nanog mailing list archives
Re: US internet providers hijacking users' search queries
From: Damian Menscher <damian () google com>
Date: Sat, 6 Aug 2011 20:03:22 -0700
I can confirm the report is about DNS providers that are doing hijacking by sending the traffic through dedicated proxies, either in the ISP's network or in the DNS provider's network.

If you didn't see this happening, it might be because you were testing on www.google.com rather than on Yahoo or Bing traffic. While the hijacking *used* to affect Google also, we took a fairly aggressive stance and got it stopped a while ago. The fact that there are no currently-known cases where it affects Google was unfortunately not made clear in the Netalyzer/EFF reports.

If any of you find evidence of hijacking of Google, please shoot me an email with details (DNS server, destination IP, etc) and I'll do what I can to get it stopped.

Damian

On Sat, Aug 6, 2011 at 7:03 PM, Scott Helms <khelms () ispalliance net> wrote:

> Not trying to be obtuse, but none of the technical docs you cite appear to talk about HTTP proxies nor does the newswire report have any technical details. I have tested several of the networks listed in the report and in none of the cases I saw was there HTTP proxy activity. Picking up on WCCP/TCS isn't that hard (I used to install those myself) so unless there is some functionality in IOS and/or JUNOS that allows I don't see it happening. Paxfire can operate all of the proxies they want but the network infrastructure has to be able to pass the traffic over to those proxies and I don't see it (on at least 3 of the networks cited).
>
> What the FAQ doesn't tell you is that the Paxfire appliances can tamper with DNS traffic received from authoritative DNS servers not operated by the ISP. A paxfire box can alter NXDOMAIN queries, and queries that respond with known search engines' IPs to send your HTTP traffic to their HTTP proxies instead.
>
> Ty,
>
> http://netalyzr.icsi.berkeley.edu/blog/
>
> " In addition, some ISPs employ an optional, unadvertised Paxfire feature that redirects the entire stream of affected customers' web search requests to Bing, Google, and Yahoo via HTTP proxies operated by Paxfire. These proxies seemingly relay most searches and their corresponding results passively, in a process that remains invisible to the user. Certain keyword searches, however, trigger active interference by the HTTP proxies. "
>
> http://www.icir.org/christian/publications/2011-satin-netalyzr.pdf
>
> http://newswire.xbiz.com/view.php?id=137208
>
> --
> -JH
>
> --
> Scott Helms
> Vice President of Technology
> ISP Alliance, Inc. DBA ZCorum
> (678) 507-5000
> --------------------------------
> http://twitter.com/kscotthelms
> --------------------------------

-- Damian Menscher :: Security Reliability Engineer :: Google
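
A defender-side check for the DNS rewriting described in the quoted text, as an added example that is not part of the original message: it takes recorded resolver answers and reports the DNS server and destination IP for each suspicious one, the details the message asks for. All hostnames, addresses and prefixes are constructed (documentation ranges), and the expected prefixes are assumed to have been gathered over a path you trust.

```python
import ipaddress

# Constructed reference data: prefixes each search hostname is expected to
# resolve into, gathered over a trusted path (documentation ranges here).
EXPECTED = {
    "www.search-a.example": ["198.51.100.0/24"],
    "www.search-b.example": ["203.0.113.0/25"],
}
CANARY_SUFFIX = ".invalid"  # reserved TLD: the honest answer is NXDOMAIN

# Constructed observations: (resolver, qname, rcode, answer IPs)
OBSERVED = [
    ("192.0.2.53", "www.search-a.example", "NOERROR", ["198.51.100.10"]),
    ("192.0.2.53", "www.search-b.example", "NOERROR", ["192.0.2.80"]),
    ("192.0.2.53", "no-such-host-7f3a.invalid", "NOERROR", ["192.0.2.81"]),
    ("192.0.2.54", "no-such-host-7f3a.invalid", "NXDOMAIN", []),
    ("192.0.2.54", "www.search-b.example", "NOERROR", ["203.0.113.200"]),
]

def find_rewrites(observed, expected):
    """Return findings as (kind, resolver, qname, destination_ip) tuples."""
    nets = {name: [ipaddress.ip_network(p) for p in prefixes]
            for name, prefixes in expected.items()}
    findings = []
    for resolver, qname, rcode, answers in observed:
        name = qname.rstrip(".").lower()
        if name.endswith(CANARY_SUFFIX):
            # A name that cannot exist came back with addresses attached.
            for ip in answers:
                findings.append(("nxdomain-rewrite", resolver, name, ip))
            continue
        if name not in nets:
            continue  # no reference data for this name, so no verdict
        for ip in answers:
            addr = ipaddress.ip_address(ip)
            if not any(addr in net for net in nets[name]):
                findings.append(("unexpected-address", resolver, name, ip))
    return findings

if __name__ == "__main__":
    for kind, resolver, qname, ip in find_rewrites(OBSERVED, EXPECTED):
        print(f"{kind}: resolver={resolver} name={qname} destination={ip}")
```

An `unexpected-address` finding is a lead rather than proof, since legitimate load balancing can also return addresses outside a stale reference set; the canary finding is the stronger signal.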