AT&T WiFi spoofs Name Server Responses!
Fred
puissante at lrc.puissante.com
Wed Jul 19 13:13:01 EDT 2006
On Tuesday 18 July 2006 17:18, Ben Scott uttered thusly:
> On 7/18/06, Fred <puissante at lrc.puissante.com> wrote:
> > This could mean only one thing, of course. AT&T WiFi must be
> > intercepting *all* name server requests, no matter where they are
> > destined, and spoofing the response!!!!!!!!!
>
> I've seen similar weirdness before, generally on semi-public
> networks such as those at "hot spots". It's generally there to
> facilitate intercepting requests from people who haven't
> authenticated, and redirecting them to a front end designed to bring
> them into the system (including signing up with credit card, etc.).
Interception I can understand. Spoofing -- especially AFTER I've
authenticated -- I don't understand.
> Keep in mind that people are stupid. I can totally see some luser
> (1) using their own, manually configured name servers, and (2)
> complaining loudly and longly that the hot spot "doesn't work" (since
> their private nameservers bypassed the authentication intercept that
> lets them on in the first place). Easy "fix": Intercept all DNS
> queries, proxy them, and redirect lusers who haven't authenticated
> yet.
Of course, if a luser is that stupid, he probably wouldn't even know what a
nameserver is! Unless, of course, he knows "just enough to be dangerous."
Many of my past managers fell into that category.
> > And on the conversation went. It would appear that, while he understood
> > what I was saying, he had no clue what was going on on AT&T's side.
>
> I expect AT&T doesn't actually run their own "hot spots", but
> rather, contracts it out, for both management as well as equipment.
> Providers will often buy "appliance" type products to implement hot
> spots for them. So it's entirely possible the hot spot implementation
> is a "black box" to AT&T, where you know as much about it as they do.
Quite possibly the case since it used to be SBC (and still bears that name).
Ah, the joy of big corporate bureaucracies.
> > At this point, I can't be sure about anything at all.
>
> If you thought you could be sure about anything on the Internet
> *before* this point, you're a lot more naive than your postings would
> suggest. ;-)
I'm not naive. Far from it. I just play one on T.V. :-) Quite seriously, I
actually sometimes *pretend* to be naive in certain specific circumstances
when I think it will work to my advantage. "What, Officer, I was going THAT
fast?" You'd be surprised how many times that old Jedi mind trick works. And
besides, there's nothing to be gained looking like a smartass to a cop who
has all kinds of options -- legal and not-so-legal -- on what to do with
you. But I digress.
> > If AT&T spoofs Name Server responses, what else are
> > they spoofing? Websites?
>
> Many providers (and not just hot spots) do all sorts of transparent
> proxying, especially for web traffic. This is not new. You've
> probably experienced the like before and just never noticed.
I know proxying goes on for web traffic, or rather caching. If I hit the
provider's nameservers I expect some caching to go on there as well. I just
never expected nameserver responses to be completely spoofed. I can just see
trying to do something else on that port and ripping my hair out trying to
understand why it didn't work!!!!!
Running nmap on these services always turns up surprising results, and
confounded me the first times I tried it loooong ago. I just *knew* I didn't
have any Microsoft services running on my *Linux* servers! Later I found out
they were *blocking* those ports to keep, say, all the Windows machines of
their customers from discovering each other!
> > Since they are spoofing all name server responses, they could very
> > easily do this.
>
> They *operate the network you're connecting to*. They could very
> easily do just about anything, including sending 10,000 volts down the
> Ethernet cable to fry your computer.
>
> (Yah, yah, wireless -- don't let details ruin a good dramatization. ;-) )
Well, actually, Tesla might have some thoughts on that! I can see the big
sizzling discharges jumping from the access point to my laptop, and oh, my
body just happened to be in the path. :-)
> > The average person would be completely unaware.
>
> And usually is. "What the American public doesn't know is what
> makes them the American public." -- That guy in "Tommy Boy"
Humanity in general are 90% Mindless Vessels of Belief. A topic for a
different thread. We just happen to notice the Americans since we are stewed
in it every day. Most people merely execute their beliefs not too unlike
computers executing software. Few actually take the time to *question* those
beliefs.
> > Well, there is only one solution to this madness -- VPN. I'll have to
> > set up a VPN on my laptop to tunnel through to my servers and the
> > Internet at large.
>
> Recommended, if you're concerned about the "purity" of your Internet
> connection. (Although, given that you're a Verizon customer at home,
> I'm not sure you're really gaining much...)
I know Verizon is impure to the max. It'll make for a cool weekend project --
when I get a weekend's worth of time to actually do it.
BTW, anyone expert in Nagios? I'd like to set that up, and actually started
on it, and found out it was worthy of a major project all its own. I was
hoping it would *save* me time using it vs. rolling my own, but now I am not
so sure.
>...
> > So Off I go into the nether-realms of OpenVPN.
>
> If you need help, give a yell on this list. I know there are
> several people here familiar with OpenVPN, myself included.
Thanks, Ben. I've been doing some quick and dirty stuff with ssh port
forwarding, which works like a champ, but now I need a more comprehensive
solution. Well, after I complete the 50 million other projects in my
queue...!
-Fred