Schneier on Security

A blog covering security and security technology.

« Reverse-Engineering Exploits from Patches | Main | Designing Processors to Support Hacking »

April 24, 2008

Hacking ISP Error Pages

This is a big deal:

At issue is a growing trend in which ISPs subvert the Domain Name System, or DNS, which translates website names into numeric addresses.
When users visit a website like Wired.com, the DNS system maps the domain name into an IP address such as 72.246.49.48. But if a particular site does not exist, the DNS server tells the browser that there's no such listing and a simple error message should be displayed.

But starting in August 2006, Earthlink instead intercepts that Non-Existent Domain (NXDOMAIN) response and sends the IP address of ad-partner Barefruit's server as the answer. When the browser visits that page, the user sees a list of suggestions for what site the user might have actually wanted, along with a search box and Yahoo ads.

The rub comes when a user is asking for a nonexistent subdomain of a real website, such as http://webmale.google.com, where the subdomain webmale doesn't exist (unlike, say, mail in mail.google.com). In this case, the Earthlink/Barefruit ads appear in the browser, while the title bar suggests that it's the official Google site.

As a result, all those subdomains are only as secure as Barefruit's servers, which turned out to be not very secure at all. Barefruit neglected basic web programming techniques, making its servers vulnerable to a malicious JavaScript attack. That meant hackers could have crafted special links to unused subdomains of legitimate websites that, when visited, would serve any content the attacker wanted.

The hacker could, for example, send spam e-mails to Earthlink subscribers with a link to a webpage on money.paypal.com. Visiting that link would take the victim to the hacker's site, and it would look as though they were on a real PayPal page.

Kaminsky demonstrated the vulnerability by finding a way to insert a YouTube video from 80s pop star Rick Astley into Facebook and PayPal domains. But a black hat hacker could instead embed a password-stealing Trojan. The attack might also allow hackers to pretend to be a logged-in user, or to send e-mails and add friends to a Facebook account.

Earthlink isn't alone in substituting ad pages for error messages, according to Kaminsky, who has seen similar behavior from other major ISPs including Verizon, Time Warner, Comcast and Qwest.

Another article.

Posted on April 24, 2008 at 6:43 AM • 41 Comments

To receive these entries once a month by e-mail, sign up for the Crypto-Gram Newsletter.

Comments

Sean • April 24, 2008 7:27 AM

I've seen this is the UK on AOL and Claranet.

D • April 24, 2008 7:38 AM

Time warner started doing the same thing a while back. They do give you an option to opt out, which is tracked by IP I believe, but they do not advertise it very well.

Anonymous • April 24, 2008 7:53 AM

Just another reason to be running your own cache. While these days the ISPs are delibrately subverting things, in the past their caches were vulnerable to poisoning.
Until they start putting in transparent DNS proxies, running your own caching name server will save you some grief.

Matthew Schinckel • April 24, 2008 7:58 AM

@Anonymous

But who, other than us nerds, is able to actually keep something like a transparent proxy working. I wouldn't encourage my Mum to have one on her net connection. It's much easier to just point her router's DNS at a better one.

Carlo Graziani • April 24, 2008 8:04 AM

"Kaminsky demonstrated the vulnerability by finding a way to insert a YouTube video from 80s pop star Rick Astley into Facebook and PayPal domains."

I like the idea of Rickrolling as a vulnerability demo. Financially harmless yet psyche-scarring, it's a good way to drive home the "you've been had".

Dima • April 24, 2008 8:06 AM

Network Solutions (or was it Verisign?) tried to pull this trick on all of us about 5 years back.

Gordon • April 24, 2008 8:14 AM

Verizon does this, and it pisses me off. I'm used to typing something in the FireFox address bar and getting an I'm-feeling-lucky search.

This is completely aside from the issues that lack of an NXDOMAIN cause for spam filtering. Verizon has a page that supposedly lets you disable it, but when I checked all the links on it were 404 (they're fixed now, but basically they told you to use a different DNS, so I did).

Anonymous • April 24, 2008 8:23 AM

A home user wouldn't want to run a transparent proxy. They can run a caching resolver that starts at the root and works downward. Then they don't need to use anyone else's resolver.
However ISPs may want to use transparent proxies to allow them to keep pulling the same shennagins they do now to make extra money.

Shachar Shemesh • April 24, 2008 8:40 AM

Maybe this is good after all.

At the moment, Google keeps most of its cookies so that they are sent to all subdomains of Google. They do this so they can track your identity as you move through the various Google services. This is also the reason that gmail is read through "mail.google.com", and not "gmail.com".

But if this practice becomes a problem, so does google's practice. Maybe this problem will negate the other one.

Shachar

Rajiv • April 24, 2008 8:56 AM

Domain names are valuable intellectual property to their owners. I believe that a case could be made that an ISP returning a different page for someone else's domain is infringment and theft.

bob • April 24, 2008 9:05 AM

Im glad this has finally caught public attention it has been bugging me for quite a while.

Andy • April 24, 2008 9:07 AM

Why doesn't the target domain return a redirect URL for undefined names within their domain? Ask for "webmale.google.com" and get "www.google.com" back. They can be arbitrarily simple or smart - "music.retailer.com" could take you to the home page or to the music offerings. This puts the control back into the hands of the domain owner. It would also allow "foo.com" to work for as an alias for "www.foo.com" for those lazy typists among us.

Dave • April 24, 2008 9:08 AM

I know that TalkTalk in the UK also do this and what's worse is that you are redirected to the ad-laden page (which means you can't just fix the one-letter typo anymore, you have to re-type the entire domain) and the ad-laden page is horrendously slow.

Of course, I changed my DNS servers and I'm no longer with TalkTalk but this is a scary problem.

Shouldn't there be some legislation about returning inaccurate results to DNS requests ?
There isn't much of a conceptual difference between hijacking mail.google.com and hijacking webmail.google.com. The only difference is that Google have decided that one of them should return NXDOMAIN and the other should return an IP address.

Anonymous • April 24, 2008 9:14 AM

This is the reason why I do not let my ISP resolve the DNS lookup. Instead I use an outside firm in another place and time continuum to do the task.

Trevor Stone • April 24, 2008 9:20 AM

What do these ad sites do in response to non-http traffic? If the ad site was malicious (or compromised) and someone misspells the name of a domain the first time they SSH to it (or if they ignore the warning that they haven't connected before), they could divulge their username and password.

bob • April 24, 2008 9:21 AM

As long as the ISPs dont mind accepting financial liability for the damage they cause; plus lost time and underwriting lost identities incurred when they usurp the 404 mission, its fine with me. I know I never signed a waiver for them to redirect me to their choice of site when I mistyupe something. If they send me to a malware site, they can take some of the revenues they gain through their negligent greed and share it with me to reimburse me for my suffering.

I bet a couple of $M+ lawsuit settlements would quickly put this back the way God and DARPA intended.

Capt. Jean-Luc Pikachu • April 24, 2008 9:29 AM

Verizon lets you "opt out". Figure out what DNS servers you're automagically assigned, then change both so that the last 12 is a 14.

derf • April 24, 2008 9:34 AM

This basically comes down to a problem of choice. If we actually had competition, the company promising not to do this (and keeping that promise) would get all of the business, even if it cost a few cents more per month. Yet because the marketplace can only hold so many ISPs (due to monopoly and expiration of the access agreements that let smaller ISPs have access to the cable plant at reasonable prices) our only choices (in the US) for "high speed" are the phone company DSL (likely AT&T) or the local wired cable television network. In many locations, only one of the two is available.

Competition is a good thing, but monopolies don't see it that way.

Kadin2048 • April 24, 2008 9:58 AM

> What do these ad sites do in response to non-http traffic?

The issue is on the DNS level, it's not in any way specific to HTTP traffic.

If you have an ISP that is hijacking like this, you can test it using the "nslookup" or "host" utilities (Windows and modern Linux distros, respectively). You can type in any bogus domain name you want, and instead of getting a NXDOMAIN, you'll get an A record that corresponds to the advertising server.

So basically, if you're trying to connect via SSH (or some other non-HTTP protocol) and mistype the address, rather than just getting a DNS error, you'll try to connect to the ISP advertising server. What happens at that point depends on how the server is configured; I expect you'll get a 'connection refused' message.

This idea was crap when Verisign tried to pull it a few years ago, it's crap when OpenDNS does it, and it's crap when ISPs do it. Unfortunately, until it's made illegal, I think we'll see people continuing to try it. It's just too lucrative a revenue source; it doesn't matter if it breaks all sorts of software, if it makes them a few quick bucks they're going to do it if they're allowed.

Personally I use the OpenNIC alternate-root nameservers for DNS resolution, and they've been working well for me. It's most of the good things that you can say about OpenDNS, but without wildcarding/typosquatting. They also have a few TLDs that don't exist in the IANA root, which might be good or bad depending on your point of view. I just ignore them, mostly.

Peter Pearson • April 24, 2008 9:59 AM

Three posters have mentioned getting better DNS, but nobody says where. C'mon, guys; share the good news.

Leon Avalos • April 24, 2008 10:10 AM

Paeniteo • April 24, 2008 10:10 AM

Well, I use this for my *own* domains all the time. No matter what subdomain you ask, you will get a valid IP.

If you use HTTP and try a non-existing subdomain, a default virtual host will inform you about this problem. Btw, you wouldn't believe how many people think that host names must start with "www."...
For non-HTTP protocols, you get whatever listens at that port, as hostnames do not matter there.

I originally set this up so that I could conveniently add subdomains (which mostly redirect to subdirectories of the primary website) by only changing Apache configuration.
Now it turns out that my setup even has security benefits ;-D

FDHY • April 24, 2008 10:20 AM

I use Verizon and it's annoying because it's not only for an unknown subdomain but also for when they're having network issues and cannot bring up reliable sites like google.com... Badness... Make it stop!

anonymous • April 24, 2008 10:21 AM

Just thinking aloud. But an interesting if nerdy piece of research would be to query two of a list of different DNS's and compare the results. There'd be some devil in the details but vastly different IPs could be rejected.

You could monitor when your ISP was playing games with you.

Put this in a client and provide feedback to a central site to monitor whos playing games and bring it more out in the open.

skymt • April 24, 2008 10:52 AM

@ Peter Pearson (and anyone else who wants a better DNS server)

Try 4.2.2.1-4.2.2.6. They're run by Level 3 and are quite fast. I've had response times as low as 11 ms.

I also recommend a caching DNS server for high-traffic periods. pdnsd is easy to set up, if you happen to have a Unix box available.

Boogle • April 24, 2008 11:00 AM

I use TimeWarner for me it only returns ads on bad domains & TLD (ie www.gggooooglleee.com. / www.google.edu) but gives me a 404 on bad subdomains (pay.google.com.)
I had never seen the opt out untill I went looking for it after reading this article. I have not yet determined how it tracks prefrences

Pawned! • April 24, 2008 11:03 AM

Well I'm very happy with OpenDNS and it's features, as well as DNS-Omatic for Keeping my no-ip addresses updated.

Infosponge • April 24, 2008 12:16 PM

ISPs are taking such a huge interest in manipulating data in transit, regardless of the ethics or security risks, that this kind of problem isn't going to go away without legislation.

The market can't solve this problem because limited choices for last mile connectivity (phone or cable) mean most ISPs are essentially monopolies.

We need a dumb pipe act to obligate all network providers to pass IP payloads verbatim. Anything less than this and it's only a matter of time until every protocol and connection is subject to inappropriate monetization.

tk. • April 24, 2008 12:43 PM

OpenDNS is a really solid alternative, except that I was having some seriously bizarre issues (lookups failing in odd ways, lookup speed getting very slow) with Comcast a couple of months after I set OpenDNS as my only DNS server on my wireless router.

lol • April 24, 2008 1:04 PM

Googler matt cutts probably wouldn't think that this is cool....
http://www.mattcutts.com/blog/...

But... they do this themselves via their toolbar:
http://seoker.com/2008/02/11/...

Whether it is a "hacker" or a search engine, control of your computer is based on understanding your computer and the intent of both the "do no evil" (right) and evil doers.

Grant • April 24, 2008 1:14 PM

There's also a post at Perimeter Grid about how Kaminsky's script works, and how it could be used to carry out an actual attack.

This is a great example of how the lack of "net neutrality" does more than just give larger, paying websites a "fast lane" -- it also puts all of us at risk by making our own ISPs hostile.

skymt • April 24, 2008 1:56 PM

For what it's worth, OpenDNS also hijacks error pages by default. They also invisibly return one of their own servers for lookups of google.com:

http://forums.opendns.com/comments.php?...
http://blog.opendns.com/2007/05/22/...

Both are features you can opt out of. On the other hand, almost all ISPs let you opt out of their DNS hijacking, so there doesn't seem to be any real advantage to switching to OpenDNS, at least in this context.

John Ridley • April 24, 2008 2:05 PM

Charter Communications does it too. It prompted me to set up my router (which runs dd-wrt) to use OpenDNS instead.

As has been mentioned though, OpenDNS does the same damn thing; instead of returning domain not found or something, I get redirected to guide.opendns.com and what look like google results. Better than my ISP's behavior but still not as good as getting the proper error back.

xd0s • April 24, 2008 4:33 PM

@infosponge

"We need a dumb pipe act to obligate all network providers to pass IP payloads verbatim. Anything less than this and it's only a matter of time until every protocol and connection is subject to *inappropriate monetization*."
(emphasis added by me)

What exactly is inappropriate monetization? A legal term? A moral stance? A technical ideal?

I'm all for net neutrality and pipes being pipes, but how does one go about identifying appropriate vs inappropriate monetization of these things? Let alone how does one enforce it?

From the discussion here (I have not done much research on it yet) it appears that this behavior is common and frequently able to opted out of if you choose to. So independant of the bad security at the Ad Hosting site and some mucking with how they present the resulting page as a child domain vs a separate domain (I think I got that right), what is the great offense to net neutrality that they did?

I'm not trying to defend them as much as understand why this is a net neutrality issue. Would it be ok if they presented the hosting page's domain correctly and included a link to the "real" result page?

Anonymous • April 24, 2008 6:25 PM

I'm surprised that only Rajiv brought up the infringement issue. I'm sure many domain names are trademarked and hijacking nonexistent subdomains sure looks like trademark infringement to me. Of course, I am not a lawyer. I don't even play one on TV.

Otto Defey • April 24, 2008 8:03 PM

It's not only misspellings that Earthlink is harvesting. We commonly omit the initially "www." from a site name, and that almost always works. When I tried "oup.com/us" I got the infernal page of useless suggestions. I retried with "www.oup.com/us", and that got me what I wanted. Thanks for the helpful service, Earthlink.

Colossal Squid • April 25, 2008 5:06 AM

"I'm sure many domain names are trademarked and hijacking nonexistent subdomains sure looks like trademark infringement to me."

Since the sub-domains don't actually exist, how can the trademark be infringed?
Here's the relevant UK law:
The Trade Marks Act 1994 states that "a person infringes a registered trade mark if he uses in the course of trade a sign which is identical with the trade mark in relation to goods or services which are identical with those for which it is registered" (section 10(1) of the Act). A person may also infringe a registered trade mark where the sign is similar and the goods or services are similar to those for which the mark is registered and there is a likelihood of confusion on the part of the public as a result (section 10(2)).

A person also infringes a registered trade mark where a sign is identical but the goods are dissimilar if the trade mark has a reputation in the UK and its use takes unfair advantage of, or is detrimental to, the mark’s distinctive character or reputation (section 10(3)).

Looking at it, you might be able to make a case based on Section 10(3), but it seems a bit of a stretch.

IANAL etc.

@Rajiv
"I believe that a case could be made that an ISP returning a different page for someone else's domain is infringment and theft."

Can you explain what has been 'stolen' here?

roystgnr • April 25, 2008 3:49 PM

"What exactly is inappropriate monetization?"

It's a poorly chosen phrase to describe a very important idea. On the one hand, calling wire fraud "inappropriate" is an incredible understatement, and "monetization" is a red herring when discussing fraud which would be wrong whether done for financial reasons, political or personal reasons, or just for laughs.

On the other hand, the internet works at all only so far as we can trust our ISPs to give us the unedited packets that other users send us, to give us accurate replies to our requests for the services like DNS that they provide, and to never fraudulently impersonate other users. Man-in-the-middle attacks on our network connections are immoral and are supposed to be illegal, even if the attacker is being paid (or perhaps especially if the attacker is being paid) to provide those connections.

argv • August 5, 2009 5:24 AM

I think once one becomes aware of how much income this practice generates (I for one am amazed- it is huge), then this all makes sense.

It has been going on for many years (see Net Sol reference above). Everyone is in the game- they are only human and I suspect the temptation for financial gain is too great- from registrars to browser companies to search engine companies to ISP's to DNS alternative providers to all types of crafty individuals. They are all taking part.

The problem (if there is one) is twofold:
1. DNS (vs /etc/hosts) is not needed; the conditions of 30 yrs ago have changed; GB's for under $1; see above local cache suggestion- /etc/hosts is a digital 'phonebook' and it could easily be centrally distributed as a single file in a secure way); IP addresses do not have to be like shifting sands, updated by the minute- imagine if phone numbers were like that. Imagine if everytime you dialled a wrong number it was redirected to a call center where someone was waiting to try to sell you something to point you to other sellers.

2. Users are too 'dumb' (i.e., unwilling to take an interest in learning about this; they can't stop impulse clicking on screen areas and typing mindlessly into their browser address bars; they fail to see that the internet is similar to telephony: it operates by numbers- IP addresses are no longer than phone numbers, and no more difficult to remember, if typing them out). I still am amazed that users type directly in their address bars (and of course make mistakes) to find sites. Firefox and Google certainly are not trying to stop this.

The money is steadily coming in from the advertisers. It's 99% of Google's income. And from that income comes the imcome of many of the above parties mentioned. All dependent on each other- trickle down. Having 'dumb' users just encourages this to continue. There is no reason anyone (except consumers perhaps) might want to change the situation. It is a cash cow.

Maybe it's unfortunate that we have to endure more DNS follies because by being faulty the system brings in even more ad income. But I doubt those profiting from it would think so.

There's a reason I put 'dumb' in quotes. Users are not dumb; they are actually smarter than we are: what they don't know won't bother them. And they certainly don't concern themselves with DNS. The more one knows about DNS the more annoying it is.

argv • August 7, 2009 2:22 AM

In short:
- do your own lookups
- on your own local cache

Every home user can do this.

There are speed and reliability gains, and all 'problems' identified here would be solved. And there's another 'problem' that has not been mentioned which would be eliminated, relating to privacy. That is, the infamous "DNS leaks" problem.

Using an external DNS provider is like dialling 'directory assistance' every time one wants to make a 'call', despite that one can easily obtain a copy of the 'telephone directory' and keep it near the phone. And in this case, thanks to technology, the later method is actually faster, and no more less convenient.

Key to telepony metaphor:
'directory assistance' = a DNS service
'call' = access a resource via HTTP
'telephone directory' = a DNS cache

There is software to do this (run a local cache) that is simple, open source and free. All you have to do is open your mind, stop thinking in terms of the anti-/etc/hosts, DNS paradigm and have a look. It's been right there all along.

For PC users, here no need to argue the merits of DNS. Sending UDP packets to some foreign server's DNS port 53 every time one wants to 'make a call' is not necessary. All one needs is a copy of the 'telephone directory' (=all hostnames and corresponding IP's, i.e. a modern-day /etc/hosts). The only reason all PC users do not have this already is because we were sold on an alternative that was deemed necessary due in part to hadware constraints, and the usual obsessive compulsiveness about staying 'updated' things almost in realtime. For the non-tecnical user, the 'telephone directory' does not need to be updated every 5min. And having a searchable copy of the directory might encourage users to stick to 'trustworthy' sites, not some dodgy ones that hide their locations using a variety of tricks.

Well, that concludes my pitch for simplicity. I reckon this is a high traffic blog; I hope that maybe my comments get some people thinking outside the box (where 'the box' = the anti-/etc/hosts, DNS paradigm).

Dragon • December 24, 2011 8:43 AM

dont worry guys i will help u, how to remove malicious isp error in ur pc/lappy ....
Step:1 - search ComboFix and download/save software into ur pc/lappy .....
Step:2 - restart ur pc/lappy after run safe mode press F8 .....
Step:3 - run combofix this soft automatically remove ISP error malicious attacker link and .exe also ...... few minutes after if finish u will see log.text and u can read other deletion files lines in top position .... example see my deletion files ....

{(((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
d:\documents and settings\All Users\Application Data\TEMP
d:\documents and settings\All Users\Application Data\TEMP\D1B5B4F1.TMP
d:\documents and settings\Dragon\WINDOWS
d:\windows\kb913800.exe
d:\windows\system32\oobe\isperror
d:\windows\system32\oobe\isperror\ispcnerr.htm
d:\windows\system32\oobe\isperror\ispdtone.htm
d:\windows\system32\oobe\isperror\isphdshk.htm
d:\windows\system32\oobe\isperror\ispins.htm
d:\windows\system32\oobe\isperror\ispnoanw.htm
d:\windows\system32\oobe\isperror\isppberr.htm
d:\windows\system32\oobe\isperror\ispphbsy.htm
d:\windows\system32\oobe\isperror\ispsbusy.htm
)}

if finish combofix then restart ur pc/lappy after ur pc/lappy will work load fast browser 00.648 seconds in 27 queris .....

if u dont understand my english i say to sorry to u bcoz i am indian i will help little to all user normally ...

best regards
Lucky
Superiorz & Kings-Yahoo Staff

Post a comment

Schneier.com is a personal website. Opinions expressed are not necessarily those of BT.

Subscribe via Kindle

Blog Menu

Search

Powered by DuckDuckGo

Blog Home Page
100 Latest Comments

Archives by Date

2013 J F M A M
2012 J F M A M J J A S O N D
2011 J F M A M J J A S O N D
2010 J F M A M J J A S O N D
2009 J F M A M J J A S O N D
2008 J F M A M J J A S O N D
2007 J F M A M J J A S O N D
2006 J F M A M J J A S O N D
2005 J F M A M J J A S O N D
2004 J F M A M J J A S O N D