dslreports logo

story category
Windstream Gives (Sort Of) Explanation For Google Search Hijack
Though they still aren't giving any real technical explanation
by Karl Bode 03:24PM Friday Apr 09 2010
Earlier this week we noted that Windstream Communications DSL users were surprised to see that the carrier was suddenly hijacking search results from users' Firefox Google toolbar, and redirecting users to Windstream's own ad-laden search portal. After users in our forums complained and we ran our story, Windstream quickly responded -- fixing the problem the very next day. We asked Windstream for an explanation and while the company apologized to users, they still haven't really explained the technical specifics behind what caused the glitch. The company has stopped by our forums to issue this statement:
Windstream implemented a network change on Friday, April 2, that mistakenly re-directed Firefox browser users utilizing their default search boxes to a Windstream landing page. This was not Windstream's intention, and after customers made us aware, we fixed the matter on Monday.

Windstream does not:
* track or monitor any individual customer internet searches;
* impede a customer's ability to access or use any websites, search engines, or any other services or applications on the Internet.

We appreciate all the feedback and support from this forum, and we will continue to address and help resolve any issues with your Internet service.
The statement still doesn't really answer what happened specifically. It also really doesn't answer why this was happening to users who don't use Windstream DNS servers, which suggests that Windstream may have been tinkering with a new flavor of deep packet inspection that goes well beyond DNS redirection. More pointed questions from our users into what technology caused the hijack aren't being answered by Windstream representatives; representatives that are normally much more conversational.

topics flat nest 

Bill Dollar

New York, NY

Come clean Windstream

Accident or not, something out of the ordinary, likely involving deep packet inspection is going on here.

We need all ISPs to be transparent about their network management practices and about their use of DPI, especially when it comes to search data.

Tuscaloosa, AL

Re: Come clean Windstream

Indeed, and the people at Windstream need to come clean on this, or no one is ever going to trust them again.

Fess up guys. We all assume you're using DPI, and, unless you come clean and tell us the DPI box is sitting in the dumpster behind your building, we're going to assume you're still using it.



My cable provider Mediacom also can hijack search results even when using 3rd party DNS servers. It too requires an opt out. Don't know how they do it but would appreciate if someone would shed some light on how this is being done.
I speak for myself, not my employer.

Everybody Lies

Franklin, TN

Re: How?

said by Anonymous:

My cable provider Mediacom also can hijack search results even when using 3rd party DNS servers. It too requires an opt out. Don't know how they do it but would appreciate if someone would shed some light on how this is being done.
A captive portal that intercepts google and modifies your search string. Very easy to implement for an entire network with a single box inline.
Fight Insight Ready (Was NebuAD) and the like:
Click Here to pollute their data



More Information

Karl, thank you so much for exposing this on the front page. To those who asked how, please see »Our Response to Redirect Service Concerns where I went into some technical detail on how they're doing it.

I can elaborate more but this clearly isn't and cannot be DNS tampering without layer 7/DPI since a specific URL structure was targeted. For this to have been DNS (even though users not using Windstream's DNS servers were affected), all of 'www.google.com' would have been impacted and the scope of impact would be limited to users of Windstream's DNS unless they are using DPI to mangle DNS replies from non-Windstream DNS servers.

They are cherry picking, inspecting, transforming, and redirecting search terms based on layer 7 data (HTTP URI) to searchredirect.windstream.net. Take a peek at »searchredirect.windsteam.net. Does this look like a NXDOMAIN landing page? Nope, it's clearly a search engine.

Also note the wording of their explanation, the structure and format of the message, and the inclusion of the word 'individual'.

When they deploy this on a universal scale, targeting all Residential DSL customers as they did, are they still doing any type of "track or monitor any individual customer internet searches"? They're no longer focusing on a specific individual. See my point.

Their refusal to answer the basic questions I asked is the most telling. The biggest issue for me isn't so much that they're doing this, it's that their doing this without admitting it or updating their Privacy Policy to reflect these changes.

It's deceptive and I don't trust them. Not to mention it took them several days to come up with this paper-thin explanation behind their "bug". Note, I am a Windstream DSL customer.


Tomball, TX

Re: More Information

This goes part and parcel with the fact that ISP's do not believe that anyone other than an employee of an ISP can be a network professional.

They can not fathom that their customers could potentially be smarter than their own admins.

Hubris, it's whats for ISP breakfast.


Oops - Typo'd the search page in the URL, see »searchredirect.windstream.net I left out the 'r' in windstream.

Mods - if you can fix my original post many thanks.



OpenDNS needs to offer a new service...

ProxyVPN (by whatever name):

Is your ISP using DPI? We're here to help!


Buffalo, NY

Re: OpenDNS needs to offer a new service...

Im not a Windstream customer but I was still hoping by now they would have fessed up. If its a mistake then tell us. Prove it by explaining what happened. Were sensible people but we are also not bound by innocent until proven guilty unless we are in the courtroom participating in a trial. Outside of a trial we can deem you guilty until you prove your innocence. We can and do have this attitude because quite frankly big business no longer sees the average customer as a partner anymore. They treat us like fools and we are sick of it. Honestly is the best policy. It would be a shame to damage your companies reputation over a mistake. It would a shame for your customers to decide to set a precedent and make an example out of Windstream.



Re: OpenDNS needs to offer a new service...

I don't doubt that it could have been a mistake--at least, a mistake for it to have "just happened" when and the way it did; but the fact that it could happen at all suggests something undesirable (from a user/customer viewpoint) all on its own. As it looks now, one gets the impression that they were preparing something, and it got turned on prematurely, perhaps improperly... so now it looks like a "cat's out of the bag" situation... "Oopsy!" just don't cut it. And, as "undesirable" ISP activities go, I doubt they're alone.


cloud 9

Done on purpose, struck down by someone higher.

I suspect that this was done on purpose, but when it got media attention, someone higher up put the kibosh on it. They need to come clean! Admit that they made a mistake, and show us policy changes to earn back our trust.
"Quit being a bitch. You have to admit, that was pretty funny!"(Someone smarter than I)

Indian Orchard, MA

2 edits

Gag order

A friend of mine who works for this company has let me on "the know".

1.) WindStream is working on new ways to prevent and/or monitor piracy (BitTorrent).
2.) They are also working closely with "someone" for further security.

Employees have been given a Gag Order on the matter. I'm not an employee (don't care for IPS's who spy on their users either).

Jamaica, NY

Re: Gag order

NSA? Australia child porn filter? American family friendly filter (ALA Sky Angel, IED bodies on Fox News and WMD on Discovery Military is fine, but no Communism News Network or FX)?

Tuscaloosa, AL

1 edit
For a minute, I was scratching my head wondering what this incident had to do with stopping piracy, but now I get it. All the ISP has to do is capture the searches users perform at trackers, then they watch to see what files they grab using BitTorrent. Then, BAM!, the RIAA/MPAA not only has your search, but they also have the filename you were downloading, and the best part is--wait for it--they don't have to use a bot to connect to you to try and download anything. The DPI box already has your IP from when you ran the search on the monitored tracker. Hell, if they wanted to, they could have the DPI box redirect your browser straight to the infringement letter within a few seconds. "Congratulations John Smith of 1212 Elm St., Anytown, USA, you've been caught downloading copyrighted material, specifically, 30 Rock, Season 1. To avoid a lawsuit, please input your credit card information in the form below. Thank you."

And for those who couldn't care less about that because pirates are dirty, evil people, there are many other innovative ways that something like this can be used. Maybe someone wants to see who posts information to a site--WikiLeaks, for example. They can try to get the site's logs, but what if there are no logs, or what if the site is hosted overseas? No problem, this solution will get that info. In fact, it will do more than that. It could only pay attention to a single page on the site of interest, and it could do all sorts of other neat tricks, like, once someone visits that page, track the sites and pages they visit afterward. I'm not saying this is happening, but you have to realize that it could happen.

No wonder Windstream is being quiet.



Re: Gag order

I doubt it's anti-piracy, I think it's an extension of potential ROI based on data-mining.

I will say I'm all for copyright enforcement. If you don't like the current copyright law structure, change it, don't violate it. Remember, politicians should be a representation of their constituents. Willful disobedience only invokes enforcement.

Squid across tun0 is laughing. I think I can hear him, if you run 'tcpdump -s0 -A -nn src net 192.168 and tcp port 3128 > /dev/dsp'. Anyone speak raw malformed PCM?

He keeps real quiet when running 'tcpdump -i ppp0 -s0 -A -nn "tcp port 80 or port 53" > /dev/dsp'. I'm sorry Windstream.

Schenectady, NY


Whoa, I thought this was a very isolated incident or a problem with my computer when it started happening a few days ago, I didn't think much of it other than it was annoying.

Maybe it's finally time to ditch Windstream's 3/1 (that's as fast as I can get where I am) for a mid tier Comcast connection? I don't know who is the lesser of two evil's, but I know Windstream's upgrade offerings have been nonexistent.

This incident really grinds my gears.

Tuscaloosa, AL

Re: Yikes

If you do decide to leave, be sure to tell them why. The best way to stop behavior like this and discourage anyone else from trying it is to make it hurt them financially.

Augustus III
If Only Rome Could See Us Now....

Gainesville, GA


couple years ago when i moved my options changed to windstream or comcast.

windstream i couldnt even find their local office, their website wasnt of any use so i went with cc. i made the better choice by far.

all these fly by night little nasty isps need to be gone with already. haven't they been bleeding lies for far too long now?



Calm Down

Man, some people are getting really worked up about this. I don't think it is much more than a simple mistake. There isn't a vast conspiracy, it is just that you want there to be one. It has been fixed and there is no need to fool around with VPN or whatever. It will just slow down your connection anyway. Just my 2 cents.
Expand your moderator at work

Lexington, SC

not an isolated incident

has anyone experienced this more than just the one day? We switched to windstream at the beginning of the year and i have noticed this almost daily. I thought this was isolated to my laptop and desktop since i always am testing our plugins and stuff for Firefox and then usually doing the same on my desktop. I looked for what could be on mine that are not on others, ran all sorts of spyware and malware stuff. Never could fixed it, real frustrating. Then one of the employees had the screen on her computer that said that the url couldn't be found and yadda with the yahoo toolbar stuff. I asked if this had happened before and sure enough it happens a lot to her, she just never told me.
This whole thing is very annoying especially since when it's doing this i can't even go to google.com without being redirected to yahoo toolbar stuff. Now that i know that it's Windstream causing it, it really bugs me. anything i can do about it?