Upside-Down-Ternet: Having Fun With Wireless Interlopers

[Image: upsidedownternet_20070329.jpg]
I’m a big fan of open wireless access points. As long as my neighbors are respectful, I’ve got more downstream bandwidth than I really need most of the time. That said, I can understand the frustration of having a persistent freeloader, so I can really appreciate this hack, which lets you send a “knock it off” message without having to close down your blessed open network.

The Upside-Down-Ternet works like this:

  1. You set up a DHCP server to assign addresses from one IP netblock to known MAC addresses, and another “untrusted” netblock to unknown MACs.
  2. The trusted netblock is routed normally, but the untrusted netblock gets all port 80 traffic forwarded to a transparent squid proxy using iptables.
  3. The squid proxy filters all HTTP traffic, looking for URLs ending in jpg or gif.
  4. If a jpg or gif is encountered, the image is flipped using mogrify (ImageMagick) and the untrusted user is sent the upside-down image instead of the original.
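
The four steps above as one working script for a Linux router, added here as an example; it is not the original hack's own scripts. It uses dnsmasq for the MAC-keyed DHCP pools, iptables for the port 80 redirect, and a squid url_rewrite_program helper for the jpg/gif rewrite. The interface name, both subnets, the router addresses, the known MAC and the flipped-image directory are constructed assumptions, and a local web server is assumed to serve $FLIP_DIR at $FLIP_URL. It also handles one edge case the summary does not mention: requests for the router's own flipped copies are excluded from the redirect and from the rewrite, so the proxy never flips its own output back to normal.

```sh
#!/bin/sh
# Upside-Down-Ternet on a Linux router (added example, not the original scripts).
# Constructed assumptions: LAN on eth1, trusted pool 10.0.1.0/24 with the router
# at 10.0.1.1, untrusted pool 10.0.2.0/24 with the router at 10.0.2.1, squid
# intercepting on 3128, and a web server serving $FLIP_DIR at $FLIP_URL.

LAN_IF=eth1
TRUSTED_GW=10.0.1.1        # router address in the trusted pool
UNTRUSTED_GW=10.0.2.1      # router address in the untrusted pool
UNTRUSTED_NET=10.0.2.0/24
SQUID_PORT=3128
FLIP_DIR=/var/www/flipped
FLIP_URL="http://$UNTRUSTED_GW/flipped"

# Step 1: known MACs get the tag "trusted" and the trusted pool; any other MAC
# falls into the untrusted pool, which has its own gateway address.
dnsmasq_config() {
    cat <<EOF
interface=$LAN_IF
# constructed MAC of a known laptop
dhcp-host=00:11:22:33:44:55,set:trusted
dhcp-range=tag:trusted,10.0.1.10,10.0.1.200,12h
dhcp-option=tag:trusted,option:router,$TRUSTED_GW
dhcp-range=tag:!trusted,10.0.2.10,10.0.2.200,1h
dhcp-option=tag:!trusted,option:router,$UNTRUSTED_GW
EOF
}

# Step 2: only the untrusted pool's port 80 traffic is sent to squid's intercept
# port. Requests to the router itself (where the flipped copies are served) are
# left alone so the proxy cannot loop on its own output. squid.conf needs
# "http_port 3128 intercept" and "url_rewrite_program /path/to/this.sh helper".
apply_router() {
    ip addr add "$UNTRUSTED_GW/24" dev "$LAN_IF"
    iptables -t nat -A PREROUTING -i "$LAN_IF" -s "$UNTRUSTED_NET" \
        ! -d "$UNTRUSTED_GW" -p tcp --dport 80 -j REDIRECT --to-ports "$SQUID_PORT"
}

# Step 3: the pure decision. Prints the local URL of the flipped copy for jpg/gif
# requests and nothing for anything else, including our own flipped copies.
flip_target() {
    url=$1
    case "$url" in "$FLIP_URL"/*) return 0 ;; esac
    path=${url%%\?*}; path=${path%%#*}          # strip query string and fragment
    case "$(printf '%s' "$path" | tr 'A-Z' 'a-z')" in
        *.jpg|*.jpeg|*.gif)
            ext=$(printf '%s' "${path##*.}" | tr 'A-Z' 'a-z')
            # deterministic cache file name: non-alphanumerics in the URL become "_"
            name=$(printf '%s' "$url" | tr -c 'A-Za-z0-9' '_' | cut -c1-200)
            printf '%s/%s.%s' "$FLIP_URL" "$name" "$ext"
            ;;
    esac
}

# Step 4: fetch the original once, flip it in place with ImageMagick, keep it cached.
fetch_and_flip() {   # $1 = original URL, $2 = local file
    [ -f "$2" ] && return 0
    wget -q --timeout=10 -O "$2" "$1" || { rm -f "$2"; return 1; }
    mogrify -flip "$2"
}

# squid's classic url_rewrite protocol: one request per line
# ("URL client_ip/fqdn ident method ..."), one answer per line, where a blank
# line means "leave the URL unchanged". Squid 3.4+ also accepts "OK rewrite-url=".
squid_helper() {
    mkdir -p "$FLIP_DIR"
    while read -r url _rest; do
        target=$(flip_target "$url")
        if [ -n "$target" ] && fetch_and_flip "$url" "$FLIP_DIR/${target##*/}"; then
            printf '%s\n' "$target"
        else
            printf '\n'
        fi
    done
}

case "${1:-}" in
    setup)  dnsmasq_config > /etc/dnsmasq.d/upsidedown.conf && apply_router ;;
    helper) squid_helper ;;
esac
```

Run it once with `setup` as root, point `url_rewrite_program` at it with the `helper` argument, and restart dnsmasq and squid. Only plain HTTP on port 80 is touched, exactly as in the hack described above; the router fetches each image itself, so anything behind cookies or HTTPS passes through untouched.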

This could easily be modified to give normal access by default and direct only known abusers to the crippled network. Another option would be to provide “degraded” access using a blur or desaturate filter on images. This would allow people to make use of the free service, but would require them to ask permission to be on the trusted list before having full access.

How do you like to deal with wireless interlopers? What’s your ideal wireless setup – one that balances security, ease of use for legitimate visitors or passers-by, and quality of service? Give us a shout in the comments!

6 thoughts on “Upside-Down-Ternet: Having Fun With Wireless Interlopers”

  1. I run my wireless off a pfSense router and a premium cable connection. I don’t mind providing a signal to guests in my home, but in the past some users had abused my courtesy by parking laptops overnight and downloading enormous torrents. I gritted my teeth and firewalled outbound p2p, but this just led to guests demanding that I attend to their “connection problem”.

    To give my visitors a fair warning about firewall restrictions, I broke open /usr/local/captiveportal/index.php and made a few changes. If you replace the line 'portal_reply_page($redirurl, "login");' with:

    else { /* display captive portal page */
        /* ports the firewall blocks later; probe the client for them first */
        $banned_services = array('445' => 'CIFS', '6881' => 'Bit Torrent');
        foreach ($banned_services as $banned_port => $banned_service) {
            /* one-second connect to the client's own address; @ silences the failure notice */
            if (@fsockopen($_SERVER['REMOTE_ADDR'], $banned_port, $errno, $errstr, 1)) {
                print "Sorry, Port $banned_port is open. $banned_service is not allowed.
    Try turning the responsible application off before reconnecting. Firewall
    rules will prevent it from connecting anyway. This message is provided
    as a courtesy. -The Mgmt.";
                exit;
            }
        }
        portal_reply_page($redirurl, "login");
    }

    then your wireless guests will be gently informed that their p2p traffic can be taken somewhere else. Remember that this isn’t much good unless firewall rules are in effect to actually block traffic later.

    If you’re running a freenet and want to stop bandwidth leeching p2p but still pass all other traffic, you can replace:

    portal_reply_page($redirurl, "login");

    with:

    { portal_allow($clientip, $clientmac, "unauthenticated"); }

    to automatically pass users who aren’t soliciting p2p client requests.

  2. Inspired a mode of SiteLife, where you can type in the URL of a website, then click on the ‘change view’ button (letter ‘c’ in top right) three times. Changes from normal view to source code, then blurry images (useful to simulate bad eyesight), then inverted images.
