Sigma --any solution

Sigma --any solution

Hi All,
Looking at the various subjects running on the forum, all are running all kinds of CMTS, CM and provisioning systems available on earth.
But one common problem all have faced is SIGMA.
The popular solution suggested by CMTS/CM vendors is BPI+.
Due to some limitations (technical/operational) we are not able to implement it.
Yes, we can identify the SIGMA modem by checking the MAC. But going by the law, it is a time- and money-consuming thing to prosecute.
Is any other workaround possible, to prevent those kinds of modems from coming online?


Vishal ---Just in case

Sigma --any solution

BPI+ is your best 1st step, but if you are unable to do this for some reason then you are going to be stuck having to identify the cloned devices. If you automate the process of identifying the cloned devices, the next step is to build a script that will send an SNMP reset to the CMTS of the offending clone. The trick is to scan all your CMTSs for duplicate MACs and then send the SNMP reset to the cloned devices every 10 seconds so they will not be able to finish their registration process. This will keep the hacked devices from fully coming online, and if you constantly pull all the MACs from all CMTSs in your system you can keep the hackers offline even if they change to another MAC. In the end you should really work on the issues that prevent you from running BPI/BPI+, due to the privacy concerns you should have for your customers' data being sent plain-text over the HFC MAC domain on the CMTS.

my 2 cents,

Brian Wilson
CISSP, CCAI, CCNA, CCSE, JNCIA, Security+, Network+, MCP
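
The duplicate-MAC scan described in the reply above, as an added example that is not part of the original thread. The CMTS names, interface names and MAC addresses are constructed, and the rows stand in for one polling snapshot collected from every CMTS; only the detection step is shown.

```python
import re
from collections import defaultdict

# Constructed sample: one polling snapshot of (cmts, interface, mac) rows,
# as an inventory job might collect from every CMTS. Not real data.
SNAPSHOT = [
    ("cmts-a", "Cable3/0", "0011.2233.4455"),
    ("cmts-a", "Cable3/0", "00:11:22:33:44:66"),
    ("cmts-b", "Cable5/1", "00-11-22-33-44-55"),  # same MAC as row 1, other CMTS
    ("cmts-b", "Cable5/1", "0011.2233.4477"),
    ("cmts-a", "Cable3/0", "00:11:22:33:44:66"),  # repeated row, same location
    ("cmts-c", "Cable1/0", "not-a-mac"),          # malformed row from the poller
]


def normalize_mac(raw):
    """Return 12 lowercase hex digits, or None if raw is not a MAC address."""
    digits = re.sub(r"[.:\-]", "", raw.strip().lower())
    return digits if re.fullmatch(r"[0-9a-f]{12}", digits) else None


def find_duplicate_macs(rows):
    """Map each MAC seen at more than one (cmts, interface) to its locations."""
    seen = defaultdict(set)
    rejected = []
    for cmts, interface, raw in rows:
        mac = normalize_mac(raw)
        if mac is None:
            # Keep malformed rows visible instead of silently dropping them.
            rejected.append((cmts, interface, raw))
            continue
        seen[mac].add((cmts, interface))
    dupes = {mac: sorted(locs) for mac, locs in seen.items() if len(locs) > 1}
    return dupes, rejected


if __name__ == "__main__":
    dupes, rejected = find_duplicate_macs(SNAPSHOT)
    for mac, locs in sorted(dupes.items()):
        print(f"duplicate {mac}: " + ", ".join(f"{c} {i}" for c, i in locs))
    for row in rejected:
        print("skipped malformed row:", row)
```

Normalizing the notation first matters because the same address can be reported in dotted, colon or dash form, and a repeated row from the same location is not counted as a clone.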

Sigma --any solution

Thanks Brian,
We are still going for BPI+, but it can take 5-6 months or so to do (firmware upgrade, IOS, pilot run...).
The setup I work with here is somewhat different (in terms of customer connectivity).

We have 2 types of customers. Type 1: PPPoE. Type 2: static IP (rate limited for individual modems via policy and .tlv file - CNR).
Sigma users are uncapping the static IP modems (type 2). We are able to identify the modem, but on these altered modems we cannot do SNMP.
MAC cloning is still not done here. Even if they do it, they need to know the CMTS config perfectly, as CPE static IPs and CM IPs are configured on different subinterfaces. To use a static IP, Sigma needs to bring the modem online with a very specific modem IP pool. Only then can the connection be used.

Type 1 customers are OK. Even if they uncap the modem, they cannot go beyond the subscribed BW (rate limited on user ID).


Vishal Desai

Sigma --any solution

If your issue is just uncapping, I would say make an example out of one or two of the hackers. To find the hacker, all you need to do is look to the timing offset, as this cannot be changed without knocking the modem. The timing offset will get you the distance from the CMTS. You can also compare the timing offset of the hacked modem to other known customers' timing offsets to get you close. Once you know about where the hacked modem is, you can roll a truck to the TAP you see it from and disconnect the line. Once the uncapped modem drops offline you have the drop of the hacker, and you can now have law enforcement do their thing. If you do this correctly, try to get the local news involved to show how theft of service is bad and that people that try it will be caught. I have found that once you take legal action against a few of the hackers, the rest get scared and stop uncapping and cloning. I have also seen some MSOs just cut the drop, and when the customer calls about the outage they inform them that hacking or stealing service is against the law and they will no longer serve their address with cable.

Brian Wilson
CISSP, CCAI, CCNA, CCSE, JNCIA, Security+, Network+, MCP

Assuming you are using Cisco

Assuming you are using Cisco CMTSes since you mention IOS:

On the bundle you can add the following commands

cable tftp-enforce -- prevents the customer from supplying their own config file, i.e. it looks for a TFTP transaction on the cable interface.

cable source-verify dhcp -- disallows a modem from coming online unless the CMTS has seen a DHCP transaction. NOTE: your DHCP server must support leasequery; you mention Cisco CNR, which does support leasequery.

For your static customers you also need to use the following command

cable trust mac-address -- this command excludes the modem specified from source-verify. NOTE: Requires IOS 12.3.13a.

If it were me, I would do anything possible to remove anything static when it comes to modems; everything should be DHCPed for the modems. That, along with cable source-verify dhcp, will completely stop your problem cold.
