Earthlink Contact - DNS cache poisoning

william.dean · September 25, 2011, 12:43am

Anyone out there in Earthlink land? I am seeing what looks to be a cache poisoning attack on ns1.mindspring.com.

Sporadic of course so it takes a few queries to replicate.

will$ dig www.google.com @207.69.188.185

; <<>> DiG 9.7.3 <<>> www.google.com @207.69.188.185
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 26196
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 2, ADDITIONAL: 0

;; QUESTION SECTION:
;www.google.com. IN A

;; ANSWER SECTION:
www.google.com. 60 IN A 64.27.117.179
www.google.com. 60 IN A 69.25.212.24

;; AUTHORITY SECTION:
www.google.com. 65535 IN NS WSC2.JOMAX.NET.
www.google.com. 65535 IN NS WSC1.JOMAX.NET.

;; Query time: 88 msec
;; SERVER: 207.69.188.185#53(207.69.188.185)
;; WHEN: Sat Sep 24 20:25:40 2011
;; MSG SIZE rcvd: 120

- Will

James_Hess · September 25, 2011, 12:51am

The "JOMAX.NET" response is indicative that there's a Paxfire box
in the mix,
intercepting the DNS query (probably installed by the ISP).

Christopher_Morrow · September 25, 2011, 1:07am

The "JOMAX.NET" response is indicative that there's a Paxfire box
in the mix,
intercepting the DNS query (probably installed by the ISP).

I think actually.. earthlink uses barefruit? (or they did when ...
kaminsky was off doing his destruction of the dns liars gangs...)
Maybe the same backend is used though for the advertizer side?
(barefruit provides the appliance, some third-party is the
advertiser/website-host... same for paxfire?)

william.dean · September 25, 2011, 1:21am

Barefruit was just for returning a search engine result for a NXDOMAIN response.

It appears Earthlink is now using Paxfire to sniff and proxy a users traffic to at least one popular website. Besides the obvious privacy implications, it introduces a nice captcha on Google.

- Will

Christopher_Morrow · September 25, 2011, 1:35am

I think actually.. earthlink uses barefruit? (or they did when ...
kaminsky was off doing his destruction of the dns liars gangs...)
Maybe the same backend is used though for the advertizer side?
(barefruit provides the appliance, some third-party is the
advertiser/website-host... same for paxfire?)

Barefruit was just for returning a search engine result for a NXDOMAIN response.

ah, paxfire does the same...

It appears Earthlink is now using Paxfire to sniff and proxy a users traffic to at least one popular website. Besides the obvious privacy implications, it introduces a nice captcha on Google.

hrm, they could simply use the appliances to answer: "www.google.com
-> jomax.net-ns-answer" which is a frontend simply 30[24]'ing off to
the jomax-esque site... Oh, you get the captcha though via earthlink?
that sucks

-chris