relyopenerdns

RedirectingDNSforAdsandProtNicholasWeaverICSInweaver@icir.
orgChristianKreibichICSIchristian@icir.
orgVernPaxsonICSI&UCBerkeleyvern@cs.
berkeley.
eduAbstractInternetServiceProviders(ISPs)increasinglytrytogrowtheirprotmarginsbyemploying"errortrafcmonetization,"thepracticeofredirectingcustomerswhoseDNSlookupsfailtoadvertisement-orientedWebservers.
Asmallindustryofcom-paniesprovidestheassociatedmachineryforISPstoengageinthismonetization,withthecompaniesoftenparticipatinginoperatingtheserviceaswell.
WeconductatechnicalanalysisofDNSerrortrafcmonetizationevidentin66,000Netalyzrsessions,includingngerprintingderivedfrompatternsseenintheresultingadlandingpages.
Weidentifymajorplayersinthisindustry,theirISPafliationsovertime,andavailableuseropt-outmechanisms.
Onemonetizationvendor,Paxre,transgressestheerror-basedmodelandalsoreroutesallusersearchqueriestoBing,Yahoo,and(sometimes)GoogleviaproxyserverscontrolledorprovidedbyPaxre.
1IntroductionErrortrafcmonetizationsolutionsleveragethecon-textprovidedbyISPcustomertrafcinordertorewriteprotocolerrormessagestovalidresponses,redirectinguserstoWebservers—adservers,inthefollowing—thatshowadvertisementsorsearchresultshopefullyofinter-esttotheuser.
ExamplesofsuchprotocolerrorsincludeHTTP404statuscodesand,morecommonly,DNSre-sponseswithreturncode3(NameError),indicatingthatthelooked-upnamecouldnotberesolvedtoanIPad-dress.
RewritingofsuchDNSresponsesalsogoesbythename"NXDOMAINwildcarding,"andisthefocusofthispaper.
ISPscommonlydeploythiscontroversialpracticewiththeassistanceofamonetizationprovider.
Thesethirdpartiessupplytheinfrastructureneededtorewritethenameerrors,andWebserverstoredirecttrafctotheadservers.
OneproviderclaimsthatISPsdeploy-ingtheirsolutionwillseeprotsof1–3USDpercus-tomerperyear[14].
1ICANNhascriticizedthisprac-ticeduetoitspotentialtocausebothsecurityandstabil-ityproblems,andcalledouttheexistenceofthird-partyinvolvement[5].
Securityresearchershaveexploitedcross-sitescriptingvulnerabilitiesintwoproviders'adserverstodemonstratefairlysophisticatedphishingandcookietheftattacks[7].
1Wecurrentlyhavenowayofvalidatingtheseprotclaims.
Thesameproviderpreviouslyclaimed2–4USDpercustomerperyear.
IntheICSINetalyzr[8],ourwidelyusednetworkde-bugginganddiagnostictool,2wehaveemployedtestsforvariousformsofNXDOMAINwildcardingsincewestartedofferingtheserviceinmid-2009.
InthispaperweilluminatetheDNSerrormonetizationmarketbycom-biningNetalyzr'smeasurementswithananalysisoftheredirectionpagescollectedbetweenJanuary2010andMay2011,thelocationandcontentoftheadservers,andthemarketingmaterialprovidedbythecompaniesinvolved.
WeidentifyISPsemployingDNSerrormon-etization,theirchoiceofmonetizationprovider(includ-ingshiftsofproviderandapparentin-houserealization),potentialredirectionpolicycustomizations,aswellasavailabilityofopt-outmechanisms.
WealsoobserveamoreaggressiveformofDNS-driventrafcmanipulation,search-engineproxying.
Onemonetizationprovider,Paxre[11],optionallysup-portsblanketredirectionofusers'entireWebtrafcforwww.
bing.
com,search.
yahoo.
com,andsome-timeswww.
google.
com.
PaxreroutesBingandYa-hoothroughitsownserverswhiletreatmentofGoogledependsonISPpolicy,forwhichweobservethreealter-natives:Google'strafcremainsunmolested;redirectedthroughPaxre'sservers;orredirectedthroughPaxreproxieslocatedwithintheISP'snetwork.
In§2wesketchthetypicalarchitectureusedforerrortrafcmonetization.
In§3wedescribeourmethodol-ogy,includingDNSandHTTPdatacollectionandredi-rectionpagecategorization.
Next,webrieysumma-rizethemonetizationprovidersandtheirmodesofop-eration(§4),alongwiththecorrespondingISPrelation-shipsandmonetizationpolicies(§5).
WethendiscussPaxre'ssearch-engineproxyingandwhichISPsem-ploythisfeature(§6)beforeweconcludethepaper(§7).
2DNSErrorMonetizationDNS-basederrormonetizationtriestoconvertDNSnameerrorsintoclicksonadvertisementsthatarehope-fullyrelevantinthecontextoftheuser'serror-causingtrafc.
Thisconversiongenerallyoperatesundertheas-sumptionthattheerroroccursinWebsurng,astheredirectionoftheotherwisefailingtrafconlysucceedsforWebtrafc.
Forotherapplications,sayVoIP,email,2http://netalyzr.
icsi.
berkeley.
eduFigure1:ThetypicalarchitectureemployedbyISPsintandemwithmonetizationproviderstofacilitateDNSerrormonetization.
orFTP,theadvertisementcontextdoesnotexistandredirectionwouldimplyseriousprivacyimplications.
ISPsandmonetizationprovidersmostcommonlyim-plementtheredirectionprocedureusingfourcompo-nents,showninFigure1:arecursiveDNSresolver,aDNSresponserewriter,aredirectionWebserver,andtheadserveritself.
WhetherISPormonetizationproviderowns,controls,oroperatesthesecomponentsvaries.
TheISPusuallyprovidestherecursiveDNSresolver.
WhenauserentersaURLintothebrowserorclicksonalink(),thebrowsersendsaDNSrequesttothisDNSresolver,whichperformstheactualDNSqueriesonbehalfofthecustomersandactsasacacheforDNSreplies().
Whenthenamelookupfails,itforwardstheresultingNXDOMAINerror()totheresponserewriter,whichconsistsofasoftwaremoduleontheex-istingresolver[9]oranin-pathdeviceplacedbetweentherecursiveresolverandtheuser[11].
TherewriterinspectsincomingDNSresponsesanddependingonitsrule-setrewritesresponsesindicatingnameerrorre-sponsestoregularA-recordresponsescontainingtheIPaddressofaredirectionserver().
Therule-set'scov-eragevaries,andmaytriggeronallnameerrors,onlyonthosefornamesbeginningwithawwwsubdomain,orexcludenameerrorsonlyaffectingthegivensubdo-main.
Whentriggering,theredirectionserverredirectstheclienttotheadserver(),whichprovidestheadver-tisementsandsearchresultstotheclient().
Typically,themonetizationprovideroperatestheredi-rectionserver,asimplewebserverwhoseonlytaskistoexaminetheHostheadersandURLstheWebbrowsersrequest,andtogenerateanHTTP-levelredirectionre-sponsewithasuitableURLpointingthebrowserattheadserver.
Accordingtoourdataset,monetizationproviderstypicallyassignadifferentredirectionserverIPaddresstoeachISP,allowingtheredirectionsevertoFigure2:AtypicalsearchresultspageresultingfromDNSwildcarding.
knowwhichISPsourcedthetrafc.
Onoccasionmon-etizationprovidersalsolocateredirectionserverswithintheISPs'networks.
Finally,theadservermayoperatein-houseattheISPoratthemonetizationprovider.
ItservespagesbrandedtotheISPandcommonlycontainingacombinationof"sponsored"searchresults(i.
e.
,advertisements),actualsearchresultsderivedfromtheattempteddomainnameandanykeywordsitcanextractfromtheoriginalURL,andalinktoopt-outinstructionsforthecustomer.
Fig-ure2showsanexamplesearchpageCoxCommunica-tionspresentstoitsusers.
MonetizationprovidersexplicitlysellthisservicetoISPsasamethodtoincreaserevenue,whileISPsad-vertiseittotheirusersasanavigationalaidpresentingsearchresultsandsometimesalsoprovidingalinkcor-rectingcommonspellingmistakes(e.
g.
alinkonthepageforyahoo.
cmopointingtoyahoo.
com).
Nameerrorrewritingcausessignicantcollateraldamage.
Webbrowserscommonlyrelyontheseerrorstopresentbrowser-specicassistance,suchasfallingbacktoawebsearch.
WildcardingnamesthatdonotbeginwithwwwassumesthataWebbrowsergeneratedthelookup.
Thismaybreaknon-HTTPprotocols,dis-ruptlocalservicesthatrelyonnamesufxesinthelo-calDNSsearchpath,andexposetheusertocross-sitescriptingvulnerabilities[7].
ThereforeitiscriticaltheISPsprovideeffectiveopt-outmechanisms[2].
3WildcardDetectionandRedirectionFingerprintingSincemid-2009wehaveprovidedtheICSINetalyzrser-vice,apopularnetworkdiagnostic,measurement,anddebuggingapplet.
Usersaroundtheworldrunitfromtheirbrowsersinordertodebugorclarifytheirnetworkconnectivity.
Todate,wehavecollected259,000ses-sionsfrom193,000distinctIPaddresseslocatedinvir-tuallyeverycountryoftheworld.
Formoredetails,wereferthereadertoourmainpaperontheservice[8].
NetalyzrincludesteststodetectNXDOMAINwild-carding.
Weemployrandomstringnoncestocom-posenonexistentnamesinthefollowingways.
Net-alyzrrstusesthesystem'sDNSlibrarytocheckifanameoftheformwww.
nonce.
comiswildcarded.
Ifso,itexploresvariationstodeterminethepolicyfornon-Webnames(nonce.
com),alternativeTLDs(nonce.
org),commontypos(www.
yahoo.
cmo),subdomains(nonce.
example.
com),andDNSserverfailures.
InJanuary2010weaddedcodetotheapplettocapturethewebpagecontentwhenitdetectsthepres-enceofNXDOMAINwildcarding.
Inthosecases,theappletsendsanHTTPGETtotheredirectionWebserveranduploadsanyreturnedcontenttotheNetalyzrservers.
Thecodeneitherfollowsredirectsnorinterpretsthecon-tentsinanyway.
Ourdatasetcomprises45,020webpagescapturedinthismanner.
Wemanuallyclassiedthembyiden-tifyingdistinctcontentfeatures,forwhichwedenedregularexpressions.
Weusedcontentfeaturesinclud-ingthestructureoftheredirectiontargetURLs(suchasredirectscontaining/dnserrorurl=)ifthere-sponsewasanHTTPredirect,uniqueJavaScriptsnip-pets,HTTPresponseheaders,andredirectiontech-niques.
Asetof81rulesallowedustocategorize96%oftheuploadedwebpages.
Thetwentymostcommonrulesmatch94%ofpages.
Nopagematchesmorethanonerule.
Weusedneithertheaddressesoftheredirec-tionserversnortheirhostnamesforclassication.
ArelatedNetalyzrDNScheckveriesDNSlookupintegrity.
TheappletlooksuptheIPaddressesforeachofapproximately80DNSnames,includingsearchprop-erties,advertisementsites,banks,nancialinstitutions,IMclients,andotherdomainsofinterest.
ItuploadstheresultingsetofIPaddressestotheNetalyzrservers,whichvalidatethecorrectnessoftheaddressesviare-verselookupsandinspectionoftheresultinghostnames.
WenotethatourmeasurementsareskewedbyNe-talyzr'suserbase:thenatureoftheservicebiasesittowardtechnophileusers.
Inparticular,weobservealargenumberofOpenDNSandComcastusers,mainlybecauseamajortechnologynewssitefeaturedNetalyzrincontextofcoverageofComcast'sDNSpolicy.
Ourdatacollectionisgenerallypronetosuch"ashcrowds,"resultingfromexposurethetoolreceivesontechnicalblogsandnewssites.
4ErrorMonetizationProvidersAllISPsforwhichNetalyzrhasrecordedoverahun-dreddistinctredirectionpageseitheruseoneof6mone-tizationprovidersorimplementanISP-specicsolution.
Whileothercompetitorsmayexist,themajorISPsintheNetalyzrdatasetdonotemploythem.
Thedifferencesbetweenmonetizationprovidersliemostlyintheruledeterminingthesetofnameswhosere-sultingnameerrorstheyrewrite,theimplementationoftheredirection,andtheopt-outmechanism.
Therewrit-ingruleinpracticeeithermatchesallnameerrorsoronlythosewhosenamesbegininwww,andthusreectsdif-ferentlevelsofcollateraldamage.
Theredirectionmech-anismisalsoimportant,asthemethodsvaryinreliabil-ity.
TheHTTPspecicationprovidesforcleanredirec-tionsusingstatuscode302,whichanyHTTPclientun-derstands.
Unfortunately,severalvendorsreturnpagescontainingeitherjustJavaScript,orJavaScriptincom-binationwithanHTMLMetarefreshtag.
Finally,opt-outsareuptotheISP(viamaintenanceofIPaddresswhitelists),themonetizationprovider(viaHTTPcook-iesontheadserver),orthecustomer(viaselectionofanalternateDNSprovider).
Barefruit'sproductsprovideerrormonetizationforDNSandHTTPtrafc[1].
IntheDNSspace,theyofferpatchesfortheBIND,PowerDNS,anddjbdnsDNSserversthataddwildcardingfunc-tionalityandincludeawhitelistbasedonIPad-dresses.
Barefruit'sredirectedURLsincludethestringmainInterceptSource=0,presumablytodistin-guishbetweenDNSandHTTPredirections.
BarefruithasprovidedCox,Earthlink,andQwestwithin-ISPredirectionservers;forotherstheyresideinthreeofBarefruit'saddressblocks.
Theirwebsitecontainsapub-licFAQsectiononoptingout,simplyencouraginguserstosearchtheWebforalternativeDNSresolvers.
FASTSearch&Transfer,ownedbyMicrosoft,isasoftwareandservicescompanyspecializinginenterprise-levelsearch.
Wecouldlocatenoadvertisingmaterialindicatingtheyofferthisservice,sowebasethisvendorassignmentonlyonIPaddressallocations.
TwoISPsuseatotalofveredirectionserversinthreeaddressrangesbelongingtoFASTSearch&Trans-fer.
Comcast'sredirectionserversconstructURLsoftheformcat=dnsr&con=ds&url=domain,whileTimeWarner'susesq=domain&con=nxd,aconstruc-tionthatappearsrelatedbutnotidentical.
ThisistheonlycasewehaveobservedinwhichavendorusesadifferentURLpatternwithdifferentcustomers,necessi-tatingtwoseparatesignatures.
Infospaceprimarilybuilda"meta"searchenginebuttheyalsoprovidemultiplebusinessproducts,includ-ingDNSErrorAssistService[6],whichintegrateswiththeirsearchengine.
Apathcomponentstartingwithdnsassist/main/,fortheir"DNSErrorAssist"ser-vice,providestheredirectionURL'sdistinctsignature.
InfospacehoststheredirectionserversonnineIPad-dresseswithintwoInfospace-ownedsubnets.
Nominumprimarilyconstructslarge-scaleDNSsys-tems.
ManymajorISPsemploytheircachingname-servers.
FortheirVantionameservers,Nominumof-fersNXR[9],amodulethatforwardsNXDOMAINstotheirNavAssistservice.
Nominum'sredirectionURLsbeginwitheithersubscribers/assistorassist.
php,whichmatchestheNavAssistname.
Nominumswitchedfromtheformertothelatterforminthesummerof2010.
Nominumownsthetwoaddressrangesthisserviceuses.
PaxreexclusivelyprovidesDNSerrormonetizationservices[11].
TheyofferthreewaysinwhichISPsmayimplementtheredirection:(i)anin-pathhardwarede-vicethatrewritesDNSreplies,(ii)asoftwaremoduleforvariousDNSresolvers,and(iii)ahostedDNSser-vice.
Theirserviceoperatesonarevenue-sharingbasis.
Paxre,forunknownreasons,employsanobfuscatedJavaScript-onlyredirection.
Theobfuscationusescon-catenationofstaticstringstoproducearedirectiontargetURLthatitplacesintodocument.
location.
Moststringsneverchange,whichallowsustoeasilyrecognizethePaxreredirector.
TheyprovidealocalredirectionserverforVersatelandplaceothersinsevendifferentsubnets.
Thesesub-netsareinaddressrangeswithnoidentifyingWHOISorreverseDNSinformation.
Weconrmedtheredirectionpagesignaturebyqueryingthedemonstrationserverswediscoveredduringourinvestigationofsearch-engineproxying(§6).
Paxreofferstwoopt-outsforISPs.
TherstusesastandardwhitelistofIPaddresses.
ThesecondemploysanHTTPcookieontheadserver'sdomain.
Thiscookieopt-outisctional:therewritercontinuestomaskthecustomer'snameerrors,buttheadservernowreturnsHTMLcontentmatchingthedefaulterrorpageoftheuser'sbrowser.
Xerocole[14]previouslyrealizedSandvine'sDNSwildcardingproduct[13]andspecializesentirelyinDNSerrormonetization.
ItspunofffromSandvineinthesummerof2010.
XerocoleprovidesaDNSserverproxythatexistsbetweentheresolverandthecustomers.
TheirinitialredirectionusedApacheserversusingHTTP-level302redirects.
Inthefallof2010theyswitchedredirectionserverstoNginx.
Theseserversreturnacompressedpagewithanin-pagemetarefreshandJavaScript.
TheydeployredirectionserversinTimeWarner'snetworkbutallotherserversareinvesubnets,threeofwhichareregisteredtoSandvineorXerocole.
Xerocole'sapplianceofferstwooptionsforhandlingDNSSEC.
TherstsuppressesNXDOMAINwildcard-ingifthequeryrequestedDNSSECinformationandthesendersignedtheresponse.
ThesecondsimplyreturnsarewrittenNXDOMAINwithoutasignatureandassumesthatclientswillnotactuallyvalidateDNSSEC.
REWRITINGREDIRECTIONVENDORRULEMECHANISMBarefruitallMeta&JavaScriptFASTSearchwww302redirectInfospacewww302redirectNominumwww302redirectPaxreallJavaScriptXerocolewwwMeta&JavaScriptTable1:Monetizationproviders,theirdefaultrewritingpolicies,andtheiremployedredirectionmechanisms.
NonISP-relatedproviders.
WeobservedtwoclassesofmonetizationnotrelatedtoISPs.
First,voluntarythird-partyDNSproviderssuchasOpenDNS[10]useDNSerrormonetizationastheirpri-maryrevenuestream.
OpenDNS'sredirectionserversissueanHTTP302redirect.
ThewildcardingcoversnotjustNXDOMAINerrorsbutalsoSERVFAIL.
ItwillevencreateIPv4addresstotheirredirectionserverforvalidnameslackinganIPv4address,causingsubstan-tialproblemstoIPv6-onlyservices,asmostclientswillqueryforbothIPv4andIPv6recordssimultaneously.
Second,D-LinkhomegatewaysincludeDNSerrormonetizationintheir"AdvancedDNSService"[3].
Thisservicesetstheuser'sDNSresolveraddresstoD-Link-brandedOpenDNSserversandsuffersfromthesameoverlyaggressivewildcarding.
WedonotknowwhetherD-Linkenablesthisservicebydefault.
Table1summarizestheproviders'defaultchoicesfornamerewritingandredirectionmechanism.
5ISPUsageofErrorMonetizationWorld-wideprevalence.
WeexaminedtheadoptionofNXDOMAINwildcardinginallcountriesforwhichourNetalyzrdatasetcontainsover1,000sessionsfromusersrelyingonISP-providedresolvers.
Mostmonetiza-tionoccursinItaly(40%),theUS(33%),Brazil(33%),Argentina(27%),Germany(25%),andAustria(20%).
TheUK(18%),Canada(15%),andSpain(12%)oc-cupythemediumrange.
ISPsinAustralia,Belgium,Finland,France,Israel,Lithuania,NewZealand,Nor-way,Poland,Russia,Sweden,andSwitzerlanddonotcommonlyuseDNSerrormonetization:thesecountrieshavewildcardingadoptionratesbelow10%.
MajorISPs.
Foreachofthe15ISPsmostprevalentinourNetalyzrdatasetandforwhichNetalyzr'stestsde-tectedwildcarding,weexaminedtheISPs'redirectionpolicy,choiceofmonetizationproviderovertime,opt-outmechanism,andthefractionofNetalyzruserswhohaveoptedoutoftheredirection.
ForfourISPswecouldnotobservethesearchresultspageontheadserverasitisonlyavailabletotheseISPs'customers.
Wecon-siderusersopted-outiftheirsessionsshownoevidenceofwildcardingbutdoemployanISP-operatedresolver.
MONETIZATIONREWRITING—USEROPT-OUT—ISP#SESSIONSCOUNTRYPROVIDERRULEMECHANISM%RATEAliceDSL3,761DE(AOL)wwwAccountSetting25BrazilTelecom569BRwww2Charter2,241USPaxre→XerocolewwwAccountSetting34Comcast17,362USFASTwwwAccountSetting27Cox2,633USBarefruitallAccountSetting18DeutscheTelekom12,671DEallAccountSetting30OptimumOnline1,210USInfospacewwwAccountSetting15Oi657BRBarefruitallCookie25Qwest1,542USBarefruitallAccountSetting33RogersCablesystems1,197CAPaxreallCookie4TelecomItalia1,429ITall33TimeWarner7,287USXerocole→FASTwwwAccountSetting20UPC964NLInfospace→Nominumwww5Verizon4,751USPaxrewwwResolverChange9VirginMedia1,890UKNominumwww28Table2:The15DNS-monetizingISPsmostprevalentinourNetalyzrdataset,theirmonetizationproviders,andmonetizationdetails.
"→"indicatesaproviderswitch,""ISP-internalrealizationofthemonetizationservice.
Table2summarizesourndings.
Atleast8ofthe15ISPsimplementopt-outviaauseraccountsetting.
Aswearenotcustomers,wecannotuniversallyverifytheirreliability.
OiandRogersap-peartoemployHTTPcookies,andVerizonrequiresitsuserstochangetheirresolvercongurationmanually.
Wenotethatdistinguishingopted-outusersfrompartialwildcardingdeploymentwithinanISPisdifcult.
Thusouropt-outnumbersmaybeanupperbound.
WeobservemonetizationproviderswitchesinChar-ter(October2010),TimeWarner(March2010),andUPC(October2010),suggestinglowbarrierstoswitch-ing.
Theswitch-oversmaybegradual,overamonthortwo.
Indeed,Netalyzrcaptured30sessionsbyChar-tercustomersindicatingCharterusedXerocoletowild-cardwww-prexeddomains,andPaxreforallothers.
Thissuggeststhateitherdifferentresolversuseddiffer-entmonetizationproviders,orthatCharterplacedtheXerocolerewriterbeforePaxre'sexistingone.
ISPssometimesoverridemonetizationproviderde-faults.
Verizonseekstoreducecollateraldamagebyap-plyingPaxreonlytowwwnames,whiletwosmallerISPs(Kcom,usingInfospace,andMaxonline,aXero-colecustomer)overridethedefaultstowildcardingofallfailingnames.
Severalnon-USISPsappeartoemploytheirownsys-tems,showingdistinctredirectionservercontent.
Al-iceDSLmayhavedevelopedtheirsinconjunctionwithAOL.
Aliceusesadistinctredirectionpageandmostredirectionserversresideintheiraddressrange.
Wedis-coveredasinglelandingpageservedfromoutsideofAl-iceDSL'snetwork.
ItsserverresidesinAOLspaceandredirectstoanunbrandedAOLsearchpage.
TheotherserversredirecttoAlice-brandedAOLsearchpages.
6Paxre'sSearch-EngineProxyingWepreviouslyreported[8]thatsomeISPsredirectallWebsearchtrafcofpartsoftheircustomerbasethroughproxyserversofunknownpurposeandowner-ship,signicantlytransgressingthecommonerror-basedredirectionmodel.
Zhangetal.
[15]independentlyob-servedthesameeffects.
Wecannowprovidemorein-sightintothephenomenon.
TheaffectedISPsredirectallwebsearchesthataffectedcustomerssendtowww.
bing.
com,www.
google.
com,andsearch.
yahoo.
comviaunrelatedHTTPproxiesthatseeminglydonotalterthecontent.
TheseproxiesredirectHTTPSconnectionstoanyofthethreesearchsitestohttps://www.
google.
com.
3BysendingHTTPrequestsdirectlytotheproxies,weidenti-edthemasSquidproxies.
DeliberatelyinvalidHTTPrequestsyieldHTMLcontentmentioningphishing-warning-site.
com,ananonymouslyregistereddomainparkedatGoDaddy.
InstancesinwhichtheproxieshaveerroneouslyreturnedthisresponsetolegitimaterequestshavetriggeredISPcustomerdiscussionsinonlineforums,whosepuzzledparticipantspostedreports`ala"Googleisdown"andwonderedaboutthedomain'sinvolvement[12].
Atleast12ISPssupportinthissearch-engineproxy-ing:Cavalier,Cogent,DirecPC,Frontier,Fuse,IBBS,4InsightBroadband,Megapath,Paetec,RCN,WideOpenWestandXOCommunications.
Thesubsetofcustomers3TheHTTPSprotocolperformsthekeyexchangebeforetheHosteldisrevealed,forcingtheproxytostaticallydecidewheretorouteencryptedtrafc.
TheproxiescansafelyproxytheencryptedtrafcasonlyGoogleusesHTTPS-basedservicesonthesearchdomain.
4IBBSprovidesDNSandothersupportservicestosmallISPs.
ItisunclearwhethertheseISPsareawareoftheredirection.
affectedvariesfromtemporallocalizeddeploymentstoalmosttheentirecustomerbase.
Charterusedtheser-viceinthepastbutappearstodiscontinuethispracticeastheyswitchNXDOMAINvendors,whileIowaTele-comusedituntilWindstreamacquiredthem.
Theredirectorsalwayssendsearch.
yahoo.
comandwww.
bing.
comtoISP-specicIPaddressesintwoaddressranges.
5www.
google.
com'streatmentvariesamongredirectionthroughPaxreproxies(e.
g.
Fuse),redirectionviain-houseproxies(e.
g.
DirecPC,Frontier,andWideOpenWest),andnoredirection(e.
g.
CharterandCogent).
AfterWHOIS,traceroute,andpassiveDNSanalysesprovedinconclusive,wescannedtheproxies'IPaddressneighborhoodsforHTTPproxiesanddiscoveredthattheycontainseveralNXDOMAINredirectionservers,includingPaxre'sdemonstrationserversandanotherSquidproxywedidnotobserveinourNetalyzrses-sions.
6WealsobeganworkingwiththeEFFduringthisprocess.
Theywereabletoprovideindependentconr-mationthatPaxrewasresponsibleforthisbehavior.
Paxre'ssearch-engineproxyingisnotmandatory,sinceVerizonusesPaxrebutexhibitsonlyNXDO-MAINwildcarding.
Weruleoutperformancereasonsfortheredirection:notonlyaresearchresultspoorlycacheable,thesmallnumberofproxiesalsointroducesafailurepointthatcannotcomeneartheuptimeoftheactualsearchengines'servers.
WesuspectthatPaxreharvestsusersearchbehaviorforcommercialpurposesyieldingrevenuetheysharewithparticipatingISPs.
7FinalThoughtsApotentialrevenueincreaseof1–3USDpercustomerperyear[14]hasresultedinafar-reachingchangetotheworkingsofoneoftheInternet'scoreprotocols.
OuranalysisofthewaymajorISPsinvolvethe6toperrortrafcmonetizationprovidersincentralpartsoftheirtechnicalinfrastructuredemonstratesthatISPsareclearlywillingtoexperimentinthisspace,sometimesevenreroutingsubstantialvolumesoferror-unrelatedtrafcthroughtheseproviders.
DNSlikelywillnotbetheendofit:Barefruitclaimstoofferservicestomon-etizeHTTP404errorsbyrewritingthemtoadserverredirection.
XerocolealsoimpliesthatitoffersthesetoolsintheirdiscussionofDNSSEC.
Wehavealsoob-servedpubliccomplaintsaboutISPsdeployingresolver-independentin-pathNXDOMAINrewriting,whichpre-ventscustomersfromavoidinginterferencebyusingathird-partyresolver.
58.
15.
228.
128/25,partofalargeLevel3block,and69.
25.
212.
0/25,registeredtoAlmarNetworksLLC,aNevadashellcompany.
6Demonstrationservers:8.
15.
228.
241-248,additionalproxy:8.
15.
228.
249.
WehaverecentlyaugmentedNetalyzr'stestsuitetodetectsuchmanipulations.
PreliminaryresultsshowatleastoneISP(Mediacom,incooperationwithInfos-pace)andsomeLinksysNATsperforming404rewrit-ing.
Wehavenotyetobservedanysignicantin-pathNXDOMAINrewriting,butwehaveobservedNATsredirectingallDNSrequeststhroughtheirconguredre-cursiveresolver,whichcreatestheappearanceofin-pathNXDOMAINrewriting[4].
8AcknowledgmentsAsalways,wearedeeplygratefultoourNetalyzrusersforenablingthisstudy.
WeareparticularlygratefultoPeterEckersleyattheEFF.
WethankAmazonforsup-portingourEC2deploymentandacknowledgesupportbytheNationalScienceFoundationundergrantsNSFCNS-0722035,NSF-0433702,andCNS-0905631,withadditionalsupportfromGoogleandComcast.
References[1]BAREFRUIT.
TheBarefruitSolution.
http://www.
barefruit.
com/.
[2]CREIGHTON,T.
,GRIFFITHS,C.
,LIVINGOOD,J.
,ANDWE-BER,R.
DNSRedirectUsebyServiceProviders.
InternetDraftdraft-livingood-dns-redirect-03.
[3]D-LINK.
AdvancedDNS.
http://www.
dlink.
com/support/faqDetail/prod_id=3383&print=1.
[4]PublicDNSDiscuss:Listenon5353toohttp://groups.
google.
com/group/public-dns-discuss/browse_thread/thread/31fa7260772ace32hl=en.
[5]ICANNSECURITYANDSTABILITYADVISORYCOMMITTEE.
SAC032:PreliminaryReportonDNSResponseModication.
[6]INFOSPACE.
DNSErrorAssistService.
http://www.
infospaceinc.
com/business/hp_dnserrorassistservice.
aspx.
[7]IOACTIVE.
EntireWebatRisk:EarthlinkandVerizonAdver-tisingSecurityRevealed.
http://www.
ioactive.
com/news-events/KaminskyEarthlinkPR.
html.
[8]KREIBICH,C.
,WEAVER,N.
,NECHAEV,B.
,ANDPAXSON,V.
Netalyzr:Illuminatingtheedgenetwork.
InProc.
ACMIMC(Melbourne,Australia,Nov.
2010).
[9]NOMINUM.
VantioNXR.
http://www.
nominum.
com/what-we-do/software-systems/vantio-nxr.
[10]OPENDNS.
DNSBasedWebSecurity.
http://www.
opendns.
com/.
[11]PAXFIRE.
GeneratingNewRevenueforNetworkOperators.
http://www.
paxfire.
com/.
[12]PUREZERO.
GoogleSupport:Can'tResolveGoogleThroughmyISP.
http://www.
google.
com/support/forum/p/Web+Search/threadtid=5c10868a8217917d&hl=en.
[13]SANDVINE.
SearchGuide.
http://www.
sandvine.
com/downloads/documents/sandvine_search_guide.
pdf.
[14]XEROCOLE.
Solutions.
http://www.
xerocole.
com/solutions/.
[15]ZHANG,C.
,HUANG,C.
,ROSS,K.
,MALTZ,D.
,ANDLI,J.
In-ightModicationsofContent:WhoaretheCulpritsInWork-shopofLarge-ScaleExploitsandEmergingThreats(LEET'11)(2011).