Anyone out there in Earthlink land? I am seeing what looks to be a cache poisoning attack on ns1.mindspring.com. Sporadic of course so it takes a few queries to replicate.

will$ dig www.google.com @207.69.188.185

; <<>> DiG 9.7.3 <<>> www.google.com @207.69.188.185
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 26196
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 2, ADDITIONAL: 0

;; QUESTION SECTION:
;www.google.com.            IN      A

;; ANSWER SECTION:
www.google.com.         60      IN      A       64.27.117.179
www.google.com.         60      IN      A       69.25.212.24

;; AUTHORITY SECTION:
www.google.com.         65535   IN      NS      WSC2.JOMAX.NET.
www.google.com.         65535   IN      NS      WSC1.JOMAX.NET.

;; Query time: 88 msec
;; SERVER: 207.69.188.185#53(207.69.188.185)
;; WHEN: Sat Sep 24 20:25:40 2011
;; MSG SIZE  rcvd: 120

- Will
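The response above has three properties a clean recursive answer for www.google.com would not: NS records owned by the queried hostname itself rather than by the parent zone, nameservers outside the domain operator's namespace, and a fixed 65535 TTL. The following is an added example, not code from anyone in this thread: a small parser for dig's text output plus a check that flags those properties. The sample input is a constructed copy of the record lines from the post, and the expected nameserver suffix (google.com.) is an assumed parameter.

```python
import re

# Constructed copy of the answer/authority lines from the dig output quoted in the post.
DIG_OUTPUT = """\
;; ANSWER SECTION:
www.google.com.         60      IN      A       64.27.117.179
www.google.com.         60      IN      A       69.25.212.24

;; AUTHORITY SECTION:
www.google.com.         65535   IN      NS      WSC2.JOMAX.NET.
www.google.com.         65535   IN      NS      WSC1.JOMAX.NET.
"""

SECTION_RE = re.compile(r"^;; (\w+) SECTION:$")
RR_RE = re.compile(r"^(\S+)\s+(\d+)\s+IN\s+(\S+)\s+(\S+)$")


def parse_dig(text):
    """Return {section: [(owner, ttl, rtype, rdata), ...]} from dig's text output."""
    sections, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        sec = SECTION_RE.match(line)
        if sec:
            current = sec.group(1).lower()
            sections[current] = []
            continue
        rr = RR_RE.match(line)
        if rr and current:  # skips the ';'-prefixed question line and dig's comments
            owner, ttl, rtype, rdata = rr.groups()
            sections[current].append((owner.lower(), int(ttl), rtype, rdata.lower()))
    return sections


def interception_indicators(sections, qname, legit_ns_suffix):
    """List the ways the authority section departs from what a clean answer looks like."""
    qname = qname.lower().rstrip(".") + "."
    findings = []
    for owner, ttl, rtype, rdata in sections.get("authority", []):
        if rtype != "NS":
            continue
        # A recursive resolver returns the parent zone's NS set (e.g. google.com. NS ...);
        # NS records owned by the leaf hostname being queried are not expected.
        if owner == qname:
            findings.append(f"authority NS owned by queried name {owner}")
        # The nameservers should sit under the domain operator's namespace (assumed suffix).
        if not rdata.endswith(legit_ns_suffix.lower()):
            findings.append(f"foreign nameserver {rdata}")
        # A fixed 65535 TTL on NS records is not a value a normal cached answer carries.
        if ttl == 65535:
            findings.append(f"TTL 65535 on {owner} NS {rdata}")
    return findings


if __name__ == "__main__":
    for f in interception_indicators(parse_dig(DIG_OUTPUT), "www.google.com", "google.com."):
        print(f)
```

Running the same check against a second resolver's answer for the same name gives a quick side-by-side that separates a single intercepting path from a genuinely poisoned cache.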
On Sat, Sep 24, 2011 at 7:43 PM, Will Dean <will@willscorner.net> wrote:

The "JOMAX.NET" response is indicative that there's a Paxfire box in the mix, intercepting the DNS query (probably installed by the ISP).
Anyone out there in Earthlink land? I am seeing what looks to be a cache poisoning attack on ns1.mindspring.com.
;; AUTHORITY SECTION:
www.google.com.         65535   IN      NS      WSC2.JOMAX.NET.
www.google.com.         65535   IN      NS      WSC1.JOMAX.NET.

--
-JH
On Sat, Sep 24, 2011 at 8:51 PM, Jimmy Hess <mysidia@gmail.com> wrote:
On Sat, Sep 24, 2011 at 7:43 PM, Will Dean <will@willscorner.net> wrote:
The "JOMAX.NET" response is indicative that there's a Paxfire box in the mix, intercepting the DNS query (probably installed by the ISP).
I think actually.. earthlink uses barefruit? (or they did when ... kaminsky was off doing his destruction of the dns liars gangs...) Maybe the same backend is used though for the advertiser side? (barefruit provides the appliance, some third-party is the advertiser/website-host... same for paxfire?)
Anyone out there in Earthlink land? I am seeing what looks to be a cache poisoning attack on ns1.mindspring.com.
;; AUTHORITY SECTION:
www.google.com.         65535   IN      NS      WSC2.JOMAX.NET.
www.google.com.         65535   IN      NS      WSC1.JOMAX.NET.

--
-JH
On Sep 24, 2011, at 9:07 PM, Christopher Morrow wrote:
On Sat, Sep 24, 2011 at 8:51 PM, Jimmy Hess <mysidia@gmail.com> wrote:

I think actually.. earthlink uses barefruit? (or they did when ... kaminsky was off doing his destruction of the dns liars gangs...) Maybe the same backend is used though for the advertiser side? (barefruit provides the appliance, some third-party is the advertiser/website-host... same for paxfire?)

Barefruit was just for returning a search engine result for a NXDOMAIN response. It appears Earthlink is now using Paxfire to sniff and proxy a user's traffic to at least one popular website. Besides the obvious privacy implications, it introduces a nice captcha on Google.

- Will
On Sat, Sep 24, 2011 at 9:21 PM, Will Dean <will@willscorner.net> wrote:
On Sep 24, 2011, at 9:07 PM, Christopher Morrow wrote:
On Sat, Sep 24, 2011 at 8:51 PM, Jimmy Hess <mysidia@gmail.com> wrote:

I think actually.. earthlink uses barefruit? (or they did when ... kaminsky was off doing his destruction of the dns liars gangs...) Maybe the same backend is used though for the advertiser side? (barefruit provides the appliance, some third-party is the advertiser/website-host... same for paxfire?)
Barefruit was just for returning a search engine result for a NXDOMAIN response.
ah, paxfire does the same...
It appears Earthlink is now using Paxfire to sniff and proxy a user's traffic to at least one popular website. Besides the obvious privacy implications, it introduces a nice captcha on Google.

hrm, they could simply use the appliances to answer: "www.google.com -> jomax.net-ns-answer" which is a frontend simply 30[24]'ing off to the jomax-esque site... Oh, you get the captcha though via earthlink? that sucks :(

-chris