[afnog] ICMP/DNS tunneling mitigation
andy at nosignal.org
Wed Dec 21 10:47:19 UTC 2011
On 20 Dec 2011, at 09:39, Stephane Bortzmeyer wrote:
> On Fri, Dec 16, 2011 at 12:15:32PM -0800, SM <sm at resistor.net> wrote:
>> You could block all off-net traffic from non-authenticated clients.
> Won't work (think about how DNS works).
It can work -- you don't need to block traffic from your DNS resolver to the outside world.
You know whether a user is authenticated or not, you know which IP address he has, the rest is a clever script job. You may be able to build a very robust filtering system for your captive portal if your authentication system can talk to your gateway using something like flow-specification.
Merry Christmas to everyone on AFNOG.
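The gateway-side half of what Andy describes, as an added example that is not code from the thread: an nftables policy in which an unauthenticated client can reach only the on-net resolver (port 53) and the captive portal, an authenticated client (a member of the `authed` set) is forwarded freely, and the resolver's own upstream traffic is never blocked, so recursion keeps working. The two small functions are the hook an authentication system would call to admit or expel a client by IP. Interface names, the resolver and portal addresses, the set name `authed`, and the assumption that the resolver is a separate host behind the gateway are all mine; the NAT redirect that sends unauthenticated HTTP to the portal is left out.

```shell
#!/bin/sh
# Added example (not from the afnog thread). Captive-portal forwarding policy
# as an nftables ruleset plus admit/expel hooks. All addresses and interface
# names below are assumptions; override them through the environment.
set -eu

LAN_IF="${LAN_IF:-eth1}"          # assumed: client-facing interface
WAN_IF="${WAN_IF:-eth0}"          # assumed: upstream interface
RESOLVER="${RESOLVER:-10.0.0.53}" # assumed: on-net recursive resolver
PORTAL="${PORTAL:-10.0.0.80}"     # assumed: captive-portal web server
NFT="${NFT:-nft}"                 # nft binary; set NFT=echo for a dry run

# Emit the ruleset. Default policy is drop; only the listed flows pass.
gen_ruleset() {
  cat <<EOF
table inet portal {
  set authed {
    type ipv4_addr
    flags timeout
  }
  chain forward {
    type filter hook forward priority 0; policy drop;
    ct state established,related accept
    # authenticated clients: anything off-net
    iifname "$LAN_IF" ip saddr @authed accept
    # everyone else: only DNS to our resolver and HTTP(S) to the portal
    iifname "$LAN_IF" ip daddr $RESOLVER udp dport 53 accept
    iifname "$LAN_IF" ip daddr $RESOLVER tcp dport 53 accept
    iifname "$LAN_IF" ip daddr $PORTAL tcp dport { 80, 443 } accept
    # the resolver itself is never cut off from the outside world
    ip saddr $RESOLVER oifname "$WAN_IF" accept
  }
}
EOF
}

# Validate a dotted-quad so a bad value from the auth system cannot reach nft.
is_ipv4() (
  case "$1" in
    ""|*[!0-9.]*|.*|*.|*..*) return 1 ;;
  esac
  IFS=.
  set -- $1
  [ $# -eq 4 ] || return 1
  for octet; do
    [ "$octet" -le 255 ] || return 1
  done
  return 0
)

apply_ruleset() { gen_ruleset | "$NFT" -f -; }

# admit_client IP [TIMEOUT]: authentication succeeded, open the gate for IP.
admit_client() {
  is_ipv4 "$1" || { echo "bad address: $1" >&2; return 1; }
  "$NFT" add element inet portal authed "{ $1 timeout ${2:-8h} }"
}

# expel_client IP: logout or lease change, close the gate again.
expel_client() {
  is_ipv4 "$1" || { echo "bad address: $1" >&2; return 1; }
  "$NFT" delete element inet portal authed "{ $1 }"
}

case "${1:-}" in
  apply) apply_ruleset ;;
  admit) admit_client "$2" "${3:-8h}" ;;
  expel) expel_client "$2" ;;
esac
```

Run as `sh portal.sh apply` once at boot and have the authentication system call `admit`/`expel` with the client address (with `NFT=echo` you just see the nft commands). The set's `timeout` flag means a client that never logs out falls off the list on its own. Note what this policy leaves open by design: every client can still talk to the resolver, so anything carried inside DNS queries to that resolver is a separate problem for the resolver itself.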