PON’s Vulnerability to Denial of Service (DoS) Attacks
by Shrihari Pandit
The dominant architecture used in fiber optic deployment, the Passive Optical Network (PON), may be vulnerable to attack. This under-appreciated weakness deserves attention, along with a discussion of what steps are possible to protect fiber infrastructure.
Because PON technologies are long established and widely deployed, including by Verizon FiOS, AT&T U-verse and many others, this is a matter of no small concern.
The PON architecture is a hodgepodge of old and new technologies, hardware and strategy, typically built on a limited budget and often not overseen by a single team.
In this article we describe how fiber optic infrastructure based on PONs may be open to denial of service (DoS) attacks via optical signal injection. Security experts warn that this is a growing issue: a single injected signal can take down every subscriber on the affected PON segment.
Considering the ever increasing state-sponsored and non-state-actor cyber attacks, these types of vulnerabilities that allow for massive disruption for large groups of people are very attractive targets.
The cost advantages of PON architecture make it the overwhelming choice for FTTH deployments. PON allows wireline network providers to deliver service to businesses and homes without having to install costly active electronics on roads, curb-side or even within buildings themselves.
Active electronics, on the other hand, add cost and create operational complexity as deployments scale. The very features that make PONs attractive are what open the door to serious vulnerabilities.
PONs are fundamentally susceptible because of the architecture between the passive optical splitter (POS) and the optical network unit (ONU). The splitter is a purely passive power divider and combiner, more like a hub than a bridge: it broadcasts every downstream signal to every drop leg and sums whatever light arrives on any drop leg onto the feeder fiber toward the OLT. It has no ability to filter, limit or restrict what passes through it.
The fiber optic market currently boasts 585.9 million subscribers worldwide, with that number set to grow to 897.8 million subscribers by 2021.
The industry is upgrading first-generation GPON and EPON systems to next-generation PONs such as NG-PON2 (the favorite), XG-PON1 and XGS-PON. For example, Verizon uses the Calix AXOS E9-2 Intelligent Edge System for large-scale NG-PON2 deployments that began in the first quarter of 2018.
However, as subscriber density per PON segment increases significantly, so does the risk: more subscribers are affected by an attack on a single fiber.
NG-PON2 combines multiple signals onto a single optical fiber by using different wavelengths of laser light (wavelength division multiplexing, WDM) and then divides each wavelength into time slots (time division multiplexing, TDM) to further increase capacity; the combination is known as TWDM. NG-PON2 is illustrated in the figure below.
Figure legend: OLT = Optical Line Termination; ONT = Optical Network Termination.
NG-PON2 has three key advantages for operators:
1. Co-existence with existing systems
It can co-exist with existing GPON and NG-PON1 systems and use existing PON-capable outside plant. Since the optical distribution network (ODN) accounts for 70 per cent of the cost of a PON FTTH roll-out, this is significant. Operators have a clear upgrade path from where they are now until well into the future.
2. Capacity
Initially NG-PON2 will provide a minimum of 40 Gb/s downstream capacity, produced by four 10 Gb/s signals on different wavelengths in the L-band (around 1600 nm) multiplexed together in the central office, with 10 Gb/s total upstream capacity (four 2.5 Gb/s channels). This can be doubled to 80 Gb/s downstream and 20 Gb/s upstream in the "extended" NG-PON2.
3. Symmetrical upstream/downstream capacity
Both the basic and extended implementations are designed to appeal to domestic consumers, where gigabit downstream speeds may be needed but more modest upstream needs prevail. For business users with data mirroring and similar requirements, a symmetric implementation will be provided giving 40/40 and 80/80 Gb/s capacity respectively.
The Essence of a PON Cyber Attack:
Given the flashpoints around the globe, it doesn’t take much imagination to envision how state and non-state actors might want to cause such a chaotic and widespread disruption.
If an attacker gains access to the underlying fiber at any point on the segment, they can inject a wideband optical signal. Light injected on a drop leg is combined by the splitter onto the feeder and swamps the OLT's upstream receiver; light injected on the feeder side is broadcast to every ONU. Either way, communications for all subscribers attached to the PON segment are disrupted.
Alternatively, from a subscriber's home, the adversary could manipulate the ONU's optical subsystem so that it transmits outside its assigned time slots or at abnormal power (a so-called rogue ONU), which impacts service for every subscriber on that segment. Internet, voice and even analog RF video overlay, which is carried on a nearby wavelength, would all be susceptible to these serious DoS attacks.
Possible Solutions, Preventive Methods and Procedures:
So, what can be done with current equipment, without a massive and costly overhaul of the fiber optic network? The unfortunate answer is that the underlying vulnerability will exist as long as the passive components are in place. A reactive process is the best and only option.
The current primary mitigation is to reduce the number of subscribers per PON segment, which limits how many are affected by any one attack. Once an attack is detected, the network operator must localize the source, identify the bad actor and disconnect them from the network. But that is easier said than done.
Such a manual process is far from ideal. An extensive PON outage means spending the time and money to send personnel to the optical line terminals and check each individual port until the attacker is found. Installing active electronics on each PON segment or near each PON subscriber is unrealistic and impractical; it would cost more in time, money and space than it saves.
The best ongoing solution is for operators to install passive tap points on each PON segment. Each tap can be routed back to the provider's operations center, where operators can monitor the segment's optical power levels and detect unusual light (for example, light present in time slots where no ONU should be transmitting) that may signal an attack.
Operators can then dispatch technicians on site to finish localizing and resolving the problem while other, non-threatening users remain unaffected. This turns a purely reactive restriction into something as automatic and proactive as current equipment allows.
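The following is an added illustration, not code from this article or from any vendor's product: a small Python model of one PON segment. It shows the two points made above. First, a passive splitter sums the light from every drop leg, so an ONU whose laser is stuck on (a rogue ONU) pollutes every upstream slot and takes every subscriber on the segment down. Second, a tap on the feeder that reports per-slot optical power lets the operations center spot light in slots the OLT never granted, and a technician at the splitter cabinet can then find the rogue's leg by disconnecting half the legs at a time instead of checking ports one by one. Splitter loss, launch power, noise floor, tolerance, slot layout and the port numbers are all assumptions.

```python
"""Toy model of one PON segment: N ONUs burst upstream in OLT-granted time
slots, a passive 1:N splitter sums their light onto the feeder fiber, one
ONU's laser is stuck on (a rogue ONU), a detector reads per-slot power
samples from a tap on the feeder, and a halving search finds the rogue's
splitter leg. Constructed example; every number here is assumed, not a
vendor or ITU-T figure.
"""
import math
from dataclasses import dataclass, field

SPLITTER_LOSS_DB = 17.0   # assumed: 1:32 splitter plus connector loss
NOISE_FLOOR_DBM = -35.0   # assumed: tap reading when no ONU is bursting
TOLERANCE_DB = 1.0        # assumed: allowed drift from the ranged burst level


def dbm_to_mw(dbm: float) -> float:
    return 10 ** (dbm / 10)


def mw_to_dbm(mw: float) -> float:
    return 10 * math.log10(mw) if mw > 0 else -math.inf


@dataclass
class Onu:
    port: int                                            # splitter drop leg
    tx_dbm: float                                        # launch power while bursting
    slots: frozenset = field(default_factory=frozenset)  # slots granted by the OLT
    rogue: bool = False                                  # laser stuck on: emits in every slot


def feeder_power_dbm(onus, slot):
    """Power reaching the feeder fiber (tap and OLT) during one slot.
    The splitter is a passive combiner: light from every leg is summed in mW
    and nothing is filtered, so a rogue's light lands in every slot on top of
    whatever the granted ONU sends."""
    total_mw = sum(dbm_to_mw(o.tx_dbm - SPLITTER_LOSS_DB)
                   for o in onus if o.rogue or slot in o.slots)
    return mw_to_dbm(total_mw)


def expected_schedule(onus, n_slots):
    """Per slot: the level the OLT ranged for the granted ONU, or None when
    the OLT granted nobody (a quiet slot)."""
    expected = {}
    for s in range(n_slots):
        granted = [o for o in onus if s in o.slots]
        expected[s] = granted[0].tx_dbm - SPLITTER_LOSS_DB if granted else None
    return expected


def detect_rogue(samples, expected):
    """Flag slots where the tap sees light the grant map cannot explain."""
    alerts = []
    for slot, p in enumerate(samples):
        want = expected[slot]
        if want is None and p > NOISE_FLOOR_DBM:
            alerts.append((slot, "light in unassigned slot"))
        elif want is not None and p > want + TOLERANCE_DB:
            alerts.append((slot, "power above the granted ONU's level"))
    return alerts


def sample_segment(onus, n_slots):
    return [feeder_power_dbm(onus, s) for s in range(n_slots)]


def localize_rogue(onus, n_slots):
    """Halving search a technician can run at the splitter cabinet: pull half
    of the candidate legs, re-sample, keep whichever half still shows
    unexplained light. About log2(N) rounds instead of N single-port checks.
    Returns (port, rounds), or None if the segment shows no rogue."""
    if not detect_rogue(sample_segment(onus, n_slots), expected_schedule(onus, n_slots)):
        return None
    candidates = sorted(o.port for o in onus)
    rounds = 0
    while len(candidates) > 1:
        pulled = set(candidates[: len(candidates) // 2])
        connected = [o for o in onus if o.port not in pulled]
        rounds += 1
        still_lit = detect_rogue(sample_segment(connected, n_slots),
                                 expected_schedule(connected, n_slots))
        # light persists -> rogue is among the connected legs; otherwise it was pulled
        candidates = [p for p in candidates if (p not in pulled) == bool(still_lit)]
    return candidates[0], rounds


def build_segment(n_onus=32, rogue_port=21):
    """Constructed segment: ONU k bursts in slot 2k; odd slots stay unassigned
    (think ranging windows). rogue_port=-1 builds a healthy segment."""
    onus = [Onu(port=k, tx_dbm=2.0, slots=frozenset({2 * k}), rogue=(k == rogue_port))
            for k in range(n_onus)]
    return onus, 2 * n_onus


if __name__ == "__main__":
    onus, n_slots = build_segment()
    alerts = detect_rogue(sample_segment(onus, n_slots), expected_schedule(onus, n_slots))
    print(f"{len(alerts)}/{n_slots} slots carry unexplained light; "
          f"all {len(onus)} subscribers on the segment lose upstream service")
    print("rogue found on splitter leg %d after %d halving rounds" % localize_rogue(onus, n_slots))
```

With the constructed 32-ONU segment, 63 of the 64 slots carry light the grant map cannot explain (the only clean slot is the rogue's own), and the halving search isolates the rogue's leg in five rounds. The same detector reports nothing on a healthy segment, which is the check an operations center would want before dispatching anyone.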
P2MP (point-to-multipoint) architecture has become the most popular solution for FTTH and FTTP, yet awareness of PON vulnerabilities needs to increase sharply before the next generation is deployed.
If we can catalyze the telecom industry to develop methods and measures to protect its infrastructure, such crippling network security issues can be stopped before widespread exploits occur.
The industry needs to address these concerns sooner rather than later or else be left without effective countermeasures against these very real threats.
About Shrihari Pandit:
Shrihari Pandit is the President and CEO of Stealth Communications, the NYC-based ISP he co-founded in 1995. Stealth, having built its own fiber-optic network throughout the city, provides high-bandwidth connectivity services to a broad roster of customers in business, education and government.
Prior to Stealth, Mr. Pandit was a network-security consultant to various software and telecom companies, including MCI, Sprint and Sun Microsystems. He also served as an independent consultant to several U.S. agencies, including NASA and the National Infrastructure Protection Center (NIPC), now part of the Department of Homeland Security.