Re: Breaking the internet (hotels, guestnet style)

[Joel Esler <eslerj () gmail com>]

On Dec 7, 2009, at 10:18 PM, Lou Katz wrote:

> On Mon, Dec 07, 2009 at 09:48:25PM -0500, Steven Bellovin wrote:
> > On Dec 7, 2009, at 6:00 PM, Jared Mauch wrote:
> >
> > > On Dec 7, 2009, at 5:29 PM, John Levine wrote:
> > >
> > > > > Will be interesting to see if ISPs respond to a large scale thing like
> > > > > this taking hold by blocking UDP/TCP 53 like many now do with tcp/25
> > > > > (albeit for other reasons). Therein lies the problem with some of the
> > > > > "net neturality" arguments .. there's a big difference between "doing it
> > > > > because it causes a problem for others", and "doing it because it robs
> > > > > me of revenue opportunities".
> > > >
> > > > I do hear of ISPs blocking requests to random offsite DNS servers.
> > > > For most consumer PCs, that's more likely to be a zombie doing DNS
> > > > hijacking than anything legitimate.  If they happen also to block
> > > > 8.8.8.8 that's just an incidental side benefit.
> > >
> > > I've found more and more hotel/edge networks blocking/capturing this traffic.
> > >
> > > The biggest problem is they tend to break things horribly and fail things like the
> > > oarc entropy test.
> > >
> > > They will often also return REFUSED (randomly) to valid well formed DNS queries.
> > >
> > > While I support the capturing of malware compromised machines until they are
> > > repaired, I do think more intelligence needs to be applied when directing these systems.
> > >
> > > Internet access in a hotel does not mean just UDP/53 to their selected hosts plus TCP/80,
> > > TCP/443.
> >
> > It's why I run an ssh server on 443 somewhere -- and as needed, I ssh-tunnel http to a squid proxy, smtp, and as 
> > many IMAP/SSL connections as I really need...


Also handy to set up an SSH tunnel.  That works for almost everything else.

J