Difficult firewall problem

Xymox · ‎11-05-2017

Im working with a very interesting issue. Worldwide there is a BIG issue with Intel Puma based cable modems. These are in use all over the world. These ALL have a CVSSv3 7.3 rated DoS attack that cannot be blocked at the ISP of a MSO because the hardware would cost $1M USD per ISP hub installation. The main issue is that these MAJOR ISPs are going 40Gbps and 100Gbps connections going to single CMTS boxes. Dealing with 10's of millions of clients.

The DoS is trivial and very low bandwidth. You simply send at least 1500 packets per second of NEW connections and a look up table in the modem chokes and a DOS occurs. This it turns out is very difficult to block without effecting legit things. TCP/UDP IPv4 or IPv6. Its ANY protocol.

I run the badmodems.com site where we have collected all the data on this issue. The list of effected devices is huge. There is a unpublished CVE but its a 0-day and the code is published and readily available. Google Puma6fail.. This has all been covered in the press a lot.

We are having technical discussions now on this thread about it.

Its a tricky issue. The power required to inspect a 100Gbps stream for this and NOT have false positives on a MSO of 20 million clients is not easy.

I was going to try some rules on my own router and start to work out a rule that could be used that would not effect normal traffic. This is at home just to work out what kind of rule would work for this. I have a DoS web based tool I use to test. So I can test if this works.

Im posting here for some advice on how to write a rule that requires the least CPU power to block this issue. Rate limiting seems scary to use as there might be something that uses a high new connection rate legitimate. The packets are random content and random port numbers. The only thing common is the high rate and that they are new.. This has to work on every protocol and IPv4 and 6.

The other issue is this could be turned into a DDoS so the source IP could also be random.

Most likely any of you in the US or Eurpoe who are on cable and have high speeds are likely to have a Intel Puma based device. Its a serious issue, its a CVSSv3 7.2 0-day with trivial published code. IT can be scaled up and weaponized and because of its low rates per IP can attack a whole ISP and knock entire Intel Puma based ISPs offline with no mitigation known.

So far no firmware patch has been issued to any modem vendor after 9 months.

All the details are here

We could really use some really skilled network guys to come help work on a solution. Im working with Intel and MITRE. I run the badmodems site. The main place for discussion is the DSLReports forum thread I linked above.

This is a really hard problem that can knock a entire MSO offline with no mitigation possible currently and patches to the modems is months to years away. If you think you can help, come join us.

er.shivamdubey31190 · ‎11-06-2017

Hi Xymox,

These issues can be fixed if you have firepower solution deployed.

There are inbuilt signatures to identify the DOS and DDOS pattern.

Firewall can also detects start producing logs if you enable "Threat detection" feature.

Shivam

Xymox · ‎11-06-2017

Its beyond the capabilities of this. Also this is not a std DoS as it uses a UDP stream at very low bandwidth with ANY protocol and IPv4 and 6. The required hardware would cost so much money per install at a major MSO this is not a option. We are talking about inspecting 10's of millions of streams of data on a 100Gbps connection.

So the question could be can a block be implimented in the CMTS using creative thinking.