COMBATING SECURITY RISKS ON THE CABLE IP NETWORK


J.T. McKelvey, Cisco Systems, Inc., USA

ABSTRACT

Cable IP networks are often mistakenly believed to be insecure. Theft of service is becoming more common on DOCSIS networks as the details of vulnerabilities are distributed by the press and on websites dedicated to helping subscribers understand how to steal service. The possibility of subscriber data theft or other violations of data integrity is increasingly problematic. Denial-of-service attacks such as Code Red and NIMDA have crippled CMTS devices and cable IP networks throughout the world. However, the cable IP network can be an extremely secure access medium, at least as secure as other common access media. The DOCSIS specifications, along with advanced features available on some CMTS platforms, enable cable operators to effectively combat security risks through simple means. DOCSIS shared secrets, BPI+, and other cable IP network features can mitigate all but the most aggressive attacks. Nevertheless, cable operators are only recently beginning to deploy these security features. Cable operators should accelerate deployment of security features to mitigate growing security concerns.

INTRODUCTION

Due to several well-publicised security faults in early deployments, as well as known security issues common to all high-speed always-on access media, cable IP networks have historically been considered insecure. Recent denial-of-service attacks against cable operators and the publication of procedures for theft of IP service have only served to increase the widely held belief that cable IP networks are prone to information theft and breaches of privacy. While this may be true in some current cable IP deployments, cable operators today have tools available to tightly secure their networks and combat denial-of-service, theft-of-data, and theft-of-service attacks. It is the goal of this paper to briefly discuss both common types of attacks and mitigation procedures.

Theft of video signal is estimated to cost the cable television industry billions of dollars per year. A recent study by the United States based National Cable & Telecommunications Association (NCTA) showed that over $6.5 billion US dollars were lost in 2000 in North America alone to theft of service and other acts of cable piracy (1). An estimated 11% of cable television viewers in the US illegally obtain video service. This is the environment into which cable operators are deploying cable IP network services. The potential for service theft grows in step with the increase in revenue-generating services on the cable network. For example, the same NCTA studies indicate that nearly $560 million US dollars of revenue were lost in 2000 to pay-per-view service theft.

Theft of service on DOCSIS cable modem networks has increased at a rate greater than the growth of the networks themselves. This is due in part to the proliferation of knowledge of how to perpetrate these thefts. Several well-publicised websites document how to steal DOCSIS service or how to illegally modify cable modems to receive unauthorised (usually faster) service parameters. In particular, several hacker websites around the world have posted detailed information and free software for use in illegally modifying service profiles on systems using popular brands of cable modem. This unauthorised service profile modification can lead to unexpected congestion on the cable IP network, over-utilisation of network resources, and subsequent increased costs to legitimate cable modem subscribers.

Data integrity and privacy are also key issues for broadband subscribers. Numerous articles in the press are indicative of the public's concern that neighbours or other persons might be able to read cable modem traffic and violate user privacy. While the DOCSIS specifications include provisions for heightened data security on cable IP networks, these security features are infrequently deployed. It is simply a matter of time until a publicised incident exposes data or privacy theft on a cable modem network. When deployed, DOCSIS security features can help create a cable IP access network as secure as any circuit-switched point-to-point access network. Therefore, it is vital that cable operators understand and enable these features before a publicised breach in data privacy further undermines subscriber confidence.

Large-scale denial-of-service attacks have also served to corrode subscriber faith in the security and stability of cable modem networks. Code Red worm and NIMDA worm attacks have caused cable IP network service outages and necessitated widespread software upgrades and system reconfigurations. Most subscribers are unfamiliar with the technical aspects of these attacks and see the cable IP network as vulnerable to further denial-of-service outages. In an environment of public concern, it is important for the cable provider to understand the security risks for all of its services. For the cable IP network it is particularly important to understand theft-of-service attacks, data integrity, and denial-of-service attacks so that their effects can be mitigated and attacks prevented in the future.

THEFT OF SERVICE

Theft of service on cable IP networks takes several forms. In all cases, however, theft of service negatively impacts paying subscribers. The shared nature of the cable access network necessitates careful capacity planning, and theft of service damages a cable operator's ability to adequately design the network to support subscribers. Some common types of service theft on the cable IP network include modem uncapping, configuration file counterfeiting, configuration cloning, IP address accumulation, and modem cloning.

Cable Modem Uncapping

Uncapping cable modems, the process by which a cable modem's rate limits are removed, is the most common and most widely publicised security breach on cable IP networks. Uncapping refers to the removal of a modem's throughput "cap" or maximum rate limit (usually in the upstream direction). Uncapping typically involves users who initially have valid service contracts but who wish to achieve higher service levels (usually higher speed connections) without authorisation. When users uncap their cable modems they are committing a theft of service. Users who perform this act receive a level of service for which they are not authorised and for which they do not pay. Due to the shared nature of DOCSIS networks, users who modify class-of-service (CoS) profiles such as rate limits cause other users to experience correspondingly poorer service levels. Several users with illegally uncapped cable modems may completely monopolise available bandwidth, and legitimate users may even be denied service completely. If a cable operator is to appropriately design, deploy, and maintain the cable IP network, uncapped cable modems must be denied access to network resources.

Several websites have appeared detailing the process of modifying DOCSIS cable modems such that they connect with no defined limits to throughput. How-to guides to uncapping modems and even free software programs that assist users in uncapping their modems are widely available. Efforts to limit the publication of uncapping techniques simply will not suffice to keep users from practising these techniques. Only by securing the cable IP network can users be kept from the unauthorised modification of their CoS profiles.

Figure 1 - A sample uncapping website

Cable modem uncapping is performed in several ways, including: counterfeit DOCSIS configuration files, valid configuration file reuse, shell-based modem configuration, use of multiple IP addresses, and modem cloning (IP and MAC cloning). Of these, the most common today is the use of counterfeit DOCSIS configuration files.

Counterfeit DOCSIS Configuration Files

Some cable modems were designed to support download of the DOCSIS configuration file from the modem's Ethernet port. Although they violate the DOCSIS specifications, modems designed in this manner are easy to manufacture and test because they can be tested without being connected to a functional DOCSIS CMTS. Users wishing to uncap their cable modems take advantage of this violation of the DOCSIS specification and boot their modems without having them connected to the actual cable network. Modems that can be booted while only connected via Ethernet can be exploited and uncapped. By using widely available tools such as DHCP server software, TFTP server software, TOD server software, and DOCSIS file configurators, a user can cause vulnerable cable modems to initialise using a special set of DOCSIS configuration file parameters. All the tools necessary for the process are quickly found on websites that explain and promote uncapping. Using these tools, the modem can be made to entirely bypass the cable operator's configuration process. Once a modem has been configured to accept a custom configuration file and complete initialisation, a user need only build a configuration file that allows for unlimited throughput. Causing the modem to boot from this user-generated configuration file allows for totally uncapped throughput. To combat this type of modem uncapping (using illicit configuration files from unknown sources), a feature known as shared secret is included in DOCSIS configuration files.

Shared secret allows cable operators to confirm that configuration files are valid by provisioning each valid file with a special authentication string. Although the authentication string is entered in the configuration file editor at the time the file is created, the string itself is not included in the file. Instead, the file includes an MD5 hash computed over the total information contained in the file and the authentication string. Because the process of creating an MD5 hash is one-way, anyone receiving the file will have an extremely difficult time recovering the authentication string (2). The CMTS is also configured with the authentication string. When the CMTS receives a registration request from a cable modem, it uses the known authentication string to recreate the MD5 hash and compares the result with the hash value provisioned on the cable modem. If the hash values differ, the modem is denied registration. A malicious user wishing to counterfeit a DOCSIS configuration file on a system configured with shared secret must know the authentication string to create a functional file. This is extremely difficult due to the nature of MD5 hashes. However, several groups have discovered brute-force methods for bypassing shared secret. These tools repeatedly attempt connections through the CMTS until eventually they discover a valid MD5 hash based on known cable modem parameters. Although the authentication string is seldom discovered, the end result is a counterfeit configuration file that appears to be authentic. Luckily for cable operators, these tools are still rather ineffective (3).

Other mechanisms to detect and combat counterfeit configuration files include the consistent monitoring of users and their throughput profiles. The use of SNMP to poll each DOCSIS device in the network is common and effective. One cable modem uncapping website suggests that those users who have access to their modem's configuration quickly disable SNMP before they are detected.
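The shared-secret check just described, as an added example that is not code from the paper or from Cisco: a provisioning side that generates a small DOCSIS-style configuration file carrying both MICs, and a CMTS side that recomputes them from the file and the authentication string it holds. The TLV layout and the exact bytes covered by the CMTS MIC are simplified assumptions, and the keyed digest stands in for the authentication-string hash the text describes; the cases include a file left over after the operator changes the string.

```python
"""DOCSIS-style configuration file check with a shared secret.

Added example, not Cisco's or CableLabs' code. It models the mechanism the
paper describes: the file carries a digest computed over its contents and an
authentication string that is never stored in the file, and the CMTS, which
knows the string, recomputes the digest and rejects a mismatch. TLV type
codes follow DOCSIS 1.0 conventions; the exact TLV subset the real CMTS MIC
covers is simplified here (assumption).
"""
import hashlib
import hmac
import struct

TLV_DOWNSTREAM_FREQ = 1    # value: 4-byte frequency in Hz
TLV_CLASS_OF_SERVICE = 4   # sub-TLVs: 1 class id, 2 max downstream bps, 3 max upstream bps
TLV_CM_MIC = 6             # plain MD5 over the preceding TLVs (integrity only)
TLV_CMTS_MIC = 7           # MD5 keyed with the shared secret over preceding TLVs + CM MIC
TLV_END = 255

SECRET = b"operator-auth-string"   # constructed; configured on the CMTS, never in the file


def tlv(t, value):
    return bytes([t, len(value)]) + value


def build_config(down_freq_hz, max_down_bps, max_up_bps, shared_secret):
    """Provisioning side: encode the service parameters and append both MICs."""
    cos = (tlv(1, b"\x01")
           + tlv(2, struct.pack("!I", max_down_bps))
           + tlv(3, struct.pack("!I", max_up_bps)))
    body = tlv(TLV_DOWNSTREAM_FREQ, struct.pack("!I", down_freq_hz)) + tlv(TLV_CLASS_OF_SERVICE, cos)
    body += tlv(TLV_CM_MIC, hashlib.md5(body).digest())
    cmts_mic = hmac.new(shared_secret, body, hashlib.md5).digest()
    return body + tlv(TLV_CMTS_MIC, cmts_mic) + bytes([TLV_END])


def parse_tlvs(data):
    """Return [(type, value, offset_of_this_tlv)] up to the end marker."""
    out, i = [], 0
    while i + 1 < len(data) and data[i] != TLV_END:
        t, n = data[i], data[i + 1]
        out.append((t, data[i + 2:i + 2 + n], i))
        i += 2 + n
    return out


def cmts_verify(config, shared_secret):
    """CMTS side: recompute both digests and compare in constant time.

    Returns (accepted, reason)."""
    found = {t: (v, off) for t, v, off in parse_tlvs(config)}
    if TLV_CM_MIC not in found or TLV_CMTS_MIC not in found:
        return False, "MIC missing"
    cm_val, cm_off = found[TLV_CM_MIC]
    cmts_val, cmts_off = found[TLV_CMTS_MIC]
    if not hmac.compare_digest(hashlib.md5(config[:cm_off]).digest(), cm_val):
        return False, "CM MIC mismatch: file altered after it was generated"
    expected = hmac.new(shared_secret, config[:cmts_off], hashlib.md5).digest()
    if not hmac.compare_digest(expected, cmts_val):
        return False, "CMTS MIC mismatch: file not generated with the operator's authentication string"
    return True, "registration accepted"


def demo():
    """Run the cases an operator would test before enabling shared secret."""
    good = build_config(453_000_000, 1_500_000, 256_000, SECRET)
    # Byte 19 is the most significant byte of the upstream rate (see the TLV
    # layout in build_config); raising it without regenerating the MICs breaks CM MIC.
    tampered = good[:19] + b"\x01" + good[20:]
    # A file generated without knowledge of the string: well-formed, CM MIC
    # correct, but the keyed digest cannot match what the CMTS recomputes.
    guessed = build_config(453_000_000, 10_000_000, 10_000_000, b"guess")
    return {
        "legitimate": cmts_verify(good, SECRET),
        "tampered_rate": cmts_verify(tampered, SECRET),
        "wrong_secret": cmts_verify(guessed, SECRET),
        # After the operator rotates the string, yesterday's valid file fails.
        "after_rotation": cmts_verify(good, b"operator-auth-string-v2"),
        "no_mic": cmts_verify(bytes([TLV_END]), SECRET),
    }


if __name__ == "__main__":
    for case, (ok, reason) in demo().items():
        print(f"{case:15s} {'ACCEPT' if ok else 'DENY':6s} {reason}")
```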
Another uncapping tutorial suggests using moderate limits in the counterfeit configuration files because unreasonable limits or completely uncapped modems are easily detected and denied service.

Reusing Valid Configuration Files

The counterfeiting of configuration files can for the most part be defeated using the shared secret authentication string, but it is possible for a modem to be configured with an unauthorised but nevertheless authentic configuration file that was originally destined for another user. To accomplish this, a user intercepts or steals a valid configuration file used for the provisioning of some other cable modem. On cable IP networks where tiered service levels are offered, some subscribers can pay additional fees to receive correspondingly higher levels of throughput or other desirable service parameters. Each modem receiving premium service must be appropriately provisioned, usually via the DOCSIS configuration file. Malicious users may be able to acquire a configuration file for a level of service superior to their own. This is accomplished by downloading the file from an insecure TFTP server or by intercepting the file during the initialisation of other cable modems. Using the same mechanisms for illicitly provisioning cable modems described earlier, a valid premium-level configuration file may be placed on a cable modem not authorised for that service level.

To combat the reuse or theft of existing valid configuration files, it is suggested that cable operators regularly change the authentication string used in provisioned configuration files. Because the process of stealing a valid file and re-provisioning a cable modem is onerous, frequent changes of the shared secret may significantly reduce theft. Securing or updating TFTP server software may also help. It is possible with SNMP to query the CMTS as well as individual cable modems and determine the service profile each modem is receiving. To further combat valid configuration file theft, management software could be written to compare known billing data with service profile information and subsequently identify modems with unauthorised service profiles.

Shell Based Cable Modem Configuration

Certain cable modems can be directly configured either through a graphical user interface or through a command line shell. Direct configuration mechanisms violate the DOCSIS specifications, but most cable modems still have some type of shell functionality for debugging and troubleshooting. When it is possible for users to gain direct access to the cable modem shell configuration, it is possible that the modem can be configured to support higher throughput levels or some other modified service parameter. To gain enough direct control of a cable modem to commit theft of service is difficult. Usually some extraordinary circumstance is required, such as custom cable modem operating system versions or specialised knowledge of the modem's development process. It is possible that a user familiar with cable modem technologies and with access to source code could create a software image designed to allow uncapping or changes to service parameters, but this is considered unlikely. Nevertheless, there are documented incidents of service theft believed to include shell based modem manipulation. To combat shell based configuration changes, some CMTS vendors have deployed software that denies cable modems the ability to create new service profiles. When enabled, these features restrict a modem to a known set of parameters, and modems attempting to connect with unrecognised service classes are denied access to network resources (4).

Multiple IP Addresses

Some cable operators have chosen not to use the features inherent in the DOCSIS specification to limit user throughput rates. Instead, rates are limited at a point beyond the CMTS, usually on the basis of IP address. Often this type of rate limiting is found in hotels using DOCSIS or other cable modem networks to offer internet access to customers. The use of multiple IP addresses, sometimes called IP address accumulation, is the process by which a single user transmits using several valid IP addresses. For example, a user may be able to emulate several IP addresses at once and pool throughput, thus gaining extremely high speed access. This type of service theft is complicated, however, and requires a relatively high level of knowledge of IP and device configuration, and is therefore rare. It is not yet documented on DOCSIS networks, although it is theoretically possible with a specialised modem software image.

Modem Cloning - IP Address

A more common way of using IP addresses to steal service is for a user to emulate a valid provisioned cable modem, either by reusing a known valid address or by using a vacant address in a known valid IP address range. A modem can be provisioned, for example, using many of the same techniques used for provisioning counterfeit configuration files, to use the IP address of another subscriber's modem. The modem can then transmit normally and appears to the cable operator as an appropriately provisioned modem. Problems frequently manifest when this type of theft of service is occurring on the cable network. In particular, IP addressing conflicts can deny valid subscriber modems access to network resources. The presence of many unauthorised users on the shared network can also impact the service available to valid subscribers by restricting total throughput.

To prevent this type of theft, Cisco Systems has developed a feature that uses the IETF draft standard (5) DHCP LEASEQUERY to validate IP and MAC address pairs. In conjunction with a DHCP server, the Cisco CMTS can determine the MAC address of each cable modem and the IP address each modem was assigned during initialisation. When a modem attempts to connect to the CMTS, the CMTS compares the MAC address and IP address of the modem, and if they do not match the DHCP server information, the modem is denied registration. If a user attempts to clone an unassigned IP address, the CMTS will be unable to determine a MAC-IP pair and will deny the modem registration. An additional benefit of using DHCP LEASEQUERY is that it negates the need for the CMTS to use Address Resolution Protocol (ARP) to determine the MAC-IP address pairings for attached devices. As a result, ARP messaging on the cable IP network is kept to a minimum. The interception of ARP messages is one way in which IP addresses are acquired for use in IP address cloning. Although Cisco Systems is currently the only CMTS vendor offering DHCP LEASEQUERY functionality on deployed CMTS devices, it is assumed that other vendors will quickly follow suit.

Modem Cloning - MAC Address

It is also possible for a modem to be modified to emulate the MAC address of a known valid cable modem. In the case of MAC address cloning, the CMTS sees the cable modem as a valid modem and provisions it accordingly. The CMTS cannot tell the cloned modem from the original, and once the cloned modem is provisioned it operates as though it were the original. For all intents and purposes, the CMTS cannot differentiate the cloned modem from the original. To differentiate modems from each other using means other than the modem's MAC address, the DOCSIS 1.1 specification includes new features within the Baseline Privacy Plus Interface Specification (6) (BPI+). BPI+ requires the provisioning of cable modems with RSA digital certificates. At the time of manufacture, each modem manufacturer provisions modems with unique X.509 certificates that include values that reflect the modem's MAC address.
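The DHCP LEASEQUERY validation described earlier in this section, as an added example that is not Cisco's implementation: the CMTS builds a query-by-IP for the address a registering modem claims, the DHCP server answers from its lease table, and the CMTS admits only a modem whose MAC matches the lease holder. The message-type values are those later standardised in RFC 4388 (assumed here to match the draft the paper cites); the lease table and addresses are constructed.

```python
"""CMTS-to-DHCP-server DHCPLEASEQUERY exchange used to validate IP/MAC pairs.

Added example, not Cisco's implementation. The DHCP message-type values are
those later standardised in RFC 4388 (assumption: the draft the paper cites
used the same numbers). Query-by-IP puts the address in ciaddr; the server
answers DHCPLEASEACTIVE with the lease holder's MAC in chaddr, or
DHCPLEASEUNASSIGNED / DHCPLEASEUNKNOWN when there is no lease.
"""
import socket
import struct

DHCPLEASEQUERY, DHCPLEASEUNASSIGNED, DHCPLEASEUNKNOWN, DHCPLEASEACTIVE = 10, 11, 12, 13
BOOTREQUEST, BOOTREPLY = 1, 2
BOOTP_FMT = "!BBBBIHH4s4s4s4s16s64s128s"   # fixed 236-byte BOOTP header
MAGIC_COOKIE = b"\x63\x82\x53\x63"
OPT_MSG_TYPE, OPT_END = 53, 255


def mac_bytes(mac):
    return bytes.fromhex(mac.replace(":", ""))


def build_packet(op, xid, ciaddr, giaddr, chaddr, msg_type):
    """Minimal DHCP packet: BOOTP header, magic cookie, message-type option."""
    hdr = struct.pack(BOOTP_FMT, op, 1, 6, 0, xid, 0, 0,
                      socket.inet_aton(ciaddr), b"\0" * 4, b"\0" * 4,
                      socket.inet_aton(giaddr), chaddr.ljust(16, b"\0"),
                      b"\0" * 64, b"\0" * 128)
    return hdr + MAGIC_COOKIE + bytes([OPT_MSG_TYPE, 1, msg_type, OPT_END])


def parse_packet(raw):
    f = struct.unpack(BOOTP_FMT, raw[:236])
    if raw[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP packet")
    opts, i = {}, 240
    while i < len(raw) and raw[i] != OPT_END:
        code, length = raw[i], raw[i + 1]
        opts[code] = raw[i + 2:i + 2 + length]
        i += 2 + length
    return {"op": f[0], "xid": f[4], "ciaddr": socket.inet_ntoa(f[7]),
            "chaddr": f[11][:6], "msg_type": opts[OPT_MSG_TYPE][0]}


class LeaseServer:
    """DHCP server side of the exchange, answering from its lease table."""

    def __init__(self, pool, leases):
        self.pool = set(pool)        # addresses this server hands out
        self.leases = dict(leases)   # ip -> MAC of the modem it was leased to

    def handle(self, raw):
        q = parse_packet(raw)
        if q["msg_type"] != DHCPLEASEQUERY:
            raise ValueError("unexpected message type")
        ip = q["ciaddr"]
        if ip in self.leases:
            return build_packet(BOOTREPLY, q["xid"], ip, "0.0.0.0",
                                mac_bytes(self.leases[ip]), DHCPLEASEACTIVE)
        kind = DHCPLEASEUNASSIGNED if ip in self.pool else DHCPLEASEUNKNOWN
        return build_packet(BOOTREPLY, q["xid"], ip, "0.0.0.0", b"", kind)


def cmts_admit(server, cmts_ip, modem_mac, claimed_ip, xid=0x2A2A):
    """CMTS side: ask who holds claimed_ip and admit only the matching MAC."""
    query = build_packet(BOOTREQUEST, xid, claimed_ip, cmts_ip, b"", DHCPLEASEQUERY)
    reply = parse_packet(server.handle(query))
    if reply["xid"] != xid or reply["op"] != BOOTREPLY:
        return False, "reply does not match our query"
    if reply["msg_type"] == DHCPLEASEACTIVE:
        if reply["chaddr"] == mac_bytes(modem_mac):
            return True, "IP/MAC pair confirmed by DHCP server"
        return False, "address is leased to a different MAC (cloned IP address)"
    if reply["msg_type"] == DHCPLEASEUNASSIGNED:
        return False, "address is in the pool but was never leased"
    return False, "address unknown to the DHCP server"


# Constructed lease table: two modems completed DHCP normally.
SERVER = LeaseServer(pool=[f"10.1.0.{i}" for i in range(10, 51)],
                     leases={"10.1.0.10": "00:10:95:aa:bb:01",
                             "10.1.0.11": "00:10:95:aa:bb:02"})


def demo():
    """The registration cases the paper describes, decided by the exchange."""
    return {
        "valid": cmts_admit(SERVER, "10.1.0.1", "00:10:95:aa:bb:01", "10.1.0.10"),
        "cloned_ip": cmts_admit(SERVER, "10.1.0.1", "00:10:95:de:ad:01", "10.1.0.10"),
        "vacant_ip": cmts_admit(SERVER, "10.1.0.1", "00:10:95:de:ad:01", "10.1.0.40"),
        "foreign_ip": cmts_admit(SERVER, "10.1.0.1", "00:10:95:de:ad:01", "192.0.2.9"),
    }


if __name__ == "__main__":
    for case, (ok, why) in demo().items():
        print(f"{case:10s} {'ADMIT' if ok else 'DENY':5s} {why}")
```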
These digital certificates are very difficult to clone or emulate. Using the digital certificates for authentication, a cable operator can quickly identify and deny modems with cloned MAC addresses. Although devices meeting the DOCSIS 1.1 specification are still only minimally deployed, BPI+ features are compelling and it is widely assumed that DOCSIS 1.1 deployments will accelerate in coming months.

DATA INTEGRITY

Cable modem networks have been widely criticised as insecure due to the shared nature of the cable IP MAC domain. While all access networks ultimately aggregate to some shared medium, the possibility of malicious entities gaining knowledge of private user traffic cannot be ignored. The DOCSIS specifications include provisions for data privacy and integrity using various strengths of encryption, and for advanced modem authentication procedures. Using these methods can help prevent breaches of user privacy and maintain the security and integrity of subscriber traffic and information.

Baseline Privacy Interface Specification (BPI)

The BPI specification (7), a part of DOCSIS 1.0, is designed to improve the security of data over DOCSIS cable IP networks through data encryption. The purpose of BPI is to provide a fundamental level of protection for all DOCSIS devices such that the cable IP network is as secure as any other access medium, particularly point-to-point circuit based networks. When enabled, BPI helps prevent subscribers from gaining knowledge of information sourced from or destined for other subscribers. Using 56-bit DES encryption, BPI enabled cable modems encrypt and decrypt traffic automatically in a manner transparent to the subscriber. The Baseline Privacy Key Management (BPKM) protocol defines the procedure used to exchange keys and update the encryption endpoints. Frequent key exchanges further protect data security by requiring unauthorised viewers to constantly decipher new key values.

Baseline privacy is not enabled by default but can be easily configured on the CMTS and in the DOCSIS configuration file. All cable operators should enable BPI on their networks at the soonest possible opportunity. Because BPI encryption and decryption are implemented in all modem and CMTS hardware subsystems, there are no compatibility concerns, and because they occur in hardware there is no appreciable degradation in system performance when BPI is enabled.

In early DOCSIS 1.0 deployments the United States government restricted the export of 56-bit DES encryption software. As a result, 40-bit DES encryption was included in many cable modems to allow for export beyond US borders. Some older cable IP networks may still operate using 40-bit BPI, but the subsequent relaxation of US export constraints has allowed for the proliferation of 56-bit DES encryption software throughout the world.

In a DOCSIS 1.0 network, BPI mainly protects against unauthorised access to data using strong data encryption. BPI 1.0 does not have any type of authentication distribution protocol between the cable modem and CMTS; hence it does not provide strong protection from theft of service. MAC address spoofing can bypass BPI in this case, despite the encryption between the CMTS and cable modem, since there is no authentication between them. In a best practice security model, strong protection is built upon not only strong encryption but also strong authentication.
Authenticating users in a cable environment becomes critical to protection against device cloning.

Baseline Privacy Plus Interface Specification (BPI+)

BPI+ retains the encryption mechanisms for data security defined in BPI but, as a part of DOCSIS 1.1, includes significantly greater requirements for device authentication. As discussed before, BPI+ authentication via pre-provisioned RSA digital certificates allows the cable IP network operator to uniquely identify each cable modem and protect against MAC address cloning. Additionally, BPI+ allows for the use of AAA servers to authenticate devices and users. In the DOCSIS 1.1 specification, cable modems may also authenticate with a Common Open Policy Server (8) (COPS). This affords the cable operator greater authentication that extends beyond BPI+. This protocol uses a client/server model that maintains message integrity and reliability. COPS is a stateful protocol in that it allows the server to push configuration information to the client, and then allows the server to remove that information from the client when it is no longer applicable. This helps prevent modems from gaining unauthorised access to the network, thus curtailing theft of service.

IP Security (IP-Sec) Encryption and Virtual Private Networks (VPNs)

BPI 56-bit encryption is relatively easy to compromise using modern computer hardware. Constant key exchanges can improve security, but as decryption mechanisms become more sophisticated, those concerned about maintaining data security must improve encryption mechanisms to keep pace. Advanced cable modems are now available that contain hardware-based IP-Sec encryption engines to dramatically improve data security, not only across the cable IP network but also from one end of the transmission to the other. These secure connections, known as IP-Sec VPNs, require the configuration of both endpoints (the modem and a corporate firewall, for example). Once configured, IP-Sec VPNs are transparent to the user. IP-Sec VPNs can provide security as high as 3-DES encryption as well as authentication and other security benefits. IP-Sec VPNs are most widely used for telecommuter, business-to-business, office-to-office, and other business related functions.

DENIAL-OF-SERVICE

Denial-of-service (DoS) attacks are characterised by service outages or disruptions initiated by malicious or unauthorised individuals. In a typical denial-of-service attack, network resources are consumed and made unavailable to legitimate subscribers. Other types of denial-of-service attacks include the damaging of important network infrastructure, resulting in network outages. Some of the most damaging denial-of-service attacks are certain self-propagating programs, called worms, that use infected hosts to find and infect other hosts in a geometrically increasing wave of undesirable resource utilisation.

Figure 2 - Denial-of-service attacks cost cable operators millions of dollars every year

Numerous denial-of-service attacks have been widely reported by the press (9), both in the United States and in other countries. Among the most pervasive and damaging service disruptions were those caused by the Code Red worm (and its related worm programs) and the NIMDA worm.

Code Red Worm and Code Red II

The Code Red worm and its variants exploit a weakness in Microsoft's IIS server software (a buffer overflow) to gain access to target machines. Once a host is infected, a program is loaded into the host's memory and the host is used by Code Red to scan the network for other vulnerable systems and as a platform from which to infect them. Additionally, some variants of the Code Red worm use infected hosts as platforms from which to launch distributed denial-of-service attacks against specific IP addresses. It is the network-scanning traffic, combined with the directed attack traffic caused by hundreds or thousands of infected systems, that consumes network resources and causes disruption or degradation of service. Code Red particularly impacted cable IP networks due to the vulnerability of cable hosts to repeated random scanning by infected hosts.

To minimise damage caused by Code Red (10), it is necessary to identify and manage traffic associated with Code Red HTTP queries. Although the best mechanism to combat Code Red and Code Red II is to update all vulnerable hosts to protect them from infection, the cable operator must protect the network resources first and foremost. The identification and removal of Code Red traffic on the Cisco CMTS is accomplished using Network Based Application Recognition (NBAR) for identification and several other standard mechanisms for traffic management. Code Red worm scanning attacks are easily recognisable by their distinct pattern. Using NBAR or other mechanisms that can differentiate HTTP traffic based on the URLs contained in HTTP requests allows for relatively simple traffic identification and marking. Policy-based routing (PBR), IP access lists, and traffic policing can all be used to deny marked traffic.

NIMDA Worm

NIMDA ("admin" spelled in reverse) is another worm variant that uses multiple means to propagate. One such method is through MIME enabled mail clients. The NIMDA worm can be included in an attachment such that it is automatically executed when received by vulnerable systems (11). Another way in which NIMDA spreads is by exploiting web server vulnerabilities, much like the Code Red worm. Like Code Red and other worms, NIMDA harms cable operators by denying service to cable modem subscribers. NIMDA creates large amounts of data and can monopolise network resources to the exclusion of all other applications. To protect against Code Red-like NIMDA behaviour, the same precautions should be taken as are taken against Code Red. To help protect against propagation, users must be encouraged to install appropriate patches to their software applications.

Smurf Attacks

A smurf attack, or smurfing, involves the abuse of IP broadcast functionality. In a smurf attack an ICMP echo is sent using the source address of the target device. The initiating ICMP packets are sent to a network broadcast address. Because large numbers of hosts receive the ICMP echo, each responds to the ICMP echo source address with an ICMP echo reply. By using ICMP echo reply amplification in this manner, a malicious individual can amplify ICMP traffic on target hosts in a manner that denies all other traffic. Cable IP networks are vulnerable for use both as target networks, due to their shared nature, and as amplification points, due to their always-on properties. To combat smurf attacks, IP filtering is required. Using IP filters to limit the volume of ICMP traffic or to completely deny directed broadcast traffic is suggested. The Cisco IOS feature "no ip directed-broadcast" can be easily enabled on Cisco CMTSs to protect against smurf attacks.
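The URL-based classification that NBAR performs for Code Red and NIMDA traffic, as an added example that is not Cisco code, run over a constructed access log: each request is matched on its URL pattern, and sources issuing worm requests are listed with the number of hosts they touched, ready to be handed to an access list or policer.

```python
"""URL-based identification of Code Red and NIMDA propagation traffic.

Added example, not Cisco NBAR. It shows the classification the paper says
NBAR performs: HTTP requests are matched on their URL, and sources issuing
worm requests are listed so that an access list or policer can deny them.
The log format below is constructed for this example.
"""
import re
from collections import defaultdict

LOG_RE = re.compile(r'^(\S+) (\S+) "(\w+) (\S+) HTTP/\d\.\d" (\d{3})$')
# Code Red (I and II) sends /default.ida? followed by a long filler run of N
# or X and then %u-encoded shellcode.
CODE_RED_RE = re.compile(r"^/default\.ida\?[NX]{50,}%u", re.IGNORECASE)
# NIMDA's web-server vector requests root.exe (left behind by Code Red II)
# or reaches cmd.exe through traversal paths.
NIMDA_RE = re.compile(r"/(?:root|cmd)\.exe(?:\?|$)", re.IGNORECASE)

# Constructed access log: src_ip dst_host "request" status
CODE_RED_PATH = "/default.ida?" + "N" * 224 + "%u9090%u6858%ucbd3%u7801%u9090"
CODE_RED2_PATH = "/default.ida?" + "X" * 224 + "%u9090%u6858%ucbd3%u7801%u9090"
SAMPLE_LOG = [
    f'198.51.100.7 10.0.3.12 "GET {CODE_RED_PATH} HTTP/1.0" 404',
    f'198.51.100.7 10.0.3.13 "GET {CODE_RED_PATH} HTTP/1.0" 404',
    f'198.51.100.7 10.0.3.14 "GET {CODE_RED2_PATH} HTTP/1.0" 200',
    '203.0.113.5 10.0.3.12 "GET /scripts/root.exe?/c+dir HTTP/1.0" 404',
    '203.0.113.5 10.0.3.15 "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404',
    '10.0.3.20 10.0.3.12 "GET /index.html HTTP/1.1" 200',
    '10.0.3.21 10.0.3.12 "GET /default.ida HTTP/1.1" 404',   # no payload: not marked
    'garbage line that does not parse',
]


def classify_url(path):
    """Return the worm signature a request path matches, or None."""
    if CODE_RED_RE.match(path):
        return "code-red"
    if NIMDA_RE.search(path):
        return "nimda"
    return None


def scan_log(lines):
    """Map each source that issued worm requests to (signatures, distinct targets).

    The distinct-target count exposes the scanning pattern the paper describes:
    one infected host probing many addresses."""
    sigs, targets = defaultdict(set), defaultdict(set)
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        src, dst, _method, path, _status = m.groups()
        sig = classify_url(path)
        if sig:
            sigs[src].add(sig)
            targets[src].add(dst)
    return {src: ("+".join(sorted(sigs[src])), len(targets[src])) for src in sigs}


def deny_entries(findings):
    """Sources to hand to the access-list / traffic-policing stage."""
    return sorted(findings)


if __name__ == "__main__":
    for src, (sig, n) in scan_log(SAMPLE_LOG).items():
        print(f"{src:15s} {sig:10s} scanned {n} host(s)")
```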

Distributed Denial-of-service (DDoS)

A DDoS attack relies on numerous hosts, typically infected with small IRC-based software agents, to send simultaneous traffic streams to the target host or router. These traffic streams, usually in the form of UDP or ICMP packets, overwhelm available network resources and deny throughput to desirable traffic streams. By consuming all available bandwidth, a target host or system can be completely denied service (12).

Figure 3 - Available bandwidth at grc.com during a DDoS attack (Steve Gibson)

Combating DDoS attacks is complex and usually involves a set of complex traffic filters, NBAR functionality, and other mechanisms. Frequently the mitigation of DDoS attacks requires cooperation between several network operators.

ARP Exploits

In certain older CMTS products (13), ARP processing can be used to deny service on the cable interfaces. ARP packets, both request and reply, received by a CMTS for the CMTS's own interface address but with a different MAC address will overwrite the router's MAC address in the router's ARP table with the one in the ARP request or reply. This type of denial-of-service attack can only be carried out from the local network. Affected CMTS devices will defend the MAC address of an interface for several attempts, but in an attempt to prevent an ARP storm the device will then accept the incorrect information into the ARP table, which causes the interface to stop accepting new ARP entries; entries will no longer be accepted or updated in the ARP table. This behaviour has been repaired in most current CMTS software, which properly defends the interface MAC address while rate limiting the response to avoid an ARP storm on the local network.

Other Denial-of-service Attacks

A cable IP network denial-of-service attack has been reported when a single CPE client performs multiple DHCP requests, immediately followed by a DHCP-Decline for all offered addresses. In this case, it is best to exclude this single customer from the network until the offending behaviour ends. This may be done using a script on the CNR server which detects multiple DHCP-Declines from a single source and then drops all further declines.
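The CNR-side script described above, as an added example that is not the operator's script and uses a constructed log format: it flags a client that issues a burst of DHCP-Declines inside a sliding time window and then drops that client's further declines, leaving a single decline (the normal reaction to an address conflict) untouched.

```python
"""Detecting and containing a DHCP-Decline flood from a single client.

Added example, not the CNR script the paper mentions. It reads DHCP server
log lines (format constructed here), flags any client MAC that issues a
burst of DHCPDECLINEs inside a sliding time window, and then drops that
client's further declines, which is the containment the paper suggests.
"""
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed log: one CPE declines every address it is offered; another
# client declines once because of an address conflict, which is normal.
SAMPLE_LOG = """\
2002-03-14 10:15:01 DHCPOFFER 10.1.0.12 to 00:10:95:aa:bb:01
2002-03-14 10:15:02 DHCPACK 10.1.0.12 to 00:10:95:aa:bb:01
2002-03-14 10:15:05 DHCPOFFER 10.1.0.20 to 00:10:95:de:ad:01
2002-03-14 10:15:05 DHCPDECLINE of 10.1.0.20 from 00:10:95:de:ad:01
2002-03-14 10:15:06 DHCPOFFER 10.1.0.21 to 00:10:95:de:ad:01
2002-03-14 10:15:06 DHCPDECLINE of 10.1.0.21 from 00:10:95:de:ad:01
2002-03-14 10:15:07 DHCPOFFER 10.1.0.22 to 00:10:95:de:ad:01
2002-03-14 10:15:07 DHCPDECLINE of 10.1.0.22 from 00:10:95:de:ad:01
2002-03-14 10:15:08 DHCPOFFER 10.1.0.23 to 00:10:95:de:ad:01
2002-03-14 10:15:08 DHCPDECLINE of 10.1.0.23 from 00:10:95:de:ad:01
2002-03-14 10:16:30 DHCPOFFER 10.1.0.13 to 00:10:95:aa:bb:02
2002-03-14 10:16:31 DHCPDECLINE of 10.1.0.13 from 00:10:95:aa:bb:02
2002-03-14 10:16:32 DHCPOFFER 10.1.0.14 to 00:10:95:aa:bb:02
2002-03-14 10:16:33 DHCPACK 10.1.0.14 to 00:10:95:aa:bb:02
""".splitlines()

LINE_RE = re.compile(
    r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) (DHCP[A-Z]+) (?:of )?(\S+) (?:to|from) (\S+)$")


def parse_line(line):
    """Return (time, message, ip, mac) or None for lines in another format."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
    return ts, m.group(2), m.group(3), m.group(4)


def _push(window, ts, window_s):
    """Append ts, evict entries older than window_s, return the window size."""
    window.append(ts)
    while (ts - window[0]).total_seconds() > window_s:
        window.popleft()
    return len(window)


def decline_floods(lines, threshold=3, window_s=60):
    """Return {mac: peak declines seen in one window} for clients over threshold."""
    windows, flagged = defaultdict(deque), {}
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec[1] != "DHCPDECLINE":
            continue
        ts, _, _, mac = rec
        n = _push(windows[mac], ts, window_s)
        if n >= threshold:
            flagged[mac] = max(flagged.get(mac, 0), n)
    return flagged


def enforce(lines, threshold=3, window_s=60):
    """Single pass over the log: once a client crosses the threshold, its later
    DHCPDECLINE lines are dropped. Returns (kept_lines, blocked_macs)."""
    windows, blocked, kept = defaultdict(deque), set(), []
    for line in lines:
        rec = parse_line(line)
        if rec is not None and rec[1] == "DHCPDECLINE":
            ts, _, _, mac = rec
            if mac in blocked:
                continue
            if _push(windows[mac], ts, window_s) >= threshold:
                blocked.add(mac)
        kept.append(line)
    return kept, blocked


if __name__ == "__main__":
    print("flood sources:", decline_floods(SAMPLE_LOG))
    kept, blocked = enforce(SAMPLE_LOG)
    print(f"kept {len(kept)} of {len(SAMPLE_LOG)} lines; blocked {sorted(blocked)}")
```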

CONCLUSIONS

A recent informal poll of cable IP network operators has exposed a serious concern. The great majority of cable operators indicated that neither BPI nor BPI+ was enabled on their networks. Additional press reports continue to indicate that cable IP networks are not deployed using the vital security features now available, and DoS attacks occur with alarming regularity. It appears that currently deployed DOCSIS networks do not take advantage of current security features.

It is very important that cable operators learn to combat theft of service, not because of lost revenues but to maintain a quality service for paying subscribers. If the quality of cable modem access service is degraded by theft of service, all cable operators will suffer. Subscribers will seek other technologies and methods for accessing shared networks. Because DOCSIS devices today support several mechanisms for mitigating theft of service, operators should be able to deploy the mechanisms with minimal effort. Without these features, cable operators are destined to continue the legacy of huge financial losses to service theft.

To reassure customers that their data is private and secure, cable operators should immediately move to deploy either BPI or BPI+. That BPI is not enabled today is a grave security risk. The ease of BPI deployment and its lack of performance impact should be compelling.

Protection against DoS attacks must also become a part of normal cable IP network operations. Constant monitoring and measurement of cable network traffic is vital to this goal. Tools exist to help operators minimise and quickly resolve the impact of denial-of-service attacks.

Simply put, cable operators must become more proactive when it comes to combating cable security risks. The risks are well understood, the features exist to combat them, and it is the responsibility of the cable operator to take advantage of these benefits.

REFERENCES

1. NCTA Office of Cable Signal Theft, Report on Cable Industry Lost Revenue.
source of MD5 software for modem uncapping
4. Details on Cisco's "no cable qos permission modem" command.
5. Draft version of the DHCP LEASEQUERY proposed standard.
6. Data-Over-Cable Service Interface Specification (DOCSIS) Baseline Privacy Plus Interface Specification. SP-BPI+-I, revision March.
7. Data-Over-Cable Service Interface Specification (DOCSIS) Baseline Privacy Interface Specification. SP-BPI-C, revision August.
8. Common Open Policy Server Specification. RFC, January.
9. Study: Code Red Costs Top $2 billion. August 2001.
10. Study: Code Red Costs Top $2 billion. August.
11. Microsoft security bulletin (MS01-020). Incorrect MIME header can cause IE to execute attachment. March.
12. The Strange Tale of the Denial-of-service Attacks Against GRC.COM. Steve Gibson, March. grc.com/dosbv/grcdos.htm
13. Cisco ARP table overwrite vulnerability advisory. December.

ACKNOWLEDGEMENTS

The author would like to thank his colleagues for their contributions to this work. In particular, the works of Ms. Anh Phan and Mr. Mark Millet were greatly appreciated. Mr. Steve Gibson's work describing the DDoS attacks against GRC.COM is not only informative but also extremely interesting. Mr. Rolf V. Østergaard's article on cable modem uncapping (as found at ) was also very useful, and the author thanks Mr. Østergaard for his efforts in explaining this complex topic to the general public in an unbiased manner. The author would also like to thank Cisco Systems, Inc. for allocating the resources necessary to research and create this paper and the International Broadcasting Convention for permission to publish it.


More information

Safeguards Against Denial of Service Attacks for IP Phones

Safeguards Against Denial of Service Attacks for IP Phones W H I T E P A P E R Denial of Service (DoS) attacks on computers and infrastructure communications systems have been reported for a number of years, but the accelerated deployment of Voice over IP (VoIP)

More information

Cisco Integrated Services Routers Performance Overview

Cisco Integrated Services Routers Performance Overview Integrated Services Routers Performance Overview What You Will Learn The Integrated Services Routers Generation 2 (ISR G2) provide a robust platform for delivering WAN services, unified communications,

More information

INTERNET SECURITY: THE ROLE OF FIREWALL SYSTEM

INTERNET SECURITY: THE ROLE OF FIREWALL SYSTEM INTERNET SECURITY: THE ROLE OF FIREWALL SYSTEM Okumoku-Evroro Oniovosa Lecturer, Department of Computer Science Delta State University, Abraka, Nigeria Email: [email protected] ABSTRACT Internet security

More information

Virtual Private Networks (VPN) Connectivity and Management Policy

Virtual Private Networks (VPN) Connectivity and Management Policy Connectivity and Management Policy VPN Policy for Connectivity into the State of Idaho s Wide Area Network (WAN) 02 September 2005, v1.9 (Previous revision: 14 December, v1.8) Applicability: All VPN connections

More information

Firewalls. Chapter 3

Firewalls. Chapter 3 Firewalls Chapter 3 1 Border Firewall Passed Packet (Ingress) Passed Packet (Egress) Attack Packet Hardened Client PC Internet (Not Trusted) Hardened Server Dropped Packet (Ingress) Log File Internet Border

More information

Student Halls Network. Connection Guide

Student Halls Network. Connection Guide Student Halls Network Connection Guide Contents: Page 3 Page 4 Page 6 Page 10 Page 17 Page 18 Page 19 Page 20 Introduction Network Connection Policy Connecting to the Student Halls Network Connecting to

More information

Bandwidth Aggregation, Teaming and Bonding

Bandwidth Aggregation, Teaming and Bonding Bandwidth Aggregation, Teaming and Bonding The increased use of Internet sharing combined with graphically rich web sites and multimedia applications have created a virtually insatiable demand for Internet

More information