses and only enable them in the firewall when I want to check the modem status.

For the business networks I manage I actually go out of my way to make sure that 192.168.100.1 is blocked. With no authentication anyone can reset a Motorola modem to factory defaults which takes like 15 minutes to come back up. An attacker can just jump on a guest network and basically DoS you until you figure out what's going on and good luck with that because most people are going to assume that their modem constantly rebooting means that they need a new one, or it's the ISPs fault.

link
voltagex_ 3868 days ago
>normally I block outbound RFC 1918 addresses

I'm assuming LAN traffic still works in this case.

>That is a potential problem should some rogue program on my network attempt to exploit a modem vulnerability. Maybe I'll just block all those addresses and only enable them in the firewall when I want to check the modem status.

I've been looking at scraping my modem interface for info and then blocking all but one PC from accessing the admin interface

link
uxp 3868 days ago
> I'm assuming LAN traffic still works in this case.

Blocking outbound RFC 1918 addresses is a fairly common firewall configuration to prevent any LAN traffic from leaking out into the internet due to weird or misconfigured NAT rules, etc. It doesn't prevent that traffic from traversing the LAN, just if it might try and escape the WAN.

link
voltagex_ 3868 days ago
Ah right, that's done by my ISP at the first hop.
link
mikequinlan 3868 days ago
You can address the Arris cable modem at ip address 192.168.100.1. Some providers disable this after it goes online. Here is one reference http://www.dslreports.com/forum/r20894378-What-is-the-cable-...
link
spydum 3868 days ago
If It's one cross site scripting attack away, what's the difference if it's external?
link