The Five Levels of ISP Evil

August 11, 2011 – 3:24 pm

NOTE: If you’re interested in broadband & policy, you are in the right place!

Read the related post, “Help us, protect your privacy online” and sign the EFF petition. Then, learn “Why U.S. Broadband is so Slow“. If you are concerned about capped Internet consumption, see “Drilling Through the Caps“. Finally, learn more about Sonic.net’s innovative new Fusion Broadband+Phone product, available in the SF Bay Area today, with new regions coming soon. -DJ


 

Recently a number of ISPs have been caught improperly redirecting end-user traffic in order to generate affiliate payments, using a system from Paxfire. A class action lawsuit has been filed against Paxfire and one of the ISPs.

This is a serious allegation, but it’s the tip of the iceberg. I’m not sure everyone understands the levels of sneakiness that service providers can engage in. So, while I’m no expert (we are an ISP who doesn’t do these things), here is my quick guide, as a broad overview, to the five levels of ISP evil, and the various “opportunities to monetize customers” that we’ve passed on:

5: Improper NXDOMAIN handling, also known as “Domain Helper” applications. When a customer attempts to visit an invalid site, instead of returning the RFC standard “no such domain” response, the servers provide a search result which includes sponsored links. Sometimes the results are not well matched to the mis-typed domain; instead they promote ads with broad commercial appeal, like insurance, which will generate a high payout if the customer clicks. Extra evil points for making it difficult to opt out of this, requiring opt-out via a cookie or browser setting rather than providing “clean” DNS servers. (Paxfire’s system is positioned as a search/helper application, but these systems can be easily converted, even without the ISP’s awareness, to an affiliate pumping system.) Evil score: 2 evil points, somewhat evil, but now every major access provider provides helpful results for address typos.

A diagram showing how Phorm's "Webwise" system creates copies of its tracking cookie in each domain the end-user visits, based on the report published by Richard Clayton. Wikipedia.

4: Clickstream Tracking. An ISP is in a unique position as the point of traffic origination, which creates the opportunity for very in-depth analysis of Internet usage behavior. Tracking the user’s Clickstream (the site to site to site movement as they browse) with a set of tools like Phorm allows service providers to create cash out of information about private use of the Internet. Clickstream data buyers are generally in ad targeting; if you visited Ford.com and looked at F-250 trucks, then CNN.com, it might make sense to place ads for large Chevy trucks on the CNN page rather than an ad for fabric softener. Absent this prior knowledge that you were a potential truck buyer, the ads might be for something of less interest to you, and thus less likely to be clicked, to “monetize”. Over time, analysis of the complete Clickstream can provide lots of insight to advertisers. Extra evil points for selling the Clickstream data without telling customers. Evil score: 5. What you do online is private!

3: Ad Swapping. Transparently proxy all web traffic, and when ad banners are in transit, perform real-time swaps of the ads for other ads for which the ISP is getting a cut of the revenue. Legitimate advertiser ads are sometimes fetched so that no one notices the decline in impressions. The pitch to ISPs from companies like NebuAd sometimes included claims of “partnerships” with content sites to better target ads. Extra evil points for ISPs who provide demographic data to the firm running the ad-swapping system. Evil score: 6.

Our reply: "No, not interested, thanks. -Dane" Email reply to Mark Lewyn, President, Paxfire Inc., Wednesday, October 29, 2008 3:35 PM

2: Affiliate Program Pumping. As alleged in the Paxfire scheme, ISPs or their accomplices take incomplete or incorrect domain entries into the URL bar and direct them to an intermediate page, which redirects transparently to a URL which includes an affiliate tag. So, a consumer types “amazon”, and rather than returning an NXDOMAIN, or even a search result, the ISP DNS server directs them to an IP address which does a content reload toward a URL of the form amazon.com/affiliate-id=XYZ. Purchases made subsequently are compensated as if it was legitimate traffic from an affiliate. Evil score: 8, with a bonus point for poisoning the affiliate ecosystem.

1: Rolling Over. In an attempt to avoid costs or under pressure from government or content creators, ISPs have handed over customer information, and even subjected customer traffic to broad snooping. Allegations range from service providers simply quietly handing over customer info to law firms with improperly filed lawsuits and incorrectly served subpoenas, to the physical wire-tapping of major fiber optic lines. We’ve got your back. Evil score: 10. Potential for human rights violation.
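
One way to test a resolver for the level 5 behaviour above (an address returned where the standard “no such domain” response belongs). This is an added example, not code from Sonic.net or the original post; the function names, the random `.com` probe names and the 192.0.2.x sample addresses are assumptions made for illustration.

```python
import secrets
import socket
import struct
import sys

RCODE_NOERROR, RCODE_NXDOMAIN = 0, 3
TYPE_A, CLASS_IN = 1, 1


def build_query(name, txid):
    """Encode a recursive A query for `name` in DNS wire format."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD=1, one question
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(lab)]) + lab.encode("ascii") for lab in labels) + b"\x00"
    return header + qname + struct.pack("!HH", TYPE_A, CLASS_IN)


def _skip_name(msg, off):
    """Return the offset just past a name (labels, optionally ending in a pointer)."""
    while msg[off] and msg[off] & 0xC0 != 0xC0:
        off += 1 + msg[off]
    return off + (2 if msg[off] else 1)


def parse_response(msg):
    """Return (txid, rcode, [IPv4 addresses of A records in the answer section])."""
    txid, flags, qdcount, ancount = struct.unpack("!HHHH", msg[:8])
    off = 12
    for _ in range(qdcount):
        off = _skip_name(msg, off) + 4  # skip QTYPE and QCLASS
    addrs = []
    for _ in range(ancount):
        off = _skip_name(msg, off)
        rtype, _cls, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == TYPE_A and rdlen == 4:
            addrs.append(socket.inet_ntoa(msg[off:off + 4]))
        off += rdlen
    return txid, flags & 0x000F, addrs


def classify(rcode, addrs):
    """Judge one answer to a query for a name that should not exist."""
    if rcode == RCODE_NXDOMAIN and not addrs:
        return "clean"         # the standard "no such domain" response
    if rcode == RCODE_NOERROR and addrs:
        return "rewritten"     # an address was returned for a nonexistent name
    return "inconclusive"      # SERVFAIL, REFUSED, empty NOERROR, ...


def verdict(outcomes):
    """Combine per-probe outcomes; one rewritten answer is enough to flag."""
    if "rewritten" in outcomes:
        return "hijacked"
    if outcomes and all(o == "clean" for o in outcomes):
        return "clean"
    return "inconclusive"


def probe(resolver_ip, count=3, timeout=3.0):
    """Query `resolver_ip` for random names; return (name, outcome, addrs) tuples."""
    results = []
    for _ in range(count):
        name = secrets.token_hex(12) + ".com"  # assumption: such a name is not registered
        txid = secrets.randbelow(1 << 16)
        try:
            with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
                sock.settimeout(timeout)
                sock.sendto(build_query(name, txid), (resolver_ip, 53))
                reply = sock.recvfrom(4096)[0]
            got_txid, rcode, addrs = parse_response(reply)
        except (OSError, struct.error, IndexError):  # timeout or malformed reply
            got_txid, rcode, addrs = None, None, []
        outcome = classify(rcode, addrs) if got_txid == txid else "inconclusive"
        results.append((name, outcome, addrs))
    return results


def sample_response(query, rcode, ips=()):
    """CONSTRUCTED data (not captured traffic): fake a resolver reply to `query`."""
    body = query[12:]  # echo the question section
    for ip in ips:
        # 0xC00C is a pointer to the question name; TTL 60, RDLENGTH 4
        body += b"\xc0\x0c" + struct.pack("!HHIH", TYPE_A, CLASS_IN, 60, 4) + socket.inet_aton(ip)
    return query[:2] + struct.pack("!HHHHH", 0x8180 | rcode, 1, len(ips), 0, 0) + body


if __name__ == "__main__":
    if len(sys.argv) > 1:  # live check: pass the resolver's IPv4 address
        results = probe(sys.argv[1])
    else:                  # offline demo on two constructed replies
        q = build_query("no-such-name-7f3a.com", 0x1234)
        replies = [sample_response(q, 3), sample_response(q, 0, ["192.0.2.10"])]
        parsed = [parse_response(r) for r in replies]
        results = [("no-such-name-7f3a.com", classify(rc, a), a) for _, rc, a in parsed]
    for name, outcome, addrs in results:
        print(name, outcome, *addrs)
    print("verdict:", verdict([r[1] for r in results]))
```

Run it against the resolver your ISP assigns and again against one outside the ISP; rewritten answers from both suggest the rewriting happens on the network path rather than in the resolver itself.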

  • ADub

    That last line is quite ominous, and I eagerly await the follow-up to this post!

  • Mike K

    Great summary, and three cheers to Dane and crew for not selling out!

  • graton

    What is the evil score for promising improved internet speeds for your customers, but after years of waiting, being told to seek service elsewhere because if sonic made the improvements they promised it would not be lucrative enough for them? I’m feeling like that’s a 9.

  • http://twitter.com/iansltx Ian Littman

    From a content provider perspective (ad-supported, not MPAA) #1 is definitely a no-no, but from a “how the heck are they able to do this without breaking TOS/laws” #3 and #2 are WAY up there. Even if the ad proxy creates an impression for the original ad when it’s swapped, it still means that the ad doesn’t get clicked, the advertiser doesn’t get the service that they paid for (the original one…couldn’t care less about the deal-with-the-devil replacements) and generally content producers are not happy campers.

    On #2, maybe you could argue that the ISP is driving traffic that normally wouldn’t reach a store’s website, but my bet is that the percentage of traffic that falls into this category is next to none. What the system does do is destroy the trust relationship between stores and affiliates because who knows, they might be pumping traffic instead of providing legitimate affiliate traffic.

    Bonus evil points to ISPs like Frontier who apparently were using Paxfire to swap regular search pages for “sponsored” versions in order to get a cut of everyone’s pay-per-click revenue, for no good reason (for sponsored search a search engine will split revenue with whoever put the search box on their site).

    The clickstream side of things, as a guy who likes relevant ads and who creates content, is more of a grey area. By that I mean that the service should be opt-in and should be offered as a way to decrease user internet bills…but whatever savings is offered should not be built into the advertised price for internet service, and possibly only offered once the customer has signed on just to make sure people aren’t being taken advantage of. Personally, I’d be fine with some automated bot taking my clickstream and using it to serve more relevant ads, assuming I got a $5-$10 per month credit on my Internet bill (enough to pay for a VPN for when I don’t want to be tracked) but many (most?) people will feel differently and as such should be opted out of such a potentially slimy system by default.

    My two cents.

  • http://twitter.com/iansltx Ian Littman

    Oh, and the way that Phorm does its thing is shaky enough that there’s no way I would deploy it on a network that I had any control over. #4 would have to be done some other way, if at all.

  • Joshua Dionne

    Wow, that’s awesome. I love the idea of Sonic.net, unfortunately, I am geographically in the wrong part of the world. I would gladly pay $70/month for fast, reliable, no-nonsense Internet connection from a smaller ISP ’round here.

    Problem is, all we really have is Comcast and Verizon. And to switch from either is a larger investment than I think we would ideally want to make, plus vendor lock-in and all that good stuff the incumbents are known for.

    Long story short; YOU NEED TO EXPAND TO THE EAST COAST! :-)

    Keep up the good work, will now be watching for your next post!

    -Josh

  • Anonymous

    How about THIS one?

    I visit YouTube. Instead of getting the content straight from YouTube, I can see by the status bar that I am not in fact getting my content from YouTube at all, but from Comcast’s cache.

    I would not mind that so much, but Comcast has their cache set up such that I cannot download and save videos from it, even if the video has a Creative Commons license!

    In other words, Comcast has been deliberately controlling my content and interfering with my actions on the Internet. Which is very clearly ILLEGAL.

    Has anybody else experienced this?

  • Anonymous

    NO ORGANIZATION need respond to a subpoena without a fight. There are a thousand ways that a public or private entity can get a subpoena issued for your private information. Basically, a party simply asks the court to issue one, and the court does. The receiver or other “affected parties” have every right to object to the subpoena and demand a hearing. For example, an ISP could insist on a suitable delay in order to inform the user of the subpoena and give the user the time and information necessary to fight the subpoena. If, after a hearing, the court finds the subpoena valid, it will issue a “court order,” that had better be followed, or the recipient can be charged with contempt of court.

    ISPs, banks, and other organizations regularly roll over when issued subpoenas, coughing up all the customer’s information without giving the customer the opportunity to respond and object. The underlying issue might be a nasty divorce, an evil contractor, a whiny neighbor, or a gov’t employee fishing for glory. Most large organizations have some small print in their terms of use or account contract that says that the customer gives up the right to question subpoenas and that the organization will obey subpoenas no matter who they are from without first warning the customer.

    I know personally of one organization that holds private customer data and simply ignores all subpoenas. They have received hundreds over the years, but not a single court order. So those lawyer types and account PR people who say they “have to” obey subpoenas are not telling the (whole) truth.

    Note that attorneys and medical providers have “special rules” protecting client information. Funny how that works, huh?

    For people who care about privacy, many of us would pay a bit extra for service from an organization that promises to put our interests first.

    Disclaimers:
    (1) IANAL, so by definition, “this is not legal advice.” Consult your attorney.
    (2) Some subpoenas require secrecy, and there are homeland defense subpoenas that are different, but these types are actually rare.

  • Hwertz

    How many points for Mediacom’s redirecting of *404s* to their junk site? That’s right, valid DNS, valid web site that responds, and Mediacom redirects you away from their site entirely to the same junk site they redirect to for NXDOMAIN. Because of this, I thought two sites were down entirely (well their DNS at any rate), when it turned out they had just reorganized, because the 404 was hijacked by Mediacom. As a bonus, the “opt out” page (which is at least the proper kind and not the broken kind that relies on cookies…) doesn’t work for exempting 404 hijacking! Oh, second bonus, they reportedly do both NXDOMAIN and 404 hijacking on *business* lines now too!

    It’s possible this 404 hijacking has been discontinued recently (within the last month) due to threat of lawsuit from site owners.

  • http://profiles.google.com/caesartjalbo Caesar Tjalbo

    This isn’t so bad in principle. ISP can cache, say, top 10 most popular vids when it knows that content will be requested a lot and distribute it over its own cdn in advance. Less burden on the network, faster viewing for you. It’s dubious when they do it for all the videos though.

    If you can watch a video, you’ve already downloaded it, regardless whether it comes from Youtube or Comcast. There’s a thing though: I used to just save a video from my /tmp directory (Linux). That’s gotten a bit harder since Flash unlinks the file immediately after it starts downloading. The data is still there but not as a file anymore.

  • http://justinfreid.com Justin Freid

    What method would you recommend for scoring your ISP’s level of evil?
    It’s sometimes hard to tell at what stage NXDOMAIN results are being hijacked.

  • Ican Hasfiber

    6: ISPs that would likely get your business but have no service in your area or anywhere you have ever lived. Evil Score: 0.3

  • Anonymous

    You completely missed the point. I don’t much care if they cache the video. But they won’t let me DOWNLOAD it, even though it is legal.

    If it were just straight YouTube, I could download the video. Therefore my ISP is INTERFERING with my internet access. That is not legal here.

  • Anon

    This is still happening where I am.  It is infuriating.

  • Anonymous

    I’d think that #’s 1, 2 and 3 would be actionable as tortious interference with contract or the like. Maybe not by the user, but by the advertisers or sites.

    Personally I’d rank #5 as more evil than just 2 points. Think about how improper NXDOMAIN handling affects devices (eg. routers) or software that isn’t a browser, doesn’t know cookies, and just uses HTTP for downloading updates. A standard Web page like the ISP will serve up if the target server’s gone away (which happens) will give things like that major heartburn. In the case of hardware it may even brick it.

  • Anon

    I think I might know another evil thing: I sometimes click on a google research result, and rather than taking me to the intended website, I find myself on the search result page of another search provider. Going back in the browser and clicking on the link (on the google search result page) again then brings me to the originally intended page…

  • Doug

    Don’t forget the evils of your DNS servers!  If you use Google’s DNS services every page and every activity is recorded.  I have a server setup with some undisclosed pages.  Well, after using Google’s DNS they added those pages to their search results and guess what was no longer unpublished!?!

    Google really is evil.

  • http://profiles.google.com/imroykun Ian Tester

    The DNS hijacking is much more insidious than you present – it’s a fairly low-level protocol and not everything making DNS requests is a web browser. So if you make a typo in an email address, that email will go to the ad server instead of immediately being bounced back by (your or) your ISP’s email server. It will probably be bounced anyway, but who knows what else they could do with it.

    And any other protocol/tool (IMAP/POP3, SSH, SVN/Git/Hg/etc) will give confusing “cannot connect” errors instead of the proper “hostname invalid” response.

    Hijacking DNS breaks the Internet. Simple as that.

  • Anonymous

    Well, at least it’s a fraction of a point!

    We are expanding availability of our Fusion service quickly. It’s been very popular.
    -Dane

  • Brad Paulsen

    There are several ways to avoid using your ISP’s DNS Server (for Windows and Linux/Unix users at least — probably Mac too. Unfortunately, the only Apple product I own is an iPad, but this feature is probably available as well for OSX since OSX is based on Unix).

    First, you can go to this Web site: http://winhelp2002.mvps.org/hosts.htm.  There you can download a well-maintained etc/hosts file.  This file acts as a “local” DNS server.  When you type in a domain name (e.g., http://www.example.com) into your browser (or click a link on a Web page), the TCP/IP software running on your machine will, FIRST, look in the local HOSTS file for a match on the domain name part of the URL.  If it finds one, it will use the IP address associated with that domain name. No external DNS server is ever contacted. 

    The winhelp2002’s HOSTS file is most useful for avoiding malware/tracking sites by directing any match on the domain name of every one of those sites known to the HOSTS file to 127.0.0.1, a/k/a the “bit bucket.” Indeed, you should be using it for that purpose alone. I do. But, it can also be modified to include the IP address/domain name pairing(s) of sites you regularly visit. This speeds up surfing because your TCP/IP stack won’t have to lookup the IP address using an external DNS server. NOTE: There is a slight performance penalty when you start up your browser for the first time after you make a change to your HOSTS file (especially one this size and at least with Firefox). This is probably because Firefox (3.5 and later) stores the HOSTS file internally as an SQLite table rather than a simple two dimensional text list (sorted by domain name). But, this is more than made up for in much faster access to the sites in your HOSTS file (no external DNS server lookup(s) are required, your request goes directly to the site’s server’s IP address).

    Of course, if you mistype the domain name and there is no mapping of that (misspelled) name to an IP address in your HOSTS file, TCP/IP will, then, consult the external DNS server you have entered in your TCP/IP configuration or your WiFi router configuration. But, you can map more than one domain name to the same IP address in HOSTS (~500 malware/tracker sites are all mapped to 127.0.0.1 in the HOSTS file from winhelp2002 mentioned above). So, if you commonly misspell a domain name the same way (e.g., “flatline.org” instead of “faultline.org”) you can enter that misspelling into your HOSTS file mapped to the correct IP address! It is really very easy to download and install the HOSTS file from winhelp2002, even if you’re not “technically inclined.” Excellent help is available from the winhelp2002 Web site.

    Another thing you can easily do is NOT USE the DNS server(s) your ISP provides.  Instead, join OpenDNS (it’s free) and use their DNS server(s).  These are 208.67.222.222 and 208.67.220.220. 

    You will need to figure out how to do this with the OS (and OS version) you are currently using. For Windows Vista, go to the Control Panel and select Network and Sharing Center. In the left-hand column of the window that opens, select the item entitled “Manage network connections.” When the next window opens, right-click on the icon entitled “Local Area Connection.” Select the appropriate TCP/IP stack from the dialog that appears in the popup dialog (there are two listed: TCP/IPv4 and TCP/IPv6). You probably want the first of those (TCP/IPv4). Select it with your mouse then click the “Properties” button at the bottom of the list. Yet another dialog pops up. It has two sections, you want the second one (at the bottom of the dialog). Select the radio button entitled “Use the following DNS server addresses” and, finally, cut and paste the two OpenDNS server addresses into the “primary” and “secondary” fields (in the order I gave them). Click “OK” until you’re back in the Control Panel. If you have a WiFi router, you’ll want to enter the DNS address(es) there instead/as well. This procedure is different for each router brand and model within a brand. So, sorry, but I can’t give you much help with that one (your router should have a help feature built in and you can use that to find out what you have to do to change the DNS server(s) your router uses).

    Hope this helps somebody!

  • Darron

    Uh, dude, DNS services don’t go up to the level of a web page. Your pages were probably logged by a browser plugin like a search bar.

  • Guest

    That’s a virus on your system.

  • Anonymous

    By viewing a video, you are downloading it. How else would the data get to you?

    Getting the video data into a video file is another matter, however.

  • http://profiles.google.com/caesartjalbo Caesar Tjalbo

    Can you describe how you used to ‘download’ the video and what happens now when you try to, what changed? Why is it Comcast that’s responsible for it? (Like I said, I can’t SAVE downloaded videos easily anymore and I’m definitely not on Comcast.)

    Firefox has a number of video downloader add-ons available, did you try some? Is your software (browser, add-ons, Flash) up-to-date?

  • NonnyTheMouse

    This gets interesting when we try and factor legal jurisdiction.

    In the UK there are specific laws which make it illegal to intercept communications between parties without a valid authorization to do so (RIPA – The Regulation of Investigatory Powers Act). The Act does not distinguish between telephone, radio or computer based communications.

    Therefore, in the eyes of the law, any ISP or internet intermediary that intercepts the web stream between a web site I happen to be surfing and my PC, whether that be to provide “Ad Sense” style activities or, as discussed, in-line advertisement replacements, is breaking the law.

    In the UK, Phorm tried to set up and operate, but they did so *after* the Labour Government rammed through the RIPA bill into law. Protests from citizens were sufficiently intense to prompt withdrawal of the Phorm proposal, especially when it became public just how cozy Phorm were getting with the UK’s Home Office Ministers.

    Here’s where this gets interesting.

    Suppose a US hosting company runs a web site which I browse to. Somewhere between the web server and my workstation, an ISP or network provider wants to intercept and replace advertisement space. If they do that whilst I, as a UK citizen, browse the site, they are breaking UK law. What remains is to determine whether I could implement an effective prosecution from the UK. Depending on how successful UK citizens were in that regard, those intending to intercept would have to develop some intelligence in the mechanisms used. Hopefully this would make the process so complicated that companies would back off.

    We have to put this into context.

    How would people feel about advertising companies volunteering to replace the postal services so that they could steam open your letter mail? Or telephone providers having the right to intercept your phone calls so that they could find out what you were discussing with friends so that they could send you advertising materials? Most people would be mortified.

    So why should we roll over and permit interception of web-based communications?

    Answer: we shouldn’t!

  • AnonAdmin

    What is the evil score for deceptively advertising services then delivering useless pro-forma facsimiles of the said services?  When my high quality local ISP was bought and destroyed by Earthlink, their “service” was advertised as including USENET.  Earthlink delivered intermittent 5~10 kbps access to a couple of hundred groups, with a post retention of less than 5 days:  Basically a server running on a discarded desktop machine in an office closet somewhere.

  • AnonAdmin

    Oops, missed one: Award 9 points for blocking all outbound customer traffic headed for port 25 at any IP address. The claim: This prevents botnets from broadcasting spam. The fact: This forces a significant proportion of illiterate users to send their e-mail through “web mail interfaces” provided by the ISP and including content analysis, user profiling, and banner ads “at no additional cost.”

  • Anonymous

    How do I defeat these evils?  Please tell us in your next post!

  • Gwtracy

    I’m experiencing ad swaps by Verizon on my Verizon iPhone when browsing over the Verizon wireless network. The swaps don’t seem to happen on WiFi. I’ve done a number of screen captures of various sites showing the ads that appear when I’m on WiFi (which are never for Verizon products) and the Verizon ads that get swapped in when I browse that same site on the Verizon wireless network. Is this not theft of revenue from the companies that legitimately paid for their ads to appear? The companies that are getting shafted should file a class action against Verizon. The whole thing is so seedy. Needless to say my next mobile will not be with Verizon.

  • Jippen Faddoul

    Really, Sonic? You say that it’s bad in section #5 to break RFCs… yet have you looked at your own email servers? When they get under load, they break RFCs for resolving MX records, causing issues for others on the internet who want to filter abusive traffic by sending it to a blackhole, and then you don’t even retry. If you want to not be evil, try not to be hypocritical!

  • http://insertrealname.myopenid.com/ Insert Real Name

    I tried OpenDNS a year or two ago, after setting up a user account on their system to be able to customize some aspects of how their service works.

    However, if I recall correctly, I couldn’t find a way to entirely switch off their own version of NXDOMAIN hijacking–mistyped domain names in my browser still called up a custom Google search page with the usual advertisements.

    Finally I switched to Google’s 8.8.8.8 and 8.8.4.4 public DNS servers–I believe Google makes some effort to refuse to resolve malware/spyware associated names and addresses.

  • Kelsey Cummings

    Dane didn’t say breaking a RFC was bad, he said that not returning an A record instead of NXDOMAIN was.  That said, I’m not clear what behavior you’re referring to.  Our mail servers (I assume you are talking about our outbound servers) retry as required and should be more or less in compliance with the RFC guidelines on timeouts.  If you’d like to talk about this more, please post to the forums at http://forums.sonic.net  where it will be easier to have a dialogue.

  • Randy

    Sorry, blocking outbound port 25 is a good thing.  Users should be sending email via port 587 through any mail server they have a relationship with (be that of their own ISP, their employer, a standalone email provider, etc.)

  • Randy

    Sadly, we switched from Sonic (who wholesaled AT&T DSL) to AT&T in order to get the much faster U-Verse speeds, and a /26 at very reasonable cost.  I hated to give up Sonic’s service.  I really appreciate an ISP who answers their phone with real people who have a clue and are happy to actually help you, instead of robots or humans who are forced to follow scripts (which always start “Reboot your PC.”)  If there was any way we could get faster speeds with Sonic at a reasonable cost, we’d do it.  In a heartbeat.  We even tried two DSL lines, but couldn’t get the traffic to be joined.  So, until Sonic expands to the outer reaches of California, we’re stuck with evil gateways, robots, and script-followers.

  • Anonymous

    Make that Bonus 5 points for ISPs that also block 587 or any of 22, 37, 53, 123, 143, 220, 389, 465,… citing dubious claims of network security.  I am particularly amused by claims that ports 80 and 81 are blocked because they’re being used for peer to peer software.  It’s getting to the point where I’m going to have to set up a VPN over port 80 just so I can get any work done!  

  • Randy

    Who blocks 587?  That seems more like incompetence than evil.

  • 15151

    Wrong.

  • The_steven

    How about dropping News Group access, without reducing prices?  Yeah, I call that evil.

  • http://socia.arkaic.com/b/kazriko Kazriko Redclaw

    I’ve found that my ISP is even more insidious about their non existing domain hijacking. I setup an IPv6 tunnel and setup my system to only talk to an IPv6 DNS server through that tunnel. Even with this setup, I was still getting redirects on non-existing pages on my ISP. They were not only hijacking DNS, but doing transparent proxying on HTTP to detect 404 pages and redirect them to ads and searches.

    It’s a lot harder to get around a transparent HTTP proxy.

  • http://jamy015.nl jamy015

    Providers seriously do this shit in the US? Here in the Netherlands, every single provider I know does this:

    – If you type in a website, you get that website. (You don’t see any flaky things going on in the URL bar, just the website you typed.)
    – If the website you wanted to visit doesn’t exist, you get a 404. No ads, just your regular browser 404.

  • http://socia.arkaic.com/b/kazriko Kazriko Redclaw

    Yeah, but it wasn’t always like that.

    My local provider used to be AT&T@Home. No such tricks. @Home folded, and they became AT&TBI, which was then purchased by Comcast. Comcast was the bunch that introduced the changes. After Comcast sold this area to another company, it became even worse because nobody was maintaining the proxy software and the opt out and other things stopped working.

  • Chuck

    DNS only sends the domain name; however a hijacked dns query can serve a webpage collecting far more information.

  • Anonymous

    Sounds like Windstream to me, especially the fiber optic taps. The local office is suspected of tapping local businesses in search of PINs and account numbers. Our hick-town racketeers are shirttail kin of a media family which has its own RICO defense lawyers.

  • http://www.domainnoob.com John Humphrey

    Open DNS is a for-profit company that hijacks your error traffic and redirects it to their ‘Open Guide’. You won’t see a 404. You can’t opt out. It’s their business model.

  • Sonic Blog

    ‘dig’ reports which DNS server answered a query

  • http://ehowportal.blogspot.com/ Mr.Bhavesh

    Thanks

  • Mcroft

    How would you rate the practice of inserting javascript popup ads immediately after the <body> tags in web pages, like a few Indian ISPs have recently started doing?

  • Yun

    Do you guys consider blocking p2p tracker server ip an evil thing? I recently cannot ping certain ips while I can at work.

  • Anonymous

    We don’t engage in any blocking.

    -Dane

  • Anonymous

    me too.

  • Yun

    Back to normal now. Seems like a glitch. Thanks for replying! ~!~

  • Anonymous

    Sure – whatever the issue was, it wouldn’t be us, we don’t block any traffic.

    -Dane
