What keeps you from changing your public IP address and wreaking havok?
Solution 1:
Cable modems aren't like your home router (ie. they don't have a web interface with simple point-and-click buttons that any kid can "hack" into).
Cable modems are "looked up" and located by their MAC address by the ISP, and are typically accessed by technicians using proprietary software that only they have access to, that only runs on their servers, and therefore can't really be stolen.
Cable modems also authenticate and cross-check settings with the ISPs servers. The server has to tell the modem whether it's settings (and location on the cable network) are valid, and simply sets it to what the ISP has it set it for (bandwidth, DHCP allocations, etc). For instance, when you tell your ISP "I would like a static IP, please.", they allocate one to the modem through their servers, and the modem allows you to use that IP. Same with bandwidth changes, for instance.
To do what you are suggesting, you would likely have to break into the servers at the ISP and change what it has set up for your modem.
Could they simply be using static arps? ACLs? Other simple mechanisms?
Every ISP is different, both in practice and how close they are with the larger network that is providing service to them. Depending on those factors, they could be using a combination of ACL and static ARP. It also depends on the technology in the cable network itself. The ISP I worked for used some form of ACL, but that knowledge was a little beyond my paygrade. I only got to work with the technician's interface and do routine maintenance and service changes.
What keeps me from changing this IP address to, let's say, 60.61.62.75 and mess with another consumer's internet access?
Given the above, what keeps you from changing your IP to one that your ISP hasn't specifically given to you is a server that is instructing your modem what it can and can't do. Even if you somehow broke into the modem, if 60.61.62.75 is already allocated to another customer, then the server will simply tell your modem that it can't have it.
Solution 2:
Most modern ISPs (last 13 years or so) will not accept traffic from a customer connection unless it has a source IP address that they would route to that customer were it the destination IP address. This is called "reverse path forwarding". See BCP 38.
ISPs either do not use dynamic routing protocols with their customer connections or filter the routes they receive over these connections. So there would be no effect on what packets you received.
Solution 3:
Your packets are going through your ISP, so I would imagine it compares source IP by using an ACL of some sort then filters accordingly. Spoofing your IP will most likely fail unless the ISP doesn't have the proper security in place. There are supposed horror stories of an ISP in uk letting out private ip's through their network causing a bunch of havoc but it shouldn't happen.
Solution 4:
I'm far from an expert, but I do know using Verizon FIOS, any time I change routers I'm forced to do one of two things:
- Change the MAC address of the new router to the address of the old one (presumably so the system thinks it's the old router)
- Contact Verizon support and request they break the lease on my current IP so that it can be re-assigned to the new router
Whether they consider this to be MAC filtering I'm not sure, but I used to dread going through a router change because I couldn't understand why when my new router is hooked directly to the network cable, I could not get internet connectivity.
It wasn't until I was attempting to hook up an Asus router without success, speaking to Asus support I happened to mention my old router still hooks up fine, but the new Asus would not. He told me to change the MAC address of the new router to that of the old D-Link, rebooted and that worked. He said, 'Okay, so Verizon is doing MAC filtering.'
Verizon support claimed they're not but whatever they call it, this would in effect prevent someone using another's IP since the MAC address would not match that of the router from the true account holder.