
Interesting DoS attack that has no mitigation possible at the MSO level

Level 1

I'm working with a very interesting issue. Worldwide there is a BIG issue with Intel Puma based cable modems. These are in use all over the world. These ALL have a CVSSv3 7.3 rated DoS attack that cannot be blocked at the ISP of an MSO because the hardware would cost $1M USD per ISP installation. The main issue is that these MAJOR ISPs are going to 40Gbps and 100Gbps connections going to single CMTS boxes, dealing with tens of millions of clients.

The DoS is trivial and very low bandwidth. You simply send at least 1500 packets per second of NEW connections and a lookup table in the modem chokes and a DoS occurs. This, it turns out, is very difficult to block without affecting legit things. TCP/UDP, IPv4 or IPv6. It's ANY protocol.

I run the site where we have collected all the data on this issue. The list of affected devices is huge. There is an unpublished CVE but it's a 0-day and the code is published and readily available. Google Puma6fail. This has all been covered in the press a lot. ... odem_woes/

We are having technical discussions now on this thread about it. ... start=7352

It's a tricky issue. The power required to inspect a 100Gbps stream for this and NOT false positive on an MSO of 20 million clients is not easy.

I was going to try some rules on my router and start to work out a rule that could be used that would not affect normal traffic. This is at home, just to work out what kind of rule would work for this. I have a DoS web based tool I use to test, so I can test if this works.

I'm posting here for some advice on how to write a rule that requires the least CPU power to block this issue. Rate limiting seems scary to use as there might be something that uses a high new connection rate legitimately. The packets are random content and random port numbers. The only thing common is the high rate and that they are new. This has to work on every protocol and IPv4 and 6.


We are wondering if there might be some creative way INSIDE the CMTS to block this attack as no ISP can afford to add the hardware required to inspect all packets for every client.

The other issue is this could be turned into a DDoS so the source IP could also be random.

Most likely any of you in the US or Europe who are on cable and have high speeds are likely to have an Intel Puma based device. It's a serious issue; it's a CVSSv3 7.2 0-day with trivial published code. It can be scaled up and weaponized and because of its low rates per IP can attack a whole ISP and knock entire Intel Puma based ISPs offline with no mitigation known.

So far no firmware patch has been issued to any modem vendor after 9 months.

All the details are here

We could really use some really skilled network guys to come help work on a solution. I'm working with Intel and MITRE. I run the badmodems site. The main place for discussion is the DSLReports forum thread I linked above.

This is a really hard problem that can knock an entire MSO offline with no mitigation possible currently, and patches to the modems are months to years away. If you think you can help, come join us.

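One way to express the criterion the post describes (count only NEW flows, per destination, regardless of protocol, address family or source) as detection logic; this is an added example, not part of the original post or of the badmodems project. The 1500 new flows per second figure comes from the post; the class name, one-second window, 30-second idle timeout and documentation-range addresses are assumptions, and the traffic is constructed.

```python
from collections import defaultdict, deque

NEW_FLOW_LIMIT = 1500   # new flows per second per destination (rate quoted in the post)
WINDOW_S = 1.0          # assumed sliding-window length in seconds

class NewFlowRateMonitor:
    """Counts first packets of previously unseen flows, keyed by destination."""

    def __init__(self, limit=NEW_FLOW_LIMIT, window=WINDOW_S, flow_idle=30.0):
        self.limit, self.window = limit, window
        self.flow_idle = flow_idle            # assumed idle time after which a flow is new again
        self.last_seen = {}                   # flow key -> last packet time (unbounded here;
                                              # a deployment needs eviction for this table)
        self.new_times = defaultdict(deque)   # destination -> timestamps of new flows

    def observe(self, ts, proto, src, sport, dst, dport):
        """Return True when dst is at or above the new-flow limit after this packet."""
        key = (proto, src, sport, dst, dport)
        prev = self.last_seen.get(key)
        self.last_seen[key] = ts
        times = self.new_times[dst]
        if prev is None or ts - prev > self.flow_idle:
            times.append(ts)                  # only a flow's first packet is counted
        while times and ts - times[0] >= self.window:
            times.popleft()
        return len(times) >= self.limit

def constructed_new_flows(dst, pps, seconds):
    """Constructed sample: every packet is a new flow; sources and ports vary."""
    for i in range(pps * seconds):
        yield (i / pps, "udp", f"2001:db8::{i % 4096:x}",
               1024 + i % 60000, dst, 1 + (i * 7919) % 65535)

def constructed_bulk(dst, pps, seconds):
    """Constructed sample: one established flow at a high packet rate."""
    for i in range(pps * seconds):
        yield (i / pps, "tcp", "198.51.100.7", 40000, dst, 443)

def flagged(packets, **kw):
    """Destinations that crossed the new-flow limit anywhere in the trace."""
    mon = NewFlowRateMonitor(**kw)
    return sorted({p[4] for p in sorted(packets) if mon.observe(*p)})

if __name__ == "__main__":
    trace = list(constructed_new_flows("2001:db8:ffff::1", 2000, 2))
    trace += list(constructed_bulk("203.0.113.9", 20000, 2))
    print(flagged(trace))   # the bulk transfer's destination is not listed
```

Because the counter is keyed on destination and ignores the source, spreading the new flows across many source addresses does not lower the count; the per-flow table is the memory and CPU cost the post is concerned about.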