[120014] in North American Network Operators' Group


Re: Breaking the internet (hotels, guestnet style)

daemon@ATHENA.MIT.EDU (Joel Esler)
Tue Dec 8 00:15:00 2009

From: Joel Esler <eslerj@gmail.com>
In-Reply-To: <20091208031800.GA25224@metron.com>
Date: Tue, 8 Dec 2009 00:13:15 -0500
To: Lou Katz <lou@metron.com>
Cc: nanog@nanog.org
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org

On Dec 7, 2009, at 10:18 PM, Lou Katz wrote:

> On Mon, Dec 07, 2009 at 09:48:25PM -0500, Steven Bellovin wrote:
>>
>> On Dec 7, 2009, at 6:00 PM, Jared Mauch wrote:
>>
>>>
>>> On Dec 7, 2009, at 5:29 PM, John Levine wrote:
>>>
>>>>> Will be interesting to see if ISPs respond to a large scale thing like
>>>>> this taking hold by blocking UDP/TCP 53 like many now do with tcp/25
>>>>> (albeit for other reasons). Therein lies the problem with some of the
>>>>> "net neutrality" arguments .. there's a big difference between "doing it
>>>>> because it causes a problem for others", and "doing it because it robs
>>>>> me of revenue opportunities".
>>>>
>>>> I do hear of ISPs blocking requests to random offsite DNS servers.
>>>> For most consumer PCs, that's more likely to be a zombie doing DNS
>>>> hijacking than anything legitimate.  If they happen also to block
>>>> 8.8.8.8 that's just an incidental side benefit.
>>>
>>> I've found more and more hotel/edge networks blocking/capturing this traffic.
>>>
>>> The biggest problem is they tend to break things horribly and fail things like the
>>> oarc entropy test.
>>>
>>> They will often also return REFUSED (randomly) to valid well formed DNS queries.
>>>
>>> While I support the capturing of malware compromised machines until they are
>>> repaired, I do think more intelligence needs to be applied when directing these systems.
>>>
>>> Internet access in a hotel does not mean just UDP/53 to their selected hosts plus TCP/80,
>>> TCP/443.
>>
>> It's why I run an ssh server on 443 somewhere -- and as needed, I ssh-tunnel http to a squid proxy, smtp, and as many IMAP/SSL connections as I really need...


Also handy to set up an SSH tunnel.  That works for almost everything else.

J
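As an added example (not part of the thread or any poster's code), a small Python probe that lets you check from a hotel network whether an off-net resolver's replies arrive intact: it sends one A query and classifies the answer as REFUSED, a transaction-ID mismatch, or the A records actually returned. Only `parse_reply()` is exercised by the embedded samples; `example.com` and the sample address 93.184.216.34 are constructed inputs, and `probe()` needs real network access.

```python
import secrets, socket, struct

RCODES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}

def _skip_name(msg, off):
    """Return the offset just past a name (labels or a compression pointer)."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if (length & 0xC0) == 0xC0:  # pointer: two bytes, nothing follows
            return off + 2
        off += 1 + length

def parse_reply(msg, expected_txid=None):
    """Return (rcode name, list of A-record IPs); a wrong transaction ID is flagged."""
    txid, flags, qdcount, ancount, _, _ = struct.unpack("!HHHHHH", msg[:12])
    if expected_txid is not None and txid != expected_txid:
        return "TXID-MISMATCH", []
    rcode = RCODES.get(flags & 0xF, "RCODE%d" % (flags & 0xF))
    off = 12
    for _ in range(qdcount):
        off = _skip_name(msg, off) + 4  # skip QTYPE and QCLASS
    ips = []
    for _ in range(ancount):
        off = _skip_name(msg, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:
            ips.append(socket.inet_ntoa(msg[off:off + 4]))
        off += rdlen
    return rcode, ips

def probe(resolver, qname="example.com", timeout=3.0):
    """Send one recursion-desired A query to `resolver` over UDP/53 (needs network)."""
    txid = secrets.randbits(16)
    labels = b"".join(bytes([len(p)]) + p.encode() for p in qname.strip(".").split("."))
    query = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0) + labels + b"\x00\x00\x01\x00\x01"
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(query, (resolver, 53))
        data, _ = sock.recvfrom(512)
    return parse_reply(data, txid)

# Constructed sample replies to an example.com A query (no network needed):
_Q = b"\x07example\x03com\x00\x00\x01\x00\x01"
SAMPLE_REFUSED = struct.pack("!HHHHHH", 0x1234, 0x8185, 1, 0, 0, 0) + _Q
SAMPLE_OK = (struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0) + _Q
             + b"\xc0\x0c\x00\x01\x00\x01\x00\x00\x0e\x10\x00\x04\x5d\xb8\xd8\x22")
```

Run `probe()` once against the resolver the network hands out and once against one you chose; a REFUSED or a transaction-ID mismatch on a name you know resolves is the kind of breakage the thread describes.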



