More Trouble With Ads on ISPs' Error Pages

Last week, Security Fix examined new research suggesting that some major Internet service providers are exposing their customers to security flaws when they redirect wayward Web surfers to ad-filled pages. I'm revisiting this controversial practice because another major provider of these services (for one of the nation's largest ISPs) was found to be similarly vulnerable.

As noted here last week, Earthlink and a few other ISPs are using a service from a U.K. company called BareFruit, which helps ISPs redirect users to ad-filled pages when they either request a Web site that does not exist or mistype a real domain, e.g., (notice the missing "w"). Researcher Dan Kaminsky found that BareFruit's servers contained a security flaw that would have made it easy for hackers and scammers to trick the ISP's customers into visiting phishing sites or downloading malicious software.

Kaminsky presented evidence that Verizon was among the companies quietly using BareFruit services, but that turned out not to be true. In fact, Verizon is using the DNS redirection services of a company based in Sterling, Va., called Paxfire. Shortly after Kaminsky was informed of this, he found that Paxfire's service was similarly vulnerable to attacks that could be used against Verizon's customers.

Paxfire's CEO Mark Lewyn declined to comment on the record for this story. Kaminsky said Paxfire corrected the security vulnerability not long after hearing from him about it.

But the vulnerabilities Kaminsky found in both Paxfire and BareFruit -- known as cross-site scripting flaws -- are among the most common flaws in software of all kinds. And experts say customers will continue to be at risk from other such flaws when ISPs outsource this portion of their network to third parties.

"These ISPs are treating something that used to be someone else's property or common property held in trust by the community and they are corporatizing it," said Paul Vixie, president of the Internet Software Consortium, which publishes BIND, the software that powers 90 percent of the world's domain name system (DNS) servers (DNS is what translates Web site names like into numeric Internet addresses).

Vixie said that roughly six weeks ago Paxfire's Lewyn approached him with a revenue-sharing proposal to bundle Paxfire's technology into BIND.

"He told me because of the size of the eyeball footprint we'd have together that I'd be getting such a sizeable [amount of revenue] to fund my entire operation at ISC, and all I'd have to do is ship binaries that has his code in it," Vixie told Security Fix.

Vixie said he politely declined, but was privately stunned at the audacity of the request. Lewyn declined to comment about Vixie's statement.

Hijacking errant DNS requests -- particularly those in which a Web browser user asks to see a non-existent page on a legitimate, active domain -- "hurts trademark owners, and consumers, and must not be done," Vixie said. "I think something is going to have to be done to stop this, but it will be done by rules and laws, by various industries getting together to say if you do this the [Federal Trade Commission] or someone else can come along and say this is fraud. I don't think this is going to be solved by the business community."

Kaminsky casts all of this activity as the latest battlefront in the policy debate over "net neutrality," a concept that in policy terms has come to mean enforcement of open access online, so that cable and telecom operators cannot block or delay content that travels over their networks. At the center of this battleground are efforts by major ISPs to make it harder for customers to use services that can suck up huge amounts of Internet bandwidth, such as peer-to-peer (P2P) file-sharing networks like BitTorrent and Limewire.

Interestingly, I learned Monday that RoadRunner -- the high-speed cable Internet company owned by media giant Time Warner -- also is serving up ad pages when customers request a non-existent domain, or a subdomain that does not exist, such as The company providing that service is Ontario-based Sandvine, an entity whose products also include a number of hardware devices designed to help ISPs monitor P2P activity and interfere with downloads from customers found to be exceeding a certain bandwidth threshold set by the ISP.

By Brian Krebs  |  April 30, 2008; 6:00 AM ET
Categories:  From the Bunker  

Comments

is not a mistyped domain. The domain is correctly correct. A better example would be where the domain portion,, is mistyped.

Posted by: dick | April 30, 2008 8:41 AM | Report abuse

If anybody approached me with a business proposal and used the term "eyeball footprint" I'd have to smack him into the next county.

Good for Vixie for standing up for what is right. I hope that most of the people in charge of fundamental software like BIND are like him, and not like the greedy admongers.

Posted by: LarryMac | April 30, 2008 9:32 AM | Report abuse

I use Road Runner and have not had this issue since I use the OpenDNS service that Brian has written about several times. I utilize the service for DNS filtering for my kids and it works quite well. OpenDNS does serve up pages for mistyped or blocked domains, but it is very obvious from the page that it is an OpenDNS page as it is a clearly branded search results page using that term.

Posted by: Ithaca, NY | April 30, 2008 9:54 AM | Report abuse

dick, is exemplary of the mistyped domain name problem. Perhaps you think that "domain names" have only two levels. This is not correct, and it's important to understand that these services don't just muck with second-level domains; they will redirect any query with an NXDOMAIN response, not just those referring to second-level domains.

This behaviour is a clear violation of DNS semantics, as the nonexistence of a domain name is often meaningful. If I don't define a name for one of my domains, I mean that the domain does not exist. For ISPs to overload my namespace with bogus records infringes on my property rights. It's like someone planting billboards on any free spot in my yard.

This is another reason we need to push forward with DNSSEC, which provides authoritative, unforgeable responses, which ISPs won't be able to hijack.

Moderately skilled people can operate their own DNS caches in the meantime.

Posted by: antibozo | April 30, 2008 11:52 AM | Report abuse
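A check a practitioner can run against their own resolver to detect the NXDOMAIN redirection described in the article and in antibozo's comment, added here as an example (not code from the article, any commenter, Paxfire, BareFruit or Sandvine): send queries for several random labels under a domain you control and has no wildcard, then classify the raw responses. The function names, the sample names and the 203.0.113.10 address are constructed for illustration; sending the UDP queries themselves is assumed to happen elsewhere, and the parser is general enough to handle any A-record answer, not just the constructed ones.

```python
import struct
NXDOMAIN = 3  # RCODE a well-behaved resolver returns for a name that does not exist

def _skip_name(msg, off):
    """Return the offset just past a (possibly compressed) domain name."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:  # compression pointer: 2 bytes, ends the name
            return off + 2
        off += 1 + length

def parse_response(msg):
    """Return (rcode, [IPv4 strings from A records]) for a raw DNS response."""
    _, flags, qdcount, ancount, _, _ = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qdcount):  # skip the question section (name + type + class)
        off = _skip_name(msg, off) + 4
    addrs = []
    for _ in range(ancount):
        off = _skip_name(msg, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:  # A record
            addrs.append(".".join(str(b) for b in msg[off:off + 4]))
        off += rdlen
    return flags & 0x0F, addrs

def is_hijacking(responses):
    """Redirection signature across probes for random non-existent labels: no NXDOMAIN,
    every answer carries an A record, and all of them point at the same address."""
    parsed = [parse_response(r) for r in responses]
    if any(rcode == NXDOMAIN or not addrs for rcode, addrs in parsed):
        return False
    return len({tuple(addrs) for _, addrs in parsed}) == 1

def build_response(txid, qname, rcode, ip=None):
    """Constructed test message: one question, plus one A answer when ip is given."""
    name = b"".join(bytes([len(l)]) + l.encode() for l in qname.split(".")) + b"\x00"
    hdr = struct.pack("!HHHHHH", txid, 0x8180 | rcode, 1, 1 if ip else 0, 0, 0)
    msg = hdr + name + struct.pack("!HH", 1, 1)
    if ip:  # answer name is a pointer back to the question name at offset 12
        msg += b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4)
        msg += bytes(int(o) for o in ip.split("."))
    return msg

# Constructed samples: an honest resolver vs. one that redirects every miss to an ad host.
HONEST = [build_response(i, f"zq{i}xk.example.com", NXDOMAIN) for i in range(3)]
REDIRECTING = [build_response(i, f"zq{i}xk.example.com", 0, "203.0.113.10") for i in range(3)]
```

A domain with a genuine wildcard record produces the same signature, so probe under a zone you know has none, or compare the resolver's answer with the authoritative server's.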

Can I have a 404 please? Please.

Posted by: jason | May 1, 2008 5:14 AM | Report abuse

I BELIEVE if you use OpenDNS, they serve up an in house error page. Not quite a 404, but not a page filled with ads either.

I'm not at home, so I can't test my memory.

Can anyone validate?

Posted by: reswob | May 1, 2008 11:14 AM | Report abuse

As long as there is an opt-out which TWC has, why care? Finding what you want with an error to search redirection instead of a 404 saves time and effort; it's a value add service as proven by those using OpenDNS; you people just hate your ISP.

Posted by: Tom | May 1, 2008 7:42 PM | Report abuse

Reswob- yes, that is correct. But that is a service you sign up for, not something your ISP signs you up for.

Posted by: Bk | May 1, 2008 9:08 PM | Report abuse

There's nothing wrong with monetizing unused resources. That is the heart of efficiency, at the end of the day.

There is everything wrong, however, with monetizing other people's property.

Look, if I want to put an ad on, it's my site and I can go ahead and do that. If I don't want to, it's not someone else's place to counterfeit DNS records that appear to come from me, so that their ads go forth. Brand identity matters. You can't even publish an ad with an incorrect Pantone(TM) color without incurring fairly serious wrath -- this goes rather beyond that.

Look. Degrading the fidelity of other people's brands should not be referred to as "corporatizing" anything. If anything, this is decorporatization: An integral element of the incorporated unit is getting someone else's content forcibly attached. It's small, today: just goes to a silent, previously buggy redirector. But asserting the right to do this, asserting that you as the ISP can change whatever you damn well please, is a statement that you don't really control how other people host your brand out there in the last mile.

I would argue that sharply diminishes the business value of the last mile. From a public policy perspective, we need to do something about that.

Posted by: Dan Kaminsky | May 3, 2008 1:51 PM | Report abuse

So Dan, where do you stand on DNSSEC?

Another point to note: this practice creates inconsistent semantics for users on differing ISPs.

Posted by: antibozo | May 4, 2008 10:51 PM | Report abuse

© 2010 The Washington Post Company