[120036] in North American Network Operators' Group


Re: Breaking the internet (hotels, guestnet style)

daemon@ATHENA.MIT.EDU (Shane Ronan)
Tue Dec 8 11:13:30 2009

From: Shane Ronan <sronan@fattoc.com>
In-Reply-To: <199FCDD1-9A96-4C6C-86B6-B8A4B0090A19@cs.columbia.edu>
Date: Tue, 8 Dec 2009 11:12:30 -0500
To: Steven Bellovin <smb@cs.columbia.edu>
Cc: nanog@nanog.org
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org

Juniper SSL VPN FTW!

On Dec 7, 2009, at 9:48 PM, Steven Bellovin wrote:

>
> On Dec 7, 2009, at 6:00 PM, Jared Mauch wrote:
>
>>
>> On Dec 7, 2009, at 5:29 PM, John Levine wrote:
>>
>>>> Will be interesting to see if ISPs respond to a large scale thing like
>>>> this taking hold by blocking UDP/TCP 53 like many now do with tcp/25
>>>> (albeit for other reasons). Therein lies the problem with some of the
>>>> "net neutrality" arguments .. there's a big difference between "doing it
>>>> because it causes a problem for others", and "doing it because it robs
>>>> me of revenue opportunities".
>>>
>>> I do hear of ISPs blocking requests to random offsite DNS servers.
>>> For most consumer PCs, that's more likely to be a zombie doing DNS
>>> hijacking than anything legitimate.  If they happen also to block
>>> 8.8.8.8 that's just an incidental side benefit.
>>
>> I've found more and more hotel/edge networks blocking/capturing this traffic.
>>
>> The biggest problem is they tend to break things horribly and fail things like the
>> oarc entropy test.
>>
>> They will often also return REFUSED (randomly) to valid well-formed DNS queries.
>>
>> While I support the capturing of malware compromised machines until they are
>> repaired, I do think more intelligence needs to be applied when directing these systems.
>>
>> Internet access in a hotel does not mean just UDP/53 to their selected hosts plus TCP/80,
>> TCP/443.
>
> It's why I run an ssh server on 443 somewhere -- and as needed, I ssh-tunnel http to a squid proxy, smtp, and as many IMAP/SSL connections as I really need...
>
> 		--Steve Bellovin, http://www.cs.columbia.edu/~smb
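The interception symptoms Jared describes (REFUSED on well-formed queries, answers rewritten by the guest network's resolver) can be checked from the client side by parsing the reply and comparing it with one obtained over a trusted path. The following is an added example, not code from this thread or from any product named in it; the packets it parses are constructed inline with the wire-format builder, and the trusted answers and the 192.0.2.0/24 addresses are placeholders.

```python
import struct

RCODES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}

def build_response(txid, qname, rcode, ips):  # constructed test input, not real traffic
    hdr = struct.pack("!6H", txid, 0x8180 | rcode, 1, len(ips), 0, 0)  # QR, RD, RA set
    q = b"".join(bytes([len(l)]) + l.encode() for l in qname.split(".")) + b"\x00"
    q += struct.pack("!HH", 1, 1)                       # QTYPE=A, QCLASS=IN
    rr = b"".join(b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4)   # name: pointer to offset 12
                  + bytes(int(o) for o in ip.split(".")) for ip in ips)
    return hdr + q + rr

def read_name(pkt, off):  # decode a (possibly compressed) name; return (name, offset after it)
    labels, end = [], None
    while True:
        ln = pkt[off]
        if ln & 0xC0 == 0xC0:                           # compression pointer
            end = end if end is not None else off + 2
            off = ((ln & 0x3F) << 8) | pkt[off + 1]
            continue
        off += 1
        if ln == 0:
            return ".".join(labels), (end if end is not None else off)
        labels.append(pkt[off:off + ln].decode("ascii"))
        off += ln

def parse_response(pkt):
    """Return the transaction id, RCODE name and A-record answers of a reply."""
    txid, flags, qd, an, _, _ = struct.unpack("!6H", pkt[:12])
    off, answers = 12, []
    for _ in range(qd):                                 # skip question section
        off = read_name(pkt, off)[1] + 4
    for _ in range(an):
        off = read_name(pkt, off)[1]
        rtype, _, _, rdlen = struct.unpack("!HHIH", pkt[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:
            answers.append(".".join(str(b) for b in pkt[off:off + 4]))
        off += rdlen
    return {"id": txid, "rcode": RCODES.get(flags & 0xF, str(flags & 0xF)), "answers": answers}

def check_resolver(pkt, sent_id, trusted_ips):  # verdict on the local resolver's reply
    r = parse_response(pkt)
    if r["id"] != sent_id:
        return "id-mismatch"                            # reply to a query we did not send
    if r["rcode"] != "NOERROR":
        return r["rcode"].lower()                       # e.g. 'refused' on a well-formed query
    if set(r["answers"]) != set(trusted_ips):
        return "rewritten"                              # answers differ from the trusted path
    return "ok"
```

In practice the trusted answer set comes from a resolver reached through a tunnel such as the one Steve describes, and the packet is the raw UDP payload received from the network's assigned resolver.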