
Man-in-the-Middle Attack

I'm on Comcast and recently ran into incredible trouble with web connectivity.
With an on-site engineer present we beat on the Comcast provisioning system for some time. We were chasing our tails.

Finally I disconnected the Astaro box from the cable modem and directly connected my laptop. I noticed the IP address that was being given was a 192.168 address. This is the non-routing private address space. I asked the Senior Tech Support on the phone if this was appropriate. He said, "No".

So there is a rogue DHCP server on Comcast's network which strongly suggests a man-in-the-middle attack.

I would like to hear of what technologies Sophos/Astaro might implement to prevent this sort of attack - or at least a monitoring system that could alert me to this sort of problem.

Thanks,

Doug

PS: I asked Comcast if they could provide me with the address space that I should be connected to. They could not provide this information.
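A small WAN-lease sanity check of the kind the post asks for, added here as an example (not Sophos/Astaro code): it parses a dhclient-style lease for the ISP-facing interface and raises an alert when the offered address falls in private or otherwise non-routable space, when the DHCP server identifier changes from the last one seen, or when the offered DNS servers are not the expected ISP resolvers. The lease text, the non-routable range policy and the expected resolver addresses are constructed assumptions.

```python
import ipaddress
import re

# Constructed sample of a dhclient-style WAN lease, modelled on the symptom in the
# post (a 192.168 address handed out on the ISP side); not a real capture.
SAMPLE_LEASE = """\
lease {
  interface "eth1";
  fixed-address 192.168.100.10;
  option routers 192.168.100.1;
  option dhcp-server-identifier 192.168.100.1;
  option domain-name-servers 192.168.100.1;
}
"""

# Ranges an ISP should never hand out as a customer WAN address (assumed policy; an
# ISP that legitimately uses 100.64.0.0/10 carrier-grade NAT would drop that entry).
NOT_ROUTABLE = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",  # RFC 1918 private space
    "169.254.0.0/16",                                 # link-local / APIPA
    "100.64.0.0/10",                                  # CGNAT shared space
)]
# Resolvers the ISP is expected to offer (placeholder values, not Comcast's).
EXPECTED_DNS = {"203.0.113.53", "203.0.113.54"}

def parse_lease(text):
    """Extract the options a WAN sanity check needs from a dhclient lease block."""
    fields = {}
    for key in ("fixed-address", "option routers", "option dhcp-server-identifier",
                "option domain-name-servers"):
        m = re.search(rf"{re.escape(key)}\s+([\d., ]+);", text)
        if m:  # store under the bare option name, as a list (DNS can carry several)
            fields[key.split()[-1]] = [v.strip() for v in m.group(1).split(",")]
    return fields

def check_wan_lease(fields, expected_dns=EXPECTED_DNS, last_server=None):
    """Return alert strings; an empty list means the lease looks like a normal ISP lease."""
    alerts = []
    addr = ipaddress.ip_address(fields["fixed-address"][0])
    if any(addr in net for net in NOT_ROUTABLE):
        alerts.append(f"WAN address {addr} is in non-routable space")
    server = fields.get("dhcp-server-identifier", ["?"])[0]
    if last_server and server != last_server:
        alerts.append(f"DHCP server identifier changed from {last_server} to {server}")
    dns = set(fields.get("domain-name-servers", []))
    if dns and not dns <= expected_dns:
        alerts.append(f"DNS servers {sorted(dns)} are not the expected ISP resolvers")
    return alerts
```

Run from a dhclient exit hook (or a cron job reading the lease file) and page yourself on any non-empty result; the constructed lease above produces three alerts.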


  • I think I would suspect a dead/dying cable modem. I've had two die in the last year.

    Cheers - Bob
     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • No, I have two identical & new Motorola Cable Modems. They're fine.
  • At this point I suspect a DHCP server on the Comcast side that was pushed an outdated configuration with an obsolete addressing scheme.

    The other possibility is a man-in-the-middle attack. I think if it were the latter, I wouldn't have noticed a problem and would have been happily sending all of my data through a third party.

    The question remains... how does one offer IP addressing in a secure manner. Current DHCP is completely open to hijack.
  • There's no real fix for that, other than a redesign of how these modems authenticate (AT&T Uverse, for instance, uses certificates if I'm not mistaken). There's nothing an Astaro (sorry, Sophos UTM), or any other firewall, can do to work against that.

    CTO, Convergent Information Security Solutions, LLC

    https://www.convergesecurity.com

    Advice given as posted on this forum does not construe a support relationship or other relationship with Convergent Information Security Solutions, LLC or its subsidiaries. Use the advice given at your own risk.