[120010] in North American Network Operators' Group
Re: Breaking the internet (hotels, guestnet style)
daemon@ATHENA.MIT.EDU (Joe Greco)
Mon Dec 7 22:33:24 2009
From: Joe Greco <jgreco@ns.sol.net>
To: andrew@accessplus.com.au (Andrew Cox)
Date: Mon, 7 Dec 2009 21:32:20 -0600 (CST)
In-Reply-To: <4B1DAAB4.8060802@accessplus.com.au> from "Andrew Cox" at Dec 08, 2009 11:54:04 AM
Cc: nanog@nanog.org
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org
> IMHO there is no need for any sort of DNS redirection after user
> authentication has taken place.
It may be hazardous even before user authentication has taken place.
Even given a very low TTL, client resolvers may cache answers returned
during that initial authentication.
> We of course redirect UDP/TCP 53 to one of our servers along with 80
> (http) 443 (https) 8080, 3128 (proxy) to the local hotspot *before* any
> authentication has occurred, but once this is completed the only reason
> any guest would use the local DNS server is if they were assigned a DHCP
> address.
Which, presumably, many/most of them are. Supplying a functional DNS
server shouldn't be that difficult, but real world experience shows just
how well some operators run these services.
> As far as our Routerboard/Mikrotik setup works, it'll masquerade for any
> non-standard IP addresses that appear on the network (guests with static
> IPs assigned, corporate laptops etc.) but once again after the
> authentication stage anything is allowed to pass unhindered.
>
> The only redirection that is used after authentication is for port 25 as
> 90% of users trying to send mail out via port 25 have no idea how to
> change their mail server, let alone why they might need to.
> It can be an issue as some systems use authentication on port 25.
Sounds like an opportunity for a custom proxy. Clients that can
successfully authenticate to an external mailserver on 25 are probably
by definition nonproblematic. The remainder probably deserve to get
jammed through an aggressive spam, virus, and other-crap filter, with
in-line notification of rejections. You can do some other sanity stuff
like counting the number of hosts contacted by a client; anything in
excess of a small number would seem to be a good indicator to stop.
... JG
--
Joe Greco - sol.net Network Services - Milwaukee, WI - http://www.sol.net
"We call it the 'one bite at the apple' rule. Give me one chance [and] then I
won't contact you again." - Direct Marketing Ass'n position on e-mail spam(CNN)
With 24 million small businesses in the US alone, that's way too many apples.
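The per-client accounting Joe sketches above (authenticated sessions pass, the rest go through a filter, and a client that fans out to too many hosts gets stopped) can be expressed as a small decision routine. The following is an added illustration written for this archive page, not code from the thread or from any hotspot product; the log format, the field names and the threshold of five hosts are assumptions made up for the example.

```python
"""Added example: per-client outbound port-25 accounting of the kind the
reply sketches. Not code from the NANOG thread; the log format, field names
and HOST_THRESHOLD are assumptions made for illustration."""
from collections import defaultdict

# Constructed sample of a hotspot's connection log (one line per SMTP session).
# Fields: client IP, destination mail host, destination port, and whether the
# client completed SMTP AUTH against the external server.
SAMPLE_LOG = """\
2009-12-07T21:10:01 client=10.1.2.10 dst=mail.example.net dport=25 auth=yes
2009-12-07T21:10:05 client=10.1.2.20 dst=smtp.example.org dport=25 auth=no
2009-12-07T21:10:09 client=10.1.2.20 dst=mx.example.com dport=25 auth=no
2009-12-07T21:10:12 client=10.1.2.30 dst=mx1.example.com dport=25 auth=no
2009-12-07T21:10:13 client=10.1.2.30 dst=mx2.example.com dport=25 auth=no
2009-12-07T21:10:14 client=10.1.2.30 dst=mx3.example.com dport=25 auth=no
2009-12-07T21:10:15 client=10.1.2.30 dst=mx4.example.com dport=25 auth=no
2009-12-07T21:10:16 client=10.1.2.30 dst=mx5.example.com dport=25 auth=no
2009-12-07T21:10:17 client=10.1.2.30 dst=mx6.example.com dport=25 auth=no
2009-12-07T21:10:20 client=10.1.2.40 dst=submission.example.net dport=587 auth=yes
"""

# Assumed policy knob: distinct port-25 destinations an unauthenticated
# client may contact before the proxy stops relaying for it.
HOST_THRESHOLD = 5


def parse_line(line):
    """Return (client, dst, dport, auth) from one 'key=value' log line."""
    fields = dict(kv.split("=", 1) for kv in line.split()[1:])
    return (fields["client"], fields["dst"], int(fields["dport"]),
            fields["auth"] == "yes")


def summarize(log_text):
    """Per client: the set of port-25 hosts contacted without AUTH, plus the
    set of clients that authenticated on port 25 at least once. Traffic on
    other ports is ignored because the proxy in the reply only sits on 25."""
    unauth_hosts = defaultdict(set)
    authenticated = set()
    for line in log_text.splitlines():
        if not line.strip():
            continue
        client, dst, dport, auth = parse_line(line)
        if dport != 25:
            continue
        if auth:
            authenticated.add(client)
        else:
            unauth_hosts[client].add(dst)
    return unauth_hosts, authenticated


def decide(log_text, threshold=HOST_THRESHOLD):
    """Map each client seen on port 25 to the action the reply describes:
    'pass'   - authenticated to an external server, leave it alone
    'filter' - unauthenticated, relay through the spam/virus filter
    'stop'   - unauthenticated and fanning out to more than `threshold` hosts
    A client that authenticated at least once is treated as nonproblematic."""
    unauth_hosts, authenticated = summarize(log_text)
    decisions = {client: "pass" for client in authenticated}
    for client, hosts in unauth_hosts.items():
        if client in authenticated:
            continue
        decisions[client] = "stop" if len(hosts) > threshold else "filter"
    return decisions


if __name__ == "__main__":
    for client, action in sorted(decide(SAMPLE_LOG).items()):
        print(client, action)
```

On the constructed log this yields pass for 10.1.2.10, filter for 10.1.2.20 (two hosts) and stop for 10.1.2.30 (six hosts); the port-587 session from 10.1.2.40 is outside the proxy's scope and produces no decision. In a real deployment the counting window would need to expire old entries, and the threshold would be tuned against the site's normal traffic before it is allowed to block anything.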