| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Fri, 7 Oct 2011 19:38:15 +0000
From: "Hartley, Christopher" <hartley.87@....edu>
To: James Wright <jamfwright@...il.com>
Cc: "<full-disclosure@...ts.grok.org.uk>" <full-disclosure@...ts.grok.org.uk>
Subject: Re: Verizon Wireless DNS Tunneling
I would think that at minimum, thresholds could be set on how many names to resolve, and permitted types for unauthenticated users. Prohibit NULL and TXT records for unauthenticated hosts - or just whitelist A and CNAMEs, reject others. Reject the 50th (or whatever) query from an unauthenticated host/user... I don't think NACs are using DNS tricks in the main anymore anyway. They shouldn't be... there are much better ways.
That said, I'm happy for this condition to exist permanently so long as I'm not responsible for the traffic.
On Oct 7, 2011, at 10:26 AM, James Wright wrote:
Actually, yes, they could provide bad data. I believe (perhaps erroneously) that Comcast does this. Probably other service providers do too. Until you are authenticated to use their network you are redirected to a service page that can help authenticate you. If you have connectivity issues (like bad cached DNS entries) after authenticating you are to reboot (or otherwise clear the local DNS cache).
I don't really see why Verizon could not do similar. All DNS traffic from an unauthenticated user/machine would be redirected to a DNS server that only returned the appropriate service page. Most or all other traffic would be blocked. Much like NAC.
Thanks,
James
On Fri, Oct 7, 2011 at 10:05 AM, Dan Kaminsky <dan@...para.com<mailto:dan@...para.com>> wrote:
One major reason it sticks around is -- what are you supposed to do, return bad data until the user is properly logged in? It might get cached -- and while operating systems respect TTL, browsers most assuredly do not ("well, it MIGHT take us somewhere good").
It's not like there's a magic off switch that makes this go away.
On Fri, Oct 7, 2011 at 4:56 AM, Marshall Whittaker <marshallwhittaker@...il.com<mailto:marshallwhittaker@...il.com>> wrote:
Yes, I've found that DNS tunneling works well at the college I go to on their WIFI. I've never gotten ICMP tunneling to work myself (outside of a virtual machine), but I have some code laying around somewhere that can do it just in case I need it for something sometime. Just thought it would be interesting to some people that it works on such a large provider as Verizon. The only problem with it that I see is that it's quite slow. But if it works, so be it. Good for checking email and browsing the web and such on the road. But I wouldn't try to torrent a linux distro with it, haha.
--oxagast
On Fri, Oct 7, 2011 at 7:39 AM, BH <lists@...ckhat.bz<mailto:lists@...ckhat.bz>> wrote:
This comes in handy when travelling, I also found a few places where ICMP tunnelling works well.
On 7/10/2011 6:35 PM, Dan Kaminsky wrote:
Works mostly everywhere. It's apparently enough of a pain in the butt to deal with, and abused so infrequently, that it's left alone.
On Fri, Oct 7, 2011 at 3:32 AM, Marshall Whittaker <marshallwhittaker@...il.com<mailto:marshallwhittaker@...il.com>> wrote:
I recently noticed that you can tunnel TCP through DNS (I used iodine) to penetrate Verizon Wireless' firewall. You can connect, and if you can hold the connection long enough to make a DNS tunnel, then the connection stays up, then use SSH -D to create a proxy server for your traffic. Bottom line is, you can use the internet without paying. I made a video of it. It can be seen here: http://www.youtube.com/user/Oxagast?blend=2&ob=5#p/u/0/X6oWESQMVd8 I tried to contact Verizon on their security blog about it a few weeks ago at http://securityblog.verizonbusiness.com/ however, I have not had a response. This technique still works as of this posting. Maybe this will help them get their act together ;-)
--oxagast
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Content of type "text/html" skipped
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists