[120009] in North American Network Operators' Group
Re: Breaking the internet (hotels, guestnet style)
daemon@ATHENA.MIT.EDU (Lou Katz)
Mon Dec 7 22:18:55 2009
Date: Mon, 7 Dec 2009 19:18:00 -0800
From: Lou Katz <lou@metron.com>
To: Steven Bellovin <smb@cs.columbia.edu>
Mail-Followup-To: Steven Bellovin <smb@cs.columbia.edu>,
Jared Mauch <jared@puck.nether.net>, nanog@nanog.org
In-Reply-To: <199FCDD1-9A96-4C6C-86B6-B8A4B0090A19@cs.columbia.edu>
Cc: nanog@nanog.org
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org
On Mon, Dec 07, 2009 at 09:48:25PM -0500, Steven Bellovin wrote:
>
> On Dec 7, 2009, at 6:00 PM, Jared Mauch wrote:
>
> >
> > On Dec 7, 2009, at 5:29 PM, John Levine wrote:
> >
> >>> Will be interesting to see if ISPs respond to a large scale thing like
> >>> this taking hold by blocking UDP/TCP 53 like many now do with tcp/25
> >>> (albeit for other reasons). Therein lies the problem with some of the
> >>> "net neturality" arguments .. there's a big difference between "doing it
> >>> because it causes a problem for others", and "doing it because it robs
> >>> me of revenue opportunities".
> >>
> >> I do hear of ISPs blocking requests to random offsite DNS servers.
> >> For most consumer PCs, that's more likely to be a zombie doing DNS
> >> hijacking than anything legitimate. If they happen also to block
> >> 8.8.8.8 that's just an incidental side benefit.
> >
> > I've found more and more hotel/edge networks blocking/capturing this traffic.
> >
> > The biggest problem is they tend to break things horribly and fail things like the
> > oarc entropy test.
> >
> > They will often also return REFUSED (randomly) to valid well formed DNS queries.
> >
> > While I support the capturing of malware compromised machines until they are
> > repaired, I do think more intelligence needs to be applied when directing these systems.
> >
> > Internet access in a hotel does not mean just UDP/53 to their selected hosts plus TCP/80,
> > TCP/443.
>
> It's why I run an ssh server on 443 somewhere -- and as needed, I ssh-tunnel http to a squid proxy, smtp, and as many IMAP/SSL connections as I really need...
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
me too, as well on on port 80
>
> --Steve Bellovin, http://www.cs.columbia.edu/~smb
>
>
>
>
>
>
--
-=[L]=-
Our core competencies are office moves and vocabulary.
