Slashdot Mirror


Major ISPs Injecting Ads, Vulnerabilities Into Web

Rebecca Bug writes "Several Web sites (Wired, eWEEK, The Washington Post) are reporting on Dan Kaminsky's Toorcon discussion of a serious security risk introduced when major ISPs serve ads on error pages. Kaminsky found that the advertising servers are impersonating, via DNS, hostnames within trademarked domains. 'We have determined that these injected servers are, in fact, vulnerable to cross-site scripting attacks. Since these servers are being injected into your trademarked domains, their vulnerability can be used to attack your users and your sites,' Kaminsky said, identifying EarthLink, Verizon and Qwest among the ISPs."

11 of 116 comments

  1. Re:Trademarked[tm](r)(c) Domains ? by Kjella · · Score: 2, Interesting

    Well, I'd say it's domains you can lay claim to by trademark, there's been cases where domain squatters have been forced to turn over domain names. That's generally been when the company has a unique name (i.e. not like apple) that the squatter is basically just blocking. In any case, I guess the point was just "big, important sites are being faked".

    --
    Live today, because you never know what tomorrow brings
  2. Only mildly illegal. by davolfman · · Score: 5, Interesting

    I can see doing this for nonexistent domains, but doing it for sub-domains is treading on very thin ice. When someone registers a domain they've been entitled to control over all the sub-domains and serving ads on their domain like this could very easily be argued as a major break of trademark law. It was a seriously braindead decision as suddenly it's no longer a victimless crime, and the victims may have the money to afford lawyers in this case.

    1. Re:Only mildly illegal. by Effugas · · Score: 3, Interesting

      I think it's an accident. It's actually tricky to differentiate nonexistent subdomains vs. unregistered domains; what's on the wire is the same, it's just which name server tells you something. See www.publicsuffix.org to see how hard this problem is.

      I'm pretty optimistic that, now that the issue's been identified, everyone will stop violating trademarks.

      --Dan
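Added example (not part of the thread or of Kaminsky's material): a resolver check that covers both cases named above, a nonexistent subdomain of a registered domain and an unregistered name directly under a TLD. It assumes that one address answering for random names under unrelated parents indicates NXDOMAIN rewriting, while a site's own wildcard answers only under its own domain; the parent names and the `probe_nxdomain_rewriting` helper are illustrative.

```python
import secrets
import socket

def system_resolve(name):
    """Ask the OS resolver (the ISP's, by default); return a set of IPs, empty if none."""
    try:
        infos = socket.getaddrinfo(name, 80, proto=socket.IPPROTO_TCP)
    except socket.gaierror:
        return set()
    return {info[4][0] for info in infos}

def random_label():
    # 24 random hex chars: a valid DNS label that nobody will have registered
    return "zz" + secrets.token_hex(12)

def probe_nxdomain_rewriting(parents, resolve=system_resolve, probes=3):
    """Resolve random names under each parent and compare the answers."""
    answers = {}
    for parent in parents:
        ips = set()
        for _ in range(probes):
            ips |= resolve(f"{random_label()}.{parent}")
        answers[parent] = ips
    resolving = [ips for ips in answers.values() if ips]
    # An address common to unrelated parents cannot be a site's own wildcard.
    shared = set.intersection(*resolving) if len(resolving) > 1 else set()
    if not resolving:
        verdict = "clean"
    elif shared:
        verdict = "rewriting"
    else:
        verdict = "wildcard-or-unknown"
    return {"verdict": verdict, "shared_ips": shared, "answers": answers}

if __name__ == "__main__":
    # Parents are assumptions: one registered domain and one bare TLD.
    print(probe_nxdomain_rewriting(["slashdot.org", "org"]))
```

A "wildcard-or-unknown" verdict means only one parent answered, which is what a legitimately configured wildcard record looks like from the client side.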

    2. Re:Only mildly illegal. by jchawk · · Score: 2, Interesting

      I'm not defending ad injection or DNS redirection by any means.

      However, if you are on one of these providers and they are hijacking mistyped subdomain traffic, you can regain control by using a wildcard DNS entry for your domain and handle this with a properly configured web server. I know Apache has supported this for some time now.

    3. Re:Only mildly illegal. by shmert · · Score: 3, Interesting

      I use Earthlink as ISP and phone service (note: I would not recommend this to any sane person who doesn't enjoy long phone conversations with tech support types).

      I assumed that the error pages at least had a 404 error code, but nope, they return a 200, with their own "helpful" content.

      Look at this crap:

      [twonky:~] sbarnum% curl -v "http://zzzslashdot.org"
      * About to connect() to zzzslashdot.org port 80 (#0)
      *   Trying 209.86.66.95... connected
      * Connected to zzzslashdot.org (209.86.66.95) port 80 (#0)
      > GET / HTTP/1.1
      > User-Agent: curl/7.16.3 (powerpc-apple-darwin8.0) libcurl/7.16.3 OpenSSL/0.9.7l zlib/1.2.3
      > Host: zzzslashdot.org
      > Accept: */*
      >
      < HTTP/1.1 200 OK
      < Date: Sun, 20 Apr 2008 05:13:54 GMT
      < Server: Apache
      < Content-Length: 774
      < Connection: close
      < Content-Type: text/html; charset=UTF-8
      <
      <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
      <html xmlns="http://www.w3.org/1999/xhtml">
      <head>
      <meta http-equiv="Content-Type" content="text/html; charset=UTF-8" />
      <noscript>
      <meta http-equiv="refresh" content="0;http://earthlink-help.com/main?AddInType=Bdns&Version=1.3.1el&FailureMode=1&ParticipantID=xj6e3468k634hy3945zg3zkhfn7zfgf6&ClientLocation=us&FailedURI=http%3A%2F%2Fzzzslashdot.org%2F"/>
      </noscript>
      <script type="text/javascript">
      window.location.replace("http://earthlink-help.com/main?AddInType=Bdns&Version=1.3.1el&FailureMode=1&ParticipantID=xj6e3468k634hy3945zg3zkhfn7zfgf6&ClientLocation=us&FailedURI=http%3A%2F%2Fzzzslashdot.org%2F");
      </script>
      </head>
      <body>
      </body>
      </html>
      * Closing connection #0

      --
      You drank my drink, you drunk!
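Added example (not part of the comment above): detection logic for the response pattern that curl session shows, a 200 for a name that should not exist whose body immediately bounces the browser to another host and echoes the requested URL in a query parameter. The sample is trimmed from that curl output; the `classify_response` helper and its field names are illustrative.

```python
import re
from urllib.parse import parse_qsl, urlsplit

# Sample input: trimmed from the curl output above (query string shortened).
SAMPLE = (
    "HTTP/1.1 200 OK\r\nServer: Apache\r\nContent-Type: text/html\r\n\r\n"
    '<html><head><noscript><meta http-equiv="refresh" content="0;'
    "http://earthlink-help.com/main?AddInType=Bdns"
    '&FailedURI=http%3A%2F%2Fzzzslashdot.org%2F"/></noscript>'
    '<script type="text/javascript">window.location.replace('
    '"http://earthlink-help.com/main?AddInType=Bdns'
    '&FailedURI=http%3A%2F%2Fzzzslashdot.org%2F");</script></head></html>'
)

# Client-side redirects: <meta http-equiv="refresh"> and location.replace/assign.
REDIRECTS = [
    re.compile(r'http-equiv=["\']refresh["\'][^>]*content=["\']\s*\d+\s*;\s*(?:url=)?([^"\']+)', re.I),
    re.compile(r'location\.(?:replace|assign)\(\s*["\']([^"\']+)', re.I),
]

def classify_response(requested_host, raw):
    """Flag a 200 whose body bounces to another host and echoes the requested URL."""
    requested_host = requested_host.lower()
    head, _, body = raw.partition("\r\n\r\n")
    status = int(head.split()[1])
    targets = {m.group(1) for rx in REDIRECTS for m in rx.finditer(body)}
    findings = []
    for url in sorted(targets):
        parts = urlsplit(url)
        if not parts.hostname or parts.hostname == requested_host:
            continue  # relative or same-host redirects are ordinary site behaviour
        # parse_qsl percent-decodes values, so an echoed URL is compared in clear
        echoed = [k for k, v in parse_qsl(parts.query)
                  if urlsplit(v).hostname == requested_host]
        findings.append({"redirect_host": parts.hostname, "echo_params": echoed})
    suspicious = status == 200 and any(f["echo_params"] for f in findings)
    return {"status": status, "suspicious": suspicious, "findings": findings}

if __name__ == "__main__":
    print(classify_response("zzzslashdot.org", SAMPLE))
```

The echoed parameter is also the reflected input worth reviewing on any such landing page, since the article summary reports these injected servers as vulnerable to cross-site scripting.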
  3. fix? by pavera · · Score: 4, Interesting

    Couldn't a company "fix" this by setting up wildcard DNS so that any "mistyped" URL will still get resolved by DNS, thus making this particular attack/injection by the ISPs impossible?

    Also, the company could display ads, or some other thing on THEIR DOMAIN, instead of letting the ISPs do this?

    Would this be horribly wrong if the companies themselves (ebay, paypal, etc) were displaying ad pages for subdomains?

    1. Re:fix? by Effugas · · Score: 2, Interesting

      If the attacker (the ISP!) is willing to replace NXDOMAIN, why not replace any name that isn't www? Or any name that returns a fixed 302? The precedent must be set.

  4. Hit it with the Copyright Stick by heretic108 · · Score: 4, Interesting

    This is one of those times when copyright has a profound moral benefit.

    Any site owners who don't want ads injected into their pages can place a copyright notice in small print at the bottom of each page, saying something like:

    Copyright is hereby granted to Internet Service Providers to deliver the content of this page verbatim as served by the HTTP server hosting this website. Any alteration to the content of this page is a breach of copyright which will incur legal action.

    It would take just a few site owners to add these notices and get injunctions served against any ISPs indulging in page-tampering, for ISPs to give up on the whole deal.

    --
    -- In the beginning was the WORD, and the WORD was UNSIGNED, and the main(){} was without form and void...
    1. Re:Hit it with the Copyright Stick by Guido+von+Guido · · Score: 2, Interesting

      I've been getting these damn DNS redirects for some domains that do exist. Let's say that I want to open a well-known site, such as www.slashdot.org. If the DNS response times out, then I get one of those domain parking sites.

      I know I'm not mistyping the domain name, because if I wait a bit and reload the browser window, then it comes up fine.

      Frankly, this happens way more than it should. The default config Rogers left my router with apparently has the router acting as a forwarding name server. In turn it apparently has only one nameserver. OpenDNS has started sounding a lot better.

  5. Doing their best to obsolete IPv4 by Anonymous Coward · · Score: 1, Interesting

    The end result of this lameness is that we're all going to switch to SSL for everything. Unless the ISPs are ready to roll with IPv6, traffic hijacking is self-defeating.

    Even our error pages validate as xhtml strict when they leave our servers. Any ISP injecting ads is fucking with our reputation and distributing an unauthorized derivative work. Oh, and the ad revenue is ours too!

  6. Re:This is NOT new by CSMatt · · Score: 3, Interesting

    Hmmm. I've seen a lot of these troll redirects recently. Is there a way that Slash can display the domain that the link is redirecting to instead of the domain of the link itself? So far all of these links have the redirected domain somewhere in the URL, which is how I've been able to avoid them.