errrmmm managed to block DNS tunnelling... crude, but it works

On 14 October 2012 17:10, Rocco Radisch <[email protected]> wrote:
> ICMP can be blocked, hence it's boring. Look at DNS tunnelling and you
> will quickly realise where the real hammer is. OK, for speed reasons an
> openvpn tunnel on udp port 53 might be an alternative if outgoing DNS
> traffic is not blocked. DNS tunnelling uses the internal DNS servers to
> relay traffic, which is difficult to block. So, with all outbound traffic
> blocked and with only access to internal resources it is still possible to
> go to Facebook with the help of an internal DNS server ;-) That can only be
> mitigated on the DNS server itself and there are not so many options yet.
> Snort might be able to tell the difference (if listening on LAN).
> Same principles work with local provider's Hotspot - "please load more
> credit" sites. Or, for the tech novices, just look up WiFree. It uses all
> mentioned methods (udp, tcp, icmp, dns) seemingly together.
>
> Rocco
>
> On 14/10/2012 12:42 PM, [email protected] wrote:
>> However, most ops have probably not even heard about ICMP tunnelling. Even
>> if this one has, examining the contents of the ICMP Echo payload will
>> probably not be the first thing an ordinary op does. She will probably
>> think you are ICMP flooding the target, though, and that is probably a
>> graver offence than a little tunnelling.
>>
>> If it's a public hotspot you probably have nothing much to fear, though,
>> as you are anonymous and practically impossible to trace.
>>
>> Phillip Simbwa <[email protected]> wrote:
>>>> The ICMP tunnelling trick was quite nifty. It will light most pieces of
>>>> network monitoring software up like Christmas trees, though, but chances
>>>> are public hotspot providers do not monitor traffic that closely.
>>>
>>> My man is working with just a Linksys wireless router <cough> </cough>
>>> If I was one of his stress boys, and my casual recon indicated that
>>> the Linksys was his strongest weapon, I wouldn't put much effort to it
>>> (it would be overkill).
>>>
>>> But if the wireless router is loaded with DD-WRT, I would tread more
>>> carefully -- the network admin may not be the ordinary nice guy. He
>>> may have a few surprises up his sleeve (e.g. dumping logs from the
>>> Linksys to some remote server for analysis). In such a situation,
>>> going with ICMP/DNS tunneling is like carrying a knife to a gun fight.

--
Mike
Of course, you might discount this possibility, but remember that one in a
million chances happen 99% of the time.

------------------------------------------------------------
_______________________________________________
The Uganda Linux User Group: http://linux.or.ug

Send messages to this mailing list by addressing e-mails to: [email protected]
Mailing list archives: http://www.mail-archive.com/[email protected]/
Mailing list settings: http://kym.net/mailman/listinfo/lug
To unsubscribe: http://kym.net/mailman/options/lug

The Uganda LUG mailing list is generously hosted by INFOCOM:
http://www.infocom.co.ug/

The above comments and data are owned by whoever posted them (including
attachments if any). The mailing list host is not responsible for them in any
way.
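Rocco's point is that a DNS tunnel hides inside ordinary recursive queries to the internal resolver, so the place to catch or block it is the DNS server's own query log. The script below is an added example, not code from anyone in this thread, of the resolver-side heuristic Mike's "crude" block or a Snort-style sensor would rely on: one client sending many distinct, long, high-entropy subdomains of a single zone. The log line format, the client addresses and the tunnel-test.example zone are all constructed for the example.

```python
import math
from collections import Counter, defaultdict
# Constructed resolver query-log sample (client, name, type); the line format is
# made up for this example, not BIND's or Unbound's real syntax.
SAMPLE_LOG = """\
10.0.0.5 www.example.org. A
10.0.0.5 mail.example.org. MX
10.0.0.7 3q2ef9a8b7c6d5e4f3a2b1c0d9e8f7a6.t.tunnel-test.example. TXT
10.0.0.7 9z8y7x6w5v4u3t2s1r0q9p8o7n6m5l4k.t.tunnel-test.example. TXT
10.0.0.7 a1b2c3d4e5f6a7b8c9d0e1f2a3b4c5d6.t.tunnel-test.example. TXT
10.0.0.7 f0e1d2c3b4a5968778695a4b3c2d1e0f.t.tunnel-test.example. TXT
10.0.0.5 cdn.example.org. A
"""
def shannon_entropy(text):
    """Bits per character; encoded tunnel payloads score far above real hostnames."""
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in Counter(text).values())

def split_name(qname):
    """(subdomain, zone), last two labels as zone; assumption: real code uses the Public Suffix List."""
    labels = qname.rstrip(".").lower().split(".")
    return ".".join(labels[:-2]), ".".join(labels[-2:])

def parse_log(text):
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 3:
            rows.append((parts[0], parts[1], parts[2].upper()))
    return rows

def suspicious_zones(rows, min_distinct=3, min_entropy=3.0, min_len=20):
    """Flag (client, zone) pairs queried with many distinct, long, high-entropy
    subdomains: the traffic shape of data being relayed through the resolver."""
    per = defaultdict(lambda: {"subs": set(), "ent": [], "txt": 0})
    for client, qname, qtype in rows:
        sub, zone = split_name(qname)
        s = per[(client, zone)]
        s["subs"].add(sub)
        s["ent"].append(shannon_entropy(sub))
        s["txt"] += qtype in ("TXT", "NULL")  # record types tunnels favour
    flagged = {}
    for key, s in per.items():
        mean_ent = sum(s["ent"]) / len(s["ent"])
        mean_len = sum(len(x) for x in s["subs"]) / len(s["subs"])
        if len(s["subs"]) >= min_distinct and mean_ent >= min_entropy and mean_len >= min_len:
            flagged[key] = {"distinct": len(s["subs"]), "entropy": round(mean_ent, 2),
                            "txt_or_null": s["txt"]}
    return flagged
```

The thresholds are starting points only; baseline them against your own resolver first, since CDN, anti-spam and telemetry lookups also use long machine-generated labels and will otherwise trip the rule.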
