
TheHox

join:2012-05-31
reply to prairiesky

Re: [Bus. Ops] Are you an Wireless ISP looking for more revenue?

Just DNS poisoning

I tested it out, looks like it uses forward.rewardfinds.com, which then uses some affiliate code.

»news.ycombinator.com/item?id=1970802


bburley

join:2010-04-30
Cold Lake, AB

I doubt that it is dns poisoning.

One of the traditional ways for advertisers to track users is spyware. With this method they can track your IP address along with every website you have visited without installing anything on your PC.

They might be able to use a simple cookie to get around NAT issues.

They will probably sell targeted advertising which earns more than random ad delivery.



TomS_
Git-r-done
Premium,MVM
join:2002-07-19
London, UK
kudos:5

3 edits

said by bburley:

I doubt that it is dns poisoning.

Maybe not now, but it opens up the possibility for it to happen.

I've done a couple of "digs" through these two DNS servers, and they appear to be handing back legit records for some domains, e.g.

$ dig @50.57.99.138 www.google.com
 
...
;; ANSWER SECTION:
www.google.com.         211     IN      A       173.194.73.106
www.google.com.         211     IN      A       173.194.73.147
www.google.com.         211     IN      A       173.194.73.99
www.google.com.         211     IN      A       173.194.73.103
www.google.com.         211     IN      A       173.194.73.104
www.google.com.         211     IN      A       173.194.73.105
 

and

$ dig @50.57.99.138 www.microsoft.com
 
...
;; ANSWER SECTION:
www.microsoft.com.      704     IN      CNAME   toggle.www.ms.akadns.net.
toggle.www.ms.akadns.net. 31    IN      CNAME   g.www.ms.akadns.net.
g.www.ms.akadns.net.    31      IN      CNAME   lb1.www.ms.akadns.net.
lb1.www.ms.akadns.net.  124     IN      A       65.55.57.27
 

But if you dig at retailers, you get some different results:

$ dig @50.57.100.29 www.amazon.com
 
...
;; ANSWER SECTION:
www.amazon.com.         10800   IN      A       50.56.52.52
 

Versus my own resolver:

$ dig www.amazon.com
 
...
;; ANSWER SECTION:
www.amazon.com.         60      IN      A       176.32.98.166
 

Traceroute to 50.56.52.52 goes to Rackspace, while 176.32.98.166, which belongs to Amazon, naturally goes to their network.

Telnet to 50.56.52.52 and ask it for www.amazon.com and it gives you a redirect:

$ telnet 50.56.52.52 80
Trying 50.56.52.52...
Connected to 50.56.52.52.
Escape character is '^]'.
GET / HTTP/1.1
Host: www.amazon.com
 
HTTP/1.0 302 Moved Temporarily
Server: Apache
Cache-Control: no-cache, no-store
Date: Mon Jan  7 20:51:27 2013
Location: http://www.amazon.com/?mcenabled=1
Pragma: no-cache
Connection: Keep-Alive
Set-Cookie: m123gz23523bs=3; domain=www.amazon.com; path=/
Content-Length: 0
 

Ask it again for www.amazon.com with the path as /?mcenabled=1 and you get Amazon's webpage:

$ telnet 50.56.52.52 80
Trying 50.56.52.52...
Connected to 50.56.52.52.
Escape character is '^]'.
GET /?mcenabled=1 HTTP/1.1
Host: www.amazon.com
 
HTTP/1.1 200 OK
Date: Fri, 11 Jan 2013 20:42:33 GMT
...
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"
   "http://www.w3.org/TR/html4/loose.dtd">
<html>
 

Ask Amazon's own web server for www.amazon.com and it gives it straight up.

I'm guessing they are running some kind of proxy server that is looking at what URLs you are browsing to on a retailer's domains. Perhaps when you go through certain URLs to make purchases it is able to determine that you bought something, and associate some kind of credit with your account (based on you registering with them and letting them know your IP ranges.)

Pure speculation, but this has potential to be quite evil. MITM attacks with HTTPS capturing bank details??? With all of your DNS going through their servers, poisoning is not out of the question since you are relying on their security, whatever and however good it may be...

Also I don't like the way they are playing the whole "don't let others profit off your customers" line... What has a customer's retail habits got to do with the operation of your network? This is what the net neutrality debate is all about right? Network operators snooping in on customer activity and looking to profit from it.
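
Added example, not part of TomS_'s post: the manual dig comparison above, automated as a Python check that parses ANSWER SECTION lines from a suspect and a trusted resolver, follows CNAME chains, and reports names whose address sets share nothing. The function names and the trusted www.google.com record are assumptions made for illustration.

```python
import re

# Sample input from the dig sessions in the post; the trusted www.google.com line is assumed.
SUSPECT = """\
www.google.com.         211     IN      A       173.194.73.106
www.microsoft.com.      704     IN      CNAME   toggle.www.ms.akadns.net.
toggle.www.ms.akadns.net. 31    IN      CNAME   g.www.ms.akadns.net.
g.www.ms.akadns.net.    31      IN      CNAME   lb1.www.ms.akadns.net.
lb1.www.ms.akadns.net.  124     IN      A       65.55.57.27
www.amazon.com.         10800   IN      A       50.56.52.52
"""
TRUSTED = """\
www.google.com.         211     IN      A       173.194.73.106
www.amazon.com.         60      IN      A       176.32.98.166
"""
RR = re.compile(r"^(\S+)\s+\d+\s+IN\s+(A|CNAME)\s+(\S+)$")


def parse_answers(text):
    """Map owner name -> [(type, rdata)] from dig ANSWER SECTION lines."""
    records = {}
    for line in text.splitlines():
        m = RR.match(line.strip())
        if m:
            owner, rtype, rdata = (g.lower().rstrip(".") for g in m.groups())
            records.setdefault(owner, []).append((rtype, rdata))
    return records


def addresses(records, name, depth=8):
    """Follow CNAMEs (bounded depth) and return the A addresses reached from name."""
    found = set()
    for rtype, rdata in records.get(name.lower().rstrip("."), []):
        if rtype == "a":
            found.add(rdata)
        elif depth:
            found |= addresses(records, rdata, depth - 1)
    return found


def divergent(suspect, trusted, names):
    """Names both resolvers answered, but with no address in common."""
    s, t = parse_answers(suspect), parse_answers(trusted)
    pairs = {n: (addresses(s, n), addresses(t, n)) for n in names}
    return {n: sorted(a) for n, (a, b) in pairs.items() if a and b and a.isdisjoint(b)}


if __name__ == "__main__":
    print(divergent(SUSPECT, TRUSTED, ["www.google.com", "www.amazon.com"]))
```

Disjoint answers are a lead rather than proof, since CDN-hosted names legitimately resolve differently per resolver; each flagged address still needs the ownership check (traceroute or whois) that the post performs by hand.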

BlueC

join:2009-11-26
Minneapolis, MN
kudos:1

said by TomS_:

Also I don't like the way they are playing the whole "don't let others profit off your customers" line... What has a customer's retail habits got to do with the operation of your network? This is what the net neutrality debate is all about right? Network operators snooping in on customer activity and looking to profit from it.

Well said!

It's my personal belief if you're going to leverage your customer's activity (e.g. viewing what they are doing) for profit, you have a responsibility to inform your customers of such. It might not be legally required, but it's the ethical thing to do.

I don't know of many consumers who would be comfortable with that type of business practice.

robbin
Premium,MVM
join:2000-09-21
Leander, TX
kudos:1

I totally agree. I would question the morality of using something like this as well as the legality. I would definitely consider it an intrusion into my customer's private affairs and not something I should be messing with as their "last mile" provider.