[120015] in North American Network Operators' Group
Re: Breaking the internet (hotels, guestnet style)
daemon@ATHENA.MIT.EDU (Mark Andrews)
Tue Dec 8 00:40:56 2009
To: Joe Greco <jgreco@ns.sol.net>
From: Mark Andrews <marka@isc.org>
In-reply-to: Your message of "Mon, 07 Dec 2009 21:32:20 MDT."
<200912080332.nB83WKSo037049@aurora.sol.net>
Date: Tue, 08 Dec 2009 16:39:22 +1100
Cc: nanog@nanog.org
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org
In message <200912080332.nB83WKSo037049@aurora.sol.net>, Joe Greco writes:
> > IMHO there is no need for any sort of DNS redirection after user
> > authentication has taken place.
>
> It may be hazardous even before user authentication has taken place.
> Even given a very low TTL, client resolvers may cache answers returned
> during that initial authentication.
>
> > We of course redirect UDP/TCP 53 to one of our servers along with 80
> > (http) 443 (https) 8080, 3128 (proxy) to the local hotspot *before* any
> > authentication has occurred, but once this is completed the only reason
> > any guest would use the local DNS server is if they were assigned a DHCP
> > address.
>
> Which, presumably, many/most of them are. Supplying a functional DNS
> server shouldn't be that difficult, but real world experience shows just
> how well some operators run these services.
>
> > As far as our Routerboard/Mikrotik setup works, it'll masquerade for any
> > non standard IP addresses that appear on the network (guests with static
> > ip's assigned, corporate laptops etc) but once again after the
> > authentication stage anything is allowed to pass unhindered.
> >
> > The only redirection that is used after authentication is for port 25 as
> > 90% of user trying to send mail out via port 25 have no idea how to
> > change their mail server, let alone why they might need to.
> > It can be an issue as some systems use authentication on port 25.
>
> Sounds like an opportunity for a custom proxy. Clients that can
> successfully authenticate to an external mailserver on 25 are probably
> by definition nonproblematic. The remainder probably deserve to get
> jammed through an aggressive spam, virus, and other-crap filter, with
> in-line notification of rejections. You can do some other sanity stuff
> like counting the number of hosts contacted by a client; anything in
> excess of a small number would seem to be a good indicator to stop.
>
> ... JG
> --
> Joe Greco - sol.net Network Services - Milwaukee, WI - http://www.sol.net
> "We call it the 'one bite at the apple' rule. Give me one chance [and] then I
> won't contact you again." - Direct Marketing Ass'n position on e-mail spam (CNN)
> With 24 million small businesses in the US alone, that's way too many apples.
>
This really should be a DHCP option which points to the authentication
server using IP addresses. This should be returned to clients even
if they don't request it. Web browsers could have a hot-spot button that
retrieves this option then connects using the value returned.
No need to compromise the DNS or intercept HTTP.
Mark
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: marka@isc.org
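The DHCP-option approach proposed above, as an added illustration that is not from this thread or from any vendor's code: a client-side parser for a DHCPv4 option area that pulls the authentication server's IP addresses out of a hypothetical site-local option (number 224, assumed here from the private-use range), rejecting truncated or malformed options instead of overrunning the buffer; the sample offer is constructed.

```python
from ipaddress import IPv4Address

# Hypothetical option number, assumed: 224 from the DHCPv4 site-specific range
HOTSPOT_AUTH_OPTION, PAD, END = 224, 0, 255

def encode_options(options):
    """Serialize (code, payload) pairs into a DHCP option area ending in END."""
    out = bytearray()
    for code, payload in options:
        if not 1 <= code <= 254 or len(payload) > 255:
            raise ValueError("option code or length out of range")
        out += bytes([code, len(payload)]) + payload
    out.append(END)
    return bytes(out)

def parse_options(blob):
    """Walk the option area into {code: payload}; skip PAD, stop at END, never overrun."""
    opts, i = {}, 0
    while i < len(blob):
        code = blob[i]
        if code == PAD:
            i += 1
            continue
        if code == END:
            break
        if i + 2 > len(blob):
            raise ValueError("truncated option header")
        length = blob[i + 1]
        payload = blob[i + 2:i + 2 + length]
        if len(payload) != length:
            raise ValueError("truncated option payload")
        opts[code] = payload
        i += 2 + length
    return opts

def hotspot_auth_servers(blob):
    """Client side: auth server addresses from the option, whether requested or not."""
    payload = parse_options(blob).get(HOTSPOT_AUTH_OPTION)
    if payload is None:
        return []  # no hotspot option present: nothing to connect to
    if len(payload) == 0 or len(payload) % 4:
        raise ValueError("hotspot option must hold one or more IPv4 addresses")
    return [str(IPv4Address(payload[k:k + 4])) for k in range(0, len(payload), 4)]

# Constructed sample offer: a PAD byte, router (3), DNS server (6), then the hotspot option
SAMPLE_OFFER = bytes([PAD]) + encode_options([
    (3, IPv4Address("10.0.0.1").packed),
    (6, IPv4Address("10.0.0.53").packed),
    (HOTSPOT_AUTH_OPTION, IPv4Address("10.0.0.10").packed + IPv4Address("10.0.0.11").packed),
])
```

Because the client reads the option from the offer rather than from a redirected DNS answer or intercepted HTTP session, nothing poisons the resolver cache and no traffic has to be hijacked to reach the portal.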