Security problem in PPPoE connection
Hi,

We are facing a problem with PPPoE in an Ethernet access network.

To provide high speed access, 10Mbps/100Mbps Ethernet is used as the access method. But we found some guys 'stealing' others' accounts by listening to broadcast packets, and they also set up 'phishing' PPPoE servers to catch those PPPoE authentication packets.

With an ATM DSLAM, we could solve this by binding the account to the PVC. With Ethernet, although we could separate subscribers into VLANs, there are more than 100 subscribers within one VLAN.

What's your method to deal with such a problem? Will CHAP in PPPoE help?

thanks

Joe
Joe Shen wrote:
Hi,
We are facing a problem with PPPoE in an Ethernet access network.
To provide high speed access, 10Mbps/100Mbps Ethernet is used as the access method. But we found some guys 'stealing' others' accounts by listening to broadcast packets, and they also set up 'phishing' PPPoE servers to catch those PPPoE authentication packets.
With an ATM DSLAM, we could solve this by binding the account to the PVC. With Ethernet, although we could separate subscribers into VLANs, there are more than 100 subscribers within one VLAN.
What's your method to deal with such a problem? Will CHAP in PPPoE help?
thanks
Joe
http://www.juniper.net/products/eseries/

Hi Joe,

I am connected through this one:

Access-Concentrator: DARX41-erx
AC-Ethernet-Address: 00:90:1a:a0:01:46
--------------------------------------------------

I guess dtag.de has got some 8 of them. Everybody (almost) offering DSL in Germany goes through their infrastructure. The IP address range 84.167.0.0/16 seems to be shared by all of them.

I did have an "intruder" myself, reported by arpwatch:

host_look("192.168.20.80","fluffy.n","3232240720").
host_name("192.168.20.80","fluffy.n").

That thing is a PPPoE modem looking like a bridge. It allows different people behind it to access the DARX41-erx using different MAC addresses (client) and userid/passwords to access each their own ISPs. All of these boxes have the same IP address. If a box finds another one via ARP then it shuts down. To prevent broadcast storms?

That box made me look very carefully at PPPoE, but I have never seen anything but the packets that were sent to me only. I did supply a PPPoE server. It never saw anybody access it but my own machines. I tried to reach my neighbour and to build a private communications channel. Never could we see each other.

I guess dtag.de feels so secure with them that they don't enable CHAP.

Using CHAP will help you but it will not solve the real problem. At least you will make the "poor fishermen" angry - but maybe nasty too.

Have a look at

http://iason.site.voila.fr/
http://www.koom.com/iason/

There are some tools that might help you track those people via their MAC addresses. Chance is good you might make some friends. You can always need some people with a clue, can't you :)

Kind regards
Peter and Karin

--
Peter and Karin Dambier
The Public-Root Consortium
Graeffstrasse 14
D-64646 Heppenheim
+49(6252)671-788 (Telekom)
+49(179)108-3978 (O2 Genion)
+49(6252)750-308 (VoIP: sipgate.de)
mail: peter@peter-dambier.de
mail: peter@echnaton.serveftp.com
http://iason.site.voila.fr/
https://sourceforge.net/projects/iason/
* Peter Dambier:
I am connected through this one:
Access-Concentrator: DARX41-erx
AC-Ethernet-Address: 00:90:1a:a0:01:46
--------------------------------------------------
I guess dtag.de has got some 8 of them. Everybody (almost) offering DSL in Germany goes through their infrastructure. The IP address range 84.167.0.0/16 seems to be shared by all of them.
But you've got an ATM PVC to them, haven't you? This is a completely different setup. Imagine you haven't got a DSL modem, but just an RJ45 plug in the wall which leads into a stupid cloud of L2 Ethernet switches, and you still talk PPPoE to your ISP. AFAICS, this is the kind of network setup the OP is talking about.
* joe_hznm@yahoo.com.sg (Joe Shen) [Sun 12 Mar 2006, 07:48 CET]:
We are facing a problem with PPPoE in an Ethernet access network.
To provide high speed access, 10Mbps/100Mbps Ethernet is used as the access method. But we found some guys 'stealing' others' accounts by listening to broadcast packets, and they also set up 'phishing' PPPoE servers to catch those PPPoE authentication packets.
I humbly suggest you re-evaluate your network design, only this time keeping in mind the fundamental nature of Ethernet as a broadcast medium. A commonly used model is to use private VLANs (one per customer) combined with "local-proxy-arp".
What's your method to deal with such a problem? Will CHAP in PPPoE help?
That may help against password sniffing but won't help against sniffing traffic by an active attacker once the session has been established. Also, you'll have to revisit all CPE to explicitly disable PAP, or an active attacker could still steal the password if he impersonates the real PPPoE server.

HTH,

-- Niels.

--
"Calling religion a drug is an insult to drugs everywhere. Religion is more like the placebo of the masses." -- MeFi user boaz
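As an added illustration of the rogue-server point above (example code written for this page, not from any poster): a small detector that parses PPPoE discovery frames and flags every PADO offer whose source MAC is not one of the ISP's own access concentrators. The allow-list and the sample frames are constructed; the BRAS MAC and AC-Name reuse the values Peter quoted.

```python
import struct

ETH_PPPOE_DISC = 0x8863   # ethertype of the PPPoE discovery stage
CODE_PADO = 0x07          # PADO: an access concentrator answering a PADI
TAG_AC_NAME = 0x0102
TAG_END = 0x0000

# Hypothetical allow-list of the ISP's own BRAS MAC addresses (constructed).
KNOWN_ACS = {"00:90:1a:a0:01:46"}

def mac_str(raw):
    return ":".join(f"{b:02x}" for b in raw)

def parse_tags(payload):
    """Walk the PPPoE TLV tag list; returns {tag_type: value}."""
    tags, off = {}, 0
    while off + 4 <= len(payload):
        ttype, tlen = struct.unpack_from("!HH", payload, off)
        off += 4
        if ttype == TAG_END:
            break
        tags[ttype] = payload[off:off + tlen]
        off += tlen
    return tags

def parse_pado(frame):
    """Return (ac_mac, ac_name) if the frame is a PADO, else None."""
    if len(frame) < 20:
        return None
    src = frame[6:12]
    ethertype = struct.unpack("!H", frame[12:14])[0]
    ver_type, code, _session, length = struct.unpack("!BBHH", frame[14:20])
    if ethertype != ETH_PPPOE_DISC or ver_type != 0x11 or code != CODE_PADO:
        return None
    tags = parse_tags(frame[20:20 + length])
    return mac_str(src), tags.get(TAG_AC_NAME, b"").decode("latin-1")

def find_rogue_acs(frames, known=KNOWN_ACS):
    """Every PADO from a MAC that is not a known BRAS is a candidate rogue server."""
    return [r for r in map(parse_pado, frames) if r and r[0] not in known]

# Constructed sample frames (not captured traffic): a PADO from the real BRAS,
# a PADO from an unknown MAC that copies the real AC-Name, and a client PADI.
SAMPLE_FRAMES = [
    bytes.fromhex("001122334455" "00901aa00146" "8863" "110700000012"
                  "0102000a" "4441525834312d657278" "00000000"),
    bytes.fromhex("001122334455" "0a1b2c3d4e5f" "8863" "110700000012"
                  "0102000a" "4441525834312d657278" "00000000"),
    bytes.fromhex("ffffffffffff" "001122334455" "8863" "110900000008"
                  "01010000" "00000000"),
]
```

Fed with frames from a mirror port on the access switch, the output is a list of (MAC, AC-Name) pairs to chase down; the AC-Name alone is useless as a check because an impostor can copy it.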
What's your method to deal with such a problem? Will CHAP in PPPoE help?
That may help against password sniffing but won't help against sniffing traffic by an active attacker once the session has been established. Also, you'll have to revisit all CPE to explicitly disable PAP, or an active attacker could still steal the password if he impersonates the real PPPoE server.
If we enable CHAP on the BRAS, is it enough to ask subscribers to enable CHAP on their MS Windows dial-up connection or on Linux? Do we need to install some other tools?

Regards

Joe
On Mon, 13 Mar 2006, Joe Shen wrote:
What's your method to deal with such a problem? Will CHAP in PPPoE help?
That may help against password sniffing but won't help against sniffing traffic by an active attacker once the session has been established. Also, you'll have to revisit all CPE to explicitly disable PAP, or an active attacker could still steal the password if he impersonates the real PPPoE server.
If we enable CHAP on the BRAS, is it enough to ask subscribers to enable CHAP on their MS Windows dial-up connection or on Linux? Do we need to install some other tools?
Microsoft has some suggestions for configuring PPPOE for MS-Windows.

http://www.microsoft.com/technet/prodtechnol/winxppro/maintain/pppoe.mspx

A problem is many of your customers won't follow the directions, and may still be vulnerable to man-in-the-middle attacks for the login if they don't disable PAP. Because things will appear to work, i.e. Windows will use CHAP first and fall back to PAP, your customers may not notice when an attack does occur.

Although PPPOE is a layer 2 protocol, the user data may be vulnerable to many of the same ethernet CAM table, denial of service and sniffing weaknesses even if the login credentials are kept secret with CHAP (or more advanced EAP options). PPPOE and PPP tend to assume the access networks are 1) "free" and 2) "secure." This may be constrained using point-to-point connections, but often requires additional configuration of multi-access networks.

The configuration details will vary by equipment vendor. But you should find some good information by doing a few web searches for metro ethernet security, private vlan, broadcast security.
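To make the silent PAP fallback above visible on the wire, here is an added example (not from the thread) that walks the LCP Configure-Request/Ack options inside PPPoE session frames and lists the sessions in which PAP was negotiated, i.e. the sessions whose password crosses the shared segment in clear text. The sample frames are constructed.

```python
import struct

ETH_PPPOE_SESS = 0x8864            # PPPoE session stage ethertype
PPP_LCP = 0xC021                   # PPP protocol number of LCP
LCP_CONF_REQ, LCP_CONF_ACK = 1, 2
OPT_AUTH_PROTOCOL = 3              # LCP option 3: Authentication-Protocol
AUTH_NAMES = {0xC023: "PAP", 0xC223: "CHAP"}

def lcp_auth_protocol(frame):
    """Return (session_id, lcp_code, auth_name) when an LCP Configure-Request
    or Configure-Ack carries an Authentication-Protocol option, else None."""
    if len(frame) < 26 or struct.unpack("!H", frame[12:14])[0] != ETH_PPPOE_SESS:
        return None
    ver_type, code, session, length = struct.unpack("!BBHH", frame[14:20])
    if ver_type != 0x11 or code != 0x00:        # session-stage frames carry code 0
        return None
    ppp = frame[20:20 + length]
    if struct.unpack("!H", ppp[:2])[0] != PPP_LCP:
        return None
    lcp_code, _ident, lcp_len = struct.unpack("!BBH", ppp[2:6])
    if lcp_code not in (LCP_CONF_REQ, LCP_CONF_ACK):
        return None
    off, end = 6, 2 + lcp_len                   # options are type(1) len(1) data
    while off + 2 <= end:
        otype, olen = ppp[off], ppp[off + 1]
        if olen < 2:                            # malformed option, stop walking
            break
        if otype == OPT_AUTH_PROTOCOL and olen >= 4:
            proto = struct.unpack("!H", ppp[off + 2:off + 4])[0]
            return session, lcp_code, AUTH_NAMES.get(proto, f"0x{proto:04x}")
        off += olen
    return None

def sessions_using_pap(frames):
    """Session ids in which PAP was requested or acknowledged."""
    return sorted({r[0] for r in map(lcp_auth_protocol, frames) if r and r[2] == "PAP"})

# Constructed sample frames (not captured traffic): BRAS asks session 1 for
# PAP, the client acks it, and BRAS asks session 2 for CHAP (MD5). Each LCP
# packet also carries an MRU option (1492) ahead of the auth option.
SAMPLE_FRAMES = [
    bytes.fromhex("001122334455" "00901aa00146" "8864" "11000001000e"
                  "c021" "0102000c" "010405d4" "0304c023"),
    bytes.fromhex("00901aa00146" "001122334455" "8864" "11000001000e"
                  "c021" "0202000c" "010405d4" "0304c023"),
    bytes.fromhex("001122334455" "00901aa00146" "8864" "11000002000f"
                  "c021" "0101000d" "010405d4" "0305c22305"),
]
```

Run over a capture from the BRAS-facing port, a non-empty result means the CPE side still accepts PAP; on Linux the pppd options `refuse-pap` and `require-chap` close that fallback on the client and server respectively.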
On Sun, 12 Mar 2006 20:32:26 +0100 Florian Weimer <fw@deneb.enyo.de> wrote:
* Joe Shen:
What's your method to deal with such problem? Will CHAP in PPPoE help?
AFAIK, CHAP does not authenticate the terminal server, either, so it won't stop all attacks.
CHAP can be bidirectional. --Steven M. Bellovin, http://www.cs.columbia.edu/~smb
Joe Shen wrote:
Hi,
We are facing a problem with PPPoE in an Ethernet access network.
To provide high speed access, 10Mbps/100Mbps Ethernet is used as the access method. But we found some guys 'stealing' others' accounts by listening to broadcast packets, and they also set up 'phishing' PPPoE servers to catch those PPPoE authentication packets.
Well, you need to do a few things:

-- Terminate access to the miscreants
-- Implement features like private VLANs
-- Otherwise prevent ports from communicating with each other except through your authorized PPPoE server. MAC access lists may provide some help with that.

You will need to examine exactly what your L2 switches support.