
You can blow Intel-powered broadband modems off the 'net with a 'trivial' packet stream


ajdibi


You can blow Intel-powered broadband modems off the 'net with a 'trivial' packet stream

 

Broadband modems using Intel's bungled Puma 6 chipset can be overloaded and virtually knocked offline by a trivial stream of packets, it is claimed.


Effectively, if there's someone you don't like, and they are one of thousands upon thousands of people using a Puma 6-powered home gateway, and you know their IP address, you can kick them off the internet, we're told.


This week, inquisitive netizens discovered that, when presented with even modest amounts of packets – as little as 1.5Mbps – modems equipped with a Puma 6 can be slowed to a crawl.


According to one engineer who spoke to El Reg on the issue, the flaw would be "trivial" to exploit in the wild and would effectively render the targeted box useless for the duration.


"You send a stream of 200Kbps of TCP, UDP or maybe even ICMP to different port numbers and it has a tiny table to keep track of these and becomes immediately unresponsive. It comes back after you stop," our tipster explains.


"It can be exploited remotely and there is no way to mitigate the issue."


This will be particularly frustrating for Puma 6 modem owners because the boxes are pitched as gigabit internet modems, meaning many of the devices can potentially be slowed to a crawl simply by getting traffic flowing at a fraction of the connection speeds you are paying for.


The Puma 6 chipset is used in a number of ISP-branded cable modems, including some supplied by Comcast in the US and Virgin in the UK, where customers have already begun filing complaints over the sluggish performance of the routers.


"Immediately following installation I noticed I was getting significant spikes in latency, resulting in unstable connections on VPN, and poor gaming/streaming performance," writes one customer who's asking for a replacement.


The reports are yet another nail in the coffin of the ill-fated Puma 6 chipset. Shortly after it was released, it was found to be prone to serious latency issues. The problem has already landed one vendor in court on a class action lawsuit.

 

Source: https://www.theregister.co.uk/2017/04/27/intel_puma6_chipset_trivial_to_dos/

 


 

Claims Low Bandwidth DoS Attack Can Hammer Virgin Media SuperHub 3

 

A growing number of Virgin Media’s cable broadband customers are claiming that the operator’s latest SuperHub 3 (Hub 3.0) router may be vulnerable to a low bandwidth Denial of Service (DoS) attack (i.e. a malicious person with a slow ADSL line could easily ruin your day).

 

Hopefully by now most of our Virgin Media using readers will be aware that the SuperHub 3 (ARRIS TG2492S/CE) uses an Intel Puma 6 chipset (x86 SoC), which is currently quite notorious due to how it suffers from a tedious bug that causes latency spikes and packet loss. A fix for this flaw has been in the works for some considerable time but, as we revealed last month, it’s still going through some lengthy testing.

 

Unfortunately it seems like the situation is about to get worse. Feedback on the DSL Reports site and Virgin Media’s Community Forum appears to show that the hardware is also vulnerable to a simple DoS attack, which means that if somebody knows your Virgin IP address then they could hit you with packets of data (i.e. sending random UDP data to the given host with random destination ports) from even a slow broadband connection and this effectively makes your Internet connection unusable.

 

[Image: SuperHub 3 DoS attack impact]

 

In the example above a 1Mbps DoS causes an average latency rise of +20ms (milliseconds) and quite a few high peaks, while 2Mbps delivers +200ms and a huge amount of packet loss (65%). It only gets worse from there. The 2Mbps example is enough to ruin most of your Internet activity until the attack stops (sadly you can’t block this one via the SH3’s firewall).

 

The vulnerability also impacts other routers that use the same Puma 6 chipset. We have asked Virgin Media for a comment and they’ve promised to respond, once their hub and security teams have had a chance to take a closer look. At this point we should remind readers that attacking another Internet user in this way could be considered a criminal offence.

 

Credits to one of our readers, Dale, for raising the issue. We will update once an official comment arrives and in the meantime The Register has also run a similar story.

 

UPDATE 12:29pm

 

According to Ross Allan, who created a piece of software to test the bug, such an attack can’t be stopped by the SH3’s firewall either because packets from the internet would come through the modem then reach your firewall (i.e. by that point the damage is already done).

 

Source: http://www.ispreview.co.uk/index.php/2017/04/claims-low-bandwidth-dos-attack-can-hammer-virgin-media-superhub-3.html
