US internet providers hijacking users' search queries

Joe Provo nanog-post at rsuc.gweep.net
Sun Aug 7 11:10:30 CDT 2011


On Sat, Aug 06, 2011 at 01:25:18PM -0500, Jimmy Hess wrote:
> On Sat, Aug 6, 2011 at 12:08 PM, Joe Provo <nanog-post at rsuc.gweep.net> wrote:
> 
> > On Sat, Aug 06, 2011 at 10:41:10AM -0400, Scott Helms wrote:
> > > Correct, I don't believe that any of the providers noted are actually
> > [snip]
> >   Disappointing that nanog readers can't read
> > http://www.paxfire.com/faqs.php and get
> > a clue, instead all the mouth-flapping about MItM and https. While
> 
> 
> Maybe instead of jumping to the conclusion NANOG readers should "get a
> clue", you should actually do a little more research than reading a
> glossyware/vacant FAQ that doesn't actually explain everything Paxfire
> is reported to do, how it works, and what the criticism is?

I'm not jumping to conclusions, merely speaking to evidence. My 
personal experience involves leaving a job at a network that 
insisted on implementing some of this dreck. There is a well-known, 
long-standing "monetization" by breaking NXDOMAIN. DSLreports 
and plenty of other end-user fora have been full of information 
regarding this since Earthlink started doing it in ... 2006?

> Changing NXDOMAIN queries to an ISP's  _own_ recursive servers is old hat,
> and not the issue.

That sentence makes no sense. Hijacking NXDOMAIN doesn't have anything
to do with pointing to a recursive resolver, but returning a partner/
affiliate web site, search "helper" site or proxy instead of the 
NXDOMAIN.

> What the FAQ doesn't tell you is that the Paxfire appliances can tamper
> with DNS traffic received from authoritative DNS servers not operated by
> the ISP. A paxfire box can alter NXDOMAIN queries, and queries that
> respond with known search engines' IPs, to send your HTTP traffic to
> their HTTP proxies instead.
> 
> Ty,  http://netalyzr.icsi.berkeley.edu/blog/

This is finally something new, and I retract my assertion that the new
scientist got it wrong. Drilling through to actual evidence and details, 
rather than descriptions which match previous behavior, we have both
http://www.usenix.org/event/leet11/tech/full_papers/Zhang.pdf (a little
indirect with 'example.com', etc) and 
http://www.payne.org/index.php/Frontier_Search_Hijacking (with actual 
domains) provide detail on the matter. 

Cheers!

Joe

-- 
         RSUC / GweepNet / Spunk / FnB / Usenix / SAGE / NewNOG
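An added example (not part of the thread, and not Paxfire's or Netalyzr's code) showing how a defender can check for the two behaviours discussed above by inspecting raw DNS responses: a probe name that should yield NXDOMAIN but comes back with an A record, and a known search-engine name answered with an address outside the expected set. The responses, the probe name and the addresses (RFC 5737 documentation ranges) are constructed here for illustration.

```python
"""Detect NXDOMAIN rewriting and substituted answers in raw DNS responses."""
import struct

NXDOMAIN = 3  # DNS RCODE for "name does not exist"

def _skip_name(msg: bytes, pos: int) -> int:
    """Advance past a wire-format name (labels or a compression pointer)."""
    while True:
        length = msg[pos]
        if length == 0:
            return pos + 1
        if length & 0xC0 == 0xC0:  # 2-byte compression pointer ends the name
            return pos + 2
        pos += 1 + length

def parse_response(msg: bytes):
    """Return (rcode, [IPv4 strings from A records]) for a raw DNS response."""
    _id, flags, qd, an, _ns, _ar = struct.unpack("!6H", msg[:12])
    pos = 12
    for _ in range(qd):                      # skip question section
        pos = _skip_name(msg, pos) + 4       # QTYPE + QCLASS
    ips = []
    for _ in range(an):
        pos = _skip_name(msg, pos)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[pos:pos + 10])
        pos += 10
        if rtype == 1 and rdlen == 4:        # A record
            ips.append(".".join(str(b) for b in msg[pos:pos + 4]))
        pos += rdlen
    return flags & 0x000F, ips

def looks_hijacked(msg: bytes, expected_ips=None) -> bool:
    """No expected_ips: the name must not exist, so any A answer is suspect.
    With expected_ips: flag answers outside the trusted set for that name."""
    rcode, ips = parse_response(msg)
    if expected_ips is None:
        return rcode != NXDOMAIN and bool(ips)
    return bool(ips) and not set(ips) <= set(expected_ips)

# --- constructed sample responses (not captured traffic) ------------------
def _encode_name(name: str) -> bytes:
    return b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\x00"

def build_response(name: str, rcode: int, ips) -> bytes:
    """Build a minimal response: one question, one A record per IP."""
    hdr = struct.pack("!6H", 0x1234, 0x8180 | rcode, 1, len(ips), 0, 0)
    question = _encode_name(name) + struct.pack("!HH", 1, 1)
    answers = b"".join(struct.pack("!HHHIH", 0xC00C, 1, 1, 60, 4)
                       + bytes(int(x) for x in ip.split(".")) for ip in ips)
    return hdr + question + answers

PROBE = "random-probe-name-7f3a.example"          # hypothetical, should not exist
HONEST_NX = build_response(PROBE, NXDOMAIN, [])
REWRITTEN_NX = build_response(PROBE, 0, ["192.0.2.10"])        # "search helper"
SEARCH_OK = build_response("search.example", 0, ["198.51.100.5"])
SEARCH_PROXIED = build_response("search.example", 0, ["192.0.2.20"])
```

In practice the raw bytes come from a UDP query to the ISP resolver, and the trusted set for a search engine is obtained from an independent resolver or DNSSEC-validated lookup.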