US internet providers hijacking users' search queries
nanog-post at rsuc.gweep.net
Sun Aug 7 11:10:30 CDT 2011
On Sat, Aug 06, 2011 at 01:25:18PM -0500, Jimmy Hess wrote:
> On Sat, Aug 6, 2011 at 12:08 PM, Joe Provo <nanog-post at rsuc.gweep.net>wrote:
> > On Sat, Aug 06, 2011 at 10:41:10AM -0400, Scott Helms wrote:
> > > Correct, I don't believe that any of the providers noted are actually
> > [snip]
> > Disappointing that nanog readers can't read
> > http://www.paxfire.com/faqs.php and get
> > a clue, instead all the mouth-flapping about MitM and https. While
> Maybe instead of jumping to the conclusion NANOG readers should "get a clue",
> you should actually do a little more research than reading a glossyware/
> vacant FAQ that doesn't actually explain everything Paxfire is reported to
> do, how it works, and what the criticism is?
I'm not jumping to conclusions, merely speaking to evidence. My
personal experience involves leaving a job at a network that
insisted on implementing some of this dreck. There is a well-known,
long-standing "monetization" by breaking NXDOMAIN. DSLreports
and plenty of other end-user fora have been full of information
regarding this since Earthlink started doing it in ... 2006?
> Changing NXDOMAIN queries to an ISP's _own_ recursive servers is old hat,
> and not the issue.
That sentence makes no sense. Hijacking NXDOMAIN doesn't have anything
to do with pointing to a recursive resolver, but returning a partner/
affiliate web site, search "helper" site or proxy instead of the
> What the FAQ doesn't tell you is that the Paxfire appliances can tamper
> with DNS traffic received from authoritative DNS servers not operated by the ISP.
> A paxfire box can alter NXDOMAIN queries, and queries that respond with
> known search engines' IPs.
> to send your HTTP traffic to their HTTP proxies instead.
> Ty, http://netalyzr.icsi.berkeley.edu/blog/
This is finally something new, and I retract my assertion that the New
Scientist got it wrong. Drilling through to actual evidence and details,
rather than descriptions which match previous behavior, we have both
http://www.usenix.org/event/leet11/tech/full_papers/Zhang.pdf (a little
indirect with 'example.com', etc.) and
http://www.payne.org/index.php/Frontier_Search_Hijacking (with actual
domains), which provide detail on the matter.
RSUC / GweepNet / Spunk / FnB / Usenix / SAGE / NewNOG