Kitz ADSL Broadband Information

Author Topic: Evil DoS on GPON  (Read 240 times)

burakkucat

Evil DoS on GPON
« on: July 28, 2022, 06:45:56 PM »

I have been thinking . . . (dangerous, I know  ::)  )

So take a typical UK deployment of GPON, equivalent to that which Alex (A* UK) has recently been connected. Let us consider the hardware of that optical circuit. At the head-end building there are OLTs. Those OLTs have many line-cards. There are many SFP/SFP+ optics plugged into the line-cards. There is one particular optic to which is connected a single-mode fibre that exits the building and, ultimately, reaches a 1:32 splitter. From that splitter one single mode fibre eventually reaches the ONT in Alex's domain (via a CBT and an aerial drop).

If I am remembering correctly, the optics plugged into the OLTs' line-cards use the 1490 nm wavelength for the "go" (transmit) and the 1310 nm wavelength for the "return" (receive). The (up to 30) ONTs use the inverse; the 1310 nm wavelength for the "go" (transmit) and the 1490 nm wavelength for the "return" (receive).

When a new ONT is commissioned its serial number is registered with the OLT to which it is ultimately connected and the ONT is given permission to send (transmit) by its OLT peer in a particular time-slot.

Suppose that there is an evil doer.  >:D  Evil doer wishes to DoS the PON. All evil doer needs to do is to obtain an optic equivalent to that used on the OLT's line-cards. Insert the optic into a simple media convertor (such as a Planet GT-905A). Connect the optic to the fibre where an ONT would normally be connected and power on the media convertor.

If there is sufficient optical coupling across the splitter, Alex's ONT and the (up to) 28 other ONTs connected to the PON will be "blinded" by the signal from the evil doer's optic on the 1490 nm wavelength.

End result -- DoS for all connected to that PON.  >:(
:cat:  100% Linux and, previously, Unix. Co-founder of the ELRepo Project.

Weaver

Re: Evil DoS on GPON
« Reply #1 on: July 28, 2022, 11:30:07 PM »

Oh lumme! Noooo…

Alex Atkin UK

Re: Evil DoS on GPON
« Reply #2 on: July 29, 2022, 02:12:20 AM »

Well sure, but that's not really any different to traditional cable either or WiFi/mobile network jammers.

I'm guessing there would be a mechanism to get an idea of where a signal is coming from to catch anyone doing that.

Even DSL I'd think if you send a strong enough signal down your telephone line you could DoS the whole bundle with crosstalk, until you hit the cabinet filters.  Even worse as you could physically fry the line card if you sent a large enough voltage down the line, though obviously easier to trace who did that.
Broadband: Zen Full Fibre 900 + Three 5G Routers: pfSense (Celeron N5105) + CPE Pro 2 H122-373 WiFi: Zyxel NWA210AX

Weaver

Re: Evil DoS on GPON
« Reply #3 on: July 29, 2022, 08:53:58 AM »

I don’t know about FTTC, but I think I was told there is anti-fry hardware in exchanges for lightning protection, gas-discharge tubes maybe.

XGS_Is_On

Re: Evil DoS on GPON
« Reply #4 on: July 29, 2022, 03:52:08 PM »

Can actually buy light sources from eBay. Get one capable of enough power output at the desired wavelength and the PON is offline.

Get a light source powerful enough and you can force the OLT port to shut down.

Can do the same on cable networks, inject broadband RF noise.

These are both known things and have been a consideration on shared networks a while. They're also a pretty stupid thing to do as catching the perpetrator is trivial, just takes a little while.

Incidentally you wouldn't target the forward path on 1490 you'd target the 1310 return in an attempt to blind the OLT to transmissions from ONTs. The isolation between ports is far too high for any attempt to blind the receive on ONTs to work.
« Last Edit: July 29, 2022, 04:00:29 PM by XGS_Is_On »

burakkucat

Re: Evil DoS on GPON
« Reply #5 on: July 29, 2022, 04:49:38 PM »

Thinking some more about this vulnerability, I realised that when we talk about a passive optical "splitter" we should also define its class of action.

In this case, considering a GPON deployment, the "splitters" are power splitters when considered in the direction of the OLT to the ONTs but are power combiners when considered in the direction of the ONTs to the OLT.

For more advanced (wider bandwidth) PON deployments, the "splitters" are wavelength splitters when considered in the direction of the OLT to the ONTs but are wavelength combiners when considered in the direction of the ONTs to the OLT.

Quote from XGS_Is_On: "Incidentally you wouldn't target the forward path on 1490 you'd target the 1310 return in an attempt to blind the OLT to transmissions from ONTs. The isolation between ports is far too high for any attempt to blind the receive on ONTs to work."

Thank you. Your second sentence, which I have just quoted above, clarifies the point of which I was a little uncertain -- the isolation between each individual port to which an ONT is connected.

XGS_Is_On

Re: Evil DoS on GPON
« Reply #6 on: July 29, 2022, 10:34:57 PM »

Quote from burakkucat: "Thank you. Your second sentence, which I have just quoted above, clarifies the point of which I was a little uncertain -- the isolation between each individual port to which an ONT is connected."

Welcome - it's a quoted specification on splitters - https://www.fs.com/uk/products/73324.html