Home page logo
/

nanog logo nanog mailing list archives

Re: US internet providers hijacking users' search queries
From: Joe Provo <nanog-post () rsuc gweep net>
Date: Sun, 7 Aug 2011 12:10:30 -0400

On Sat, Aug 06, 2011 at 01:25:18PM -0500, Jimmy Hess wrote:
On Sat, Aug 6, 2011 at 12:08 PM, Joe Provo <nanog-post () rsuc gweep net>wrote:

On Sat, Aug 06, 2011 at 10:41:10AM -0400, Scott Helms wrote:
Correct, I don't believe that any of the providers noted are actually
[snip]
  Disappointing that nanog readers can't read
http://www.paxfire.com/faqs.php and get

a clue, instead all the mouth-flapping about MItM and https.     a clue,
instead all the mouth-flapping about MItM and https. While


Maybe  instead of jumping to the conclusion NANOG readuers should "get a
clue",
you should actually do a little more research than reading a glossyware/
vacant FAQ  that doesn't actually explain everything Paxfire is reported to
do, how it works,  and what the criticism is?

I'm not jumping to conclusions, merely speaking to evidence. My 
personal experience involves leaving a job at a network that 
insisted on implementing some of this dreck. There is a well-known, 
long-standing "monetization" by breaking NXDOMAIN. DSLreports 
and plenty of other end-user fora have been full of information 
regarding this since Earthlink starded doing it in ... 2006?

Changing NXDOMAIN queries to an ISP's  _own_ recursive servers is old hat,
and not the issue.

That sentence makes no sense. Hijacking NXDOMAIN doesn't have anything
to do with pointing to a recursive resolver, but returning a partner/
affiliate web site, search "helper" site or proxy instead of the 
NXDOMAIN.

What the FAQ doesn't tell you is that the Paxfire  appliances can tamper
with DNS
traffic  received from authoritative DNS servers not operated by the ISP.
A paxfire box can alter NXDOMAIN queries, and  queries that respond with
known search engines' IPs.
to send your HTTP traffic to their HTTP proxies instead.

Ty,  http://netalyzr.icsi.berkeley.edu/blog/

This is finally something new, and I retract my assertion that the new
scientist got it wrong. Drilling through to actual evidence and details, 
rather than descriptions which match previous behavior, we have both
http://www.usenix.org/event/leet11/tech/full_papers/Zhang.pdf (a little
indirect with 'example.com', etc) and 
http://www.payne.org/index.php/Frontier_Search_Hijacking (with actual 
domains) provide detail on the matter. 

Cheers!

Joe

-- 
         RSUC / GweepNet / Spunk / FnB / Usenix / SAGE / NewNOG


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]