AT&T WiFi spoofs Name Server Responses!

Fred puissante at lrc.puissante.com
Wed Jul 19 13:13:01 EDT 2006


On Tuesday 18 July 2006 17:18, Ben Scott uttered thusly:
> On 7/18/06, Fred <puissante at lrc.puissante.com> wrote:
> > This could mean only one thing, of course. AT&T WiFi must be
> > intercepting *all* name server requests, no matter where they are
> > destined, and spoofing the response!!!!!!!!!
>
>   I've seen similar weirdness before, generally on semi-public
> networks such as those at "hot spots".  It's generally there to
> facilitate intercepting requests from people who haven't
> authenticated, and redirecting them to a front end designed to bring
> them into the system (including signing up with credit card, etc.).

Interception I can understand. Spoofing -- especially AFTER I've 
authenticated -- I don't understand.

>   Keep in mind that people are stupid.  I can totally see some luser
> (1) using their own, manually configured name servers, and (2)
> complaining loudly and longly that the hot spot "doesn't work" (since
> their private nameservers bypassed the authentication intercept that
> lets them on in the first place).  Easy "fix": Intercept all DNS
> queries, proxy them, and redirect lusers who haven't authenticated
> yet.

Of course, if a luser is that stupid, he probably wouldn't even know what a  
nameserver is! Unless, of course, he knows "just enough to be dangerous." 
Many of my past managers fell into that category.

> > And on the conversation went. It would appear that, while he understood
> > what I was saying, he had no clue what was going on on AT&T's side.
>
>   I expect AT&T doesn't actually run their own "hot spots", but
> rather, contracts it out, for both management as well as equipment.
> Providers will often buy "appliance" type products to implement hot
> spots for them.  So it's entirely possible the hot spot implementation
> is a "black box" to AT&T, where you know as much about it as they do.

Quite possibly the case since it used to be SBC (and still bears that name). 
Ah, the joy of big corporate bureaucracies.

> > At this point, I can't be sure about anything at all.
>
>   If you thought you could be sure about anything on the Internet
> *before* this point, you're a lot more naive than your postings would
> suggest.  ;-)

I'm not naive. Far from it. I just play one on T.V. :-) Quite seriously, I 
actually sometimes *pretend* to be naive in certain specific circumstances 
when I think it will work to my advantage. "What, Officer, I was going THAT 
fast?" You'd be surprised how many times that old Jedi mind trick works. And 
besides, there's nothing to be gained looking like a smartass to a cop who 
has all kinds of options -- legal and not-so-legal -- on what to do with  
you. But I digress.

> > If AT&T spoofs Name Server responses, what else are
> > they spoofing? Websites?
>
>   Many providers (and not just hot spots) do all sorts of transparent
> proxying, especially for web traffic.  This is not new.  You've
> probably experienced the like before and just never noticed.

I know proxying goes on for web traffic, or rather caching. If I hit the 
provider's nameservers I expect some caching to go on there as well. I just 
never expected nameserver responses to be completely spoofed. I can just see 
trying to do something else on that port and ripping my hair out trying to 
understand why it didn't work!!!!!

Running nmap on these services always turns up surprising results, and 
confounded me the first times I tried it loooong ago. I just *knew* I didn't 
have any Microsoft services running on my *Linux* servers! Later I found out 
they were *blocking* those ports to keep, say, all the Windows machines of 
their customers from discovering each other!

> > Since they are spoofing all name server responses, they could very
> > easily do this.
>
>   They *operate the network you're connecting to*.  They could very
> easily do just about anything, including sending 10,000 volts down the
> Ethernet cable to fry your computer.
>
>   (Yah, yah, wireless -- don't let details ruin a good dramatization. ;-) )

Well, actually, Tesla might have some thoughts on that! I can see the big 
sizzling discharges jumping from the access point to my laptop, and oh, my 
body just happened to be in the path. :-)

> > The average person would be completely unaware.
>
>   And usually is.  "What the American public doesn't know is what
> makes them the American public." -- That guy in "Tommy Boy"

Humanity in general is 90% Mindless Vessels of Belief. A topic for a 
different thread. We just happen to notice the Americans since we are stewed 
in it every day. Most people merely execute their beliefs not too unlike 
computers executing software. Few actually take the time to *question* those 
beliefs.

> > Well, there is only one solution to this madness -- VPN. I'll have to
> > set up a VPN on my laptop to  tunnel through to my servers and the
> > Internet at large.
>
>   Recommended, if you're concerned about the "purity" of your Internet
> connection.  (Although, given that you're a Verizon customer at home,
> I'm not sure you're really gaining much...)

I know Verizon is impure to the max. It'll make for a cool weekend project -- 
when I get a weekend's worth of time to actually do it.

BTW, anyone expert in Nagios? I'd like to set that up, and actually started 
on it, and found out it was worthy of a major project all its own. I was 
hoping it would *save* me time using it vs. rolling my own, but now I am not 
so sure.

>...
> > So off I go into the nether-realms of OpenVPN.
>
>   If you need help, give a yell on this list.  I know there are
> several people here familiar with OpenVPN, myself included.

Thanks, Ben. I've been doing some quick and dirty stuff with ssh port 
forwarding, which works like a champ, but now I need a more comprehensive 
solution. Well, after I complete the 50 million other projects in my 
queue...!

-Fred
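The thread above argues about whether a hot spot is merely intercepting DNS or actively rewriting answers. A practical way to tell the two apart, written as an added example that is not part of this message or the list's own material, is a decoy probe: send a query to an address where no resolver can possibly exist, and see whether something in the path answers anyway. The decoy address 192.0.2.1 (RFC 5737 documentation space) and the sample A-record values are assumptions chosen for illustration; the `build_a_reply` helper fabricates replies so the classification logic can be exercised offline, and `udp_query` is only needed for a live probe on a network you are diagnosing.

```python
import socket
import struct

# Assumed decoy: 192.0.2.1 is TEST-NET-1 (RFC 5737), reserved for documentation.
# No honest network runs a resolver there, so any reply to a query sent to it
# must come from something intercepting DNS traffic in the path.
DECOY_RESOLVER = "192.0.2.1"


def build_query(name, txid, qtype=1):
    """Build a minimal DNS query (RD set) for `name`; qtype 1 is an A record."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)


def _skip_name(data, off):
    """Advance past a (possibly compressed) domain name starting at `off`."""
    while True:
        length = data[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:      # compression pointer: 2 bytes, ends the name
            return off + 2
        off += 1 + length


def parse_a_records(data):
    """Return (txid, [A-record IPs]) from a DNS response; other RR types are skipped."""
    txid, _flags, qd, an, _, _ = struct.unpack("!HHHHHH", data[:12])
    off = 12
    for _ in range(qd):
        off = _skip_name(data, off) + 4       # skip QTYPE + QCLASS
    ips = []
    for _ in range(an):
        off = _skip_name(data, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", data[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:
            ips.append(socket.inet_ntoa(data[off:off + 4]))
        off += rdlen
    return txid, ips


def udp_query(resolver, query, timeout=2.0):
    """Send `query` to `resolver`:53 over UDP; return the reply, or None on timeout."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(query, (resolver, 53))
        try:
            reply, _ = s.recvfrom(4096)
        except socket.timeout:
            return None
    return reply


def classify(txid, decoy_reply, trusted_ips):
    """
    Interpret what the decoy probe returned.
      'clean'       : the decoy never answered, so nothing in the path grabbed the query.
      'intercepted' : the decoy 'answered' our txid with the same A records the
                      trusted resolver gave, i.e. a transparent DNS proxy.
      'spoofed'     : the decoy answered with different addresses, i.e. rewriting.
      'unrelated'   : txid mismatch; the packet is not a reply to our query.
    """
    if decoy_reply is None:
        return "clean"
    rtxid, ips = parse_a_records(decoy_reply)
    if rtxid != txid:
        return "unrelated"
    return "intercepted" if set(ips) == set(trusted_ips) else "spoofed"


def build_a_reply(query, ips):
    """Fabricate a reply to `query` carrying the given A records (constructed test data)."""
    txid = struct.unpack("!H", query[:2])[0]
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, len(ips), 0, 0)
    question = query[12:]
    answers = b"".join(
        b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + socket.inet_aton(ip)
        for ip in ips)
    return header + question + answers


def demo():
    """Dry run over constructed packets: no network traffic is sent."""
    txid = 0x1234
    q = build_query("example.com", txid)
    trusted = ["198.51.100.10"]                  # constructed trusted-resolver answer
    proxied = build_a_reply(q, trusted)          # what a transparent proxy would return
    rewritten = build_a_reply(q, ["203.0.113.7"])  # what a rewriting interceptor would return
    return (classify(txid, None, trusted),
            classify(txid, proxied, trusted),
            classify(txid, rewritten, trusted))


if __name__ == "__main__":
    print(demo())
    # Live probe on a network under diagnosis (trusted_ips from a resolver you control):
    # classify(txid, udp_query(DECOY_RESOLVER, build_query("example.com", txid)), trusted_ips)
```

On a clean network the decoy query simply times out; a result of "intercepted" confirms the captive-portal style proxying Ben describes, while "spoofed" means the answers themselves are being rewritten, which is the case where tunnelling DNS through the VPN or ssh forward discussed above is the only reliable fix.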
