[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: [Full-disclosure] Verizon Wireless DNS Tunneling
- To: "Hartley, Christopher" <hartley.87@xxxxxxx>
- Subject: Re: [Full-disclosure] Verizon Wireless DNS Tunneling
- From: Dan Kaminsky <dan@xxxxxxxxxxx>
- Date: Fri, 7 Oct 2011 12:51:19 -0700
You never know what you'll be breaking, but you always know you'll be paying
for support calls.
On Fri, Oct 7, 2011 at 12:38 PM, Hartley, Christopher <hartley.87@xxxxxxx>wrote:
> I would think that at minimum, thresholds could be set on how many names to
> resolve, and permitted types for unauthenticated users. Prohibit NULL and
> TXT records for unauthenticated hosts - or just whitelist A and CNAMEs,
> reject others. Reject the 50th (or whatever) query from an unauthenticated
> host/user... I don't think NACs are using DNS tricks in the main anymore
> anyway. They shouldn't be... there are much better ways.
>
> That said, I'm happy for this condition to exist permanently so long as I'm
> not responsible for the traffic.
>
>
> On Oct 7, 2011, at 10:26 AM, James Wright wrote:
>
> Actually, yes, they could provide bad data. I believe (perhaps
> erroneously) that Comcast does this. Probably other service providers do
> too. Until you are authenticated to use their network you are redirected to
> a service page that can help authenticate you. If you have connectivity
> issues (like bad cached DNS entries) after authenticating you are to reboot
> (or otherwise clear the local DNS cache).
>
> I don't really see why Verizon could not do similar. All DNS traffic from
> an unauthenticated user/machine would be redirected to a DNS server that
> only returned the appropriate service page. Most or all other traffic would
> be blocked. Much like NAC.
>
>
> Thanks,
> James
>
>
> On Fri, Oct 7, 2011 at 10:05 AM, Dan Kaminsky <dan@xxxxxxxxxxx> wrote:
>
>> One major reason it sticks around is -- what are you supposed to do,
>> return bad data until the user is properly logged in? It might get cached
>> -- and while operating systems respect TTL, browsers most assuredly do not
>> ("well, it MIGHT take us somewhere good").
>>
>> It's not like there's a magic off switch that makes this go away.
>>
>> On Fri, Oct 7, 2011 at 4:56 AM, Marshall Whittaker <
>> marshallwhittaker@xxxxxxxxx> wrote:
>>
>>> Yes, I've found that DNS tunneling works well at the college I go to on
>>> their WIFI. I've never gotten ICMP tunneling to work myself (outside of a
>>> virtual machine), but I have some code laying around somewhere that can do
>>> it just in case I need it for something sometime. Just thought it would be
>>> interesting to some people that it works on such a large provider as
>>> Verizon. The only problem with it that I see is that it's quite slow. But
>>> if it works, so be it. Good for checking email and browsing the web and
>>> such on the road. But I wouldn't try to torrent a linux distro with it,
>>> haha.
>>>
>>> --oxagast
>>>
>>> On Fri, Oct 7, 2011 at 7:39 AM, BH <lists@xxxxxxxxxxx> wrote:
>>>
>>>> This comes in handy when travelling, I also found a few places where
>>>> ICMP tunnelling works well.
>>>>
>>>>
>>>> On 7/10/2011 6:35 PM, Dan Kaminsky wrote:
>>>>
>>>> Works mostly everywhere. It's apparently enough of a pain in the butt
>>>> to deal with, and abused so infrequently, that it's left alone.
>>>>
>>>> On Fri, Oct 7, 2011 at 3:32 AM, Marshall Whittaker <
>>>> marshallwhittaker@xxxxxxxxx> wrote:
>>>>
>>>>> I recently noticed that you can tunnel TCP through DNS (I used iodine)
>>>>> to penetrate Verizon Wireless' firewall. You can connect, and if you can
>>>>> hold the connection long enough to make a DNS tunnel, then the connection
>>>>> stays up, then use SSH -D to create a proxy server for your traffic.
>>>>> Bottom
>>>>> line is, you can use the internet without paying. I made a video of it.
>>>>> It
>>>>> can be seen here:
>>>>> http://www.youtube.com/user/Oxagast?blend=2&ob=5#p/u/0/X6oWESQMVd8 I
>>>>> tried to contact Verizon on their security blog about it a few weeks ago
>>>>> at
>>>>> http://securityblog.verizonbusiness.com/ however, I have not had a
>>>>> response. This technique still works as of this posting. Maybe this will
>>>>> help them get their act together ;-)
>>>>>
>>>>> --oxagast
>>>>>
>>>>> _______________________________________________
>>>>> Full-Disclosure - We believe in it.
>>>>> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
>>>>> Hosted and sponsored by Secunia - http://secunia.com/
>>>>>
>>>>
>>>>
>>>>
>>>> _______________________________________________
>>>> Full-Disclosure - We believe in it.
>>>> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
>>>> Hosted and sponsored by Secunia - http://secunia.com/
>>>>
>>>>
>>>>
>>>> _______________________________________________
>>>> Full-Disclosure - We believe in it.
>>>> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
>>>> Hosted and sponsored by Secunia - http://secunia.com/
>>>>
>>>
>>>
>>> _______________________________________________
>>> Full-Disclosure - We believe in it.
>>> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
>>> Hosted and sponsored by Secunia - http://secunia.com/
>>>
>>
>>
>> _______________________________________________
>> Full-Disclosure - We believe in it.
>> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
>> Hosted and sponsored by Secunia - http://secunia.com/
>>
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
>
>
>
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/