nanog mailing list archives
Re: US internet providers hijacking users' search queries
From: Joe Provo <nanog-post () rsuc gweep net>
Date: Sun, 7 Aug 2011 12:10:30 -0400
On Sat, Aug 06, 2011 at 01:25:18PM -0500, Jimmy Hess wrote:
On Sat, Aug 6, 2011 at 12:08 PM, Joe Provo <nanog-post () rsuc gweep net>wrote:On Sat, Aug 06, 2011 at 10:41:10AM -0400, Scott Helms wrote:Correct, I don't believe that any of the providers noted are actually[snip] Disappointing that nanog readers can't read http://www.paxfire.com/faqs.php and geta clue, instead all the mouth-flapping about MItM and https. a clue,instead all the mouth-flapping about MItM and https. WhileMaybe instead of jumping to the conclusion NANOG readuers should "get a clue", you should actually do a little more research than reading a glossyware/ vacant FAQ that doesn't actually explain everything Paxfire is reported to do, how it works, and what the criticism is?
I'm not jumping to conclusions, merely speaking to evidence. My personal experience involves leaving a job at a network that insisted on implementing some of this dreck. There is a well-known, long-standing "monetization" by breaking NXDOMAIN. DSLreports and plenty of other end-user fora have been full of information regarding this since Earthlink starded doing it in ... 2006?
Changing NXDOMAIN queries to an ISP's _own_ recursive servers is old hat, and not the issue.
That sentence makes no sense. Hijacking NXDOMAIN doesn't have anything to do with pointing to a recursive resolver, but returning a partner/ affiliate web site, search "helper" site or proxy instead of the NXDOMAIN.
What the FAQ doesn't tell you is that the Paxfire appliances can tamper with DNS traffic received from authoritative DNS servers not operated by the ISP. A paxfire box can alter NXDOMAIN queries, and queries that respond with known search engines' IPs. to send your HTTP traffic to their HTTP proxies instead. Ty, http://netalyzr.icsi.berkeley.edu/blog/
This is finally something new, and I retract my assertion that the new scientist got it wrong. Drilling through to actual evidence and details, rather than descriptions which match previous behavior, we have both http://www.usenix.org/event/leet11/tech/full_papers/Zhang.pdf (a little indirect with 'example.com', etc) and http://www.payne.org/index.php/Frontier_Search_Hijacking (with actual domains) provide detail on the matter. Cheers! Joe -- RSUC / GweepNet / Spunk / FnB / Usenix / SAGE / NewNOG
Current thread:
- Re: US internet providers hijacking users' search queries, (continued)
- Re: US internet providers hijacking users' search queries Owen DeLong (Aug 06)
- Re: US internet providers hijacking users' search queries Joe Provo (Aug 06)
- Re: US internet providers hijacking users' search queries Jimmy Hess (Aug 06)
- Re: US internet providers hijacking users' search queries Scott Helms (Aug 06)
- Re: US internet providers hijacking users' search queries Damian Menscher (Aug 06)
- Re: US internet providers hijacking users' search queries Christopher Morrow (Aug 09)
- Re: US internet providers hijacking users' search queries Cameron Byrne (Aug 09)
- Re: US internet providers hijacking users' search queries Christopher Morrow (Aug 09)
- Re: US internet providers hijacking users' search queries David Conrad (Aug 09)
- Re: US internet providers hijacking users' search queries Christopher Morrow (Aug 09)
- Re: US internet providers hijacking users' search queries Joe Provo (Aug 09)
- Re: US internet providers hijacking users' search queries Oren Levin (Aug 09)
- Re: US internet providers hijacking users' search queries Christopher Morrow (Aug 09)
- Re: US internet providers hijacking users' search queries Brielle Bruns (Aug 06)