PON’s Vulnerability to Denial of Service (DoS) Attacks

by Shrihari Pandit

Introduction:

The dominant architecture used in fiber optic deployment, Passive Optical Networks (PONs), may be vulnerable to attack. It is important to bring attention to this under-appreciated weakness and discuss what steps are possible to protect fiber infrastructure.

As the various PON technologies are long-standing and widely deployed, this is a matter of no small concern. PONs are widely deployed by Verizon FiOS, AT&T U-verse and many others.

The PON architecture is a hodgepodge of old and new technologies, hardware and strategy, built on limited budgets and often not overseen by a single team.

In this article we describe how fiber optic infrastructure based on PONs may be open to potential denial of service (DoS) attacks via optical signal injection. Security experts warn that this is a growing issue, which could take down entire PON segments.

Considering the ever-increasing state-sponsored and non-state-actor cyber attacks, vulnerabilities of this type, which allow massive disruption for large groups of people, are very attractive targets.

PON Overview:

The cost advantages of PON architecture make it the overwhelming choice for FTTH deployments. PON allows wireline network providers to deliver service to businesses and homes without having to install costly active electronics on roads, curb-side or even within buildings themselves.

Active electronics, on the other hand, add cost and create operational complexity as deployments scale. The conveniences and differentiators of PONs are precisely what open the floodgates to serious vulnerabilities.

PONs are fundamentally susceptible due to the architecture between the passive optical splitter (POS) and the optical network unit (ONU) within the overall network infrastructure. The POS component of the network functions like a bridge, allowing any and all communications to traverse it without the ability to filter, limit or restrict flow.

The fiber optic market currently boasts 585.9 million subscribers worldwide, with that number set to grow to 897.8 million subscribers by 2021.

The industry has moved to upgrade 1st generation GPONs and EPONs to next-generation PONs, like NG-PON2 (the favorite), XG-PON1 and XGS-PON. For example, Verizon uses the Calix AXOS E9-2 Intelligent Edge System for large-scale NG-PON2 deployments that began in the first quarter of 2018.

However, with subscriber density significantly increasing per PON segment, the risks increase as more subscribers are affected by a cyber attack on a single fiber.

Sidebar: NG-PON2

NG-PON2 combines multiple signals onto a single optical fiber by using different wavelengths of laser light (wavelength division multiplexing), and then splits each wavelength's transmission into time slots (time division multiplexing) in order to further increase capacity. NG-PON2 is illustrated in the figure below.

Legend: OLT = Optical Line Termination; ONT = Optical Network Termination

NGPON2 has three key advantages for operators:

1. Cost

Firstly, it can co-exist with existing GPON and NGPON1 systems and is able to use the existing PON-capable outside plant. Since the optical distribution network (ODN) accounts for 70 per cent of the cost of a PON FTTH roll-out, this is significant. Operators have a clear upgrade path from where they are now until well into the future.

2. Speed

Initially, NGPON2 will provide a minimum of 40 Gb/s downstream capacity, produced by four 10 Gb/s signals on different wavelengths in the O-band multiplexed together in the central office, with a 10 Gb/s total upstream capacity. This capability can be doubled to provide 80 Gb/s downstream and 20 Gb/s upstream in the “extended” NGPON2.

3. Symmetrical upstream/downstream capacity

Both the basic and extended implementations are designed to appeal to domestic consumers where gigabit downstream speeds may be needed but more modest upstream needs prevail. For business users with data mirroring and similar requirements, a symmetric implementation will be provided giving 40/40 and 80/80 Gb/s capacity respectively.

………………………………………………………………………………………

The Essence of a PON Cyber Attack:

Given the flashpoints around the globe, it doesn’t take much imagination to envision how state and non-state actors might want to cause such a chaotic and widespread disruption.

If a “cyber criminal” gains access to the underlying fiber, they could inject a wideband optical signal to disrupt communications for all subscribers attached to the PON segment.

Alternatively, from within a subscriber's home, an adversary could manipulate the ONU's optical subsystem to transmit abnormal PON signals and impact service to all subscribers on that segment. Communications including internet, voice and even analog TV signals that operate on nearby wavelengths would be susceptible to these serious DoS attacks.

Possible Solutions, Preventive Methods and Procedures:

So, what can be done with current equipment without a massive and costly fiber optic network overhaul? The unfortunate answer is that an overarching vulnerability will always exist as long as the passive components are in place. A reactive process is the best and only option.

The current primary solution for operators is to reduce the number of subscribers per PON segment as a way to manage risk. If an attack were detected, the network operator would be able to localize the source and identify and disconnect the bad actor from the network. But that is easier said than done.

This sort of manual process is not ideal. Extensive PON outages mean spending the time and money to send personnel to optical line terminals to check each individual port until the attacker is found. The installation of active electronics on each PON segment or near PON subscribers is unrealistic and impractical; that undertaking would actually be more costly in terms of time, money and physical siting.

The best ongoing solution is for operators to install passive tap points on each PON segment. Each tap can be independently routed back to, and monitored from, the provider's operations center, allowing operators to analyze segments and detect unusual optical light levels that may signal an attack.

At that point the operator could dispatch technicians on-site to continue the localization and resolution process while ensuring other, non-threatening users remain unaffected. This solution effectively takes a reactive process and makes it as automatic and proactive as is currently possible.
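As an added illustration of the tap-point monitoring described above (example code written for this article, not the author's or any vendor's tooling), the following Python flags PON segments whose tapped optical power rises and stays above that segment's own baseline, so an operator can triage before dispatching technicians. The segment names, thresholds and dBm readings are constructed assumptions.

```python
"""Flag PON segments whose tapped optical power departs from baseline.

Added example, not from the article or any vendor. Assumes each passive tap
reports a periodic received-power sample in dBm per PON segment; segment
names and readings below are constructed for illustration."""
from statistics import median

# Constructed sample: segment id -> dBm readings in time order. Segment
# "olt1/pon3" shows a sudden, sustained rise of the kind an unexpected
# optical source on the shared fiber would present at the tap.
SAMPLES = {
    "olt1/pon1": [-22.1, -22.3, -22.0, -22.2, -22.1, -22.4],
    "olt1/pon2": [-23.5, -23.4, -23.6, -23.5, -23.3, -23.5],
    "olt1/pon3": [-22.8, -22.7, -22.9, -15.2, -14.9, -15.1],
}

def baseline(readings, window):
    """Median and median absolute deviation of the first `window` samples."""
    hist = readings[:window]
    med = median(hist)
    mad = median(abs(r - med) for r in hist) or 0.1  # floor avoids a zero scale
    return med, mad

def flag_segment(readings, window=3, min_rise_db=3.0, mad_mult=4.0,
                 min_consecutive=2):
    """True if `min_consecutive` recent samples in a row sit above baseline
    by both a fixed dB margin and a multiple of the segment's own noise, so a
    single transient (a tech plugging in a test set) does not page anyone."""
    med, mad = baseline(readings, window)
    threshold = max(min_rise_db, mad_mult * mad)
    run = 0
    for r in readings[window:]:
        run = run + 1 if r - med >= threshold else 0
        if run >= min_consecutive:
            return True
    return False

def suspicious_segments(samples, **kw):
    """Sorted ids of segments whose tap readings trip the detector."""
    return sorted(seg for seg, rd in samples.items() if flag_segment(rd, **kw))

if __name__ == "__main__":
    for seg in suspicious_segments(SAMPLES):
        med, _ = baseline(SAMPLES[seg], 3)
        print(f"{seg}: latest {SAMPLES[seg][-1]} dBm vs baseline {med} dBm")
```

In a real deployment the baseline window would be learned over a much longer quiet period and the readings would come from the tap's optical power monitor rather than a literal.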

Conclusions:

P2MP (point to multi-point) architecture has become the most popular solution for FTTH and FTTP. Yet there needs to be a substantial increase in awareness of potential PON vulnerabilities going into the next generation.

If we can catalyze the telecom industry to develop methods and measures to protect infrastructure, such crippling network security issues will be stopped before widespread exploits occur.

The industry needs to address these concerns sooner rather than later or else be left without effective countermeasures against these very real threats.

……………………………………………………………………………….

About Shrihari Pandit:

Shrihari Pandit is the President and CEO of Stealth Communications, the NYC-based ISP he co-founded in 1995. Stealth, having built its own fiber-optic network throughout the city, provides high-bandwidth connectivity services to a broad roster of customers in business, education and government.

Prior to Stealth, Mr. Pandit was a network-security consultant to various software and telecom companies, including MCI, Sprint and Sun Microsystems. He also served as an independent consultant to several U.S. agencies, including NASA and the National Infrastructure Protection Center (NIPC), now part of the Department of Homeland Security.

Swisscom achieves 50 Gbps on a fixed PON connection – a world first!

Swisscom has achieved transmission speeds of 50 Gbps in a real PON (Passive Optical Network) environment test – a world first, according to the company. Swisscom has upgraded existing OLT (Optical Line Termination) hardware with a 50 Gbps PON Line Card prototype to reach a download speed of 50 Gbps and an upload speed of 25 Gbps on a fixed network.

The PON technology can be ready to market and deployed in around two years, according to Swisscom. It can be an option for business customers initially. Progressive network virtualization will enable companies to use the bandwidth they need on a flexible basis in line with their requirements.

The 10 Gbps service is expected to be sufficient for the residential mass market for several years yet, the company said. The 50 Gbps option allows for flexible deployment using existing fibre-optic infrastructure.

Markus Reber, Head of Swisscom Networks, said: “There is no question that the bandwidth need will continue to increase over the coming years. That’s why, here at Swisscom, we are already considering how our technology needs to develop to ensure that Switzerland continues to be ready to take advantage of the latest digital services with the best possible experience in the future. The results of testing based on PON technology and architecture clearly demonstrate that we have some powerful options available.”

“In my opinion, PON with 50 Gbit/s will be an option for the business customer market initially. Progressive network virtualisation will enable companies to use the bandwidth they need on a flexible basis in line with their requirements, for instance. In contrast, the 10 Gbit/s already available in the residential mass market should be more than enough for several years to come. However, the 50 Gbit/s option offers even more opportunities, as it allows the existing fibre optic infrastructure to be deployed in a more versatile way. As an example, the technology will soon facilitate access to mobile communication masts, particularly for 5G, as the same network can be used as the one already built to connect households. With a transmission speed of 50 Gbit/s, there is ample bandwidth available.”

The technology also will support fiber optic access to mobile communication masts, particularly for 5G, since the same network can be used as the one already built to connect households.

Swisscom says that “over the coming years, the development of digital applications will result in a similar growth in bandwidth need as seen in recent years, when it increased more than tenfold within a decade. Swisscom is therefore investing in network expansion on an ongoing basis, deploying the latest innovative technologies to do so and safeguarding Switzerland’s high degree of digital competitiveness.”

…………………………………………………………………………………………………………………………………………………………………………………………………..

In April 2020, market research powerhouse Omdia (owned by Informa) forecast that in the 2018–2025 timeframe the PON market will see a compound annual growth rate (CAGR) of 4.3%, to be worth $8.4 billion by 2025. “This market remains in an upswing as operators continue to expand and upgrade their fiber-based access networks for both residential and non-residential subscribers and applications,” states the Omdia team in their report (published prior to the global impact of COVID-19, it should be noted).

[Figure] Omdia: PON and xDSL/Gfast equipment market by major segment, 2017–2025

Growth in the PON market will be driven by increasing demand for next-generation PON equipment, including 10G GPON, 10G EPON, NG-PON2 and 25G/50G PON, according to Omdia. By 2021, most GPON OLT (optical line terminal) shipments are expected to be 10G.

Omdia expects demand for NG-PON2 equipment (which is expensive because it includes tunable lasers) to be limited, with significant deployments anticipated from only one major operator, Verizon.

In Western Europe, PON investments are only just starting; that market is set for a CAGR of 16.5%, to be worth $1.6 billion in 2025.

…………………………………………………………………………………………………………………………………………………………………………………………………

References:

https://www.swisscom.ch/en/about/news/2020/10/08-weltpremiere.html

https://www.swisscom.ch/content/dam/swisscom/en/about/news/2020/10/08-weltpremiere/08-weltpremiere-en.pdf.res/08-weltpremiere-en.pdf

https://www.telecompaper.com/news/swisscom-reaches-50-gbps-in-real-network-environment–1357116

http://www.broadbandworldnews.com/document.asp?doc_id=758638

Dell’Oro Group: PON market to reach $7B by 2022

The global passive optical network (PON) market is on track to grow to over $7 billion by 2022, driven by adoption of next-generation PON technologies such as 10Gbps EPON, Dell’Oro predicts in a new report. The market is on track to grow at a five-year CAGR of nearly 40% from 2017 to 2022, the research firm said in a press release.

“Where PON technologies are used for residential broadband services, 2.5 Gbps GPON will remain as the dominant technology due to its lower price and sufficient speeds. However, for a number of growing use cases such as business services and mobile backhaul, next-generation PON technologies have capacities and capabilities that current generation technologies lack,” Dell’Oro senior analyst Alam Tamboli explained.

He said 10 Gbps EPON is already seeing strong traction across China, noting that current generation PON has previously been widely deployed across the market.

“10 Gbps EPON has already begun shipping strongly in China where current generation PON is widely deployed. Shipments of XGS-PON and NG-PON2 remain small for now, but we anticipate that XGS-PON will grow more rapidly. XGS-PON and its 10 Gbps symmetric bandwidth should meet operators’ needs for business services and mobile backhaul,” Tamboli added.

Other next-generation PON technologies set to drive the strong growth for the segment include XGS-PON and NG-PON2.

………………………………………………………………………………………………………………

About the Report

The Dell’Oro Group Broadband Access 5-Year Forecast Report provides a complete overview of the Broadband Access market with tables covering manufacturers’ revenue, average selling prices, and port/unit shipments for Cable, DSL, and PON equipment. Network infrastructure equipment includes Cable Modem Termination Systems (CMTS), Digital Subscriber Line Access Multiplexers (DSLAMs, by technology: ADSL, ADSL2+, G.SHDSL, VDSL, GFAST), and PON Optical Line Terminals (OLTs). Customer Premises Equipment (CPE) technology reflects Voice-over-IP (VoIP) or data-only. To purchase this report, please call Daisy Kwok at +1.650.622.9400 x227 or email Daisy@DellOro.com.