Redirecting DNS for Ads and Profit

Nicholas Weaver, ICSI, nweaver@icir.org
Christian Kreibich, ICSI, christian@icir.org
Vern Paxson, ICSI & UC Berkeley, vern@cs.berkeley.edu

Abstract

Internet Service Providers (ISPs) increasingly try to grow their profit margins by employing "error traffic monetization," the practice of redirecting customers whose DNS lookups fail to advertisement-oriented Web servers. A small industry of companies provides the associated machinery for ISPs to engage in this monetization, with the companies often participating in operating the service as well. We conduct a technical analysis of DNS error traffic monetization evident in 66,000 Netalyzr sessions, including fingerprinting derived from patterns seen in the resulting ad landing pages. We identify major players in this industry, their ISP affiliations over time, and available user opt-out mechanisms. One monetization vendor, Paxfire, transgresses the error-based model and also reroutes all user search queries to Bing, Yahoo, and (sometimes) Google via proxy servers controlled or provided by Paxfire.

1 Introduction

Error traffic monetization solutions leverage the context provided by ISP customer traffic in order to rewrite protocol error messages to valid responses, redirecting users to Web servers—ad servers, in the following—that show advertisements or search results hopefully of interest to the user. Examples of such protocol errors include HTTP 404 status codes and, more commonly, DNS responses with return code 3 (Name Error), indicating that the looked-up name could not be resolved to an IP address. Rewriting of such DNS responses also goes by the name "NXDOMAIN wildcarding," and is the focus of this paper.

ISPs commonly deploy this controversial practice with the assistance of a monetization provider. These third parties supply the infrastructure needed to rewrite the name errors, and Web servers to redirect traffic to the ad servers. One provider claims that ISPs deploying their solution will see profits of 1–3 USD per customer per year [14].^1 ICANN has criticized this practice due to its potential to cause both security and stability problems, and called out the existence of third-party involvement [5]. Security researchers have exploited cross-site scripting vulnerabilities in two providers' ad servers to demonstrate fairly sophisticated phishing and cookie theft attacks [7].

^1 We currently have no way of validating these profit claims. The same provider previously claimed 2–4 USD per customer per year.

In the ICSI Netalyzr [8], our widely used network debugging and diagnostic tool,^2 we have employed tests for various forms of NXDOMAIN wildcarding since we started offering the service in mid-2009. In this paper we illuminate the DNS error monetization market by combining Netalyzr's measurements with an analysis of the redirection pages collected between January 2010 and May 2011, the location and content of the ad servers, and the marketing material provided by the companies involved. We identify ISPs employing DNS error monetization, their choice of monetization provider (including shifts of provider and apparent in-house realization), potential redirection policy customizations, as well as availability of opt-out mechanisms.

We also observe a more aggressive form of DNS-driven traffic manipulation, search-engine proxying. One monetization provider, Paxfire [11], optionally supports blanket redirection of users' entire Web traffic for www.bing.com, search.yahoo.com, and sometimes www.google.com. Paxfire routes Bing and Yahoo through its own servers while treatment of Google depends on ISP policy, for which we observe three alternatives: Google's traffic remains unmolested; redirected through Paxfire's servers; or redirected through Paxfire proxies located within the ISP's network.

In §2 we sketch the typical architecture used for error traffic monetization. In §3 we describe our methodology, including DNS and HTTP data collection and redirection page categorization. Next, we briefly summarize the monetization providers and their modes of operation (§4), along with the corresponding ISP relationships and monetization policies (§5). We then discuss Paxfire's search-engine proxying and which ISPs employ this feature (§6) before we conclude the paper (§7).

2 DNS Error Monetization

DNS-based error monetization tries to convert DNS name errors into clicks on advertisements that are hopefully relevant in the context of the user's error-causing traffic. This conversion generally operates under the assumption that the error occurs in Web surfing, as the redirection of the otherwise failing traffic only succeeds for Web traffic. For other applications, say VoIP, email, or FTP, the advertisement context does not exist and redirection would imply serious privacy implications.

^2 http://netalyzr.icsi.berkeley.edu

Figure 1: The typical architecture employed by ISPs in tandem with monetization providers to facilitate DNS error monetization.

ISPs and monetization providers most commonly implement the redirection procedure using four components, shown in Figure 1: a recursive DNS resolver, a DNS response rewriter, a redirection Web server, and the ad server itself. Whether ISP or monetization provider owns, controls, or operates these components varies.

The ISP usually provides the recursive DNS resolver. When a user enters a URL into the browser or clicks on a link, the browser sends a DNS request to this DNS resolver, which performs the actual DNS queries on behalf of the customers and acts as a cache for DNS replies. When the name lookup fails, it forwards the resulting NXDOMAIN error to the response rewriter, which consists of a software module on the existing resolver [9] or an in-path device placed between the recursive resolver and the user [11]. The rewriter inspects incoming DNS responses and, depending on its rule-set, rewrites responses indicating name errors to regular A-record responses containing the IP address of a redirection server. The rule-set's coverage varies, and may trigger on all name errors, only on those for names beginning with a www subdomain, or exclude name errors only affecting the given subdomain. When triggering, the redirection server redirects the client to the ad server, which provides the advertisements and search results to the client.

Typically, the monetization provider operates the redirection server, a simple web server whose only task is to examine the Host headers and URLs the Web browsers request, and to generate an HTTP-level redirection response with a suitable URL pointing the browser at the ad server. According to our dataset, monetization providers typically assign a different redirection server IP address to each ISP, allowing the redirection server to know which ISP sourced the traffic. On occasion monetization providers also locate redirection servers within the ISPs' networks.

Figure 2: A typical search results page resulting from DNS wildcarding.

Finally, the ad server may operate in-house at the ISP or at the monetization provider. It serves pages branded to the ISP and commonly containing a combination of "sponsored" search results (i.e., advertisements), actual search results derived from the attempted domain name and any keywords it can extract from the original URL, and a link to opt-out instructions for the customer. Figure 2 shows an example search page Cox Communications presents to its users.

Monetization providers explicitly sell this service to ISPs as a method to increase revenue, while ISPs advertise it to their users as a navigational aid presenting search results and sometimes also providing a link correcting common spelling mistakes (e.g. a link on the page for yahoo.cmo pointing to yahoo.com).

Name error rewriting causes significant collateral damage. Web browsers commonly rely on these errors to present browser-specific assistance, such as falling back to a web search. Wildcarding names that do not begin with www assumes that a Web browser generated the lookup. This may break non-HTTP protocols, disrupt local services that rely on name suffixes in the local DNS search path, and expose the user to cross-site scripting vulnerabilities [7]. Therefore it is critical that ISPs provide effective opt-out mechanisms [2].

3 Wildcard Detection and Redirection Fingerprinting

Since mid-2009 we have provided the ICSI Netalyzr service, a popular network diagnostic, measurement, and debugging applet. Users around the world run it from their browsers in order to debug or clarify their network connectivity. To date, we have collected 259,000 sessions from 193,000 distinct IP addresses located in virtually every country of the world. For more details, we refer the reader to our main paper on the service [8].

Netalyzr includes tests to detect NXDOMAIN wildcarding. We employ random string nonces to compose nonexistent names in the following ways. Netalyzr first uses the system's DNS library to check if a name of the form www.nonce.com is wildcarded. If so, it explores variations to determine the policy for non-Web names (nonce.com), alternative TLDs (nonce.org), common typos (www.yahoo.cmo), subdomains (nonce.example.com), and DNS server failures.

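An added example, not Netalyzr's code: the probing sequence described above, written against an injectable lookup function so the policy inference can be exercised offline. The resolver stand-ins, the 192.0.2.10 address and the policy labels are constructed for illustration, and the DNS server failure variation is not covered.

```python
import secrets
import socket


def system_resolve(name):
    """Look a name up through the system's DNS library; None means it failed."""
    try:
        return socket.gethostbyname(name)
    except OSError:          # socket.gaierror: name error, SERVFAIL, timeout
        return None


def build_probes(nonce):
    """Names that should not exist, in the variations the section lists."""
    return {
        "www": f"www.{nonce}.com",            # Web-looking name, tested first
        "non_web": f"{nonce}.com",            # no www prefix
        "alt_tld": f"{nonce}.org",            # alternative TLD
        "typo": "www.yahoo.cmo",              # common typo
        "subdomain": f"{nonce}.example.com",  # name under an existing domain
    }


def probe_wildcarding(resolve=system_resolve, nonce=None):
    """Return the rewriting policy the resolver in use appears to apply."""
    probes = build_probes(nonce or secrets.token_hex(12))
    answers = {"www": resolve(probes["www"])}
    if answers["www"] is None:
        # The name error arrived intact, so the variations are not explored.
        return {"policy": "none", "rewritten": [], "servers": set()}
    for kind in ("non_web", "alt_tld", "typo", "subdomain"):
        answers[kind] = resolve(probes[kind])
    rewritten = sorted(k for k, ip in answers.items() if ip is not None)
    # A rewritten name without a www prefix means the rule is not www-only.
    policy = "all" if answers["non_web"] is not None else "www-only"
    servers = {ip for ip in answers.values() if ip is not None}
    return {"policy": policy, "rewritten": rewritten, "servers": servers}


# Constructed stand-ins for a resolver that sits behind a response rewriter.
REDIRECTION_SERVER = "192.0.2.10"   # documentation address, not a real server


def www_only_rewriter(name):
    return REDIRECTION_SERVER if name.startswith("www.") else None


def rewrite_everything(name):
    return REDIRECTION_SERVER


def honest_resolver(name):
    return None


if __name__ == "__main__":
    print(probe_wildcarding())   # queries the resolver this host is using
```

More than one address in `servers` is worth recording as well, since the paper reports that providers assign redirection server addresses per ISP.
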
In January 2010 we added code to the applet to capture the web page content when it detects the presence of NXDOMAIN wildcarding. In those cases, the applet sends an HTTP GET to the redirection Web server and uploads any returned content to the Netalyzr servers. The code neither follows redirects nor interprets the contents in any way.

Our dataset comprises 45,020 web pages captured in this manner. We manually classified them by identifying distinct content features, for which we defined regular expressions. We used content features including the structure of the redirection target URLs (such as redirects containing /dnserrorurl=) if the response was an HTTP redirect, unique JavaScript snippets, HTTP response headers, and redirection techniques. A set of 81 rules allowed us to categorize 96% of the uploaded web pages. The twenty most common rules match 94% of pages. No page matches more than one rule. We used neither the addresses of the redirection servers nor their hostnames for classification.

A related Netalyzr DNS check verifies DNS lookup integrity. The applet looks up the IP addresses for each of approximately 80 DNS names, including search properties, advertisement sites, banks, financial institutions, IM clients, and other domains of interest. It uploads the resulting set of IP addresses to the Netalyzr servers, which validate the correctness of the addresses via reverse lookups and inspection of the resulting hostnames.

We note that our measurements are skewed by Netalyzr's user base: the nature of the service biases it toward technophile users. In particular, we observe a large number of OpenDNS and Comcast users, mainly because a major technology news site featured Netalyzr in context of coverage of Comcast's DNS policy. Our data collection is generally prone to such "flash crowds," resulting from exposure the tool receives on technical blogs and news sites.

4 Error Monetization Providers

All ISPs for which Netalyzr has recorded over a hundred distinct redirection pages either use one of 6 monetization providers or implement an ISP-specific solution. While other competitors may exist, the major ISPs in the Netalyzr dataset do not employ them.

The differences between monetization providers lie mostly in the rule determining the set of names whose resulting name errors they rewrite, the implementation of the redirection, and the opt-out mechanism. The rewriting rule in practice either matches all name errors or only those whose names begin in www, and thus reflects different levels of collateral damage. The redirection mechanism is also important, as the methods vary in reliability. The HTTP specification provides for clean redirections using status code 302, which any HTTP client understands. Unfortunately, several vendors return pages containing either just JavaScript, or JavaScript in combination with an HTML Meta refresh tag. Finally, opt-outs are up to the ISP (via maintenance of IP address whitelists), the monetization provider (via HTTP cookies on the ad server), or the customer (via selection of an alternate DNS provider).

Barefruit's products provide error monetization for DNS and HTTP traffic [1]. In the DNS space, they offer patches for the BIND, PowerDNS, and djbdns DNS servers that add wildcarding functionality and include a whitelist based on IP addresses. Barefruit's redirected URLs include the string mainInterceptSource=0, presumably to distinguish between DNS and HTTP redirections. Barefruit has provided Cox, Earthlink, and Qwest with in-ISP redirection servers; for others they reside in three of Barefruit's address blocks. Their website contains a public FAQ section on opting out, simply encouraging users to search the Web for alternative DNS resolvers.

FAST Search & Transfer, owned by Microsoft, is a software and services company specializing in enterprise-level search. We could locate no advertising material indicating they offer this service, so we base this vendor assignment only on IP address allocations. Two ISPs use a total of five redirection servers in three address ranges belonging to FAST Search & Transfer. Comcast's redirection servers construct URLs of the form cat=dnsr&con=ds&url=domain, while Time Warner's uses q=domain&con=nxd, a construction that appears related but not identical. This is the only case we have observed in which a vendor uses a different URL pattern with different customers, necessitating two separate signatures.

Infospace primarily build a "meta" search engine but they also provide multiple business products, including DNS Error Assist Service [6], which integrates with their search engine. A path component starting with dnsassist/main/, for their "DNS Error Assist" service, provides the redirection URL's distinct signature. Infospace hosts the redirection servers on nine IP addresses within two Infospace-owned subnets.

Nominum primarily constructs large-scale DNS systems. Many major ISPs employ their caching nameservers. For their Vantio nameservers, Nominum offers NXR [9], a module that forwards NXDOMAINs to their NavAssist service. Nominum's redirection URLs begin with either subscribers/assist or assist.php, which matches the NavAssist name. Nominum switched from the former to the latter form in the summer of 2010. Nominum owns the two address ranges this service uses.

Paxfire exclusively provides DNS error monetization services [11]. They offer three ways in which ISPs may implement the redirection: (i) an in-path hardware device that rewrites DNS replies, (ii) a software module for various DNS resolvers, and (iii) a hosted DNS service. Their service operates on a revenue-sharing basis. Paxfire, for unknown reasons, employs an obfuscated JavaScript-only redirection. The obfuscation uses concatenation of static strings to produce a redirection target URL that it places into document.location. Most strings never change, which allows us to easily recognize the Paxfire redirector. They provide a local redirection server for Versatel and place others in seven different subnets. These subnets are in address ranges with no identifying WHOIS or reverse DNS information. We confirmed the redirection page signature by querying the demonstration servers we discovered during our investigation of search-engine proxying (§6).

Paxfire offers two opt-outs for ISPs. The first uses a standard whitelist of IP addresses. The second employs an HTTP cookie on the ad server's domain. This cookie opt-out is fictional: the rewriter continues to mask the customer's name errors, but the ad server now returns HTML content matching the default error page of the user's browser.

Xerocole [14] previously realized Sandvine's DNS wildcarding product [13] and specializes entirely in DNS error monetization. It spun off from Sandvine in the summer of 2010. Xerocole provides a DNS server proxy that exists between the resolver and the customers. Their initial redirection used Apache servers using HTTP-level 302 redirects. In the fall of 2010 they switched redirection servers to Nginx. These servers return a compressed page with an in-page meta refresh and JavaScript. They deploy redirection servers in Time Warner's network but all other servers are in five subnets, three of which are registered to Sandvine or Xerocole.

Xerocole's appliance offers two options for handling DNSSEC. The first suppresses NXDOMAIN wildcarding if the query requested DNSSEC information and the sender signed the response. The second simply returns a rewritten NXDOMAIN without a signature and assumes that clients will not actually validate DNSSEC.

VENDOR      | REWRITING RULE | REDIRECTION MECHANISM
Barefruit   | all            | Meta & JavaScript
FAST Search | www            | 302 redirect
Infospace   | www            | 302 redirect
Nominum     | www            | 302 redirect
Paxfire     | all            | JavaScript
Xerocole    | www            | Meta & JavaScript

Table 1: Monetization providers, their default rewriting policies, and their employed redirection mechanisms.

Non ISP-related providers. We observed two classes of monetization not related to ISPs. First, voluntary third-party DNS providers such as OpenDNS [10] use DNS error monetization as their primary revenue stream. OpenDNS's redirection servers issue an HTTP 302 redirect. The wildcarding covers not just NXDOMAIN errors but also SERVFAIL. It will even create an IPv4 address to their redirection server for valid names lacking an IPv4 address, causing substantial problems to IPv6-only services, as most clients will query for both IPv4 and IPv6 records simultaneously.

Second, D-Link home gateways include DNS error monetization in their "Advanced DNS Service" [3]. This service sets the user's DNS resolver address to D-Link-branded OpenDNS servers and suffers from the same overly aggressive wildcarding. We do not know whether D-Link enables this service by default.

Table 1 summarizes the providers' default choices for name rewriting and redirection mechanism.

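An added example, not the authors' rule set: a small classifier for captured redirection responses that reports the redirection mechanism (the categories of Table 1) and matches the URL features this section quotes for FAST, Infospace and Nominum. The sample responses and hostnames are constructed, and the JavaScript handling assumes a single assignment of quoted literals joined by +.

```python
import re
from urllib.parse import urlsplit, parse_qs

META = re.compile(r'<meta[^>]+http-equiv=["\']?refresh["\']?[^>]*'
                  r'content=["\'][^"\']*?url=([^"\'>\s]+)', re.I)
# location = "lit" + "lit" + ...  (static string concatenation only)
JS = re.compile(r'(?:document|window)\.location(?:\.href)?\s*=\s*'
                r'((?:["\'][^"\']*["\']\s*\+?\s*)+)', re.I)
LITERAL = re.compile(r'["\']([^"\']*)["\']')


def vendor_of(url):
    """Match a redirection target against the URL features quoted above."""
    parts = urlsplit(url)
    path = parts.path.lstrip("/")
    query = parse_qs(parts.query, keep_blank_values=True)
    hits = []
    if query.get("cat") == ["dnsr"] and query.get("con") == ["ds"] and "url" in query:
        hits.append("FAST (Comcast form)")
    if query.get("con") == ["nxd"] and "q" in query:
        hits.append("FAST (Time Warner form)")
    if "dnsassist/main/" in path:
        hits.append("Infospace")
    if path.startswith(("subscribers/assist", "assist.php")):
        hits.append("Nominum")
    if len(hits) > 1:   # the paper's rules never overlap; treat overlap as a bug
        raise ValueError(f"ambiguous signatures for {url}: {hits}")
    return hits[0] if hits else None


def classify(raw):
    """Return mechanism, target URL and vendor for one raw HTTP response."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    fields = lines[0].split()
    status = int(fields[1]) if len(fields) > 1 and fields[1].isdigit() else 0
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    if status == 302 and "location" in headers:
        mechanism, target = "302 redirect", headers["location"]
    else:
        meta, js = META.search(body), JS.search(body)
        if not meta and not js:
            return {"mechanism": None, "target": None, "vendor": None}
        mechanism = ("Meta & JavaScript" if meta and js
                     else "JavaScript" if js else "Meta")
        target = meta.group(1) if meta else "".join(LITERAL.findall(js.group(1)))
    return {"mechanism": mechanism, "target": target, "vendor": vendor_of(target)}


# Constructed captures; hostnames use the reserved .example TLD.
SAMPLE_302 = ("HTTP/1.1 302 Found\r\n"
              "Location: http://search.isp.example/dnsassist/main/?domain=www.n0nce.com\r\n"
              "Content-Length: 0\r\n\r\n")
SAMPLE_META_JS = ("HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n"
                  '<html><head><meta http-equiv="refresh" '
                  'content="0;url=http://ads.isp.example/landing?src=dns&url=www.n0nce.com">'
                  '<script>window.location = "http://ads.isp.example/landing";</script>'
                  "</head></html>")
SAMPLE_JS = ("HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n"
             '<script>document.location = "http://" + "ads.isp" + ".example/" '
             '+ "s?d=www.n0nce.com";</script>')
SAMPLE_PLAIN = "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n<html>hello</html>"

if __name__ == "__main__":
    for sample in (SAMPLE_302, SAMPLE_META_JS, SAMPLE_JS, SAMPLE_PLAIN):
        print(classify(sample))
```

Vendors for which the section quotes no concrete string (Paxfire, Xerocole) come back with a mechanism but no vendor label, which is the honest result for a rule set built only from what the page states.
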
5 ISP Usage of Error Monetization

World-wide prevalence. We examined the adoption of NXDOMAIN wildcarding in all countries for which our Netalyzr dataset contains over 1,000 sessions from users relying on ISP-provided resolvers. Most monetization occurs in Italy (40%), the US (33%), Brazil (33%), Argentina (27%), Germany (25%), and Austria (20%). The UK (18%), Canada (15%), and Spain (12%) occupy the medium range. ISPs in Australia, Belgium, Finland, France, Israel, Lithuania, New Zealand, Norway, Poland, Russia, Sweden, and Switzerland do not commonly use DNS error monetization: these countries have wildcarding adoption rates below 10%.

Major ISPs. For each of the 15 ISPs most prevalent in our Netalyzr dataset and for which Netalyzr's tests detected wildcarding, we examined the ISPs' redirection policy, choice of monetization provider over time, opt-out mechanism, and the fraction of Netalyzr users who have opted out of the redirection. For four ISPs we could not observe the search results page on the ad server as it is only available to these ISPs' customers. We consider users opted-out if their sessions show no evidence of wildcarding but do employ an ISP-operated resolver.

ISP                 | # SESSIONS | COUNTRY | MONETIZATION PROVIDER | REWRITING RULE | USER OPT-OUT MECHANISM | USER OPT-OUT % RATE
Alice DSL           | 3,761      | DE      | (AOL)                 | www            | Account Setting        | 25
Brazil Telecom      | 569        | BR      |                       | www            |                        | 2
Charter             | 2,241      | US      | Paxfire → Xerocole    | www            | Account Setting        | 34
Comcast             | 17,362     | US      | FAST                  | www            | Account Setting        | 27
Cox                 | 2,633      | US      | Barefruit             | all            | Account Setting        | 18
Deutsche Telekom    | 12,671     | DE      |                       | all            | Account Setting        | 30
Optimum Online      | 1,210      | US      | Infospace             | www            | Account Setting        | 15
Oi                  | 657        | BR      | Barefruit             | all            | Cookie                 | 25
Qwest               | 1,542      | US      | Barefruit             | all            | Account Setting        | 33
Rogers Cablesystems | 1,197      | CA      | Paxfire               | all            | Cookie                 | 4
Telecom Italia      | 1,429      | IT      |                       | all            |                        | 33
Time Warner         | 7,287      | US      | Xerocole → FAST       | www            | Account Setting        | 20
UPC                 | 964        | NL      | Infospace → Nominum   | www            |                        | 5
Verizon             | 4,751      | US      | Paxfire               | www            | Resolver Change        | 9
Virgin Media        | 1,890      | UK      | Nominum               | www            |                        | 28

Table 2: The 15 DNS-monetizing ISPs most prevalent in our Netalyzr dataset, their monetization providers, and monetization details. "→" indicates a provider switch, "" ISP-internal realization of the monetization service.

Table 2 summarizes our findings. At least 8 of the 15 ISPs implement opt-out via a user account setting. As we are not customers, we cannot universally verify their reliability. Oi and Rogers appear to employ HTTP cookies, and Verizon requires its users to change their resolver configuration manually. We note that distinguishing opted-out users from partial wildcarding deployment within an ISP is difficult. Thus our opt-out numbers may be an upper bound.

We observe monetization provider switches in Charter (October 2010), Time Warner (March 2010), and UPC (October 2010), suggesting low barriers to switching. The switch-overs may be gradual, over a month or two. Indeed, Netalyzr captured 30 sessions by Charter customers indicating Charter used Xerocole to wildcard www-prefixed domains, and Paxfire for all others. This suggests that either different resolvers used different monetization providers, or that Charter placed the Xerocole rewriter before Paxfire's existing one.

ISPs sometimes override monetization provider defaults. Verizon seeks to reduce collateral damage by applying Paxfire only to www names, while two smaller ISPs (Kcom, using Infospace, and Maxonline, a Xerocole customer) override the defaults to wildcarding of all failing names.

Several non-US ISPs appear to employ their own systems, showing distinct redirection server content. Alice DSL may have developed theirs in conjunction with AOL. Alice uses a distinct redirection page and most redirection servers reside in their address range. We discovered a single landing page served from outside of Alice DSL's network. Its server resides in AOL space and redirects to an unbranded AOL search page. The other servers redirect to Alice-branded AOL search pages.

6 Paxfire's Search-Engine Proxying

We previously reported [8] that some ISPs redirect all Web search traffic of parts of their customer base through proxy servers of unknown purpose and ownership, significantly transgressing the common error-based redirection model. Zhang et al. [15] independently observed the same effects. We can now provide more insight into the phenomenon.

The affected ISPs redirect all web searches that affected customers send to www.bing.com, www.google.com, and search.yahoo.com via unrelated HTTP proxies that seemingly do not alter the content. These proxies redirect HTTPS connections to any of the three search sites to https://www.google.com.^3 By sending HTTP requests directly to the proxies, we identified them as Squid proxies. Deliberately invalid HTTP requests yield HTML content mentioning phishing-warning-site.com, an anonymously registered domain parked at GoDaddy. Instances in which the proxies have erroneously returned this response to legitimate requests have triggered ISP customer discussions in online forums, whose puzzled participants posted reports à la "Google is down" and wondered about the domain's involvement [12].

At least 12 ISPs support this search-engine proxying: Cavalier, Cogent, DirecPC, Frontier, Fuse, IBBS,^4 Insight Broadband, Megapath, Paetec, RCN, Wide Open West and XO Communications. The subset of customers affected varies from temporal localized deployments to almost the entire customer base. Charter used the service in the past but appears to discontinue this practice as they switch NXDOMAIN vendors, while Iowa Telecom used it until Windstream acquired them.

^3 The HTTPS protocol performs the key exchange before the Host field is revealed, forcing the proxy to statically decide where to route encrypted traffic. The proxies can safely proxy the encrypted traffic as only Google uses HTTPS-based services on the search domain.

^4 IBBS provides DNS and other support services to small ISPs. It is unclear whether these ISPs are aware of the redirection.

The redirectors always send search.yahoo.com and www.bing.com to ISP-specific IP addresses in two address ranges.^5 www.google.com's treatment varies among redirection through Paxfire proxies (e.g. Fuse), redirection via in-house proxies (e.g. DirecPC, Frontier, and Wide Open West), and no redirection (e.g. Charter and Cogent).

After WHOIS, traceroute, and passive DNS analyses proved inconclusive, we scanned the proxies' IP address neighborhoods for HTTP proxies and discovered that they contain several NXDOMAIN redirection servers, including Paxfire's demonstration servers and another Squid proxy we did not observe in our Netalyzr sessions.^6 We also began working with the EFF during this process. They were able to provide independent confirmation that Paxfire was responsible for this behavior.

Paxfire's search-engine proxying is not mandatory, since Verizon uses Paxfire but exhibits only NXDOMAIN wildcarding. We rule out performance reasons for the redirection: not only are search results poorly cacheable, the small number of proxies also introduces a failure point that cannot come near the uptime of the actual search engines' servers. We suspect that Paxfire harvests user search behavior for commercial purposes yielding revenue they share with participating ISPs.

7 Final Thoughts

A potential revenue increase of 1–3 USD per customer per year [14] has resulted in a far-reaching change to the workings of one of the Internet's core protocols. Our analysis of the way major ISPs involve the 6 top error traffic monetization providers in central parts of their technical infrastructure demonstrates that ISPs are clearly willing to experiment in this space, sometimes even rerouting substantial volumes of error-unrelated traffic through these providers. DNS likely will not be the end of it: Barefruit claims to offer services to monetize HTTP 404 errors by rewriting them to ad server redirection. Xerocole also implies that it offers these tools in their discussion of DNSSEC. We have also observed public complaints about ISPs deploying resolver-independent in-path NXDOMAIN rewriting, which prevents customers from avoiding interference by using a third-party resolver.

^5 8.15.228.128/25, part of a large Level3 block, and 69.25.212.0/25, registered to Almar Networks LLC, a Nevada shell company.

^6 Demonstration servers: 8.15.228.241-248, additional proxy: 8.15.228.249.

We have recently augmented Netalyzr's test suite to detect such manipulations. Preliminary results show at least one ISP (Mediacom, in cooperation with Infospace) and some Linksys NATs performing 404 rewriting. We have not yet observed any significant in-path NXDOMAIN rewriting, but we have observed NATs redirecting all DNS requests through their configured recursive resolver, which creates the appearance of in-path NXDOMAIN rewriting [4].

8 Acknowledgments

As always, we are deeply grateful to our Netalyzr users for enabling this study. We are particularly grateful to Peter Eckersley at the EFF. We thank Amazon for supporting our EC2 deployment and acknowledge support by the National Science Foundation under grants NSF CNS-0722035, NSF-0433702, and CNS-0905631, with additional support from Google and Comcast.

References

[1] BAREFRUIT. The Barefruit Solution. http://www.barefruit.com/.
[2] CREIGHTON, T., GRIFFITHS, C., LIVINGOOD, J., AND WEBER, R. DNS Redirect Use by Service Providers. Internet Draft draft-livingood-dns-redirect-03.
[3] D-LINK. Advanced DNS. http://www.dlink.com/support/faqDetail/prod_id=3383&print=1.
[4] Public DNS Discuss: Listen on 5353 too. http://groups.google.com/group/public-dns-discuss/browse_thread/thread/31fa7260772ace32hl=en.
[5] ICANN SECURITY AND STABILITY ADVISORY COMMITTEE. SAC032: Preliminary Report on DNS Response Modification.
[6] INFOSPACE. DNS Error Assist Service. http://www.infospaceinc.com/business/hp_dnserrorassistservice.aspx.
[7] IOACTIVE. Entire Web at Risk: Earthlink and Verizon Advertising Security Revealed. http://www.ioactive.com/news-events/KaminskyEarthlinkPR.html.
[8] KREIBICH, C., WEAVER, N., NECHAEV, B., AND PAXSON, V. Netalyzr: Illuminating the edge network. In Proc. ACM IMC (Melbourne, Australia, Nov. 2010).
[9] NOMINUM. Vantio NXR. http://www.nominum.com/what-we-do/software-systems/vantio-nxr.
[10] OPENDNS. DNS Based Web Security. http://www.opendns.com/.
[11] PAXFIRE. Generating New Revenue for Network Operators. http://www.paxfire.com/.
[12] PUREZERO. Google Support: Can't Resolve Google Through my ISP. http://www.google.com/support/forum/p/Web+Search/threadtid=5c10868a8217917d&hl=en.
[13] SANDVINE. Search Guide. http://www.sandvine.com/downloads/documents/sandvine_search_guide.pdf.
[14] XEROCOLE. Solutions. http://www.xerocole.com/solutions/.
[15] ZHANG, C., HUANG, C., ROSS, K., MALTZ, D., AND LI, J. In-flight Modifications of Content: Who are the Culprits? In Workshop of Large-Scale Exploits and Emerging Threats (LEET'11) (2011).