[143388] in North American Network Operators' Group


Re: US internet providers hijacking users' search queries

daemon@ATHENA.MIT.EDU (Christopher Morrow)
Mon Aug 8 19:25:04 2011

In-Reply-To: <4E3DF274.6050709@ispalliance.net>
Date: Mon, 8 Aug 2011 19:24:35 -0400
From: Christopher Morrow <morrowc.lists@gmail.com>
To: Scott Helms <khelms@ispalliance.net>
Cc: nanog@nanog.org
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org

On Sat, Aug 6, 2011 at 10:03 PM, Scott Helms <khelms@ispalliance.net> wrote:
> Not trying to be obtuse, but none of the technical docs you cite appear to
> talk about HTTP proxies nor does the newswire report have any technical
> details. I have tested several of the networks listed in the report and in
> none of the cases I saw was there HTTP proxy activity. Picking up on
> WCCP/TCS isn't that hard (I used to install those myself) so unless there is
> some functionality in IOS and/or JUNOS that allows it, I don't see it happening.
> Paxfire can operate all of the proxies they want but the network
> infrastructure has to be able to pass the traffic over to those proxies and
> I don't see it (on at least 3 of the networks cited).

barefruit/paxfire/nominum/etc all do essentially the same thing:
1) install a dns-appliance in-line (some form of in-line, there are
lots of options, it's not really important in the end which is used)
between 'cache resolver' and 'user'. (198.6.1.1 has a paxfire
appliance literally in-line between its customer-facing port and the
world)

2) choose a set/subset of queries to falsify answers for (nxdomain
only? autosearch.msn.com? *.google.com? *?)

3) run a farm of servers somewhere else (in the case of paxfire they
are the jomax.net servers:

;; QUESTION SECTION:
;asdkjad912jd.123adsad.com.     IN      A
;; ANSWER SECTION:
asdkjad912jd.123adsad.com. 60   IN      A       64.158.56.49
asdkjad912jd.123adsad.com. 60   IN      A       63.251.179.49
;; AUTHORITY SECTION:
asdkjad912jd.123adsad.com. 65535 IN     NS      WSC2.JOMAX.NET.
asdkjad912jd.123adsad.com. 65535 IN     NS      WSC1.JOMAX.NET.

In the case of barefruit it's another complex and in the case of
nominum it's a third complex ...

4) accept http/https/etc on the complex of servers, funnel you an
answer which is essentially 'hostname == search-query'. For non-http
most of these complexes are SUPPOSED to not permit a connect to
happen... for jomax at least they don't accept tcp/443, they do accept
25 though :(

5) profit if users click on these results.

It's not black magic, it's annoying and wrong for some versions
(depending upon your ethics I guess?) of wrong :( I wish ISPs would
stop doing this, and it seems that some folk have luck twisting arms
at ISPs to make this stop.

-chris
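
The five-step mechanism Chris lays out can be checked from the client side without any knowledge of how the appliance is spliced in: ask the resolver for names that cannot exist and see whether you get NXDOMAIN or synthesized A records that all land on the same small set of addresses. The following is an added example, not code from the post and not any vendor's or ISP's code. It is standard-library Python; the wire-format builder and parser are written here from RFC 1035, the resolver address is a parameter you supply, and the offline samples are constructed (the farm IPs and jomax.net NS names are copied from the dig output quoted above, not captured live).

```python
"""NXDOMAIN-rewriting probe: query random names that cannot exist and check
whether the resolver (or an appliance in front of it) answers NXDOMAIN or
synthesizes A records pointing at one redirection farm.  Added example, not
code from the NANOG post; standard library only."""
import random
import socket
import string
import struct

NXDOMAIN, TYPE_A, TYPE_NS = 3, 1, 2


def _encode_name(name):
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def _read_name(data, off):
    """Decode a possibly compressed name -> (name, offset just after it)."""
    labels, end = [], None
    while data[off] != 0:
        if data[off] & 0xC0 == 0xC0:                       # compression pointer
            end = off + 2 if end is None else end
            off = struct.unpack("!H", data[off:off + 2])[0] & 0x3FFF
        else:
            labels.append(data[off + 1:off + 1 + data[off]].decode("ascii"))
            off += 1 + data[off]
    return ".".join(labels) + ".", off + 1 if end is None else end


def random_probe_name(tld="com"):
    """Two random labels under a real TLD: a name that cannot legitimately exist."""
    alnum = string.ascii_lowercase + string.digits
    return ".".join("".join(random.choices(alnum, k=k)) for k in (12, 10)) + "." + tld + "."


def build_query(name, qid):
    return struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0) + _encode_name(name) + struct.pack("!HH", TYPE_A, 1)


def build_response(query, rcode, a_records=(), ns_names=()):
    """Reply to `query` the way an in-line appliance would; used for offline samples."""
    rrs = b""
    for ip in a_records:                                    # \xc0\x0c = pointer to QNAME
        rrs += b"\xc0\x0c" + struct.pack("!HHIH", TYPE_A, 1, 60, 4) + socket.inet_aton(ip)
    for ns in ns_names:
        rd = _encode_name(ns)
        rrs += b"\xc0\x0c" + struct.pack("!HHIH", TYPE_NS, 1, 65535, len(rd)) + rd
    header = query[:2] + struct.pack("!HHHHH", 0x8180 | rcode, 1, len(a_records), len(ns_names), 0)
    return header + query[12:] + rrs


def parse_response(data):
    qid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", data[:12])
    off, records = 12, []
    for _ in range(qd):
        off = _read_name(data, off)[1] + 4                  # skip QTYPE/QCLASS
    for _ in range(an + ns + ar):
        name, off = _read_name(data, off)
        rtype, _, ttl, rdlen = struct.unpack("!HHIH", data[off:off + 10])
        off += 10
        if rtype == TYPE_A:
            value = socket.inet_ntoa(data[off:off + 4])
        elif rtype == TYPE_NS:
            value = _read_name(data, off)[0]
        else:
            value = data[off:off + rdlen].hex()
        records.append((name, rtype, ttl, value))
        off += rdlen
    return {"id": qid, "rcode": flags & 0xF, "records": records}


def classify(responses):
    """Verdict over replies to random non-existent names -> (verdict, ips): 'clean' if
    all are NXDOMAIN; 'rewritten' if all carry A records sharing a common IP set (the
    redirection-farm signature); 'suspicious' otherwise."""
    a_sets = []
    for r in responses:
        addrs = frozenset(v for _, t, _, v in r["records"] if t == TYPE_A)
        if not (r["rcode"] == NXDOMAIN and not addrs):
            a_sets.append(addrs)
    if not a_sets:
        return "clean", frozenset()
    common = frozenset.intersection(*a_sets)
    if common and len(a_sets) == len(responses):
        return "rewritten", common
    return "suspicious", frozenset().union(*a_sets)


def probe_resolver(resolver, count=3, timeout=2.0):
    """Live check: send `count` random-name A queries over UDP and classify the replies."""
    responses = []
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        for _ in range(count):
            qid = random.randrange(0x10000)
            s.sendto(build_query(random_probe_name(), qid), (resolver, 53))
            data = s.recvfrom(4096)[0]
            if data[:2] != struct.pack("!H", qid):
                raise RuntimeError("DNS transaction id mismatch")
            responses.append(parse_response(data))
    return classify(responses)


# Constructed offline samples (not captured traffic).  The farm addresses and NS
# names are the ones in the dig output quoted in the post above.
FARM_IPS = ("64.158.56.49", "63.251.179.49")
_queries = [build_query(random_probe_name(), qid) for qid in (1, 2, 3)]
SAMPLE_CLEAN = [parse_response(build_response(q, NXDOMAIN)) for q in _queries]
SAMPLE_REWRITTEN = [parse_response(build_response(q, 0, FARM_IPS, ("wsc2.jomax.net", "wsc1.jomax.net")))
                    for q in _queries]
```

`probe_resolver("198.6.1.1")` runs the live check against the resolver named in the post; run it from inside the ISP's network, because the appliance sits on the customer-facing side and an outside query may never cross it. The common-IP test matters: a resolver that honestly returns NOERROR for a wildcard zone will not make three unrelated random second-level labels resolve to the same addresses, whereas step 3's farm does exactly that. Step 4 can be confirmed the same way by hand: connect to a returned address with a Host header of the bogus name and see whether a search page comes back for it.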

