AT&T WiFi spoofs Name Server Responses!

Ben Scott dragonhawk at gmail.com
Tue Jul 18 17:19:00 EDT 2006


On 7/18/06, Fred <puissante at lrc.puissante.com> wrote:
> This could mean only one thing, of course. AT&T WiFi must be intercepting
> *all* name server requests, no matter where they are destined, and spoofing
> the response!!!!!!!!!

  I've seen similar weirdness before, generally on semi-public
networks such as those at "hot spots".  It's generally there to
facilitate intercepting requests from people who haven't
authenticated, and redirecting them to a front end designed to bring
them into the system (including signing up with credit card, etc.).

  Keep in mind that people are stupid.  I can totally see some luser
(1) using their own, manually configured name servers, and (2)
complaining loudly and longly that the hot spot "doesn't work" (since
their private nameservers bypassed the authentication intercept that
lets them on in the first place).  Easy "fix": Intercept all DNS
queries, proxy them, and redirect lusers who haven't authenticated
yet.

> And on the conversation went. It would appear that, while he understood what
> I was saying, he had no clue what was going on on AT&T's side.

  I expect AT&T doesn't actually run their own "hot spots", but
rather, contracts it out, for both management as well as equipment.
Providers will often buy "appliance" type products to implement hot
spots for them.  So it's entirely possible the hot spot implementation
is a "black box" to AT&T, where you know as much about it as they do.

> At this point, I can't be sure about anything at all.

  If you thought you could be sure about anything on the Internet
*before* this point, you're a lot more naive than your postings would
suggest.  ;-)

> If AT&T spoofs Name Server responses, what else are
> they spoofing? Websites?

  Many providers (and not just hot spots) do all sorts of transparent
proxying, especially for web traffic.  This is not new.  You've
probably experienced the like before and just never noticed.

> Since they are spoofing all name server responses, they could very easily do
> this.

  They *operate the network you're connecting to*.  They could very
easily do just about anything, including sending 10,000 volts down the
Ethernet cable to fry your computer.

  (Yah, yah, wireless -- don't let details ruin a good dramatization. ;-) )

> The average person would be completely unaware.

  And usually is.  "What the American public doesn't know is what
makes them the American public." -- That guy in "Tommy Boy"

> Well, there is only one solution to this madness -- VPN. I'll have to set up
> a VPN on my laptop to tunnel through to my servers and the Internet at
> large.

  Recommended, if you're concerned about the "purity" of your Internet
connection.  (Although, given that you're a Verizon customer at home,
I'm not sure you're really gaining much...)

> I just never thought I'd needed to secure my work from the WiFi providers
> themselves.

  Well, from a technical implementation standpoint, the network
operators at either end point are the ones in the best position to
mess with you.  Intermediate carriers have far less control.  So it
could be argued that the local operator presents the biggest threat.
(I'm not sure how big a difference it makes in practice.)

> So off I go into the nether-realms of OpenVPN.

  If you need help, give a yell on this list.  I know there are
several people here familiar with OpenVPN, myself included.

-- Ben
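As an added example (not part of Ben's or Fred's messages), here is a small Python probe for the DNS interception Ben describes: it sends an A query both to a real resolver and to a decoy address that runs no resolver (192.0.2.1 from the RFC 5737 test range, an assumption here), and judges the replies. Any answer from the decoy means a box on the path is answering DNS for everyone; a public name resolving to a private address is the portal redirect.

```python
import ipaddress, secrets, socket, struct

def build_query(name, txid):
    # 12-byte header (id, RD flag, QDCOUNT=1) followed by one A/IN question.
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(label)]) + label.encode() for label in name.split("."))
    return header + qname + b"\x00" + struct.pack(">HH", 1, 1)

def _skip_name(packet, pos):
    # Advance past a domain name, whether label-encoded or a compression pointer.
    while packet[pos] != 0 and packet[pos] & 0xC0 != 0xC0:
        pos += packet[pos] + 1
    return pos + (2 if packet[pos] & 0xC0 == 0xC0 else 1)

def parse_a_records(packet, expected_txid):
    txid, _flags, qdcount, ancount = struct.unpack(">HHHH", packet[:8])
    if txid != expected_txid:
        raise ValueError("transaction id mismatch: reply is not for our query")
    pos, addrs = 12, []
    for _ in range(qdcount):           # skip the echoed question (name, QTYPE, QCLASS)
        pos = _skip_name(packet, pos) + 4
    for _ in range(ancount):
        pos = _skip_name(packet, pos)
        rtype, _rclass, _ttl, rdlen = struct.unpack(">HHIH", packet[pos:pos + 10])
        pos += 10
        if rtype == 1 and rdlen == 4:  # A record: four-byte IPv4 address
            addrs.append(socket.inet_ntoa(packet[pos:pos + 4]))
        pos += rdlen
    return addrs

def probe(name, server, timeout=2.0):
    # A records answered by `server`, or None if nothing replied within the timeout.
    txid = secrets.randbits(16)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_query(name, txid), (server, 53))
        try:
            data, _ = sock.recvfrom(512)
        except socket.timeout:
            return None
    return parse_a_records(data, txid)

def assess(decoy_answers, resolver_answers):
    # Any reply from the decoy (a host that runs no resolver) means a middlebox answered
    # for it; a public name resolving to a private address is the usual portal redirect.
    findings = [] if decoy_answers is None else ["reply from a non-resolver: DNS is intercepted on this path"]
    findings += [f"private answer {ip}: likely portal redirect"
                 for ip in resolver_answers or [] if ipaddress.ip_address(ip).is_private]
    return findings
```

On the hot spot, `assess(probe("example.com", "192.0.2.1"), probe("example.com", "8.8.8.8"))` returns an empty list on an honest network and one finding per symptom otherwise.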
