

I fought my ISP's bad behavior and won - helfire
http://erichelgeson.github.io/blog/2013/12/31/i-fought-my-isps-bad-behavior-and-won/

======
JoshTriplett
Very nicely done: reporting this as abuse to the companies offering these
affiliate programs seems quite appropriate, and it sounds like they reacted
appropriately. One person complaining to an ISP is noise; one person making an
abuse report is all it takes to get that ISP banned from the affiliate
program.

~~~
helfire
Thanks! I was in a state of hopelessness for a week or so till I had that
idea.

~~~
chris_wot
I was very impressed with your firm but polite tone! Well done.

~~~
cclogg
Totally agree lol. Reading his final email felt like I was watching Erin
Brockovich's ending again... f yeah! haha

------
afhof
Cox does something similar but bypasses the DNS records and just
slipstreams in a response. I noticed Cox would redirect javascript requests to
their own HTTP server and put in their own snippets, effectively doing mass
javascript injection.

The snippet ended up being some sort of alert about upcoming maintenance, but
using a malicious technique for a benign purpose is the path to the dark side.
Use HTTPS!

(I use 8.8.8.8, it didn't help)

~~~
RKearney
Comcast also injects JavaScript into HTML responses if they feel the need to
send you a message.

Here's the code they use:
[https://gist.github.com/ryankearney/4146814](https://gist.github.com/ryankearney/4146814)

And here's my (extremely short) writeup on it:
[http://blog.ryankearney.com/2013/01/comcast-caught-intercept...](http://blog.ryankearney.com/2013/01/comcast-caught-intercepting-and-altering-your-web-traffic/)

~~~
venomsnake
Isn't that CFAA abuse on their side?

------
sloop
If your ISP and/or Aspira were making any significant amount of affiliate
commissions, I would be surprised if the merchants do not take action against
them for fraud.

This sounds like the same behaviour that Shawn Hogan got in trouble for with
cookie stuffing
[http://en.wikipedia.org/wiki/Shawn_Hogan](http://en.wikipedia.org/wiki/Shawn_Hogan)

~~~
helfire
I chatted with a company that investigates affiliate fraud, they may have a
blog post up after the new year about this. Will submit it if/when they do.

------
gpcz
The cynical side of me says that the ISP is just going to redirect the
author's traffic to the "pure" DNS server in the future (even when he or she
directs traffic to the main one) unless they get in serious enough trouble
with one of the companies this first time.

If anyone wants to do this in the future, I'd recommend just sending affiliate
abuse emails with no notice to the ISP. Also, the future person may want to
revise the [2] script to scan in a more surreptitious manner (change the
order, add delays, simulate legit web traffic, etc).

------
zquestz
Eric, I am very sorry to see this happen to you. Unfortunately more and more
companies are using our data for marketing purposes.

All is not lost though.

There are several ways you can protect yourself from these practices. The
first thing I would do is get a router capable of using dnscrypt-proxy
([http://www.opendns.com/technol...](http://www.opendns.com/technol...)). Then
you can be confident that your DNS traffic is not being modified by your ISP.
It does require that you have trust in a 3rd party DNS provider like OpenDNS,
but at the end of the day you have to trust someone to provide DNS lookups.

The second option is to setup DNSSEC so that you can verify where your DNS
responses are coming from. While people will still be able to intercept what
sites you're looking up, at least you know you're getting valid responses
which is better than your situation is currently.

Third is to use both. =)

Anyhow, really awesome to see people standing against these practices. It
takes users complaining to make change. The sad truth of the matter.

~~~
jlgaddis
_> It does require that you have trust in a 3rd party DNS provider like
OpenDNS ..._

The same OpenDNS that hijacks NXDOMAIN responses?

~~~
webmonkeyuk
Only for the unregistered accounts IIRC. Can't you disable it after going
through the simple registration and claiming of IP address?

~~~
reginaldjcooper
So only if you help them associate all of your internet traffic with a
registration. Hm, sounds privacy-conscious.

------
jauer
As an ISP when we were considering using Aspira they claimed that no referral
tokens would be replaced and that the only behavior was injecting a popup
coupon window.

I decided not to proceed with it because it seemed like a support nightmare
and tampering with non-malicious subscriber traffic crosses a line.

Their marketing affiliates (such as Cash4Trafik) are always reaching out to
CEO types at small ISPs and the money they bring (particularly when you are
small) can be hard to pass up.

~~~
click170
May I ask which ISP you work for?

Knowing that you consider tampering with nonmalicious subscriber traffic to be
crossing a line is something I would pay a premium for.

~~~
jauer
Just a little Rural Wireless/Fiber+Metro Datacenter/whatever provider in
Southeastern Wisconsin. I try to keep my personal opinion at least one step
removed from their name just in case :-) My email is in my profile. If you
need a connection in that geographic area hit me up and I'll see what we can
do.

------
dmourati
Super shady stuff. I never rely on any ISP provided DNS servers. I'm glad you
talked to the etailers to let them know what was going on. These business
practices do introduce latency, regardless of what he told you. Not to
mention, they are highly unethical and dishonest.

~~~
kaffeinecoma

> Super shady stuff. I never rely on any ISP provided DNS servers

Doesn't that mean that you don't benefit from nearby CDNs? Perhaps worth the
tradeoff anyway.

~~~
jrockway
8.8.8.8 and 8.8.4.4 are anycast.

~~~
efdee
You don't trust your ISP, so you go for the one company whose entire profit
model is built around ads and profiling their users, and who is known to
cooperate (willingly and/or unwillingly) with the NSA in their logging
programs? I'm not sure that's the right response...

~~~
jrockway
If the NSA is your adversary, you should not be using DNS at all.

------
tdumitrescu
"I will continue to monitor periodically their DNS entries and compare them
with other public DNS servers."

This would make for a great watchdog site to provide visibility across
different ISPs (and could also discourage other ISPs from pulling this crap).

~~~
helfire
I think so too, though CDNs will mess with the results a bit. It would be
nice if DNS had a way to sign/validate/somehow know the record you got was
correct. Especially on the apex record as it can happen before ssl.
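
The resolver-comparison watchdog discussed above, as an added example that is not from the post or any commenter: a stdlib-only Python script that sends A queries straight to named resolvers (so an ISP resolver can be compared with the 8.8.8.8 and 8.8.4.4 mentioned in the thread) and flags a name only when the ISP's answer is disjoint from every public resolver's answer, which allows for the CDN variance helfire mentions. The sample response bytes are constructed, and the resolver addresses in the usage note are placeholders.

```python
import random, socket, struct

# Constructed sample: reply to "example.com A" carrying 192.0.2.10 (TEST-NET-1), txid 0x1234
SAMPLE_RESPONSE = (
    b"\x12\x34\x81\x80\x00\x01\x00\x01\x00\x00\x00\x00"  # header: 1 question, 1 answer
    b"\x07example\x03com\x00\x00\x01\x00\x01"             # question: example.com IN A
    b"\xc0\x0c\x00\x01\x00\x01\x00\x00\x00\x3c\x00\x04"   # answer: name ptr, A, IN, TTL 60, len 4
    b"\xc0\x00\x02\x0a"                                   # rdata: 192.0.2.10
)

def build_query(name):
    """Minimal RFC 1035 A query, recursion desired; returns (packet, txid)."""
    txid = random.randint(0, 0xFFFF)
    qname = b"".join(bytes([len(l)]) + l.encode() for l in name.rstrip(".").split("."))
    return struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0) + qname + b"\x00\x00\x01\x00\x01", txid

def parse_a_records(resp, txid):
    """Set of IPv4 addresses in the answer section; CNAME and other types are skipped."""
    if struct.unpack(">H", resp[:2])[0] != txid:
        raise ValueError("transaction id mismatch")
    qdcount, ancount = struct.unpack(">HH", resp[4:8])
    pos = 12
    for _ in range(qdcount):                        # skip the echoed question
        while resp[pos] != 0:
            pos += resp[pos] + 1
        pos += 5                                    # terminator + QTYPE + QCLASS
    found = set()
    for _ in range(ancount):
        while resp[pos] != 0 and resp[pos] < 0xC0:  # labels until terminator or pointer
            pos += resp[pos] + 1
        pos += 2 if resp[pos] >= 0xC0 else 1
        rtype, _, _, rdlen = struct.unpack(">HHIH", resp[pos:pos + 10])
        pos += 10
        if rtype == 1 and rdlen == 4:
            found.add(socket.inet_ntoa(resp[pos:pos + 4]))
        pos += rdlen
    return found

def query_a(name, resolver, timeout=3.0):
    """Ask one specific resolver directly over UDP/53 (needs network access)."""
    packet, txid = build_query(name)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(packet, (resolver, 53))
        return parse_a_records(sock.recvfrom(4096)[0], txid)

def looks_hijacked(isp_answers, public_answers):
    """True only if the ISP answer shares no address with ANY public resolver. CDNs hand out
    different addresses per vantage point, so a mismatch with one resolver alone is noise."""
    others = [a for a in public_answers.values() if a]
    return bool(isp_answers) and bool(others) and all(isp_answers.isdisjoint(a) for a in others)
```

Usage with a placeholder ISP resolver: `looks_hijacked(query_a("example.com", "192.0.2.53"), {r: query_a("example.com", r) for r in ("8.8.8.8", "8.8.4.4")})`; a flagged name is a lead to check against the domain's authoritative servers, not proof on its own.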

~~~
Procrastes
It's interesting no one brought up DNSSEC[1]. Has anything happened there
since 2010?

1. [http://en.wikipedia.org/wiki/Domain_Name_System_Security_Ext...](http://en.wikipedia.org/wiki/Domain_Name_System_Security_Extensions)

~~~
dingaling
DNSSEC is great in theory, but after three years I still haven't deployed a
live instance.

It is cumbersome to implement and maintain, requiring co-operation of
registrars and frequent key regeneration.

It is also very, very chatty and imposes a considerable processing burden on
the first-hop DNS resolver.

We need a signed DNS solution that isn't DNSSEC.

------
lambda

> This also shows a weakness in DNS. There is currently no way to validate the DNS record you're being served is what the person hosting the website intended.

That's what DNSSEC is for, but it hasn't become pervasive enough yet to be
able to depend on it.

~~~
IvyMike
Sadly DNSSEC kinda sucks. Here's some earlier discussion on HN, with a lot of
links. (Namedrop: tptacek is against DNSSEC and talks about it in the link.)

[https://news.ycombinator.com/item?id=5937004](https://news.ycombinator.com/item?id=5937004)

TLDR: DNSSEC is kinda complex and hacko, doesn't protect you as much as you
might think, and introduces a whole new PKI that you should probably trust
even less than the current ones. But read the links above for the real story.

I'm using DNSCrypt right now, which (correct me if I'm wrong) protects against
DNS interception by my ISP, and seems like a whole lot less trouble than
DNSSEC.

~~~
mike-cardwell
"protects against DNS interception by my ISP"

Your ISP can still see the IP address of every web server that you connect to,
and can still see the "Host" header that your browser sends in HTTP requests,
and also in HTTPS requests (due to SNI) if you're using a reasonably modern
OS/Browser combo.

All you've done is add an additional third party that can view and log what
you're doing.

~~~
ars_technician
>All you've done is add an additional third party that can view and log what
you're doing.

You forgot the part where it's protecting against trashy ISPs like the one in
this article.

~~~
mike-cardwell
I did not forget that. The privacy lost is worse than the supposed
"protection" gained by using DNSCrypt. "Trashy" ISPs can (and do) still
intercept and modify the HTTP traffic even if they can't intercept and modify
the DNS traffic.

------
gnu8
Is there a way we can choke companies like Aspira by making a concerted
distributed effort to disrupt the referral programs they exploit (either by
reporting them or by feeding them false referrals somehow)?

~~~
gregcohn
Agree with this sentiment, but I think the effort would be better spent taking
steps to switch to trusted DNS providers, as well as building layperson tools
to monitor them.

------
AlonsoGL
Here it goes: behind an ISP-wide cache. Any 'traceroute' passes by
transtelco.net (the ISP used to have their own infrastructure for VoIP services,
Megafon); now I have 5/6? DNS jumps and all my traffic going to Transtelco.

    
    
      traceroute to news.ycombinator.com (198.41.191.47), 30 hops max, 60 byte packets
      1  customer-GDL-**-***.megared.net.mx                 << 177.230.**.*** Dynamic IP, GDL is the city of the company
      2  10.0.28.62 (10.0.28.62)  8.939 ms  8.941 ms  8.935 ms
      3  10.2.28.195 (10.2.28.195)  8.912 ms  8.903 ms  8.891 ms
      4  pe-cob.megared.net.mx (189.199.117.***)  8.878 ms  8.866 ms  14.201 ms << COB is the user city
      5  10.3.0.29 (10.3.0.29)  23.494 ms  23.483 ms  23.408 ms
      6  10.3.0.13 (10.3.0.13)  22.842 ms  19.609 ms  19.596 ms
      7  10.3.0.10 (10.3.0.10)  19.560 ms  19.555 ms  19.536 ms
      8  201-174-24-233.transtelco.net (201.174.24.233)  19.527 ms  20.650 ms  19.468 ms
      9  201-174-254-105.transtelco.net (201.174.254.105)  34.239 ms  31.793 ms  31.268 ms
      10  fe3-5.br01.lax05.pccwbtn.net (63.218.73.25)  31.792 ms  31.736 ms  33.533 ms
      11  any2ix.coresite.com (206.223.143.150)  32.834 ms  33.221 ms  33.429 ms
      12  ae3-50g.cr1.lax1.us.nlayer.net (69.31.124.113)  41.288 ms  41.228 ms  41.231 ms
      13  ae2-50g.ar1.lax1.us.nlayer.net (69.31.127.142)  42.632 ms ae1-50g.ar1.lax1.us.nlayer.net (69.31.127.138)  35.192 ms 33.860 ms
      14  as13335.xe-11-0-6.ar1.lax1.us.nlayer.net (69.31.125.106)  35.143 ms  44.714 ms  44.666 ms
      15  198.41.191.47 (198.41.191.47)  37.638 ms  37.239 ms  36.997 ms
    

I don't know how normal or ethical this type of cache is. No download limits; I
have the 10mb and get 20mb (2000-2300kbps) downloads, while uploads are limited to
1mb.

~~~
emilv
As long as they don't tamper with the data I think an HTTP cache is perfectly
OK. HTTP has loads of built-in mechanisms for that kind of caching. It saves
bandwidth upstream, not least for website owners, and may make your web
browsing speed faster if the proxy is good.

Tampering with the data, however, is not OK at all. In the U.S. I believe it
may make the ISP exempt from for example the safe harbor clauses in the DMCA.

~~~
ceejayoz
Some of the big content providers like Netflix are even reportedly making
caching deals for their content. Both the content provider and the ISP get
better performance and less exterior bandwidth.

------
rcfox
On a slightly related note, in Chrome extensions, it's possible to redirect
DNS requests on a per-URL basis. This is how Media Hint works to allow non-US
Netflix users to access the US version of the site.

I'm surprised we haven't seen similar behaviour from Chrome extensions. I'm
sure it would be caught eventually, but this isn't exactly something that
people tend to look for, so it would take a while for people to catch it.

~~~
dangrossman
> I'm surprised we haven't seen similar behaviour from Chrome extensions

The "Window Resizer" Chrome extension got a silent update a few weeks ago. It
rewrote all the links on Google search result pages to point to a proxy that
added affiliate links where possible.

~~~
peregrine
Over the holiday I did the usual, fix/clean my grandmother's computer. She's been
using Chrome because I explained to her how much safer it is.

I did a Google search and realized something wasn't right. Uninstalled all the
crapware apps that wormed their way in. And then I looked at the Chrome
extensions and lo and behold there it was, more crapware.

I removed them and they re-added themselves. I had to run Spybot S&D to remove
it completely.

Moral of the story: chrome extensions are in some ways worse than toolbars.

------
neil_s
Interestingly, you might have benefitted more from keeping quiet about this.
While the original retailers are losing money through this, you aren't really
affected negatively by them doing it. In fact, with this additional revenue
source, they might be able to support thinner margins on their broadband
charges, saving you some money. You did the morally correct thing, but perhaps
at a potential personal cost.

~~~
goldenkey
The affiliates are getting hurt hugely though. Affiliate profits are supposed
to be for helping the purchase - through marketing efficiency. The ISP is
doing none of that, they are simply mafiosoing affiliate dollars through
hijack. Amazon would not like this, the ISP gives exactly 0% efficiency boost
to the e-commerce process, they're just a gypsie snake.

~~~
emilv
Why did you have to end an otherwise good answer with a racist slur?

~~~
goldenkey
Why have you failed to visit an abortion clinic yet? You're not fit for
children.

Gypsy: "An itinerant person or any person suspected of making a living from
dishonest practices or theft; a member of a nomadic people, not necessarily
Romani; a carny."

------
natch
I'd like to try out this curl command. I'm not using macports, though. Like
many people, I switched to brew some time ago. Is there a quick way to
see if my curl install is compiled with 'ares', whatever that is?

~~~
helfire
ports > brew!

But seriously I don't know how brew works, though looks like the code supports
the option:
[https://github.com/Homebrew/homebrew/blob/master/Library/For...](https://github.com/Homebrew/homebrew/blob/master/Library/Formula/curl.rb#L12)

------
_RPM
Gaming the system seems to be the secret to winning.

~~~
gesman
Gaming the system is as sustainable as winning at a casino.

It's fun while it lasts.

------
samweinberg
Anyone know if Time Warner Cable does this?

------
ozh
+1 to OP, and +2 to companies who responded positively (and -3 to ISP,
obviously)

------
GigabyteCoin
Congratulations. What they were doing was absolutely evil in my opinion.

------
philip1209
This is why you should encrypt your DNS.

~~~
helfire
Do you have a link to a usable encrypted DNS solution? I searched but didn't
find anything actively used, but a lot of proposals.

~~~
IvyMike
DNSCrypt
[http://www.opendns.com/technology/dnscrypt/](http://www.opendns.com/technology/dnscrypt/)

This works well for me. But I have found that this is the kind of thing where
an expert can pop in and say "have you considered risk X with solution Y?" and
leave me dumbfounded.

So use at your own risk.

~~~
phySi0
Better page: [http://dnscrypt.org](http://dnscrypt.org)

------
squintychino
VPN + HTTPS just for good measure

------
squintychino
VPN + HTTPS for good measure

