ABUSE OF CPE DEVICES AND RECOMMENDED FIXES presented at BlackHatUS 2014

by Paul A. Vixie, Jonathan m. Spring, Chris Hallenbeck,

Summary : Consumer Premise Equipment (CPE) has become common, nearly ubiquitous, home and small office attire. Many homes have a router/modem device that mediates access between home devices and the ISP. Abuse of these devices is particularly problematic both because the owner has difficulty interfacing with (and fixing) the device and because the static code provided by the vendor is generally rotted (and vulnerable) by the time the consumer unpacks the device.
The poor management of CPE has created an Internet-scale problem and potential for abuse. For example, the plurality of open DNS resolvers accessible on the Internet are on medium-speed DSL connections, the sorts of connections leased to home and small-business users. These devices are available for abuse in reflected and amplified DDoS attacks. The vulnerable devices themselves can also be leveraged against the consumer in middleperson attacks. In this presentation, we quantify this problem and provide recommendations for how the Internet community can address this public-health-like problem.