New Jersey's Cablevision Hijacks DNS Error Pages
Selikoff writes "I just noticed Cablevision's Optimum Online service has begun hijacking DNS Error pages with, you guessed it, ad-supported results. Aside from hurting the underlying stability of the Internet, there have been instances where hackers have used such tools against customers. I know Road Runner customers have had to deal with this for a couple months now, although at least they have an outlet to turn it off." Update: 09/30 13:18 GMT by T : Note, as several readers have pointed out, this hijacking is of DNS errors rather than 404 errors as originally presented.
Even on slashdot, we have people who don't know a DNS error (and yes, TFA gets it right) from a 404 (which can't be hijacked without modifying the stream itself)
I was actually scared that they were doing DPI for a minute, then I realized the OP just didn't know what they're talking about.
They probably use a transparent web proxy between the user PC and the web server.
When the web server sends a standard 404 error page, it goes via the proxy which puts its page in place of it.
Gentoo Linux - another day, another USE flag.
The Cablevision and Road Runner services both only hijack DNS no-such-domain errors, not HTTP 404s. Neither is a good thing, but hijacking DNS is much less insidious than the deep-packet inspection or mandatory proxying required to hijack 404 errors.
This sig is certified free of self-referential humour!
New Jersey's Cablevision Hijacks 404 Error Pages
No, they didn't.
If the submitter had read the summary, they would know that it's DNS errors that are being hijacked, not 404s.
It's an important difference - 404 means that they are transparently proxying your connections, which can cause problems with various sites (and that they are recording every URL you visit.)
For example: http://slashdot.org/akasjdflkasdjfl;kajsdl;aksdjfkdjkfdjlkjsdf would not be affected by this, whereas http://sslashhdot.org/ would.
Is it *too* much to ask that a technical news site present technical articles correctly?
It's not a 404 page that's getting hijacked. It's DNS resolution failures.
It's a pretty big difference.
What exactly does "Hijacks 404 Error Pages" mean? Does it mean error pages were hijacked 404 times? It certainly does not mean what the headline implied (to me). Even a cursory glance at TFA makes that clear.
How about the editors actually read the article and correct glaring mistakes for a change? Even before this made it out of the Firehose, there were responses that it was DNS failures and not 404 messages.
The blue screen of russian women 4 U? BSORW4U!
or
Buy Vi4GR@ now! By the way: Syntax error.
"Kill 'em all and let Root sort 'em out"
Don't use your ISP's DNS servers.
Find another public server or run your own.
Correct me if I'm wrong, but the domain-does-not-exist error page isn't a 404 error, right? I thought 404 was the error for when a web server couldn't find the page you requested from it, not for the DNS error.
When I first read TFS I thought, WTH? What if I have a custom 404 page on my website?
I actually had to RTFA to figure out if they were honest to god hijacking web servers' 404 pages.
Thankfully it seems they are not.
They're returning adverts for failed DNS lookups, not 404 pages, as others have helpfully pointed out.
How about a script that hammers suitably random fake domain names continuously (different ones every time)? If the scammers^W advertisers are paying per impression this will majorly hurt their pockets.
http://www.optimum.net/DNSRedirect/DoOptOut
...from Verizon (NY, NY). Sometimes even when I don't misspell the url, I get "Sorry, we couldn't find it (...) Please se relevant searches below:"
Nasty :/
I just signed up with optimum because they are the only game in town (even though there is a huge verizon building 2 blocks away from me). Setting this all up was horrible, and I was lied to several times by several different people over the phone.
This 404 thing is not at all surprising from a company so greedy, they actually peddle TVs and phones to their customers: http://www.optimum.com/store/index.jsp
(And yes, I didn't just come across this site - there was a commercial for it)
We started seeing this with Charter in the midwest. Not the 404 errors, but with invalid domain names. The biggest problem for us has been with our VPN software. When our employees are working from home, Charter always returns a valid IP for our internal DNS zones so the DNS lookups are never forwarded over the VPN.
I hope their additional advertising revenue makes up for the lost customers.
I just redirected my DNS queries to OpenDNS, mostly because of the content/phishing filtering they offer but also some of the statistics on my connection. They make their money, or propose to, by doing this very thing... redirecting Domain Not Found error messages to ad supported pages.
This post brought to you by your friendly neighborhood MBA.
I had this problem with hijacked pages with Comcast. The real pain was it was often a typo in the URL, but the hijacked page URL is not what I typed in, so I can't easily just edit it and get on with my day.
I changed my DNS servers to OpenDNS and this cured the problem.
208.67.222.222
208.67.220.220
I'm glad someone pointed this out.
I opted out of roadrunner's "feature" and I just opted out of this new cablevision "feature".
Why can't these companies leave well-enough alone? I pay for this internet connection- I don't see why they need to skim extra money off the top with advertising revenue.
Pfft. As if it wasn't enough that network advertisements on Fox take up 25% of the screen when I'm watching House!
Since the article is technically wrong (though the actual problem - redirecting failed DNS lookups - is still unsatisfactory), let's instead consider something that really does hijack 404s: Google Chrome (nice to see google.cn doesn't censor criticism of Google too, eh?).
But this is Slashdot, and Google does no evil, so everyone please put your defences as responses to this thread. Oh, and "it doesn't do it for long 404 pages" isn't any more a defence than "oh he only punches short people".
The DNS error hijacking, that is. I was going to consider switching to Charter, but I see someone has posted that they've started doing this as well.
Are there any free DNS services out there that happily return valid results instead of redirecting you?
I'm not sure if they've stopped, but it was a fucking disaster for us. My company's sites and our self-hosted DNS are colo-ed with frontier, and they had a network failure not too long ago. When people tried to get to our sites, they were redirected to their crap search page. Seriously, EPIC FAIL! That wasn't acceptable at all.
This sort of behavior just isn't okay anywhere... some business people really should be bonked on the head for implementing this anywhere.
"Why should I be content to simply live in this world, when I, as a human being, can CREATE it?" - Oertel
Sorry about the 404/DNS mistake, I tried correcting it shortly after submitting the story but the Firehose missed my comment!
I love it when an editor or story writer makes a technical error on /. You can actually hear the simultaneous erections of a thousand anal-retentive techies, each typing as fast as they can without even bothering to check if their fellow anal-retentives hadn't already pointed the same thing out in dozens of posts. It's the best sexual gratification most of them are going to get all day.
SJW: Someone who has run out of real oppression, and has to fake it.
See my post above and the others below. They are not hijacking 404s. They are hijacking DNS errors, same as earthlink et al have been doing forever.
Hey, let's not be too quick to judge here. Sometimes I do look for sex entertainment phentermine college click here now rolex and I'm glad at least one ISP understands that.
http://www.opendns.com/
However this does not solve it for less technical people as they would have no idea what is going on, would have no idea how to solve it and perhaps have not even a clue that there is a problem and that they typed in something wrong.
If I were looking for nekid ladies, this might be helpful. If I try to contact my bank it isn't. It could even be dangerous if the things I were looking for were similar to what I get presented as advertisement.
Don't fight for your country, if your country does not fight for you.
This is no different than if Burger King squatted the domain for McDonadls.com (see the typo) and sent traffic to their site instead.
Here's one way to tackle this. If I'm a local business owner in an area served by Cablevision, I would complain to the local utility commission to have Cablevision's franchise dissolved and then file suit against Cablevision if someone tried to go to my company's web site, misspelled the name by one letter and was referred to my competitors through their advertising system.
Bill Clinton: Pimp we can believe in. - The Shirt!!!
How can this hurt the underlying stability of the internet??
Aside from hurting the underlying stability of the Internet, there have been instances where hackers have used such tools against customers.
Yet the page linked in the above statement just details how a security researcher came up with a proof of concept that was specific to a different companies implementation of the same idea.
I dont read
They're hijacking DNS errors. When there is a DNS error, they send a response claiming that the requested domain resolves to their own IP address.
IOW, if you type in nonexistentdomain.com you get their ad page rather than an error.
Sounds to me like a great way to increase revenue while degrading service.
When an Indian judge said that the Scrabulous Brothers couldn't use the Scrabulous name to promote their business, GoDaddy grabbed it and started serving his usual soft-core domain ads promoting his business. :-|
Anyway LEXULOUS.COM is where Scrabulous now lives.
I just confirmed it after trying twice to make up a fake domain name. Making up a fake domain name is harder than it sounds.
As far as evil things that Optimum could do, I wouldn't put this high on the list. They do have a fairly easy to get to opt out link if you click on the about link.
Since they don't complain about my abuse of the bandwidth, I'll give them a slide this one time. I would just prefer that this kind of service was an opt-in and had some sort of benefit to me. Other than this incident, I've been happy with their service. I still wish they didn't do it and won't defend them the next time they pull something like this.
If they hijack my request for a text-only site, and I pay for bandwidth or overuse, do I pay for the graphical ads they attack me with?
I think this question alone is enough cause to call any such modification/hijacking illegal.
dnsmasq has an option to reverse the effect of this sort of thing.
It runs nicely on OpenWRT.
Or you could use maradns instead, and avoid all present and future problems with your ISP's caching DNS servers..
Quite simple: run a mailserver, then use this type of DNS server. In a few days, you'll have so much mail that doesn't get accepted by xxx.xxx.xxx.xxx (your provider's DNS) that it might fill your storage. Then 7 days later (instead of a few hours later) the e-mail gets sent back with the message that the other server doesn't accept the mail (instead of saying that the domain doesn't exist) after being retried hundreds of times, eating up valuable bandwidth and processing time. Then if your end-user isn't smart enough, he'll retry sending it, not noticing he has a typo in his address book, because after all, the other e-mail server DOES exist.
Custom electronics and digital signage for your business: www.evcircuits.com
My employer's ISP (that is - the one that provides service to our office, as opposed to that which has our telehoused machines), a company called Tiscali do this.
This is fairly ironic. We're a domain registry, and we make most of our income on non-existent DNS names, via simple parking pages. You do understand parking don't you?
Dot TK - Renaming the Internet
... and today's pet project has
Rogers Cable high-speed internet has been doing that for the past couple months now too. URL typos get redirected to their own search.rogers.yahoo.com or something like that, disabling toolbar search functions in browsers.
The kicker is that I also think they're actively blocking access to other search engines periodically in order to increase usage of their own. www.Google.com will sometimes time-out while trying to load, but works fine when accessed through Dogpile meta-search.
Since I've moved off of Rogers already, I can't do more experiments to test, but if anyone else is on it, I suggest you keep an eye out.
Easy solution, use OpenDNS.
Oh wait, they also do that.
80 CC D8 AF AE D3 AB 54 B7 2E CE 67 C7
Do you have any idea the number of tech calls 404 pages generate. A lot.
So those that this bothers use 4.2.2.2 or set up your own DNS server. To the rest of those a page saying your site was not found and some alternate links is probably a good idea.
But hey that's my 2 cents worth I could be wrong.
Glen
Linux modi 2.6.26-2-parisc
I think this is the third story on an ISP catching DNS errors :-(. Even the follow-ups seem to be similar.
Personally, my only surprise was when i learned how much money an ISP can make by selling Ads on error landing pages.
Regards, Martin
Earthlink does this in Houston. It has caused me lots of problems with VPN.
A lot of ISPs do this. Many of them recommend simply finding a new DNS host, others provide an option to turn it off (eg. Road Runner, the only broadband ISP in my area)
We don't have many decent alternatives here in Canada. It's either Bell or Rogers. You could pick a small ISP of course, but you'd still be using Bell or Rogers because the two of them rent the bandwidth to all the rest (leaving you stuck with all the same problems as before, such as traffic shaping).
But, I guess if you live out west you'll have the third option of Telus, who isn't much better than Bell or Rogers.
The problem is that there is no reason to assume that just because a machine is making a DNS query it intends opening a TCP connection to port 80 (or 443).
Even if the hostname starts with www ?
And, the reverse that others have mentioned.
If you use a DNS blocking list (DNSBL) for e-mail, you will stop receiving any e-mail, because every lookup will always return a "found", and DNSBLs work by returning NXDOMAIN if the site isn't listed, and returning an IP address if it is.
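The DNSBL failure mode described in the comment above, worked through as an added example (not code from the thread or from any DNSBL operator): a DNSBL is queried by reversing the octets of the address and appending the list's zone; NXDOMAIN means "not listed" and an answer in 127.0.0.0/8 means "listed". The resolver tables, the zone name `dnsbl.example` and the landing-page address 192.0.2.10 are constructed placeholders. A resolver that rewrites NXDOMAIN into its landing-page address makes every unlisted host look like a hit, so the classifier below treats any answer outside 127.0.0.0/8 as a sign that the resolver, not the list, produced it.

```python
"""Interpret DNSBL answers, and show how an NXDOMAIN-rewriting resolver breaks them."""
import ipaddress
from typing import Callable, Dict, Optional

# Constructed sample data (placeholders, not a real list).
DNSBL_ZONE = "dnsbl.example"
LANDING_PAGE_IP = "192.0.2.10"          # the ISP's ad/search page, TEST-NET-1 range
LISTED_ANSWER = "127.0.0.2"             # conventional "listed" return code (RFC 5782)

# What the list's authoritative zone actually contains: only 1.2.3.4 is listed.
DNSBL_ZONE_DATA: Dict[str, str] = {
    "4.3.2.1." + DNSBL_ZONE: LISTED_ANSWER,
}


def dnsbl_query_name(ip: str, zone: str = DNSBL_ZONE) -> str:
    """Build the query name: reverse the four octets and append the list zone."""
    octets = ipaddress.IPv4Address(ip).exploded.split(".")
    return ".".join(reversed(octets)) + "." + zone


def make_resolver(zone_data: Dict[str, str],
                  rewrite_nxdomain_to: Optional[str] = None) -> Callable[[str], Optional[str]]:
    """Return a resolver function. None models NXDOMAIN.

    An honest resolver passes NXDOMAIN through; a rewriting resolver (as the
    ISPs in this thread do) substitutes its landing-page address instead.
    """
    def resolve(name: str) -> Optional[str]:
        if name in zone_data:
            return zone_data[name]
        return rewrite_nxdomain_to
    return resolve


def classify_dnsbl_answer(answer: Optional[str]) -> str:
    """Interpret one DNSBL answer from the mail server's point of view."""
    if answer is None:
        return "not_listed"                 # NXDOMAIN: the list has no entry
    if ipaddress.IPv4Address(answer) in ipaddress.IPv4Network("127.0.0.0/8"):
        return "listed"                     # a loopback-range code: real list hit
    # Anything else cannot have come from a DNSBL zone; the resolver forged it.
    return "resolver_suspect"


def check_sender(ip: str, resolve: Callable[[str], Optional[str]]) -> str:
    """Full check for one connecting IP using the given resolver."""
    return classify_dnsbl_answer(resolve(dnsbl_query_name(ip)))


def resolver_returns_nxdomain(resolve: Callable[[str], Optional[str]]) -> bool:
    """Sanity probe: 127.0.0.1 is conventionally never listed (RFC 5782), so a
    resolver that returns an address for it is rewriting NXDOMAIN."""
    return resolve(dnsbl_query_name("127.0.0.1")) is None


if __name__ == "__main__":
    honest = make_resolver(DNSBL_ZONE_DATA)
    rewriting = make_resolver(DNSBL_ZONE_DATA, rewrite_nxdomain_to=LANDING_PAGE_IP)
    for label, r in (("honest", honest), ("rewriting", rewriting)):
        print(label, "sane:", resolver_returns_nxdomain(r),
              "1.2.3.4 ->", check_sender("1.2.3.4", r),
              "5.6.7.8 ->", check_sender("5.6.7.8", r))
```

A mail server that only tests "did I get an answer?" would reject every sender behind the rewriting resolver; the loopback-range check and the 127.0.0.1 probe are the two cheap defences.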
I know that my DSL provider, Cavalier Telephone has been doing this for years. I called their technical support, and of course they had no idea what I was talking about. After emailing one of their tech guys, they suggested I set my computer to use someone else's DNS. IMHO, this is a network neutrality violation and the FCC should be investigating this. I said that much in my thank-you letter for their ruling against Comcast.
It would not surprise me to find out that this is becoming the norm, rather than the exception.
TDS does this same thing. Very annoying. I called and asked how to turn it off and they said it's not possible on a per-user basis. At $50 a month for DSL service I would prefer not to see any ads when I try and see if a domain exists by typing it into the address bar. (Yes, I know it's not 100% foolproof.)
I had this happen once. I use my own DNS server, but I had just moved and was trying to get my new connection up and running. I had typo'd a few things and it kept taking me to these types of ad pages. It certainly put me in a bit of a panic thinking I had somehow picked up a browser hijack (very disturbing since the initial box I noticed it on was a Linux box). After some tinkering I realized that all of the typos were resolving to the same IP, and only when my ISP's DNS servers were involved.
I am actually not entirely convinced that it was my ISP's DNS servers specifically doing it and not someone upstream of them. They are a small, very knowledgeable and geeky ISP and are very *nix friendly, so I would be a tad surprised by that kind of behavior. (I called once asking for my static IP to be reversed to my own domain, expecting a big hassle and a "no", and they did it without batting an eye.)
The only change I can believe in is what I find in my couch cushions.
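The observation in the comment above, that every typo resolved to one and the same address, is the simplest test for NXDOMAIN rewriting. The following is an added example (not code from the thread or from any ISP): it probes random labels under the reserved `.invalid` top-level domain, which by RFC 2606 must never resolve, and reports the landing-page address if every probe came back with the same IP. The `socket.gethostbyname` call is only used when run live; the tests feed in constructed resolver functions, and the address 192.0.2.10 is a placeholder.

```python
"""Detect an NXDOMAIN-rewriting resolver by probing names that must not exist."""
import random
import socket
import string
from collections import Counter
from typing import Callable, Dict, List, Optional


def probe_names(count: int, seed: Optional[int] = None) -> List[str]:
    """Random 12-letter labels under .invalid (RFC 2606 reserves it; it never resolves)."""
    rng = random.Random(seed)
    return ["".join(rng.choices(string.ascii_lowercase, k=12)) + ".invalid"
            for _ in range(count)]


def system_resolver(name: str) -> Optional[str]:
    """Resolve with the OS resolver; None models NXDOMAIN (gethostbyname raises on it)."""
    try:
        return socket.gethostbyname(name)
    except socket.gaierror:
        return None


def resolve_all(resolve: Callable[[str], Optional[str]], names: List[str]) -> Dict[str, Optional[str]]:
    """Look up every probe name and keep the raw answer (or None) per name."""
    return {name: resolve(name) for name in names}


def detect_rewriting(results: Dict[str, Optional[str]]) -> Optional[str]:
    """Return the rewriting address if every probe resolved to the same IP, else None.

    A single stray answer is not enough: an honest resolver returns NXDOMAIN for
    all .invalid names, and a rewriting one returns its landing page for all of them.
    """
    answers = [ip for ip in results.values() if ip is not None]
    if not answers or len(answers) != len(results):
        return None
    ip, hits = Counter(answers).most_common(1)[0]
    return ip if hits == len(answers) else None


if __name__ == "__main__":
    names = probe_names(5)
    found = detect_rewriting(resolve_all(system_resolver, names))
    print("resolver rewrites NXDOMAIN to", found if found else "nothing; resolver looks honest")
```

Once the landing-page address is known, dnsmasq's `bogus-nxdomain=<address>` option (the behaviour the dnsmasq comment earlier in the thread refers to) turns any answer carrying that address back into a proper NXDOMAIN for the hosts behind it.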
The first couple of levels of support people at these ISPs do not know what networking is and/or are forced to read from scripts. It can take hours to get to the level of support where they not only know what you are talking about but can also throw the switch to turn off the DNS hijacking.
So having a switch is still not easy when you can't just go to your settings page and turn it off yourself.
LoB
"Anyone who stands out in the middle of a road looks like roadkill to me." --Linus
This is one of the very reasons I started using OpenDNS, beside the fact it can filter out other garbage.
http://www.opendns.com/
Earthlink also uses a DNS error spam page rather than a real DNS not found error. Very, very lame.
They do have a (little known) method for bypassing this, details here:
http://kb.earthlink.net/case.asp?article=187117
Basically they give you the IP of a non-fucked DNS server, which you can then program into your router, computer etc.
Tired of Political Trolls? Opt Out!
Posting anonymous for obvious reasons.
My company employs software called "DNS Advantage" for all of its customers. This software works pretty much the same way. We have voiced our concern about the problems it causes, including causing problems with VPN. These concerns fall on deaf ears. I'm considering taking my complaints higher up.
Captcha is "connects" - always!
I live in Long Island, and they do it here as well.
http://www.opendns.com/homenetwork/solutions - Just use OpenDNS and don't use there servers. Take away their control.
There are a lot of ISPs starting to hijack failed DNS queries (as mentioned repeatedly, we're not talking 404s here).
Most of the ones doing it simply redirect to a search or landing page of some type. A few have opt-out capability, but most do not.
They are also quietly doing this with a blacklist the government puts out for "dangerous" or "illegal" sites. Not the major ones like Pirate Bay, because that would cause an uproar, but for example there are some sites of the darker nature (hacking, wares, etc.) that will resolve DNS if you do lookups outside major US ISP's but fail on their lookup servers.
Most of the companies that have some type of an opt-out plan aren't giving you the option to opt out of failed DNS hijacks; they are giving you an opt-out for 'targeted advertising', i.e., they are doing DPI and hijacking some of the ad server requests to their own ad servers.
I, of course, use firefox with Noscript, so I pretty much don't see the effects of the ad redirects because they just don't load in the first place.
My point, in the end, is that your ISP is probably already doing this, it's getting pretty standard. I suggest using your own DNS or 3rd party one.
I have road runner service and would really like to turn those damn pages off. Any tips on how to do so would be much appreciated.
I reject your datastream and substitute my own!
Verizon (now FairPoint Communications in these parts) does it too. http://wwwwz.websearch.verizon.net/search?qo=blahblahblah&rn=S6ORMW8T2m7rGJi&rg= That's where you end up if you try to go to an invalid domain name. (Replace 'blahblahblah' with whatever)
Friend: "The NIC is misconfigured..." Me: "No prob, I'll just telnet in and fix it." *Silence*
It isn't hijacking DNS service, it's called DNS assistance and you can opt out of it if you want to. Most ISPs get a lot of customers on the phone who think their internet service is down. With the DNS service, it at least informs novice computer users that they are online. This is the following from the DNS site:
"DNS Assistance Service
The preceding search results page is displayed to you as a result of the specific Domain Name Service (DNS) servers used by Optimum Online to look up domain names. If you misspell or mistype a web address, dead-end "no such name" errors can occur. However, the DNS servers used by Optimum Online are designed to eliminate dead-end "no such name" error pages you can encounter as you surf the web. By displaying the preceding search results page, users know that the web site they've attempted to navigate to does not exist, and are presented with suggested sites they may have been seeking. No software is installed on your computer for this search service to work.
What is DNS?
All websites have an address that consists of a series of numbers separated by periods, such as 167.206.112.7. This is known as an IP address. Most websites also have a domain name (such as www.optimum.net) associated with their IP address. With DNS, users don't have to type the complicated IP address into their browser's address bar; instead, they can type the domain name. DNS then acts like a real-time phonebook, looking up the name entered and translating it into the numbers that the computer recognizes so that the desired website can be displayed.
Can I opt-out of the DNS Assistance Service?
Yes, you can opt-out of the service. If you opt-out of the service, you will no longer receive any search based help when you misspell or mistype a web address, but instead you will receive browser error messages. When you opt-out of the service, it will affect all computers that are in your household and accessing the Internet by Optimum Online Service."
Rogers in Canada is one who does that, then forges a search page for your convenience (;-))
Worse, they do the same for many valid .ca and .org sites.
--dave
davecb@spamcop.net
they would know that it's DNS errors that are being hijacked, not 404s.
Don't use their terminology. They're not DNS errors, they're a class of DNS responses.
Calling them errors helps Cablevision support their practices.
My God, it's Full of Source!
OUTSIDE_IP=$(dig +short my.ip @outsideip.net)
Presumably on a PC with Internet Explorer, it looks just like the regular page does, which makes me wonder why they'd even bother to do it in the first place. I don't see any ads nor any information that's any more helpful than the default error page for IE.
Did they only do that specifically so that it would screw up DNS lookups? For laughs? Were they bored one day?
http://search.suddenlink.net/prefs.php
"standard 404 error page"? it wouldn't have to be standard anything; you don't have to parse the page content, unless the web server is doing some really _NOT STANDARD_ mangling (sending a 200 OK with an error page inserted, for instance, which would break a lot of things dependent upon 404s anyway). it only needs to determine the header status code, which squid and other proxies can do.
While i love FIOS's service (that is until the day they decide to cap/throttle and fuck over the customer)...
Verizon is doing this as well on FIOS. Every time you put in a bad address in a browser window, Verizon's Google-like page shows up suggesting things.
This kind of scares me. I'm not sure how far they will take this idea. What if they start filtering domains from users so they can't get to them, and suggest others... or perhaps an ISP's own service or partner service? That sounds scary.
Kaminsky demonstrated the vulnerability by finding a way to insert a YouTube video from 80s pop star Rick Astley into Facebook and PayPal domains.
Ryan, Ryan, old buddy, old pal... Haven't you ever heard of the term rickroll?!?!?! Even an old fuddy-duddy such as myself, is familiar with the concept. Here's a Wikipedia entry to get you started: http://en.wikipedia.org/wiki/Rickrolling. Please study up before writing your next Wired article. There will be a pop quiz.
1. Register Domain name but point it nowhere
2. Copyright said domain name
3. Sue ISP for Copyright infringement, for them displaying THEIR content using YOUR copyrighted name instead of your registered non-content
4. Profit!
Support TBI Research: http://www.raisinhope.org
http://redirect.uscable.net/index.php?origURL=http://badlinkherea.com/ Ad supported garbage. "Website Suggestions" Powered by Yahoo search.
broadbandsupport.net nameservers are also doing this. I thought I had malware when I accidentally typed updates.microsoft.com (it's only cingular update.microsoft.com) and it redirected me to an information.com site.
Took some digging to figure out WTF. After that I switched to OpenDNS. At least I get some phishing/adware blocking with my advertisements for URL errors.
It's broken DNS to make money off typos without having to domain squat. Hell, they can squat a nonexistent record on an already purchased domain. It is also completely opt-in. You can even brand your error page with a JPG image of your own.
DNS purists need not apply. It does allow for some screwing around on their part if they wanted to. It also prevents you from resolving fastflux.uberhackers.net. However, content filtering does require proxying of your connection for some sites, ostensibly for some security reason.
What would be funny is if the links rick rolled you on this hijacked DNS error page
You get what you pay for... Try OpenDNS, DynDNS. I've been a happy customer of the latter for years. It makes a slow ISP fly, just by eliminating an ISP's DNS bottleneck, which is too tempting for Marketing. I also use private DNS on the road; it helps with hotel/airport ISPs as well.
Quite simple: run a mailserver, then use these type of DNS servers.
No thanks :)
Then 7 days later (instead of a few hours later) the e-mail gets sent back with the message that the other server doesn't accept the mail (instead of saying that the domain doesn't exist)
Why? Surely the sending mail server should first query the MX record for the domain it wants to send to and then do an A record lookup on the name of the machine this returns. Do they spoof MX records as well? There seems very little point in doing this to show people a pretty web page. If they are spoofing MX records this is far more annoying, but I have not found any evidence that this is so. If you have some, can you post the links?
As an aside, this sort of DNS spoofing (A and AAAA records only) can be really useful. We used to use a similar method to spoof doubleclick and similar ad sites so they could not track any users from within our network in a community project I was involved in. It mapped all DNS requests for known ad farm sites to a local machine that just served up a picture of spam to all requests. This also saved us bandwidth back in the days when this was at a premium, as we were only on a 64K ISDN connection. We also provided a non-spoofing DNS server to people who asked us, but most people were happy at not having to wait for adverts on a page to load from a remote server.
I dont read
Yes, www doesn't mean anything.
So here's another more sophisticated heuristic: On a residential Internet connection, a DNS request for nonexistent something.or.other followed within three seconds by a request from the same IP for www.something.or.other is more likely than not a web browser trying to resolve a hand-keyed hostname.
I live in Sao Paulo, Brazil, and some ISPs here also hijack failed DNS queries. The main problem with that behaviour is that not all internet traffic is HTTP. For example, if you are trying an SSH connection and you input an invalid domain, you don't get the "no dns entry" response, but a valid IP address, which is not the one you're looking for, and that probably won't accept your connection. You won't get a "no dns entry" error, but a "server actively refused the connection", which is incorrect and might cause you to lose an hour or two trying to figure out what is wrong: a simple misspelling. Or even worse: the server might even accept your connection and give you an authentication error. Internet service protocols exist for a reason. Simply ignoring them to "help users" will actually do much more harm than good.
Missed this when it was posted, but NY is now also affected. I've called repeatedly and spread the word to opt-out. Posted on my blog as well: http://ineedattention.com/technology/computers/2008/10/03/optimum-online-offering-dns-hijacking-service/ We can't let them get away with this.
Does anyone know if along with their redirect they are also blocking DNS queries to the root servers? I am running BIND 9 in my house and using that for all my DNS queries. I was away last week traveling and when I returned my DNS server couldn't query any of the root servers. The server isn't exposed to the Internet but is strictly used internally to support Kerberos running on the same box. It would really blow if they've also put a stranglehold on local DNS servers. Why in the hell would they do something like that? Anyone else experiencing this?
RFC 2821 sec. 5 clearly states that:
SMTP clients must look up an MX record;
if no MX record for the domain is present, look up an A RR, and if such a record is present, treat it as an MX record;
if an MX record is present, clients MUST NOT use an A RR.
Custom electronics and digital signage for your business: www.evcircuits.com
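The RFC 2821 section 5 lookup order quoted in the post above, and the mail-server complaint earlier in the thread, worked through as an added example (not code from the thread, from any MTA, or from any ISP). The zone data, the domain `example.com`, the mistyped `exmaple.com`, the landing-page address 192.0.2.10 and the set of hosts that accept SMTP are all constructed. The point it shows: a real domain is reached through its MX; a mistyped domain with an honest resolver has neither MX nor A and bounces immediately; the same mistyped domain behind a resolver that rewrites NXDOMAIN falls back to a forged A record, so the MTA queues the message and keeps retrying against a host that refuses port 25.

```python
"""RFC 2821 s5 target selection, and the effect of a resolver that rewrites NXDOMAIN."""
from typing import Dict, List, Optional, Tuple

# Constructed zone data (documentation ranges only). None models NXDOMAIN.
MX_RECORDS: Dict[str, List[Tuple[int, str]]] = {
    "example.com": [(20, "backup.example.com"), (10, "mail.example.com")],
}
A_RECORDS: Dict[str, str] = {
    "mail.example.com": "198.51.100.25",
    "backup.example.com": "198.51.100.26",
    "example.com": "198.51.100.80",
}
LANDING_PAGE_IP = "192.0.2.10"                     # the ISP's ad/search page
ACCEPTS_SMTP = {"198.51.100.25", "198.51.100.26"}   # hosts actually listening on port 25


def resolve_a(name: str, rewrite_nxdomain_to: Optional[str] = None) -> Optional[str]:
    """A lookup. A rewriting resolver returns its landing page instead of NXDOMAIN."""
    return A_RECORDS.get(name, rewrite_nxdomain_to)


def resolve_mx(name: str) -> Optional[List[Tuple[int, str]]]:
    """MX lookup. The thread reports only A/AAAA answers being forged, so MX is honest."""
    return MX_RECORDS.get(name)


def mail_targets(domain: str, rewrite_nxdomain_to: Optional[str] = None) -> List[str]:
    """Targets in delivery order per RFC 2821 s5: MX hosts by preference, else the A record."""
    mx = resolve_mx(domain)
    if mx:
        targets = []
        for _preference, host in sorted(mx):
            addr = resolve_a(host, rewrite_nxdomain_to)
            if addr is not None:
                targets.append(addr)
        return targets
    addr = resolve_a(domain, rewrite_nxdomain_to)
    return [addr] if addr is not None else []


def delivery_outcome(domain: str, rewrite_nxdomain_to: Optional[str] = None) -> str:
    """What an MTA would do with a message for this domain."""
    targets = mail_targets(domain, rewrite_nxdomain_to)
    if not targets:
        return "bounce_now"          # no such domain: immediate non-delivery report
    if any(t in ACCEPTS_SMTP for t in targets):
        return "deliver"
    return "queue_and_retry"         # host exists but refuses port 25: retry for days


if __name__ == "__main__":
    for domain in ("example.com", "exmaple.com"):
        print(domain, "honest:", delivery_outcome(domain),
              "rewriting:", delivery_outcome(domain, LANDING_PAGE_IP))
```

The `queue_and_retry` result for the typo'd domain behind the rewriting resolver is exactly the days-long retry loop the mail-server complaint describes; the honest resolver bounces it on the first attempt.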