Mitigating Theft of Service

This document covers ways to configure Broadband Provisioner® to mitigate theft of service for DOCSIS® networks.

Enforce Trusted ID limits

If a cloned cable modem uses the cloned hardware address for layer 2 communications, the CMTS will insert the cloned hardware address as the option 82 Remote ID (RID). To limit this type of attack, add the "Self ID address limit" option in a cable-modem specific policy and set its value to '1'. Also add the "Binding TID Type" option to this policy and set its value to 4 (store self ids).

This will cause the server to refuse to lease an address to the second modem, because it will be over quota on its active leases. Note that adding this option to the cable-modem specific policy does not affect the IP address limits for all other devices, so you are free to use IP address limits for your customers' PCs and residential gateways.

Verify RID and Device ID for all modems

If a cloned cable modem is using its original hardware address for layer 2 communications, but the cloned hardware address for the DHCP client identifier, then the CMTS will insert the original hardware address as the option 82 Remote ID (RID), while the DHCP client identifier in the packet will contain the cloned hardware address.

In this case, you can simply check that, for every cable modem, the RID is the same as the DHCP client identifier. Any cable modem that does not pass this test is a fake.

It is possible that there are cable modems that normally use an identifier other than the hardware address for the DHCP client identifier, but this is definitely not the norm. In fact, many vendors use this specific check to determine if the device is a cable modem at all.

It is also possible to check that the RID is equal to the DHCPv4 'chaddr' field. This field is reserved for the hardware address of the cable modem. If you use this method, you should also add the 'Override client id' option to any cable-modem specific policy, and set the value to [ $HWADDR() ]. This will ensure that leases for cable modems are tracked based on the 'chaddr', not the DHCP client identifier.
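
The two comparisons described in this section, as an added Python example (not Broadband Provisioner code or configuration): it parses a relayed DHCPv4 packet and reports which RID checks fail. The packets, addresses and function names are constructed for illustration, and it assumes the client identifier is the Ethernet type byte followed by the hardware address.

```python
import struct

MAGIC = b"\x63\x82\x53\x63"  # DHCP magic cookie that precedes the options

def tlv(buf, dhcp=False):
    """Parse code/length/value triples; dhcp=True honours pad (0) and end (255)."""
    out, i = {}, 0
    while i < len(buf):
        code = buf[i]
        if dhcp and code == 0:
            i += 1
            continue
        if dhcp and code == 255:
            break
        if i + 2 > len(buf) or i + 2 + buf[i + 1] > len(buf):
            raise ValueError("truncated option")
        out[code] = buf[i + 2:i + 2 + buf[i + 1]]
        i += 2 + buf[i + 1]
    return out

def failed_checks(packet):
    """Return the names of the RID checks a relayed cable-modem packet fails."""
    if len(packet) < 240 or packet[236:240] != MAGIC:
        raise ValueError("not a DHCPv4 packet")
    chaddr = packet[28:28 + packet[2]]       # first hlen bytes of the chaddr field
    opts = tlv(packet[240:], dhcp=True)
    rid = tlv(opts.get(82, b"")).get(2)      # option 82, sub-option 2 = Remote ID
    cid = opts.get(61, b"")                  # option 61 = DHCP client identifier
    # Assumption: a type-1 (Ethernet) client identifier is the type byte + MAC.
    cid_mac = cid[1:] if cid[:1] == b"\x01" else cid
    if rid is None:                          # the relay inserted no Remote ID
        return ["no-rid"]
    checks = {"rid!=client-id": rid != cid_mac, "rid!=chaddr": rid != chaddr}
    return [name for name, bad in checks.items() if bad]

def sample(chaddr, client_mac, rid):
    """Constructed DHCPDISCOVER as relayed by a CMTS (sample data, not a capture)."""
    hdr = struct.pack("!BBBBIHH4s4s4s4s16s64s128s", 1, 1, 6, 0, 0x1234, 0, 0,
                      b"", b"", b"", b"", chaddr, b"", b"")
    relay = b"\x01\x04\x80\x01\x00\x03" + bytes([2, len(rid)]) + rid
    opts = (b"\x35\x01\x01" + bytes([61, 7, 1]) + client_mac
            + bytes([82, len(relay)]) + relay + b"\xff")
    return hdr + MAGIC + opts

GOOD = bytes.fromhex("0002b3000001")    # constructed address of the real modem
CLONED = bytes.fromhex("0002b30000aa")  # constructed address copied from another modem
print(failed_checks(sample(GOOD, GOOD, GOOD)))    # []
print(failed_checks(sample(GOOD, CLONED, GOOD)))  # ['rid!=client-id']
```

A modem that legitimately uses a client identifier other than its hardware address, as noted above, fails only the client-identifier comparison and still passes the 'chaddr' one.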