Thread Info
  • State Not Answered
  • Locked Locked
  • Replies 9 replies
  • Subscribers 2 subscribers
  • Views 4819 views
  • Users 0 members are here
Options
Suggested
This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Man-in-the-Middle Attack

SalishSwede
I'm on Comcast and recently ran into incredible trouble with web connectivity.
With an on-site-engineer present we beat on the comcast provisioning system for some time.  We were chasing our tails.

Finally I disconnected the Astaro box from the cable modem and directly connected my laptop.  I noticed the ip address that was being given was a 192.168 address.  This is the non-routing private address space.  I asked the Senior Tech support on the phone if this was appropriate.  He said, "No".  

So there is a rogue DHCP server on Comcast's network which strongly suggests a man-in-the-middle attack.

I would like to hear of what technologies Sophos/Astaro might implement to prevent this sort of attack - or at least a monitoring system that could alert me to this sort of problem.

Thanks,

Doug

PS: I asked Comcast if they could provide me with the address space that would I should be connected to.  They could not provide this information.


This thread was automatically locked due to age.
Parents Reply Children
  • 0 in reply to BAlfson
    No, I have two identical & new Motorola Cable Modems.  They're fine.
  • 0 in reply to SalishSwede
    At this point I suspect a  DHCP server on the Comcast side that was pushed an outdated configuration with an obsolete addressing scheme. 

    The other possibility is a man-in-the-middle attack.  I think if it were the latter, I wouldn't have noticed a problem and would have been happily sending all of my data through a third party.

    The question remains... how does one offer ip addressing in a secure manner.  Current DHCP is completely open to hijack.
  • 0 in reply to SalishSwede
    There's no real fix for that, other than a redesign of how these modems authenticate (AT&T Uverse, for instance, uses certificates if I'm not mistaken).  There's nothing an Astaro (sorry, Sophos UTM), or any other firewall, can do to work against that.