Slashdot Mirror

← Back to Stories (view on slashdot.org)

Canadian ISP Hijacking DNS Lookup Errors

Posted by Soulskill on from the both-hands-in-the-cookie-jar dept.

Freshly Exhumed tips us to news that Canadian ISP Rogers Cable appears to be redirecting invalid DNS requests to their own search and advertising page. Roadrunner got caught doing the same thing earlier this year. According to the article, "The hijacking appears to be an attempt by Rogers to use its Deep Packet Inspection (DPI) technology to cash in on the mistakes of its users." Freshly Exhumed also reminds us, "As IOActive security researcher Dan Kaminsky has warned in the past, this presents a very serious security problem."

16 of 225 comments (clear)

  1. Good Grief by MightyMartian · · Score: 4, Interesting

    I know one problem it can cause is for a number of spam tests which look for the message coming from a legitimate domain. When the DNS server says "yup, that resolves" even when there's actually no domain, the test is defeated.

    --
    The world's burning. Moped Jesus spotted on I50. Details at 11.
    1. Re:Good Grief by PunkOfLinux · · Score: 4, Informative

      What the hell? Verizon is doing this now, too. Whenever I type in 'slashdot' in firefox, it just takes me to their useless search page, which is getting REALLY old now. I'm getting pretty disgusted now, and they should get it through their thick heads that if they're gonna charge us money for 'net access, they have NO right to make more money off of us by selling ads instead of allowing our browsers to function as expected.

      --
      Show this to your friends and family that don't know what a real hacker is
    2. Re:Good Grief by Anonymous Coward · · Score: 5, Informative

      Verizon has been doing this for a while. I read the Terms of Service, Acceptable Use Policy, etc. every time they update it. It's clearly there, disguised as a 'feature' called DNS Assistance.

      However, Verizon does have non-poisoned DNS servers which you can find in their Help pages, along with instructions for changing your machine's settings. http://netservices.verizon.net/portal/link/help/item&objId=23883

    3. Re:Good Grief by dosius · · Score: 5, Informative

      They tried to get me to use their poisoned servers, and as soon as I found out (btw, they DO report nxdomain, along with their error handling servers), I went back to the old ones.

      The poisoned ones were 68.237.161.12 (nsnyny01.verizon.net) and 71.250.0.12 (nsnwrk01.verizon.net), and the unpoisoned ones are 151.202.0.85 and 151.203.0.85.

      -uso.

      --
      What you hear in the ear, preach from the rooftop Matthew 10.27b
    4. Re:Good Grief by c_g_hills · · Score: 4, Informative

      Verizon's non-poisoned dns servers are vulnerable to the newly discovered dns vulnerability. Shout at them!

      151.202.0.85 is POOR: 26 queries in 2.1 seconds from 22 ports with std dev 19.03

      151.203.0.85 is POOR: 26 queries in 2.4 seconds from 22 ports with std dev 15.08

      Check for your self using `dig porttest.dns-oarc.net. in txt`

    5. Re:Good Grief by c_g_hills · · Score: 4, Funny

      According to Paul Vixie, Level3 operators have said that they plan to restrict access to these servers in future to customers only, so make sure you have an alternative available!

    6. Re:Good Grief by Anonymous Coward · · Score: 4, Informative

      4.2.2.1
      4.2.2.2

    7. Re:Good Grief by Trailwalker · · Score: 4, Informative

      AdBlock gets rid of the Verizon "search" page.

      Clickity, clickity, never see again.

  2. Well I'll be... by Shabbs · · Score: 4, Informative

    This must be brand new. I did a test just now and a bad URL sends you here:

    http://www20.search.rogers.com/search?

    With appropriate variables substituted for what you were typing of course, like this:

    Enter: http://www.rogersblowz.com and you get:

    http://www20.search.rogers.com/search?qo=www.rogersblowz.com&rn=mEelOh0JrKFZejZ

    Let the debate rage on!!!

    --
    Mark
    1. Re:Well I'll be... by Holmwood · · Score: 5, Interesting

      Worse than this even. I've been redirected to Rogers Search pages, replete with advertising, for domains that I know exist, and that I know have been entered correctly (e.g. via a bookmark).

      It used to happen a lot with http://ragnartornquist.com/ (Tornquist is a senior game designer for Funcom). Granted that's a tough name to spell properly for a North American, but since I'd click on a bookmarked link, or a google page, I was sure it wasn't a problem with my typing.

      What started to give it away as being something at Rogers (rather than my computer infected with malware) was that this was happening on every device I connected to the net -- Lynx on BSD, Safari on Apple, Opera on Maemo, Iceweasel on Ubuntu, and, of course, Firefox/IE/Opera on Windows.

      (Yeah, I have a lot of different OS's sitting around!)

      For a while I then became convinced my router had been compromised, but even switching routers didn't fix it.

      Concluding it was unlikely that five different OSes and myriad different browsers had all been compromised, as well as two different routers, I contacted Rogers.

      They said they were experimenting with "Software Improvements" and that the problem should go away for existing domains.

      Well, using a proxy fixed it for me. But not a pleasant solution.

      Software Improvements.

      And the problem did go away for me at least. But I wonder if anyone else is being redirected to Rogers garbage pages for domains which exist.

      Holmwood.

  3. easy solution by FudRucker · · Score: 4, Informative

    http://www.opendns.com/

    basically it is remove your ISP's dns#s and add these

    208.67.222.222
    208.67.220.220

    --
    Politics is Treachery, Religion is Brainwashing
    1. Re:easy solution by tgx · · Score: 5, Informative

      no, they're doing the exact same thing.
      they're redirecting invalid requests to
      http://guide.opendns.com/?url=%5Burl.here%5D

      $ host aoeuidhtns.com
      Host aoeuidhtns.com not found: 3(NXDOMAIN)

      $ host aoeuidhtns.com 208.67.222.222
      aoeuidhtns.com has address 208.69.34.132

    2. Re:easy solution by Shabbs · · Score: 5, Interesting

      Funny thing is that OpenDNS also re-directs bad URLs to their search page. So really, how much better is it? ;)

      --
      Mark
    3. Re:easy solution by TealShark · · Score: 4, Informative

      ... which you can manually stop them from doing by disabling typo corrections in settings.

  4. Ignore their servers by surmak · · Score: 5, Informative

    If the ISP is messing with the DNS service, the best thing to do is to use a different service.

    For Linux/Unix users, you can just run a caching-only server on the desktop system, and it will issue its own name requests from the root on down. I've been doing a slightly more complex version of this at home for VPN purposes. (Forward requests to my employer's net to the private internal DNS server (through the VPN), while querying the public internet for all other servers.)

    I don't know it a similar option is available for Windows users w/o shelling out big bucks, but it is technically feasible

    If you cannot run a caching-only server, another option is to use a third-party DNS server. The only problem here is that it would not be automagically configured by DHCP, and would have to be manually set up.

  5. PaxFire by Effugas · · Score: 5, Insightful

    [This is Dan Kaminsky]

    I took a look at what Rogers is doing. They're using PaxFire, who indeed was directly vulnerable to the attacks I described at Toorcon a few months ago. PaxFire fixed their stuff up, but yes, the security of the web at Rogers is limited to the security of those ad servers at PaxFire.