[120015] in North American Network Operators' Group

home help back first fref pref prev next nref lref last post

Re: Breaking the internet (hotels, guestnet style)

daemon@ATHENA.MIT.EDU (Mark Andrews)
Tue Dec 8 00:40:56 2009

To: Joe Greco <jgreco@ns.sol.net>
From: Mark Andrews <marka@isc.org>
In-reply-to: Your message of "Mon, 07 Dec 2009 21:32:20 MDT."
	<200912080332.nB83WKSo037049@aurora.sol.net> 
Date: Tue, 08 Dec 2009 16:39:22 +1100
Cc: nanog@nanog.org
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org


In message <200912080332.nB83WKSo037049@aurora.sol.net>, Joe Greco writes:
> > IMHO there is no need for any sort of DNS redirection after user 
> > authentication has taken place.
> 
> It may be hazardous even before user authentication has taken place.
> Even given a very low TTL, client resolvers may cache answers returned
> during that initial authentication.
> 
> > We of course redirect UDP/TCP 53 to one of our servers along with 80 
> > (http) 443 (https) 8080, 3128 (proxy) to the local hotspot *before* any 
> > authentication has occurred, but once this is completed the only reason 
> > any guest would use the local DNS server is if they were assigned a DHCP 
> > address.
> 
> Which, presumably, many/most of them are.  Supplying a functional DNS
> server shouldn't be that difficult, but real world experience shows just
> how well some operators run these services.
> 
> > As far as our Routerboard/Mikrotik setup works, it'll masquerade for any 
> > non standard IP addresses that appear on the network (guests with static 
> > ip's assigned, corporate laptops etc) but once again after the 
> > authentication stage anything is allowed to pass unhindered.
> > 
> > The only redirection that is used after authentication is for port 25 as 
> > 90% of user trying to send mail out via port 25 have no idea how to 
> > change their mail server, let alone why they might need to.
> > It can be an issue as some systems use authentication on port 25.
> 
> Sounds like an opportunity for a custom proxy.  Clients that can
> successfully authenticate to an external mailserver on 25 are probably
> by definition nonproblematic.  The remainder probably deserve to get
> jammed through an aggressive spam, virus, and other-crap filter, with
> in-line notification of rejections.  You can do some other sanity stuff
> like counting the number of hosts contacted by a client; anything in
> excess of a small number would seem to be a good indicator to stop.
> 
> ... JG
> -- 
> Joe Greco - sol.net Network Services - Milwaukee, WI - http://www.sol.net
> "We call it the 'one bite at the apple' rule. Give me one chance [and] then I
> won't contact you again." - Direct Marketing Ass'n position on e-mail spam(CN
> N)
> With 24 million small businesses in the US alone, that's way too many apples.
> 

This really should be a DHCP option which points to the authentification
server using ip addresses.  This should be return to clients even
if they don't request it.  Web browers could have a hot-spot button that
retrieves this option then connects using the value returned.

No need to compromise the DNS or intercept http.

Mark
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka@isc.org


home help back first fref pref prev next nref lref last post