Sniffing or DoS attacking a Passive Optical Network?
Context
I blame my curiosity. Even when things work perfectly fine I often still want to understand how it actually works. Learning stuff makes me happy.
Since last Thursday I finally have a fiber internet connection. Thanks a lot, Open Dutch Fiber, for your network! I'm one of those old people who still remember using PSTN in the eighties, ISDN in the nineties, then ADSL and bonded VDSL2, and now I am finally away from the copper cable pairs.
Now that I have a fiber connection I want to understand it a bit better. There are just a few details shared on the website of my provider ODIDO, so I read through some of the generic docs. Most intriguing for me now is how multiplexing is done to serve multiple customers over the same fiber link - much like multiplexed data networks that existed even before I was born (some things never change)...
Technology
From the website of my provider I understand that I am connected via XGS-PON, which stands for 10 Gigabit Symmetric Passive Optical Network. So let's start with an oversimplified reference architecture diagram:
From left to right there is the Aggregation Switch (AS) from the telecom provider, which serves a number of Optical Line Terminals (OLT). A modern OLT chassis supports various PON implementations, and older standards such as GPON can run alongside XGS-PON on the same fiber because they use different light wavelengths.
Then we enter the Passive Optical Network. Conceptually it is a Point to MultiPoint (P2MP) network: the single fiber that comes from the OLT is optically split into a tree of fibers, so that many customers can be served without the need for a separate fiber for each of them at the provider side. Those optical splitters work based on refraction, like the photo on top of this article. From the docs I read that within XGS-PON the maximum split ratio is 1:256, so I guess that the rest of my street and probably the neighborhood is all on the same fiber - I'll come back to that later.
At the customer site there is the Optical Network Unit (ONU), which in the docs is also sometimes called ONT (Optical Network Terminal). This ONU typically has an Ethernet interface (1, 2.5 or 10Gbps) which is connected to a gateway (GW) device, often a many-in-one device that does routing, firewall, WiFi and what not. (In my home setup I have of course made things more complex with additional firewalls, VLANs etc.)
Now that we have learned that up to 256 ONUs can share the same fiber and OLT, how does that work? For the downstream traffic that is rather simple: the traffic from the OLT is just broadcast everywhere and the ONU filters out all traffic that is not tagged for that device.
This obviously means that I will put an effort into figuring out if I can sniff any traffic that is not intended for my own ONU. I hope there is proper encryption so that it is not possible to actually capture data, but I am already thinking of measuring how many customers are on the same fiber just by counting the unique ONU addresses. Or measure the signal-to-noise ratio, assuming that each time the fiber is split that will result in another few dB attenuation?
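On the attenuation question above, an added worked example (not part of the original article): an ideal 1:N splitter costs 10·log10(N) dB, but fiber length, connectors and splitter excess loss blur the picture, so a measured loss only bounds the installed split ratio loosely and says nothing about how many ONUs are actually active. All loss figures and the 24 dB measurement are assumed, illustrative values.

```python
import math

# Assumed, illustrative loss figures (not from the article or any datasheet).
FIBER_DB_PER_KM = 0.35   # attenuation of the fiber itself
CONNECTOR_DB = 0.5       # loss per connector or splice

def ideal_split_loss_db(n):
    """An ideal 1:n splitter gives each output 1/n of the light."""
    return 10 * math.log10(n)

def path_loss_db(n, km, connectors, excess_per_stage):
    """Total loss through a 1:n tree built from log2(n) cascaded 1:2 stages."""
    stages = math.log2(n)
    return (ideal_split_loss_db(n) + stages * excess_per_stage
            + km * FIBER_DB_PER_KM + connectors * CONNECTOR_DB)

def plausible_split_ratios(measured_db, km=(1, 10), connectors=(2, 6),
                           excess=(0.2, 1.0)):
    """Split ratios (1:1 .. 1:256) whose best/worst-case loss brackets the measurement."""
    fits = []
    for k in range(9):
        n = 2 ** k
        best = path_loss_db(n, km[0], connectors[0], excess[0])
        worst = path_loss_db(n, km[1], connectors[1], excess[1])
        if best <= measured_db <= worst:
            fits.append(n)
    return fits

# Constructed measurement: OLT launch power minus ONU receive power = 24 dB.
print(plausible_split_ratios(24.0))
```

With these assumptions a single reading fits three different split ratios, which is why operators read the split ratio from their ODN records rather than from optical power.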
For the upstream traffic things get a bit more tricky. As the splitters in the PON merge the traffic (light) together, the timing is super crucial so that after each merge the packets are perfectly in sequence.
So the trick here is that all ONUs send their upstream data in bursts that are carefully orchestrated via Time Division Multiple Access (TDMA) so that after each merge (splitter) there are no collisions in the traffic.
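Added example (not from the original article): a simplified model of the upstream TDMA scheduling described above, together with the check an operator would run to spot a burst that falls outside its granted window. The slot counts, the guard gap and the ONU label on each burst are assumptions for illustration; real PON timing also relies on ranging to compensate for differences in fiber length, which this model leaves out.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Window:
    onu_id: int
    start: int   # first slot of the window within one upstream frame
    length: int  # number of slots

    @property
    def end(self):
        return self.start + self.length

def schedule(requests, frame_slots, guard=1):
    """OLT side: hand out back-to-back windows separated by a guard gap."""
    grants, cursor = [], 0
    for onu_id, wanted in requests:
        length = min(wanted, frame_slots - cursor)
        if length <= 0:
            break  # frame is full; remaining ONUs wait for the next frame
        grants.append(Window(onu_id, cursor, length))
        cursor += length + guard
    return grants

def audit(grants, bursts):
    """Compare observed bursts with the grant map.

    Returns (violators, victims): ONUs that transmitted outside their window,
    and ONUs whose granted window was hit by someone else's light.
    """
    granted = {g.onu_id: g for g in grants}
    violators, victims = set(), set()
    for b in bursts:
        g = granted.get(b.onu_id)
        if g is None or b.start < g.start or b.end > g.end:
            violators.add(b.onu_id)
        for other in grants:
            overlap = b.start < other.end and other.start < b.end
            if other.onu_id != b.onu_id and overlap:
                victims.add(other.onu_id)
    return sorted(violators), sorted(victims)

# Constructed sample: three ONUs request 8 slots each in a 32-slot frame.
GRANTS = schedule([(1, 8), (2, 8), (3, 8)], frame_slots=32)
# ONU 2's burst arrives 3 slots late and runs into ONU 3's window.
BURSTS = [Window(1, 0, 8), Window(2, 12, 8), Window(3, 18, 8)]
print(audit(GRANTS, BURSTS))
```

The late burst is flagged as the violator and the neighbouring ONU as the one whose window was corrupted, which is the distinction an operator needs when a single misbehaving ONU degrades a shared PON.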
Sniffing and Denial of Service?
So now that I understand a little bit about how this works, I started to think how I can abuse it (not sure why that is but I do have this more often).
I don't directly have intentions to eavesdrop on the traffic of my neighbors, but doing something with the metadata is always cool. Like being able to see how many ONUs are active on the PON, such things.
And - apart from the confidentiality - I am now wondering how resilient the overall PON solution availability is against an attack where someone would intentionally modulate light into the fiber from the customer site. (I would not be surprised if the whole PON stops working).
And the physical implementation model is that every house gets the fiber mounted (regardless of whether it is actually used), so that poses a risk (or opportunity, depending on how you look at it) that people tamper with the network. I am using only one fiber and I noticed that there are actually two fibers mounted, so I will likely buy another ONU for 'experimentation' (and yes, I will behave and not try to bring down the network).
My current knowledge on this topic is - 2 days since I looked into it - still very limited, but if you are reading this and have true knowledge and expertise in this area, feel free to share. I would much appreciate it if you complete or correct me, and I will update this article accordingly.
Glossary
AS | Aggregation Switch
GEM | GPON Encapsulation Mode
GPON | Gigabit PON (2.5 Gigabit downstream, 1.25 Gigabit upstream)
ODN | Optical Distribution Network
OLT | Optical Line Terminal
ONT | Optical Network Terminal (also called ONU)
ONU | Optical Network Unit (also called ONT)
P2MP | Point To MultiPoint
PON | Passive Optical Network
SNI | Service Node Interface
T-CONT | Transmission Container
TDMA | Time Division Multiple Access
UNI | User Network Interface (typically 1, 2.5 or 10 Gigabit Ethernet)
XG | 10 Gigabit | XG-PON = 10 Gigabit downstream, 2.5 Gigabit upstream
XGS | 10 Gigabit Symmetric | XGS-PON = 10 Gigabit downstream, 10 Gigabit upstream
Nice work :-)