[afnog] ICMP/DNS tunneling mitigation

Andy Davidson andy at nosignal.org
Wed Dec 21 10:47:19 UTC 2011

On 20 Dec 2011, at 09:39, Stephane Bortzmeyer wrote:

> On Fri, Dec 16, 2011 at 12:15:32PM -0800, SM <sm at resistor.net> wrote 
>> You could block all off-net traffic from non-authenticated clients.
> Won't work (think about how DNS works).

It can work -- you don't need to block traffic from your DNS resolver to the outside world.

You know whether a user is authenticated or not, you know which IP address he has, the rest is a clever script job.  You may be able to build a very robust filtering system for your captive portal if your authentication system can talk to your gateway using something like flow-specification.

Merry Christmas to everyone on AFNOG.

Best wishes,
Andy Davidson

More information about the afnog mailing list