FYI: You can blow Intel-powered broadband modems off the 'net with a 'trivial' packet stream

Broadband modems using Intel's bungled Puma 6 chipset can be overloaded and virtually knocked offline by a trivial trickle of packets, it is claimed.

Effectively, if there's someone you don't like, and they are one of thousands upon thousands of people using a Puma 6-powered home gateway, and you know their public IP address, you can kick them off the internet, we're told.

This week, inquisitive netizens discovered that, when presented with even modest amounts of network traffic – as little as a few thousand packets per second spread across various TCP or UDP ports – modems equipped with a Puma 6 slow to an unusable crawl.

According to one engineer who spoke to El Reg on the issue, the flaw would be "trivial" to exploit in the wild, and would effectively render a targeted box useless for the duration of the attack.

"You send a stream of 200Kbps of TCP, UDP or maybe even ICMP to different port numbers, and it has a tiny table to keep track of these that fills up. The device becomes immediately unresponsive. It comes back after you stop," our tipster explained.

"It can be exploited remotely, and there is no way to mitigate the issue."

This is particularly frustrating for Puma 6 modem owners because the boxes are pitched as gigabit broadband gateways: the devices can be potentially choked and knocked out simply by receiving traffic that's a fraction of the bandwidth their owners are paying for.

Specifically, when about three to six thousand small, even zero-size, TCP or UDP packets are sent per second to a device, it exhausts an internal lookup table in Intel's Puma 6 chipset, hammering the overall performance of the hardware as the network processor struggles to keep up. These packets can be spoofed, sent across the internet or internally on the local network, and require no authentication to knacker a gateway.

The overall effect is slow web browsing, sluggish downloads, and spikes in latency that kill online gaming and other time-sensitive connections. This effect has been observed with Arris SB6190 and Netgear CM700 boxes using Intel's vulnerable Puma 6 family.

Here's some proof-of-concept denial-of-service PHP code that fires about 5,000 UDP packets per second at a vulnerable host, spread over random port numbers, ruining the gateway's performance:

<?php

$host = 'A.B.C.D';
$pps = 5000;
$tune = 125;

$sock = socket_create( AF_INET, SOCK_DGRAM, SOL_UDP );
$uslp = (1000000 / $pps) - $tune;

if( $uslp < 0 )
$uslp = 0;

for( $i = 6500000; $i > 0; $i-- )
{
$port = rand( 1025, 65535 );
socket_sendto( $sock, 'LUT2', 4, 0, $host, $port );
usleep( $uslp );
}

?>

The Puma 6 chipset is used in a number of ISP-branded cable modems, including some Xfinity boxes supplied by Comcast in the US and the latest Virgin Media hubs in the UK. Those Brit subscribers, for instance, are already filing complaints over the sluggish performance of the routers.

"Immediately following installation I noticed I was getting significant spikes in latency, resulting in unstable connections on VPN, and poor gaming/streaming performance," writes one Virgin Media customer who's asking for a replacement.

The reports are yet another nail in the coffin of the ill-fated Puma 6 chipset. Shortly after it was released, it was found to be prone to serious latency issues. The problem has already landed one vendor in court on a class action lawsuit. ®