Fraud Prevention in DOCSIS Network: Data Sharing

We previously looked at the layers of security required to protect MSPs from theft of service. In this Tips & Tutorial, we’ll dive deeper into how the Incognito solution offers fraud protection with data sharing.

DHCP and CFM Data Sharing for Fraud Protection

The DHCP service shares what is known about the client with the configuration file management (CFM) service by creating a unique filename for the settings required for the device. This data is then stored in a table on the CFM service for 60 seconds, waiting for the modem request, after which it is deleted.

When the modem contacts the CFM service, it requests its configuration file by the name created by DHCP, and CFM looks up the file settings in its table. The file is then generated on request.

The data encoded in the configuration file name is kept private. It is triple DES encrypted using a secret shared between the DHCP and CFM services.

Configuration file names for dynamically generated files appear and look meaningless:


In this scenario, DYNTXT is a user-created mask token set within the DHCP option to help clarify which DOCSIS files are associated with a specific template.

All configuration for DOCSIS file generation is created and stored on the DHCP service and automatically synchronized with whatever clustered CFM services register with the DHCP service.

Comparison to CMTS Dynamic Shared Secret Functionality

How does the security in the Incognito solution compare to the Dynamic Shared Secret feature available on a CMTS? Incognito provides similar security, however, it does so without taxing the CMTS.

CMTS Dynamic Shared Secret functionality automatically creates a unique DOCSIS shared secret on a per-modem basis, creating a one-time use DOCSIS configuration file that is valid only for the current session. This ensures that a DOCSIS configuration file downloaded for one cable modem can never be used by any other modem, nor can the same modem reuse this configuration file at a later time.

The Incognito solution does all of the above using dynamic files, however, this process takes place on the provisioning system. The advantage to this is that there is no additional load placed on the CMTS.

Next week, we’ll dive even deeper into how the Incognito solution uses anti-roaming, duplicate detection and DoS detection to further secure your network.

  • Share: