[afnog] ICMP/DNS tunneling mitigation

Mike Barnard mike.barnardq at gmail.com
Fri Dec 16 15:12:41 UTC 2011


I have a situation that I need to address. Some clue-full persons have
realised that they can by-pass a pay-for-access Internet service by
tunneling traffic through ICMP and port 53 (DNS).

Short of completely blocking ICMP and DNS, are there any forms of
mitigating ICMP and DNS tunneling on one's network?

The service in use to provide this tunneling is wi-free (wi-free.com)

It is possible to tighten down ICMP, but DNS is a little hard. Bandwidth
limiting port 53 also has an impact on legitimate DNS traffic.

Any ideas on how to mitigate ICMP and DNS tunneling or for that matter, any
form of tunneling that allows one access to the Internet without paying for
it and moreover, using someone's infrastructure to do so?


Of course, you might discount this possibility, but remember that one in a
million chances happen 99% of the time.
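
One way to look for DNS tunneling without rate-limiting all of port 53, as an added example that is not part of the original post: it flags clients that send several distinct names with long, high-entropy labels under the same zone. The thresholds, the two-label zone guess and the sample query log are assumptions constructed for illustration.

```python
import math
from collections import Counter, defaultdict

# Thresholds are assumptions for illustration; tune them on your own baseline.
MIN_LABEL_LEN = 40     # ordinary hostname labels are rarely this long
MIN_ENTROPY = 3.5      # bits per character; encoded payloads look random
MIN_UNIQUE_NAMES = 3   # distinct suspicious names per (client, zone)

def entropy(s):
    """Shannon entropy of a non-empty string, in bits per character."""
    counts = Counter(s)
    return -sum(n / len(s) * math.log2(n / len(s)) for n in counts.values())

def zone_of(qname):
    """Naive zone guess: the last two labels (no public-suffix list)."""
    return ".".join(qname.rstrip(".").lower().split(".")[-2:])

def looks_encoded(qname):
    """True when a label left of the zone is both long and high-entropy."""
    labels = qname.rstrip(".").lower().split(".")[:-2]
    longest = max(labels, key=len, default="")
    return len(longest) >= MIN_LABEL_LEN and entropy(longest) >= MIN_ENTROPY

def suspect_clients(queries):
    """queries: iterable of (client_ip, qname) -> {(client, zone): unique names}."""
    seen = defaultdict(set)
    for client, qname in queries:
        if looks_encoded(qname):
            seen[(client, zone_of(qname))].add(qname.lower())
    return {k: len(v) for k, v in seen.items() if len(v) >= MIN_UNIQUE_NAMES}

def constructed_sample():
    """Constructed query log: (client, qname) pairs, not real traffic."""
    b32 = "abcdefghijklmnopqrstuvwxyz234567"
    def blob(i):  # 48-char base32-looking label standing in for tunneled data
        return "".join(b32[(7 * i + 5 * j) % 32] for j in range(48))
    log = [("10.0.0.5", "www.afnog.org"), ("10.0.0.5", "cdn-edge-17.static.example.net")]
    log += [("10.0.0.9", f"{blob(i)}.t.tunnel.example") for i in range(4)]
    log.append(("10.0.0.7", f"{blob(9)}.one-off.example"))  # single hit: below threshold
    return log

if __name__ == "__main__":
    for (client, zone), n in suspect_clients(constructed_sample()).items():
        print(f"{client} sent {n} encoded-looking names under {zone}")
```

Flagged (client, zone) pairs can then be throttled or blocked individually, leaving ordinary resolver traffic untouched.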