
We can get connected to those public WiFi hotspots without an account but can access no website but the login page. As I tested, all those login websites would respond to my ping even though I was an unauthorized user. I wonder if there are any restrictions that forbid the captive portal system from blocking the ICMP echo packet, or whether blocking it can cause any serious problem. After all, the echo packet is the main cause of DDoS attacks; it should be blocked if there is no necessity for it.

  • Have you got a source regarding the assumption that "echo packet is the main cause of DDoS attack"? I think that most modern OSes now implement by default a limit on ICMP packets sent, so effective DDoS attacks are switching to either TCP or UDP. Regarding your question, ping remains a useful diagnostic tool, so allowing or blocking it is merely a matter of choice for the administrator. – WhiteWinterWolf Apr 30 '15 at 09:15

2 Answers

On the one hand, as it has been stated, I think that the DDoS risk is definitely not the reason why you should block ICMP.

On the other hand, if ICMP or DNS is allowed, you can open a tunnel with a remote host over this protocol and totally bypass the captive portal. If those protocols are not blocked (or at the very least monitored), you basically have free access. There are tons of tools to do that, even on the Wikipedia page about ICMP tunneling.

Those protocols are usually not blocked because of negligence; they should be.

Dillinur
  • You said it. I'm working on a paper that demonstrates the utility of fake pings to carry user data in their payload to create LAN access among unauthorized users. But I suddenly came into a dilemma in that I can't find evidence that the WiFi provider can't block ICMP packets. Maybe the DNS tunnel could realize the same function, and the DNS packet can never be blocked because it's the prerequisite for the user client to find the login page. – chenglong fu Apr 30 '15 at 12:51
  • You can totally block ICMP. You should not block DNS per se, but you have to be sure that you actually respond to every DNS request with the address of your portal (instead of allowing the DNS request and just redirecting the HTTP request afterwards; that's often the case and it's a free pass for DNS tunneling). – Dillinur Apr 30 '15 at 12:59
  • Just rephrasing to be sure everyone understands the same thing: ICMP and DNS can be used as a tunnel only if a wrongly configured captive portal lets them pass through, i.e. you cannot use your browser to access some remote sites but you can still ping these remote sites successfully. If ping is limited to the authentication portal itself there are no tunneling possibilities (however, with a standard WiFi hotspot identifying connected clients relying only upon the MAC address, I would not even bother to create such an ICMP tunnel...). – WhiteWinterWolf Apr 30 '15 at 13:03
  • @WhiteWinterWolf: What I need is only the ping permission to the authentication portal. I can create a LAN based on the reflection by the portal server if the server responds to the echo packet and the AP lets the ICMP echo pass. – chenglong fu Apr 30 '15 at 14:01
  • I'm not sure I follow you: if you can only ping the authentication portal, how do you communicate with the rest of the world? – Dillinur Apr 30 '15 at 15:21
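A defender-side check for the misconfiguration discussed above (pre-authentication ICMP and DNS that reach beyond the portal), added here as an example and not code from this thread: it flags echo streams whose payloads behave like a data channel and DNS names whose leftmost label looks like encoded data. The sample traffic is constructed, the filler pattern mimics the Linux ping default, and the thresholds are assumptions.

```python
import math
from collections import Counter, defaultdict

# Default echo payload sizes of the Windows (32) and Linux (56) ping tools.
STANDARD_PING_SIZES = {32, 56}

def entropy(data: bytes) -> float:
    """Shannon entropy of a byte string, in bits per byte."""
    n = len(data)
    if n == 0:
        return 0.0
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def suspicious_icmp_clients(echoes):
    """echoes: (client_ip, payload) pairs for echo requests from clients that
    have not authenticated. A plain ping repeats the same filler body after
    its 8-byte timestamp at a default size; a data carrier changes the body
    from packet to packet and usually the size as well."""
    bodies, sizes = defaultdict(set), defaultdict(set)
    for ip, payload in echoes:
        bodies[ip].add(bytes(payload[8:]))
        sizes[ip].add(len(payload))
    flagged = {}
    for ip in bodies:
        reasons = []
        if len(bodies[ip]) > 1:
            reasons.append("echo payload body varies between requests")
        if not sizes[ip] <= STANDARD_PING_SIZES:
            reasons.append("non-default echo payload size")
        if reasons:
            flagged[ip] = reasons
    return flagged

def suspicious_dns_queries(queries, max_label=30, max_entropy=3.5):
    """queries: (client_ip, qname) pairs. Flags names whose leftmost label is
    long or high-entropy, the usual shape of data encoded into a subdomain."""
    return [(ip, name) for ip, name in queries
            if len(name.split(".")[0]) > max_label
            or entropy(name.split(".")[0].encode()) > max_entropy]

# Constructed sample traffic (not a real capture).
_LINUX_FILLER = bytes(range(0x10, 0x40))  # 48-byte pattern after the timestamp
SAMPLE_ECHOES = [
    ("10.0.0.5", b"\x00" * 7 + b"\x01" + _LINUX_FILLER),  # ordinary ping
    ("10.0.0.5", b"\x00" * 7 + b"\x02" + _LINUX_FILLER),  # only timestamp differs
    ("10.0.0.9", b"\x00" * 8 + bytes(range(100))),        # 108-byte, changing body
    ("10.0.0.9", b"\x00" * 8 + bytes(range(100, 200))),
]
SAMPLE_QUERIES = [
    ("10.0.0.5", "portal.hotspot.example"),
    ("10.0.0.9", "kf3m9x2pq7lz8wvq4h1ty0r5aq6gd2bn8e.t.example"),
]
```

On a real portal, feed it the pre-authentication side of the capture only; once the portal answers every DNS query with its own address and limits echo to itself, both lists should stay empty.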

I don't know where you got the information about ICMP as the main cause of DDoS (I really doubt it), but

  • There must be a way for the client to access the captive portal, because otherwise login would not be possible. Which means that the client can send data to the captive portal and that these data get processed there. In this case it does not matter if ICMP is blocked, because the client might still mount a TCP-based attack against the server on the captive portal.
  • There are usually not many clients behind a captive portal (compared to the number of systems on the internet), so the "distributed" DoS is not very effective anyway.
Steffen Ullrich
  • Yeah, I admit that it's not objective to regard the ICMP echo as the main inducement of DDoS; thanks for the reminder. – chenglong fu Apr 30 '15 at 11:34
  • What I really want to ask is whether the ICMP echo is necessary in the hotspot service process alongside that bunch of protocols like DHCP, DNS and HTTP. In other words, is there a reason that theoretically prevents the ICMP echo from being blocked? – chenglong fu Apr 30 '15 at 11:36
  • @chenglongfu: It is not strictly necessary but still useful as a debugging help. And since it does no harm, it doesn't need to be disabled. – Steffen Ullrich Apr 30 '15 at 11:49