Cable Modem Hack - Cable Haunt pfSense rule?
-
Per the cable modem 'Cable Haunt' hack that appears to be against most all cable modems (https://cablehaunt.com/), Steve Gibson says in the very last paragraph of his show notes (https://www.grc.com/sn/SN-749-Notes.pdf) that blocking access to your cable modems web (192.168.100.1) and port 8080 with a pfSense rule will protect your network.
Am I correct in thinking this rule should on both my LAN and DMZ interfaces? Any suggestions on details of the rule?
-
@TAC57 Call it poor network hygiene because we've collectively gotten lazy due to the "inherent security" that using NAT brings.
In general, one shouldn't be attempting to access any RFC1918 IP addresses (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) out the WAN interface.
Create an Alias for those subnets, and you can put in place a DENY rule on all of your internal interfaces to deny traffic to these addresses. Note that you might need to allow LAN - DMZ traffic before that rule though. -
awebster How do you think these devices are designed? every cable modem Ive ever used answered to 192.168.100.1 every on of our DSL modems when we had them were non router models and answered to 192.168.0.1 While you might be of the opinion that those addresses should be blocked it is actually expected behavior that they pass out the WAN.
NAT brings absolutely no security to those who know what they are doing. Thus it should never be used in the same sentence IMHO.
TAC57 If you have one of the modems on the list (which really isn't very long from what Ive seen) then yes you could put a rule blocking access on your LAN and DMZ interfaces with 192.168.100.1:8080 as the destination.
My broadcom based modem is not on any list Ive seen and has the spectrum analyzer page turned off by my ISP anyways so Im not concerned here.
-
Generally speaking, the modem will have a non-routable IP until such time as it has acquired a public IP from the Cable network infrastructure, which then becomes the primary IP. The non-routable IP continues to be accessible after this.
This is a source of much confusion / issues when pfSense accidentally gets a non-routable IP from the modem instead of the expected public IP when it requests a DHCP address. -
I think you misunderstand.. My cable modem is a simple bridge. It has no router capability nor does it accept my WAN IP for me. My router (pfsense) asks my ISP DHCP server for the address through the bridge (modem). The modem does ask for a "maintenance" address from the ISP.. So my modem GUI will have actually two addresses. Both RFC 1918. One for me (192.168.100.1 built in) and one for the ISP (10.20.x.x in my area given to it via DHCP) (Comcast uses IPv6 addresses as maintenance addresses) If one was to block my network from passing all RFC 1918 addresses out the WAN then we would not be able to access our cable modem GUI. Any bridge only modem or modem put into bridge mode works this way.
As it is I can see every maintenance address in my node. (my neighbors modems)
Every router I have ever used passes RFC 1918 out the WAN as long as it outside of my LAN subnets. I would not want it otherwise.
-
In fact, we are talking about the same thing, only in your case Comcast gave you a private IP instead of a public IP (shame on them), consequently, filtering RFC1918 outbound doesn't work so well.
Every setup I do, if the WAN side has a public IP, has an RFC1918 outbound filter to prevent data leakage, so implicitly protects the cable modem, however, if you can view your neighbor's cable modems that is a problem, presumably they can see yours. The Cablehaunt vuln is only supposed to be exposed on the ethernet port. -
No.. I am not a Comcast customer.. I only mentioned them because they hand out IPv6 maintenance addresses.
My ISP hands out the modem maintenance address in the 10.20.x.x range.
The maintenance address does not get me internet access. It only allows the ISP to access my modem for their use reboot modem look at signals ect. My modem does not care what my public IP address is nor is does it interfere with that process. It is only a bridge.
Why would any ISP want to use public IP space to maintain modems on their system?
-
@awebster said in Cable Modem Hack - Cable Haunt pfSense rule?:
Comcast gave you a private IP instead of a public IP (shame on them), consequently, filtering RFC1918 outbound doesn't work so well.
Comcast is moving everyone to IPv6 and providing only carrier grade NAT for IPv4.
-
@JKnott said in Cable Modem Hack - Cable Haunt pfSense rule?:
Comcast is moving everyone to IPv6 and providing only carrier grade NAT for IPv4.
Maybe in another ten years. Right now every Comcast residential and business customer gets a public ipv4 address. You can easily get a /29 on a business cable line, and a larger subnet on fiber. Please don't spread misinformation.
-
-
I am confused about this. My network config is like this:
Internet-->Cable modem-->NetGate Firewall-->My Stuff
If the NetGate firewall is configured to block any unsolicited traffic coming in and only allow traffic that was requested from downstream of the firewall, how is this hack a risk to me?
Note I have mine configured with the default rules, nothing removed or added.
Thanks.
-
@NGUSER6947 In theory, you could have malware installed on your computer via a scam email or web page, or even a hacked legitimate web page, which would attack your modem from the LAN net. Yeah, you can block access to the modem's management address from the LAN, but that would make reading modem stats or remotely rebooting it (if either are supported) inconvenient.
-
Modems are also available via their maintenance address on your local node. That means that using the right address you can ping or even access your neighbors modem. Without any logging available by much of anyone.
So in theory one could reboot their neighbors modem if it had a reboot button and no password access. Also in theory one could infect their neighbors modem.
Comcast only uses local IPv6 addresses for this. Most other ISP's use local IPv4 space.
-
@TAC57 said in Cable Modem Hack - Cable Haunt pfSense rule?:
Steve Gibson says
That guys says a lot of shit! Most if it utter nonsense.. heheheh
But sure if you want to block 8080 to your modems 192.168.100.1 IP... Have fun... Put a rule on your lan that blocks dest 192.168.100.1 port 8080... done!
-
Hello!
https://docs.netgate.com/pfsense/en/latest/firewall/preventing-rfc1918-traffic-from-exiting-a-wan-interface.html
https://github.com/pfsense/docs/blob/master/source/firewall/preventing-rfc1918-traffic-from-exiting-a-wan-interface.rst?
And because someone, like me, might ask/wonder...
https://forum.netgate.com/topic/119431/block-private-networks-what-does-that-do-what-is-it-used-for
John