Frontier Search Hijacking
From Payne.org Wiki
This note describes how Frontier Communications hijacked Google search queries.
NOTE: As of ~May, 2011, Frontier has (as best I can tell) stopped all hiijacking and proxying of Google search queries. Use this tool from Berkeley to audit your connection.
I noticed this behavior recently when visiting relatives in West Virginia. My Google searches for "amazon" (from the Safari search bar) were landing on Amazon's home page directly, NOT showing a Google search results page as I expected.
ISPs have redirected DNS queries for a while, but have mostly focused on typos and misspellings. I've never seen an example of an ISP actually hijacking a user's Google search, and inserting their own results, and that seems pretty egregious to me.
NOTE: I contacted Frontier Communications and I heard back immediately from Maggie Wilderotter, the CEO. She said that this had been done by one of their vendors, in violation of Frontier's business rules, and it's been shut down. In subsequent discussions with folks at Frontier, they seem to be still proxying Google queries (without hiijacking) by directing www.google.com to their own servers, but are re-evaluating this practice as well (as of April, 2011).
- My original blog post on this topic
- A related problem for Frontier subscribers in WA (by proxying, the ISP is concentrating the search traffic from a smaller number of IP addresses, making it more likely to trigger Google's rate-limiting checks)
Google Search Hijacking
Frontier's IP provisioning (over DSL) offered two DNS servers: 184.108.40.206 and 220.127.116.11.
Both were returning results for www.google.com that pointed to Fronter's servers, not Google. For example:
payne@house ~ $ dig @18.104.22.168 www.google.com ; <<>> DiG 9.7.1 <<>> @22.214.171.124 www.google.com ; (1 server found) ;; global options: +cmd ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 11830 ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 0 ;; QUESTION SECTION: ;www.google.com. IN A ;; ANSWER SECTION: www.google.com. 60 IN A 126.96.36.199 ;; AUTHORITY SECTION: www.google.com. 65535 IN NS WSC2.JOMAX.NET. www.google.com. 65535 IN NS WSC1.JOMAX.NET. ;; Query time: 31 msec ;; SERVER: 188.8.131.52#53(184.108.40.206) ;; WHEN: Wed Dec 29 22:47:54 2010 ;; MSG SIZE rcvd: 104
Note: I saw these results as well from queries outside Frontier's network. However, the hijacking as since been shut down (as of January 2). Fronter's servers now return correct results:
payne@house ~ $ dig @220.127.116.11 www.google.com ; <<>> DiG 9.7.1 <<>> @18.104.22.168 www.google.com ; (1 server found) ;; global options: +cmd ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 5013 ;; flags: qr rd ra; QUERY: 1, ANSWER: 5, AUTHORITY: 4, ADDITIONAL: 4 ;; QUESTION SECTION: ;www.google.com. IN A ;; ANSWER SECTION: www.google.com. 200744 IN CNAME www.l.google.com. www.l.google.com. 120 IN A 22.214.171.124 www.l.google.com. 120 IN A 126.96.36.199
... etc ...
So queries made to www.google.com are directed instead to Fronter's server at 188.8.131.52 (ple-wv01.roch.ny.frontiernet.net)
This server seems to mostly pass through queries to Google, but a few are intercepted and redirected to another of Frontier's servers. For example, a search for "amazon" is hijacked and redirected:
payne@house ~ $ wget --header="Host: www.google.com" 'http://184.108.40.206/search?client=safari&ie=UTF-8&q=amazon' --2011-01-02 10:35:08-- http://220.127.116.11/search?client=safari&ie=UTF-8&q=amazon Connecting to 18.104.22.168:80... connected. HTTP request sent, awaiting response... 302 Moved Temporarily Location: http://service1.searchguide.frontier.com/search?qkf=amazon&sid=001vB79EA5JmEEtSmS&rg=DOM2&ri=GT03&encu=U2FsdGVkX19XQ6tFCko0wcCBUjeT6S%2FURc%2B0rxZUXF5zHOCnemowRFCZczUon3NAM8v664%2BR4UY1%0AAQKUNVnyYOOwTC8ew4UtNj%2BJLrGm7wg%3D%0A
In turn, that query is redirected to Amazon's home page with Frontier's Amazon affiliate code inserted (frontiercomm-20):
HTTP request sent, awaiting response... 302 Document has moved Location: http://www.amazon.com/gp/redirect.html?ie=UTF8&location=http%3A%2F%2Fwww.amazon.com%2F&tag=frontiercomm-20&linkCode=ur2&camp=1789&creative=9325 [following] --2011-01-02 10:36:30-- http://www.amazon.com/gp/redirect.html?ie=UTF8&location=http%3A%2F%2Fwww.amazon.com%2F&tag=frontiercomm-20&linkCode=ur2&camp=1789&creative=9325 Resolving www.amazon.com... 22.214.171.124
The net result: a user Googling "amazon" would normally see a Google results page. Instead, Fronter subscribers (while this hijacking was in place) would instead get the Amazon home page, with Frontier's affiliate code inserted (presumably in an attempt to get commission payments from Amazon).
As of late April, 2011, Frontier is provisioning two DNS servers for West Virginia: 126.96.36.199 (in Rochester, NY) and 188.8.131.52 (in Dallas, PA). (Note: Frontier's "official" DNS servers are listed here).
All Frontier DNS severs appear to be pointing www.google.com to Frontier's own servers, but Frontier asserts they are merely proxying, not hijacking.
How to Prevent
One easy way to avoid ISP hijacking is to use public DNS servers, such as Google's. For more information, see Google Public DNS.
You would usually configure these in your router, or on each individual computer.