Slashdot Mirror


Mediacom Using DPI To Hijack Searches, 404 Errors

Verteiron writes "Cable company Mediacom recently began using deep packet inspection to redirect 404 errors, Google and Bing searches to their own, ad-laden 'search engine.' Despite repeated complaints from customers, Mediacom continues this connection hijacking even after the user has opted out of the process. Months after the problem was first reported, the company seems unwilling or unable to fix it and has even experimented with injecting their own advertising into sites like Google. How does one get a company infamous for its shoddy customer service and comfortable, state-wide cable monopolies to act on an issue like this?"

14 of 379 comments

  1. HTTPS by The MAZZTer · · Score: 4, Informative
    1. Re:HTTPS by cultiv8 · · Score: 3, Informative
      Yes they can. From SonicWall's Press Release:

      SonicOS 5.6 adds a new deep packet inspection (DPI) engine for SSL encrypted traffic, which has increasingly become a blind spot in many firewall, content filtering and data leak protection schemes today. Bad guys have begun using encryption technologies against the very security communities that made them popular, using encryption to avoid the HTTPS protocol to bypass filters and expose networks to malware attacks.

      --
      sysadmins and parents of newborns get the same amount of sleep.
    2. Re:HTTPS by betterunixthanunix · · Score: 3, Informative

      ....and yet, Mediacom is hijacking search queries. Why is adding an MITM attack any more illegal than hijacking the queries in the first place?

      --
      Palm trees and 8
    3. Re:HTTPS by Scott Laird · · Score: 3, Informative

      That's not exactly true; SNI allows for HTTPS multihoming, and it's supported by the HTTPS on pretty much every modern platform, *except* for Windows XP. Browsers that use Windows' HTTPS code (most of them, IIRC) can't cope with SNI on XP, so no one actually uses it anywhere yet.

    4. Re:HTTPS by yuna49 · · Score: 3, Informative

      Like it or not, the ISP is treated like a phone company

      No, the problem is that ISPs are not treated like a phone company. They're not regulated as common-carriers. The FCC considered re-categorizing ISPs as a "Title II" telecommunications service, but backed away after Congressional opposition. Now the Commission is proposing a "third way" which seems unlikely to satisfy either the ISPs or their critics. Here's a quick summary: http://www.engadget.com/2010/05/06/fcc-outlines-new-third-way-internet-regulatory-plan-will-spli/

      To my mind, ISPs shouldn't be able to process traffic based on anything other than packet headers. Their job is to take a packet I create and deliver it to its intended destination. (Yes, yes, QOS, etc. Whatever is in the headers is fine by me.) DPI equipment should be banned. Anything else offers too many opportunities for censorship and manipulation.

  2. File an Anti-Trust Complaint by techsoldaten · · Score: 4, Informative

    File an anti-trust complaint and break up the monopoly. That is what those laws are for.

  3. Re:Get another ISP! by OeLeWaPpErKe · · Score: 5, Informative

    I'd hope Google would sue them for copyright violation, changing their webpage in transit, and collect damages per changed page. Additionally they create confusion by diluting Google's trademarks (and those of anyone else whose page is changed). I mean this violates so many laws it isn't funny.

    You could serve them with a DMCA cease and desist notice as a normal website author. Fight fire with fire.

  4. Re:Get another ISP! by TheRaven64 · · Score: 4, Informative

    Came to this story to post exactly the same thing. If you take someone else's copyrighted work (i.e. any web page that is not explicitly placed into the public domain) and create a derived work (that page with adverts), which you then distribute for profit (ad revenue), then you are committing wilful copyright infringement for commercial gain. You can be liable for a statutory penalty of up to $150,000 per work (at least per site, possibly per page) in the USA.

    --
    I am TheRaven on Soylent News
  5. FTC Complaint by hotsauce · · Score: 4, Informative

    In the short-term, an FTC Complaint (https://www.ftccomplaintassistant.gov/) works wonders due to their power to impose fines for every complaint.

    File early, file often.

  6. Re:report them for providing illegal services. by ewieling · · Score: 3, Informative


    USA ISPs are not "common carriers" under the law, no matter how much people wish they are.

    --
    I really shouldn't have used someone else's email address for this account.
  7. Solution: Use a different DNS server by level_headed_midwest · · Score: 4, Informative

    I have Mediacom's internet service and the solution is to use a different DNS server other than the ones Mediacom provides. I use Level3's DNS servers (4.2.2.2 and 4.2.2.3) for my DNS lookups and I do not get any redirects. You can either manually set the DNS servers on your computer or set them at the router.

    --
    Just "gittin-r-done," day after day.
    1. Re:Solution: Use a different DNS server by Frozen-Solid · · Score: 5, Informative

      This doesn't work. I'm on Mediacom and use Google DNS. Nonetheless, if I type in http://validsite.com/invalidurlgoeshere/ rather than being served a proper 404 I get forwarded to Mediacom's private search engine. They're using deep packet inspection to hijack any default Apache or IIS 404 response from a website and redirect it to themselves. Level3 DNS, Google DNS, and OpenDNS all work to fix the issue of my failed DNS queries being hijacked, but it doesn't fix 404s.

      --
      Frozen Insanity
      http://frozen-solid.net
    2. Re:Solution: Use a different DNS server by level_headed_midwest · · Score: 5, Informative

      Ah, I forgot, you also need to add "127.0.0.1 assist.mediacomcable.com" to your /etc/hosts. assist.mediacomcable.com is the server that does the page display for their NXDOMAIN hijacking. Adding the line to /etc/hosts and not using Mediacom's DNS servers results in a "page not found" error when having a 404 error.

      --
      Just "gittin-r-done," day after day.
  8. Re:According to the article... by Mr. Arbusto · · Score: 3, Informative

    That isn't the problem.

    Being a MediaCom customer I've played with this a few times in the past, complained when the opt out didn't work, and complained about it to people locally. Working for a company that makes DPI appliances it was kinda fun to see it in action, but kinda scary to see it on the public internet. CenturyTel also does this exact same thing.

    It scans all HTTP traffic looking for 404 errors. So if I go to http://boingboing.net/4in0in4 it will intercept the server's 404 page and redirect to a Mediacom portal site with my 404 URL as the search term and ads all over.
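
Added example, not part of any comment in the thread: a Python check a subscriber could run to tell an untouched origin 404 from the rewrite the commenters describe, where a request for a nonexistent path is answered with a redirect to a third-party portal carrying the failed URL as a search term. It assumes the rewrite shows up as an HTTP redirect status (the thread does not say how it is delivered); `portal.isp.example`, `site.example` and the function names are placeholders chosen for this sketch.

```python
import http.client
import secrets
from urllib.parse import urlsplit, parse_qsl

REDIRECTS = {301, 302, 303, 307, 308}

def classify_probe(probe_url, status, headers):
    """Classify the answer to a plain-HTTP request for a path that cannot exist.

    status/headers are what the client received with redirects NOT followed.
    """
    headers = {k.lower(): v for k, v in headers.items()}
    if status == 404:
        return "origin-404"              # the site's error page arrived untouched
    if status not in REDIRECTS:
        return "unexpected"              # e.g. a 200 with injected markup: inspect by hand
    probe = urlsplit(probe_url)
    target = urlsplit(headers.get("location", ""))
    if not target.hostname or target.hostname == probe.hostname:
        return "same-site-redirect"      # the site's own canonicalisation
    # Signature described in the thread: redirect to a third-party host that
    # carries the failed URL as a search term in its query string.
    needles = [probe.hostname, probe.path.strip("/")]
    carried = [value for _, value in parse_qsl(target.query)]
    if any(n and n in value for n in needles for value in carried):
        return "rewritten-404"
    return "offsite-redirect"

def live_probe(host):
    """Request a random path over plain HTTP and classify what comes back."""
    path = "/" + secrets.token_hex(12)   # random, so the origin should answer 404
    conn = http.client.HTTPConnection(host, timeout=10)
    try:
        conn.request("GET", path)
        resp = conn.getresponse()
        return classify_probe(f"http://{host}{path}", resp.status, dict(resp.getheaders()))
    finally:
        conn.close()

if __name__ == "__main__":
    # Constructed observations; portal.isp.example is a placeholder host.
    url = "http://site.example/zz91qk"
    samples = [
        (404, {"Content-Type": "text/html"}),
        (302, {"Location": "http://portal.isp.example/search?q=site.example%2Fzz91qk"}),
        (301, {"Location": "http://site.example/zz91qk/"}),
    ]
    for status, hdrs in samples:
        print(status, classify_probe(url, status, hdrs))
```

Running `live_probe` against a site you operate, and comparing the result with that server's own access log, separates a rewrite in transit from a redirect the site itself issued.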