What keeps you from changing your public IP address and wreaking havok?

39

9

An interesting question was asked of me and I did not know what to answer. So I'll ask here.

Let's say I subscribed to an ISP and I'm using cable internet access. The ISP gives me a public IP address of 60.61.62.63.

What keeps me from changing this IP address to, let's say, 60.61.62.75, and messing with another consumer's internet access?

For the sake of this argument, let's say that this other IP address is also owned by the same ISP. Also, let's assume that it's possible for me to go into the cable modem settings and manually change the IP address.

Under a business contract where you are allocated static addresses, you are also assigned a default gateway, a network address and a broadcast address. So that's 3 addresses the ISP "loses" to you. That seems very wasteful for dynamically assigned IP addresses, which the majority of customers are.

Could they simply be using static arps? ACLs? Other simple mechanisms?

Whitemage

Posted 2013-10-21T02:20:17.430

Reputation: 393

2the default gateway is shared across everyone on the same line so it doesn't lose that address, and a broadcast address is lost anyway in IPv4 (and is also shared in the line, maybe even across several lines) – ratchet freak – 2013-10-21T08:45:37.490

1I tried it years ago(maybe 5-10 years ago), manually setting my IP to something else other than what the ISP was sending via DHCP. It didn't work! I think I tried it with a PCI DSL modem, so the computer a direct connection to the internet. And if you wanted to -try- to set a different IP you set it in Windows.. anyhow, as mentioned, didn't work! (You can try it!) – barlop – 2013-10-21T16:44:28.243

2Many years ago when I worked at an ISP, a (now ex-) staff member set his dialup settings to use the IP of the nationwide DNS server of the ISP. Back then, the routes were allowed and as such the entire customer base started sending all DNS requests to this one dialup user. Sure enough, no one has internet while we worked out wtf happened. The routers now whitelist the IPs per customer. – Mark McDonald – 2013-10-24T21:05:59.943

Answers

35

Cable modems aren't like your home router (ie. they don't have a web interface with simple point-and-click buttons that any kid can "hack" into).

Cable modems are "looked up" and located by their MAC address by the ISP, and are typically accessed by technicians using proprietary software that only they have access to, that only runs on their servers, and therefore can't really be stolen.

Cable modems also authenticate and cross-check settings with the ISPs servers. The server has to tell the modem whether it's settings (and location on the cable network) are valid, and simply sets it to what the ISP has it set it for (bandwidth, DHCP allocations, etc). For instance, when you tell your ISP "I would like a static IP, please.", they allocate one to the modem through their servers, and the modem allows you to use that IP. Same with bandwidth changes, for instance.

To do what you are suggesting, you would likely have to break into the servers at the ISP and change what it has set up for your modem.

Could they simply be using static arps? ACLs? Other simple mechanisms?

Every ISP is different, both in practice and how close they are with the larger network that is providing service to them. Depending on those factors, they could be using a combination of ACL and static ARP. It also depends on the technology in the cable network itself. The ISP I worked for used some form of ACL, but that knowledge was a little beyond my paygrade. I only got to work with the technician's interface and do routine maintenance and service changes.

What keeps me from changing this IP address to, let's say, 60.61.62.75 and mess with another consumer's internet access?

Given the above, what keeps you from changing your IP to one that your ISP hasn't specifically given to you is a server that is instructing your modem what it can and can't do. Even if you somehow broke into the modem, if 60.61.62.75 is already allocated to another customer, then the server will simply tell your modem that it can't have it.

Moses

Posted 2013-10-21T02:20:17.430

Reputation: 10 813

DavidSchwartz's answer is very good too, I forgot about reverse path forwarding. It's still an ongoing issue even 10 years later, and many of the aspects talked about in the document he linked to are still very much relevant. Definitely worth a read! – Moses – 2013-10-21T04:04:00.370

6In the case of the ISP I work for, every incoming connection has its own VLAN, and our core router flat out refuses to route traffic from an IP address that's not supposed to be on that particular VLAN. Problem solved. – Shadur – 2013-10-21T13:47:57.367

23

Most modern ISPs (last 13 years or so) will not accept traffic from a customer connection unless it has a source IP address that they would route to that customer were it the destination IP address. This is called "reverse path forwarding". See BCP 38.

ISPs either do not use dynamic routing protocols with their customer connections or filter the routes they receive over these connections. So there would be no effect on what packets you received.

David Schwartz

Posted 2013-10-21T02:20:17.430

Reputation: 58 310

1consider adding proper punctuation to your answer to make it more understandable. – Harshdeep – 2013-10-21T08:26:03.960

1Sounds like 'forward confirm reverse DNS' verification, which is often used in spam prevention. – deed02392 – 2013-10-21T13:33:05.267

1

I'm far from an expert, but I do know using Verizon FIOS, any time I change routers I'm forced to do one of two things:

  1. Change the MAC address of the new router to the address of the old one (presumably so the system thinks it's the old router)
  2. Contact Verizon support and request they break the lease on my current IP so that it can be re-assigned to the new router

Whether they consider this to be MAC filtering I'm not sure, but I used to dread going through a router change because I couldn't understand why when my new router is hooked directly to the network cable, I could not get internet connectivity.

It wasn't until I was attempting to hook up an Asus router without success, speaking to Asus support I happened to mention my old router still hooks up fine, but the new Asus would not. He told me to change the MAC address of the new router to that of the old D-Link, rebooted and that worked. He said, 'Okay, so Verizon is doing MAC filtering.'

Verizon support claimed they're not but whatever they call it, this would in effect prevent someone using another's IP since the MAC address would not match that of the router from the true account holder.

user266290

Posted 2013-10-21T02:20:17.430

Reputation: 11

1

Your packets are going through your ISP, so I would imagine it compares source IP by using an ACL of some sort then filters accordingly. Spoofing your IP will most likely fail unless the ISP doesn't have the proper security in place. There are supposed horror stories of an ISP in uk letting out private ip's through their network causing a bunch of havoc but it shouldn't happen.

tist

Posted 2013-10-21T02:20:17.430

Reputation: 11

1

There is a little more to it. Your pc or router may obtain an ip thru DHCP or you may pay for a static IP, but either way your ISP isn't loseing IP addresses. The default gateway is used by every IP on a network. The cable modems themselves will talk to the UBRs (Universal Broadband Router) on a private IP network, usually a 10.10.x.x address, this way the ISP isn't paying for as many public IPs. The default gateway for your public IP is on the other end of a network tunnel. If you change the IP on your PC from the DHCP provided address to some other static IP your cable modem simply won't accept traffic from it.

Todd

Posted 2013-10-21T02:20:17.430

Reputation: 11

Asked: 2013-10-21T02:20:17.430

Viewed: 3 333 times

Active: 2013-10-28T18:42:10.700