How One Man Fought His ISP's Bad Behavior and Won

Posted by Soulskill
from the i-bet-he-had-lasers dept.
An anonymous reader writes "Eric Helgeson documents his experience with an unscrupulous ISP that was injecting affiliate IDs into the URLs for online retailers. 'It appears that the method they were using was to poison the A record of retailers and do a 301 redirect back to the www cname. This is due to the way apex, or 'naked' domain names work.' Upon contacting the ISP, they offered him access to two DNS servers that don't perform the injection, but they showed no indication that they would stop, or opt-out any other subscribers. (It was also the only wireless provider in his area, so he couldn't just switch to a competitor.) Helgeson then sent the data he gathered to the affiliate programs of major retailers on the assumption that they'd be upset by this as well. He was right, and they put a stop to it. He says, 'ISP's ask you to not do crummy things on their networks, so how about they don't do the same to their customers?'"
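The two symptoms the summary describes, a poisoned apex A record and a 301 that lands on the www host with an affiliate ID appended, are easy to check for once you have the raw answers in hand. The script below is an added example for this page (it is not Helgeson's tooling, nor anything from the article): it takes the A records returned by the ISP resolver and by a reference resolver, plus the Location header of the redirect from the apex, and labels the result. The hostnames, addresses and the list of affiliate parameter names are assumptions constructed for the demo.

```python
"""Offline check for the two symptoms the summary describes: an apex
(naked) domain whose A record differs between the ISP resolver and a
reference resolver, and a 301 from the apex that lands on the www host
with an affiliate parameter the client never sent.  All sample data in
the demo at the bottom is constructed for this example."""
from urllib.parse import urlsplit, parse_qsl

# Query-parameter names typical of retailer affiliate programs.  This set
# is an assumption for the example; the article does not list them.
AFFILIATE_PARAMS = {"tag", "ref", "affid", "aff_id", "linkcode", "camp", "creative"}


def _strip_www(host):
    return host[4:] if host.startswith("www.") else host


def apex_answers_differ(isp_answers, reference_answers):
    """True when the two resolvers share no A record for the apex.
    Caveat: CDN-fronted sites legitimately return different addresses per
    resolver, so this alone is a hint; the redirect check is the real tell."""
    return not (set(isp_answers) & set(reference_answers))


def analyze_redirect(requested_url, location):
    """Compare a redirect Location against the URL that was requested.

    An apex -> www hop is normal for naked domains; what is not normal is
    the redirect adding query parameters, least of all affiliate ones."""
    req, loc = urlsplit(requested_url), urlsplit(location)
    sent = dict(parse_qsl(req.query, keep_blank_values=True))
    got = dict(parse_qsl(loc.query, keep_blank_values=True))
    injected = {k: v for k, v in got.items() if k not in sent}
    affiliate = {k: v for k, v in injected.items() if k.lower() in AFFILIATE_PARAMS}
    return {
        "target_host": loc.hostname or "",
        "same_site": _strip_www(req.hostname or "") == _strip_www(loc.hostname or ""),
        "injected": injected,
        "affiliate_injected": affiliate,
    }


def verdict(isp_answers, reference_answers, requested_url, location):
    """One label per apex domain, worst finding first."""
    r = analyze_redirect(requested_url, location)
    if r["affiliate_injected"]:
        return "affiliate injection"
    if not r["same_site"]:
        return "redirect off-site"
    if apex_answers_differ(isp_answers, reference_answers):
        return "apex answer differs"
    return "clean"


if __name__ == "__main__":
    # Constructed sample: the ISP resolver hands the apex to a redirector
    # that bounces to www with an affiliate tag appended.
    print(verdict(["198.51.100.7"], ["203.0.113.10"],
                  "http://example-retailer.test/",
                  "http://www.example-retailer.test/?tag=isp-affiliate-20"))
    print(verdict(["203.0.113.10"], ["203.0.113.10"],
                  "http://example-retailer.test/",
                  "http://www.example-retailer.test/"))
```

In practice you would feed this from `dig +short example.com @<isp resolver>` versus `@8.8.8.8` and from `curl -sI http://example.com/` run over the ISP link, one apex per retailer. Treat a differing A record as a reason to look closer, not as proof: the added affiliate parameter on the redirect is what the affiliate programs acted on.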
  • Use public DNS (Score:5, Informative)

    by DigiShaman (671371) on Wednesday January 01, 2014 @12:21AM (#45834829) Homepage

    Google DNS is 8.8.8.8 and 8.8.4.4
    Open DNS is 208.67.222.222 and 208.67.220.220

    Norton Safe Connect (personal use, not for business) is 199.85.126.10 and 199.85.127.10. Supposed to protect against malware, phishing sites, and scams.
    https://dns.norton.com/dnsweb/homePage.do [norton.com]

    • Re: Use public DNS (Score:4, Informative)

      by corychristison (951993) on Wednesday January 01, 2014 @12:30AM (#45834865)

      Personally use 4.2.2.[1-6]
      I think they are provided by Level 3. Get great response time here in the Canadian Prairies.

      I've never trusted my ISP's DNS servers.

      • by Bert64 (520050)

        Even if you don't use your ISPs DNS servers, your requests are passing in the clear over their network so they could intercept or modify them should they so wish.

    • Those work a bit slower as they are not in your network.
      • Depends. For many small ISPs, they are closer in hop count in the network, but often hosted on slower hardware or the cache has expired due to TTL; in which case they look up to the root servers anyways. In the case of Comcast, they're moving away from local managed DNS servers to public ones for their subscribers. In their case, that would be 75.75.75.75 and 75.75.76.76. In short, the turn around in packet responsiveness may be slower to Googles DNS servers by 20 to 30ms, but the CPU response on the backen

      • by adolf (21054)

        Those work a bit slower as they are not in your network.

        Not necessarily.

        Google's DNS, along with some/all of the L3 servers use Anycast [wikipedia.org] to automagically find the closest one (of many), network-wise.

        And in any event, they work faster than my own ISP's nameservers.

    • by bloodhawk (813939)
      seriously you are suggesting someone concerned about abuse of information use a google DNS Server?
    • Re: (Score:2, Informative)

      by Anonymous Coward

      Other dns servers as well.

      Cisco
      128.107.241.185
      192.135.250.69

      Verizon (Level3) Nameservers
      4.2.2.1
      4.2.2.2
      4.2.2.3
      4.2.2.4
      4.2.2.5
      4.2.2.6

      SpeakEasy Nameservers
      66.93.87.2
      216.231.41.2
      216.254.95.2
      64.81.45.2
      64.81.111.2
      64.81.127.2
      64.81.79.2
      64.81.159.2
      66.92.64.2
      66.92.224.2
      66.92.159.2
      64.81.79.2
      64.81.159.2
      64.81.127.2
      64.81.45.2
      216.27.175.2
      66.92.159.2
      66.93.87.2

      ORSC Public Access DNS Nameservers
      199.166.24.253
      199.166.27.253
      199.166.28.10
      199.166.29.3
      199.166.31.3
      195.117.6.25
      204.57.55.100

      Sprintlink General DNS
      204.117.214.10
      199.2.2

      • by AK Marc (707885)
        198.6.1.3

        NS1 for the former great UUNET. No idea who runs it now after the MCI buyout and possible transfers since, but it's never let me down.
    • by matria (157464)
      Well that was interesting. I don't know exactly what was going on, but when I changed my router's DNS from the default (ISP-provided) to one of these, there was a startling improvement in initial page load speeds for several sites that I checked.
    • Re: (Score:3, Interesting)

      by Pichu0102 (916292)

      Downside of using shared DNS servers is that some servers, like those for Sony's PSN, try to get you to download from servers based on your DNS server.

      Why? I have no clue. However, it kills your connection speed until you reset it to your local ISP's DNS servers. Be wary.

    • Re:Use public DNS (Score:4, Interesting)

      by Centurix (249778) on Wednesday January 01, 2014 @02:56AM (#45835275) Homepage

      Nope, even using Google's DNS won't save you: ISP's hijack DNS that aren't theirs [hackercodex.com]

      For me I had to use DNSMASQ on my router and add: bogus-nxdomain=209.222.14.3 to stop Telstra from "helping" my DNS requests when using 8.8.8.8 and 8.8.4.4...

    • by karnal (22275)

      Looks like they have 3 different sets. https://dns.norton.com/dnsweb/huConfigureRouter.do [norton.com] -- link shows up after clicking on home user; configure router etc. the 3 sets differ in that they attempt to help with malware, malware+pornography, and malware+porn+non-family-friendly. .10, .20, .30 for the last octet, respectively.

    • by mysidia (191772)

      Google DNS is 8.8.8.8. and 8.8.4.4
      Open DNS is 208.67.222.222 and 208.67.220.220

      And when the ISP does this on their router facing you?

      ip nat outside source static udp 8.8.8.8 53 [ISP's DNS Server IP 1] 53
      ip nat outside source static udp 8.8.4.4 53 [ISP's DNS Server IP 2] 53
      ip nat outside source list 140 dnspool
      access-list 140 permit udp any any eq 53

      Or (rough Linux equivalent)

      iptables -t nat -A PREROUTING -p udp --dport 53 -d [ISP's DNS server IP 1] -j ACCEPT
      iptables -t nat
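Two things in this thread can be tested from the client side rather than argued about: Centurix's point that the ISP rewrites NXDOMAIN into a landing-page address even when you use 8.8.8.8, and mysidia's point that a NAT rule can silently redirect all port-53 traffic to the ISP's own resolver. The code below is an added example written for this page, not posted by either commenter and not from the article. It speaks DNS wire format with the standard library only, so it also shows what the "bogus-nxdomain" answer actually looks like on the wire. The landing-page address 209.222.14.3 is the one Centurix cites; the query name is random and constructed so that it must not exist. The live probe() needs network access and is not exercised by the offline demo.

```python
"""Stdlib-only DNS probe for the two interception tricks discussed above:
a transparent proxy that answers port-53 traffic no matter where it is
addressed, and a resolver that replaces NXDOMAIN with the address of a
search/landing page.  The demo at the bottom parses constructed replies;
probe() does the live query.  Written for this page, not from the article."""
import os
import socket
import struct

def _encode_name(name):
    return b"".join(bytes([len(l)]) + l.encode() for l in name.rstrip(".").split(".")) + b"\x00"

def build_query(name, qtype=1, qid=None):
    """Standard recursive query (RFC 1035), A record by default."""
    if qid is None:
        qid = int.from_bytes(os.urandom(2), "big")
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)   # RD=1
    return header + _encode_name(name) + struct.pack("!HH", qtype, 1)

def _read_name(data, off):
    """Decode a possibly compressed name; return (name, offset after it)."""
    labels, end, jumped = [], off, False
    while True:
        ln = data[off]
        if ln & 0xC0 == 0xC0:                       # compression pointer
            if not jumped:
                end = off + 2
            off, jumped = struct.unpack("!H", data[off:off + 2])[0] & 0x3FFF, True
            continue
        off += 1
        if ln == 0:
            if not jumped:
                end = off
            return ".".join(labels), end
        labels.append(data[off:off + ln].decode())
        off += ln

def parse_response(data):
    """Return (id, rcode, list of A addresses in the answer section)."""
    qid, flags, qd, an, _, _ = struct.unpack("!HHHHHH", data[:12])
    off = 12
    for _ in range(qd):
        _, off = _read_name(data, off)
        off += 4                                    # qtype + qclass
    addrs = []
    for _ in range(an):
        _, off = _read_name(data, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", data[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:
            addrs.append(socket.inet_ntoa(data[off:off + 4]))
        off += rdlen
    return qid, flags & 0x000F, addrs

def classify(rcode, addrs, landing_ips=frozenset()):
    """Label the reply to a query for a name that must not exist."""
    if rcode == 3 and not addrs:
        return "honest NXDOMAIN"
    if set(addrs) & set(landing_ips):
        return "NXDOMAIN rewritten to known landing page"
    if addrs:
        return "answer for a nonexistent name"
    return "rcode %d, no A records" % rcode

def probe(server, name, timeout=2.0):
    """Live UDP query.  Aim it at an address that is NOT a resolver (a
    web server, say): a reply at all means something on path owns port 53."""
    q = build_query(name)
    s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    s.settimeout(timeout)
    try:
        s.sendto(q, (server, 53))
        data, _ = s.recvfrom(4096)
    except socket.timeout:
        return None
    finally:
        s.close()
    qid, rcode, addrs = parse_response(data)
    return (rcode, addrs) if qid == struct.unpack("!H", q[:2])[0] else None

def build_response(qid, name, rcode, addrs, ttl=60):
    """Constructed reply for the offline demo (not captured traffic)."""
    out = struct.pack("!HHHHHH", qid, 0x8180 | rcode, 1, len(addrs), 0, 0)
    out += _encode_name(name) + struct.pack("!HH", 1, 1)
    for a in addrs:                                 # name via pointer to offset 12
        out += b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, ttl, 4) + socket.inet_aton(a)
    return out

if __name__ == "__main__":
    name = "zz9-" + os.urandom(4).hex() + ".example"   # random, must be NXDOMAIN
    landing = frozenset({"209.222.14.3"})            # Telstra landing IP from the thread
    for rc, ans in ((3, []), (0, ["209.222.14.3"])):
        _, rcode, addrs = parse_response(build_response(0x1234, name, rc, ans))
        print(classify(rcode, addrs, landing))
```

Used live, `probe("8.8.8.8", name)` returning an address for a random name is the Telstra behaviour Centurix worked around with dnsmasq; `probe(<any non-resolver IP>, name)` returning anything at all is the NAT redirect mysidia sketched, because a host that does not run a resolver cannot answer. Neither check helps against an ISP that passes your query through honestly and tampers only with specific names, which is why the redirect check on the apex itself is still needed.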

  • DNSSEC (Score:4, Insightful)

    by tepples (727027) on Wednesday January 01, 2014 @12:21AM (#45834831) Homepage Journal
    From the featured article: "There is currently no way to validate the DNS record you’re being served is what the person hosting the website intended." Apparently the author hasn't heard of DNSSEC.
    • Re:DNSSEC (Score:5, Funny)

      by SuricouRaven (1897204) on Wednesday January 01, 2014 @04:12AM (#45835479)

      It's scheduled for widespread deployment some time between the domestic service rollout of IPv6 and the year of linux on the desktop.

    • by fredan (54788)
      please do tell us where the weakest link in DNSSEC is?
  • Not wireless (Score:5, Informative)

    by Anonymous Coward on Wednesday January 01, 2014 @12:33AM (#45834881)

    (It was also the only wireless provider in his area, so he couldn't just switch to a competitor.)

    No, the blog says:

    You may be asking why don’t I switch ISPs? Well they are the only one besides a wireless provider in my area.

    Which means there are 2 ISPs. The one he's using is not wireless, and the other one is wireless.

    • OK, so it means it was less of a pain to fight his dirt bag ISP than to switch to the one that is inherently shitty.

      Yes, that's how shitty wireless ISPs are.

  • by jones_supa (887896) on Wednesday January 01, 2014 @12:44AM (#45834919)
    Name of the ISP please?
  • by Anonymous Coward on Wednesday January 01, 2014 @12:51AM (#45834953)

    Being from the part of Minnesota that Arvig is based in, I can tell ya, this behavior is very typical of them.

    When I had gotten set up upon moving into the area, the install tech bragged how all the homes (over 200 of them) on this part of town were all connected on 1 cable loop. It was a heads up from the tech that I should have paid attention to. I ended up cancelling my service early due to a consistent 1mb down every Friday and Saturday when I was paying for 10mb. Customer service actually said "we guarantee up to 10mb" "10mb is the maximum you will get"

    So many have switched over to 4g hotspots, they actually cut the offices hours here.

  • by kriston (7886) on Wednesday January 01, 2014 @12:57AM (#45834977) Homepage Journal

    Saw this in Reddit this morning but thanks for reposting it.

    Seriously, the drawback to using public DNS like OpenDNS and Google DNS is that they present a serious performance problem.

    Even though the physical DNS servers are "anycast" and geographically diverse, the IP addresses are still the same. Therefore, the large content delivery networks (CDNs) like Akamai and LimeLight still use the IP address of the DNS server to judge your location.

    Therefore, any service that uses a CDN (even Google's use them in spite of their own network) will really serve your content out of a data center that is not geographically or logically near your machine's location.

    The article (if you read it) mentions that his ISP, like most that have similar revenue-extracting services, really does offer alternative DNS servers that do not pack affiliate cookies. You should use those if you want to enjoy high-performance, edge-serve content via Akamai (AKAM) and LimeLight (LLNW).

    Otherwise, you'll all get your edge content served from some random data center in the central USA.

    • by jd2112 (1535857)

      Otherwise, you'll all get your edge content served from some random data center in the central USA.

      Unless you happen to be in central USA, in which case content will be served from a server somewhere near Timbuctu.

      • by Bert64 (520050)

        Or even from a local one which just happens to be heavily overloaded due to serving content to thousands of far away users.

    • by MarkRose (820682)

      In my experience, using public DNS has solved far more problems. Quite often ISP DNS servers are slower to respond, do nasty things like wildcard unresolvable addresses to some dumb search page, and, as you mention, cause CDN requests to be directed to overloaded and bandwidth starved edge servers (and the YouTube CDN in particular when the ISP has its own video service...).

    • by drmofe (523606) on Wednesday January 01, 2014 @01:54AM (#45835133)
      I commented on the reddit thread in the same vein as you and got downvoted. So I did some research. Several contributors to that thread suggest that Google DNS has solved the CDN problem by adding an original IP field that the CDN can use to geolocate the subscriber. This is due to Google implementing edns-client-subnet EDNS0 extensions as of late-2011.
      • by kriston (7886)

        Yes, that is, if the CDN has also implemented EDNS0 extensions, which some have not.

        Thanks for the info!

    • by kriston (7886)

      For public wireless networks, there is a popular solution to extract revenue, aptly named the Revenue eXtraction Gateway, or rXg, by http://www.rgnets.com/ [rgnets.com]. It explicitly and effectively works by filtering content and inserting advertisements along with the usual wireless gateway tricks.

      This is an honest revenue extraction service and, while it can be done at the ISP level, it does not pack affiliate cookies. It's probably one of the more legitimate ones available. It does require a significant back-end

    • by kasperd (592156) on Wednesday January 01, 2014 @12:02PM (#45837171) Homepage Journal

      Even though the physical DNS servers are "anycast" and geographically diverse, the IP addresses are still the same. Therefore, the large content delivery networks (CDNs) like Akamai and LimeLight still use the IP address of the DNS server to judge your location.

      Let's get this misunderstanding sorted out. Because that sentence is indeed describing a non-existent problem. In reality anycast DNS is not part of the problem, it is part of the solution.

      Anycast DNS works by having a large number of resolvers spread throughout the world with the same IP address on each of them. A request from a client to this IP will reach the closest of those resolvers. What happens next is that the resolver will query authoritative servers (unless it already has a cached result). If the request from the resolver to the authoritative server was sent using the anycast IP as source IP, it would not work. The reason it would not work is that the reply from the authoritative server would be sent to the closest resolver, which is not necessarily the same as the one which is closest to the client. You'd have most replies end up at the wrong resolver, which would simply discard it, as it would look like a failed poisoning attempt.

      In order to solve that problem you have to give each of those resolvers two IP addresses. It will have the anycast IP address (which is the same on all servers in the pool) and a unicast IP address, which is different on each of those resolvers. The client will still use the anycast IP in order to send a query to the resolver, but the resolver will then use its unicast IP when sending the request to the authoritative server. That way the reply from the authoritative server will make it back to the correct resolver.

      Incidentally this also solves the geolocation problem mentioned. The authoritative servers will indeed see different IP addresses depending on which resolver in the pool the request came through. The content providers just have to figure out the geographic location of each of those resolvers, which is mostly the same they have to do for the resolvers for any ISP. Additionally providers of resolvers such as Google do have an incentive to make this easy to figure out, since that will make their resolvers provide a faster overall experience.

      The above is of course slightly simplified, because any well operated resolver is dual stack. That means it need both IPv4 and IPv6 addresses. The anycast addresses can be separate pools such that each resolver has only one anycast address, which is either IPv4 or IPv6. Alternatively you can let one resolver be part of one IPv4 anycast pool and of one IPv6 anycast pool. However the unicast side of these resolvers need to be dual stack, so each resolver needs at least two unicast addresses, one IPv4 and one IPv6.

      You could even assign multiple unicast addresses to each resolver. The extra addresses could be used to provide additional protection against poisoning. An attack would then have to not only guess a request ID and port number, but also the IP address. Alas that is really not feasible with IPv4 due to shortage of addresses, but for IPv6 you could easily afford a /64 for each resolver.

      If you want to know the IPv6 unicast address of the resolver you are currently using, I have a special domain for that. If you look up the AAAA record for the domain mydnsv6.kasperd.net, it will actually respond with the IPv6 unicast address of the resolver you are using (or server error if the resolver has no IPv6 address). I could have made an identical service to find the IPv4 unicast address of the resolver, but I didn't have a spare IPv4 address to host the authoritative server on.

    • Except that is slightly wrong.

      Sure, they all share the same anycast IP address, but they also all need to be uniquely addressable too (at the very least for management purposes). Otherwise how does an anycast server perform any kind of look up to an external server and guarantee that it will get the response back?

      If an anycast DNS resolver sent out a request to resolve an IP from an authoritative server on the other side of the country and sourced it from its anycast address, how does that authoritative

  • VPN.

    Not much else you can do.

    • by rubycodez (864176)

      your vpn is going to have another end, which could have the same problems as your end

      • your vpn is going to have another end, which could have the same problems as your end

        Really depends on if and how your VPN handles DNS leakage. As always, caveat emptor. I picked mine on the basis that I had a choice of whether and how it was handled before I paid.

  • Illegal behavior (Score:5, Insightful)

    by WaffleMonster (969671) on Wednesday January 01, 2014 @01:22AM (#45835049)

    It would have been better to contact FBI and report this fraud. Whoever the hell runs fwdsnp.com needs to spend some time in jail.

    • Re: (Score:3, Informative)

      by eladts (1712916)

      It would have been better to contact FBI and report this fraud. Whoever the hell runs fwdsnp.com needs to spend some time in jail.

      This isn't just plain fraud, it's wire fraud [cornell.edu]. The penalty for it is up to 20 years in prison.

    • Re:Illegal behavior (Score:4, Informative)

      by Anonymous Coward on Wednesday January 01, 2014 @02:59AM (#45835285)

      I think you are confused.

      It was a CORPORATION that was scamming money out of affiliate links, so everything is A-OK!

      Of course, we punish the little people for exactly the same thing:

      http://www.justice.gov/usao/can/news/2012/2012_06_19_kennedy.sentenced.press.html

  • Do a search for "DNSjumper". It's a great little tool that lets one well...uh...jump around various DNS servers and arrange them in any order you want, ping them much easier and more often and makes it comfortable to change one or all if you feel your current list isn't to your liking. (I'm not sure of the author's or company's official website, so I don't want to push one source over another).

  • Is any of the P2P DNS solutions (and which one?) a viable alternative to the Google DNS or OpenDNS? Does anyone have experiences that they would like to share?
  • I'm in a worse situation - my apartment complex signed a deal with a certain niche ISP by the extremely vague name of "Telcom", to provide internet at a fixed rate (the base package is part of my rent, so I don't even know what they're charging). While we're officially allowed to buy our own if we so choose, a) I'd still be paying Telcom for their TV/Phone/Internet deal, and b) not a single other ISP is actually offering anything to this apartment. Every building bordering it, sure, but even in the months-l

  • Your ISP can still spoof the DNS responses. That's what hotels do.

    But assuming they don't, no reason not to just run your own caching DNS resolver on your local network. It's very easy to do and might even be faster than third parties like GOOG, OpenDNS or Nominum. Certainly faster for people who determine your location via DNS resolver address.

    (That Hiroku article is bizarre. Tip: "root domain" means something different. You can put a CNAME on any name. And why would one sort require hard coding yo

    I don't know what the exact laws on net neutrality are where this happened. However, if an ISP were to do this in the Netherlands, they would get hit with fraud, net neutrality and "criminal organization" charges. You'd have to have some pretty good lawyers to be able to stay in business at all
  • Fraud (Score:5, Insightful)

    by anne on E. mouse cow (867445) on Wednesday January 01, 2014 @07:33AM (#45835939) Journal

    To be clear, the ISP has committed a criminal act (fraud), it is obtaining financial gain by deception - the concealment of the fact that no person willingly used an affiliate link.

    I think that if they weren't prosecuted then they committed a crime and got away with it. The victims being the retailers and any legitimate affiliates who lost out (if that is the case).
