@derwiki
Created May 3, 2011 00:02
shivaram
the whole thing is vaguely surprising because i would have thought that until you're through the paywall, you're talking to a fake DNS server that simply redirects all hostname requests to the paywall page
4:26
evan
shivaram: it may just set a dns server using dhcp, so if you connect directly to another ip on port 53 your udp traffic will go through
it depends on the software, some of it is smart enough to do layer 3/4 stuff, some of it is at layer 7
4:27
shivaram
application-layer awareness sounds "smart"
network-layer awareness sounds "dumb"
4:27
evan
well if it's layer 7 then it's easy to work around it
4:27
shivaram
right
i guess i have no idea how any of this is implemented; it sounds like until your MAC is whitelisted by the paywall, DHCP should assign you an IP address with no routes to external IPs and no outside DNS
4:30
evan
if it's done right it's not just a dhcp thing, since you can statically give yourself another ip address and dns entries
4:31
Kyle
If you want to look at the code for an implementation lots seem to be based on... http://nocat.net/
4:32
evan
i think the right thing to do is until your mac address is whitelisted/authenticated to the web portal, all routes outside of the internal network are closed to you (i.e. the ip packets will be flat out rejected), and an http proxy on the default gateway will respond with a temporary http redirect to the portal page, for all URLs
i'm pretty sure that's how it was implemented at berkeley
4:33
shivaram
that sounds good
so yeah, why would someone let you have DNS before passing the paywall?
this must be a pretty common mistake if someone made a solution to exploit it
4:35
evan
i think a lot of this captive portal software is implemented kind of shoddily though because the problem is a huge mess of OSI-model layer violations, so it's tricky to get everything communicating the right way. and there are all kinds of nasty things clients can do to try to subvert you anyway, like doing bad ARP things and trying to steal the mac addresses of other clients that are connected, so you have to write software that protects against all of that stuff too
implementing it in a crappy way works for most users and is a lot simpler
4:40
shivaram
how do you protect against mac address theft?