RESET Forums (homeservershow.com)

Sophos UTM - Drop traffic directed to your Motorola-Arris Cable Modem


Drashna Jaelre

For those that haven't already seen this, if you have a Motorola or Arris cable modem, you *may* be at risk for ... well a rather unique "Denial of Service" attack that involves rebooting your cable modem:

http://securityaffairs.co/wordpress/46117/hacking/arris-cable-modems-attack.html

 

 

Since at least one person has already approached me about this, let me post it more publicly (and later on my blog with pretty, pretty pictures). 

 

This is for Sophos UTM only, as I'm not sure how to do this on XG Firewall (and not a lot of interest in doing so currently, sorry).

Open the web UI. Go to "Interfaces & Routing" and open up the "Static Routing" option. 

Click on "New static route".

Set the "route type" to "Blackhole route". This drops all packets, silently. (There may be a better way to do this, but this works.)

On the "Network" entry, click on the "+" and create a new "Host" (for the type). Set the IP address to 192.168.100.1, and save. And then save the route.

You'll need to toggle the route on, for it to start working.

With it off, you should be able to access the cable modem. If you turn the static route on, you should be greeted with a "Network is unreachable" error. 

 

 

Also, there may be a better (more surgical, less blunt tool) way to do this, but this works and doesn't affect connectivity. 

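One way to confirm from a LAN host that the blackhole route described in the post above is actually in effect, as an added example that is not part of the original post. The port (80) and all function names are assumptions made for this sketch; the IP address is the one given in the post.

```python
import errno
import socket

MODEM_IP = "192.168.100.1"  # modem management address from the post
MODEM_PORT = 80             # assumption: the modem UI is served over plain HTTP

# errno values meaning the packet could not be routed to the modem
ROUTE_REJECTED = {errno.ENETUNREACH, errno.EHOSTUNREACH}


def classify(exc):
    """Turn the result of a TCP connect attempt into a verdict.

    exc is None when the handshake completed, else the exception raised.
    """
    if exc is None:
        return "EXPOSED"      # modem UI is reachable from this host
    if isinstance(exc, (socket.timeout, TimeoutError)):
        return "DROPPED"      # packets silently discarded, as a blackhole does
    if isinstance(exc, ConnectionRefusedError):
        return "REFUSED"      # host answered, so traffic still gets through
    if isinstance(exc, OSError) and exc.errno in ROUTE_REJECTED:
        return "UNREACHABLE"  # the "Network is unreachable" case from the post
    return "UNKNOWN"


def probe(ip=MODEM_IP, port=MODEM_PORT, timeout=3.0,
          connect=socket.create_connection):
    """Attempt one TCP connection; 'connect' is injectable for offline tests."""
    try:
        connect((ip, port), timeout=timeout).close()
    except OSError as exc:
        return classify(exc)
    return classify(None)


def route_is_effective(verdict):
    """True when no traffic reached the modem at all."""
    return verdict in {"DROPPED", "UNREACHABLE"}


if __name__ == "__main__":
    verdict = probe()
    print(f"{MODEM_IP}:{MODEM_PORT} -> {verdict}; "
          f"blocked={route_is_effective(verdict)}")
```

Run it once with the static route toggled off and once with it on; the verdict should change from EXPOSED to DROPPED or UNREACHABLE.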

Thanks for sharing that. My attempts to use IP-based firewall rules were ineffective and I am curious why.


Honestly, I'm not sure why, but as static routing works, this may be a routing issue. 

 

But I'm not a networking expert, at all. 


We need to follow these steps if we use a SB6141 Motorola Surfboard and Sophos UTM?

 

Yes. Immediately. Well, navigate to "http://192.168.100.1/reset.htm" and see. :P

 

Just a warning, if you do, it may drop your connection for up to 30 minutes (possibly longer) as that URL will/should reset your cable modem.

 

ARRIS acquired a large part of Motorola's home unit division; this means cable modems.

 

The Motorola SurfBOARD SB6141 *is* the ARRIS SurfBOARD SB6141, as far as I am aware. 

 

So if you have the Motorola version, then you should definitely do this.

 

If you have a similar model, I would STILL recommend doing this, as it may affect more than just the listed model. Also, there may be other exploits in the future, so securing your cable modem may be a VERY good idea.


So if you do this but need to access the modem for troubleshooting, you can temporarily disable that routing setting.


So if you do this but need to access the modem for troubleshooting, you can temporarily disable that routing setting.

Yup. With a flick of a switch. :)

 

Specifically, it does have a toggle, so if you need to access it temporarily, you can.

 

But to be honest, I've never needed to do this. Powering off for 30 seconds is usually enough to reset it. And if I need more than that, I'm calling my ISP (especially as I'm on a business line :) ).


Found another solution: 

 

Use the web filter. :)

 

 

[Edit Filter Action] >> [Websites] >> [Block These Websites] >> [+]

 
Name: Modem Reboot
Match URLs based on: [Regular Expression]
Regular Expressions: >> [+]
https?://192\.168\.100\.1/reset\.html?
[Apply]
[Save]