AT&T WiFi spoofs Name Server Responses!

Fred puissante at lrc.puissante.com
Tue Jul 18 16:16:01 EDT 2006


Hello, all.

I've been doing the Internet Cafe WiFi scene for quite some time now. I 
currently do T-Mobile at Borders, AT&T WiFi at Barnes&Noble, and the freebie at 
Panera Bread. 

Since I do server management and web development from my laptop at these 
venues, I have come to notice many peculiarities with each venue. Some 
subtle, some not so subtle. Most of them I can live with.

But very recently at B&N, I needed to change the IP address pointing to my 
home servers on Verizon Fios -- which has its own peculiarities, btw -- 
because Verizon, unlike Comcast, forcibly changes the IP address about once 
or twice a month. Forcibly as in dropping any connections that are open. 
Aside from killing my ssh sessions -- which I use for monitoring -- not too 
annoying. I have a script that updates my name servers periodically with the 
correct IP address. Simple, effective, and it works. Step aside DynDNS! :-)

Anyway, at some point the cron job for this script got munged, and so I had 
to do it by hand. I logged into my server and corrected the problem. I did 
this the other day whilst at B&N.

Except it didn't seem to work. Name Resolution from my laptop kept returning 
the bad IP address. Strange.

So, I logged directly into the server running the Name Server and checked it 
there with the 'host' command. All was as expected there.

Then I tried the host command from my laptop again. It gave the wrong IP 
address.

Then I tried the host command again explicitly specifying the name server to 
use. Still the wrong address was returned!

I tried it again on the remote server, same name server. Correct IP address!

Puzzled, I tried it on my laptop, this time specifying "yahoo.com" (and its 
IP address directly) as the name server on my laptop. It returned a result, 
and still the wrong IP address!!!!

It returned a result? Surely Yahoo would not have an open name server off of 
its main IP address. I tried the same from the remote server and it failed 
as it was supposed to.

This could mean only one thing, of course. AT&T WiFi must be intercepting 
*all* name server requests, no matter where they are destined, and spoofing 
the response!!!!!!!!!

Jaw dropping!

I called tech support at AT&T WiFi, and after enduring many automated voice 
menus and a totally clueless tech, I finally got to a person who had half a 
clue of what I was asking him. The conversation went something like:

Me: Sir, Why are you guys spoofing name server responses?

Tech: What do you mean?

Me: I have verified that your network is spoofing responses to my NS 
requests. I ... [lengthy discussion of how I verified this]

Tech: Well, we have an open network. [I was to hear him repeat that many 
times] It is your responsibility to secure your connections.

Me: But that's not the issue. The issue is that you guys are spoofing name 
server responses. Why?

Tech: I'm not aware of what's going on.

Me: I consider this very serious. For instance, you could easily do a 
"man-in-the-middle" attack and unless I were paying attention to the actual 
IP addresses, I'd have no idea that was going on. With that spoofing in 
place, someone *could* compromise your spoofing and do all sorts of damage.

Tech: It is your responsibility...

Me: Again, you miss my point. Why would you spoof in the first place? What's 
the point?

...

And on the conversation went. It would appear that, while he understood what 
I was saying, he had no clue what was going on on AT&T's side. He seemed 
kinda lost in the conversation, and basically stated there was nothing he 
could do about it.

Well, I know there is no expectation of privacy on these networks. I know 
that AT&T, T-Mobile, Verizon, and the others could be monitoring and 
capturing every packet I send out and receive. For that reason, I use ssh 
for most of my serious work.

But now, I find I can't even be sure about NS queries I send *specifically* 
to various name servers on the Internet. At this point, I can't be sure 
about anything at all. If AT&T spoofs Name Server responses, what else are 
they spoofing? Websites? VoIP? Would they engage in content spoofing? Since 
they are spoofing all name server responses, they could very easily do this. 
The average person would be completely unaware.

Well, there is only one solution to this madness -- VPN. I'll have to set up 
a VPN on my laptop to tunnel through to my servers and the Internet at 
large. Yes, I can do this, but I have so many things on my plate right 
now...

But security requires eternal vigilance, I know. I just never thought I'd 
need to secure my work from the WiFi providers themselves. So off I go 
into the nether-realms of OpenVPN. Well, I'll have to fit it into my busy 
schedule somewhere.

-Freedom Fred
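
An added example, not part of Fred's message: a small Python probe that does in
code what the post describes doing by hand with 'host'. It builds the A query
itself, sends it both to your own name server and to an address you know runs
no DNS server at all (the post used yahoo.com's web address), and treats any
reply from the latter as proof that something on the path is intercepting port
53. The server addresses, the hostname and the expected answer below are
placeholders (RFC 5737 documentation ranges), not values from the post.

```python
"""Check for on-path DNS interception the way the post above does.

Added example, not code from the original message. The idea: ask the
same question of (1) the name server you actually mean to use and (2) an
address you know runs no DNS server at all. A non-resolver can only stay
silent; if it "answers", something between you and it is intercepting
port 53. All server addresses and names below are placeholders.
"""
import random
import socket
import struct
from typing import List, Optional


def build_query(name: str, qid: int) -> bytes:
    """Build a minimal DNS query for an A record (RFC 1035 wire format)."""
    # flags 0x0100: standard query, recursion desired; 1 question, no other records
    header = struct.pack(">HHHHHH", qid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(
        bytes([len(label)]) + label.encode("ascii")
        for label in name.rstrip(".").split(".")
    )
    return header + qname + b"\x00" + struct.pack(">HH", 1, 1)  # QTYPE=A, QCLASS=IN


def _skip_name(resp: bytes, off: int) -> int:
    """Return the offset just past a (possibly compressed) domain name."""
    while True:
        length = resp[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:      # compression pointer: two bytes, ends the name
            return off + 2
        off += 1 + length


def parse_a_records(resp: bytes, qid: int) -> List[str]:
    """Extract the IPv4 answers from a response to our query; reject mismatched IDs."""
    if len(resp) < 12:
        raise ValueError("response too short for a DNS header")
    rid, flags, qdcount, ancount, _, _ = struct.unpack(">HHHHHH", resp[:12])
    if rid != qid:
        raise ValueError("transaction ID mismatch")
    if not flags & 0x8000:
        raise ValueError("QR bit clear: this is a query, not a response")
    off = 12
    for _ in range(qdcount):
        off = _skip_name(resp, off) + 4          # skip QNAME, then QTYPE and QCLASS
    addrs = []
    for _ in range(ancount):
        off = _skip_name(resp, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack(">HHIH", resp[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:            # A record
            addrs.append(socket.inet_ntoa(resp[off:off + 4]))
        off += rdlen
    return addrs


def query(server_ip: str, name: str, timeout: float = 2.0) -> Optional[List[str]]:
    """Send one A query over UDP. None means no reply, the expected result from a non-resolver."""
    qid = random.randrange(65536)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_query(name, qid), (server_ip, 53))
        try:
            data, _ = sock.recvfrom(4096)
        except socket.timeout:
            return None
    return parse_a_records(data, qid)


def verdict(decoy_answer: Optional[List[str]],
            real_answer: Optional[List[str]],
            expected_ip: str) -> str:
    """Combine the two probes into a verdict (the reasoning of the post's own test)."""
    if decoy_answer is not None:
        return "INTERCEPTED: a host that runs no DNS server returned %r" % (decoy_answer,)
    if real_answer is not None and set(real_answer) != {expected_ip}:
        return "SUSPECT: your own name server returned %r, not %s" % (real_answer, expected_ip)
    return "OK: no sign of on-path DNS interception"


if __name__ == "__main__":
    # Placeholders (assumptions, not from the post): your authoritative name
    # server, a host you know runs no DNS (the post used yahoo.com's web address),
    # the name your dynamic-IP script maintains, and the address it should return.
    MY_NS = "198.51.100.53"
    DECOY = "203.0.113.10"
    NAME = "home.example.com"
    EXPECTED = "192.0.2.44"
    print(verdict(query(DECOY, NAME), query(MY_NS, NAME), EXPECTED))
```

Run it once from the hotspot and once from a machine outside it, as the post
did with 'host': the decoy should time out from both places, and an answer
from it on the hotspot alone is the tell.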
