ISP redirects browsing to own advertising site
Hello :)
I'm trying to figure out exactly what BSNL, India's national telecoms utility, is doing to redirect browsing to www.motive.bsnl.co.in, one of its own advertising sites, as discussed in this India Broadband Forum thread. It is independent of browser, OS and DNS servers. There are reports of it affecting Windows Media Player as well as browsers. Workarounds include configuring the browser not to allow redirects and configuring dnsmasq with the advertising site as a "bogus-domain". Here's dnsmasq logging after restarting the ADSL modem and restarting dnsmasq. There is a Firefox lookup for www.thefreedictionary.com which dnsmasq forwards to all the DNS servers it knows about, presumably to determine the fastest. At 21:48:35, an application on the local machine (127.0.0.1) -- presumably Firefox -- asks for resolution of www.motive.bsnl.co.in. Could it be that BSNL is modifying HTTP traffic to cause the redirect?
Code:
Jun 21 21:48:34 CW8 dnsmasq[6713]: query[A] www.thefreedictionary.com from 127.0.0.1
Code:
tcpdump -nnl -i eth0 -s 1536 dst port 80
Charles
|
traceroute? whois? nmap? ping?
|
What happens if you hardcode OpenDNS as your DNS server?
|
Thanks fruttenboel and john test :)
As per the OP, the phenomenon is independent of DNS server. The log in the OP showed that the local machine itself was resolving the advertising site www.motive.bsnl.co.in -- this is not a case of DNS-level redirection. I believe the redirection is happening higher in the protocol stack than traceroute and ping. Regarding whois, we know the organisation is BSNL: www.motive.bsnl.co.in. Regarding nmap, the details of the www.motive.bsnl.co.in server are irrelevant to why BSNL users are being directed to it. I dug a little deeper using tcpdump -i eth0 -l -n -s 0, thus showing all packets. It shows the same story in more detail:
I plan to repeat the tcpdump with more verbosity to see what is in the packets from www.thefreedictionary.com a) when the redirect happens and b) when it does not. EDIT: here's the tcpdump output with the first redirect in red:
Code:
06:37:04.284477 IP 192.168.168.7.32081 > 218.248.240.180.53: 62718+ A? www.thefreedictionary.com. (43)
|
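The evidence the OP relies on above is that the client itself asks dnsmasq for the advertising host about a second after asking for the real site, which is what you would expect from a client-side redirect rather than a poisoned DNS answer. The following is an added example, not code from the thread: it scans dnsmasq query lines and reports each lookup of a watched host that follows a different lookup from the same client within a short window. The log lines are constructed to mirror the ones quoted in the thread; the watched-host list and the five-second window are assumptions for the example.

```python
"""Spot client-side follow-up lookups in a dnsmasq query log (added example)."""
import re
from datetime import datetime

# Matches dnsmasq's "query[TYPE] name from client" lines; other dnsmasq
# lines (forwarded, reply, cached) do not match and are skipped.
QUERY_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ dnsmasq\[\d+\]: "
    r"query\[(?P<qtype>\w+)\] (?P<name>\S+) from (?P<client>\S+)$"
)

# Hosts whose lookup we treat as the sign of a redirect. Assumed list for
# this example; the single entry is the host named in the thread.
WATCHED_HOSTS = {"www.motive.bsnl.co.in"}

# Constructed sample log, modelled on the lines quoted in the thread.
SAMPLE_LOG = """\
Jun 21 21:48:34 CW8 dnsmasq[6713]: query[A] www.thefreedictionary.com from 127.0.0.1
Jun 21 21:48:34 CW8 dnsmasq[6713]: forwarded www.thefreedictionary.com to 218.248.240.180
Jun 21 21:48:35 CW8 dnsmasq[6713]: query[A] www.motive.bsnl.co.in from 127.0.0.1
Jun 21 21:52:10 CW8 dnsmasq[6713]: query[A] www.example.org from 127.0.0.1
"""


def parse_queries(text):
    """Yield (timestamp, name, client) for each dnsmasq query line.
    Syslog timestamps carry no year, so the parsed year is a dummy; only
    differences between timestamps are used."""
    for line in text.splitlines():
        m = QUERY_RE.match(line)
        if m:
            ts = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S")
            yield ts, m.group("name"), m.group("client")


def find_followups(text, watched=WATCHED_HOSTS, window_s=5):
    """Return [(trigger_name, watched_name, delay_seconds)] for every watched
    lookup that arrives within window_s seconds of a previous, unrelated
    lookup from the same client."""
    last_by_client = {}
    hits = []
    for ts, name, client in parse_queries(text):
        prev = last_by_client.get(client)
        if name in watched and prev is not None and prev[1] not in watched:
            delay = (ts - prev[0]).total_seconds()
            if 0 <= delay <= window_s:
                hits.append((prev[1], name, delay))
        last_by_client[client] = (ts, name)
    return hits


if __name__ == "__main__":
    for trigger, target, delay in find_followups(SAMPLE_LOG):
        print(f"{trigger} -> {target} after {delay:.0f}s")
```

Run against a real dnsmasq log (with log-queries enabled) the same function will list every site whose first visit after reconnecting was followed by a lookup of the advertising host; a DNS-level redirect, by contrast, would show the advertising host's address in the reply for the real site and no separate query from the client.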
The technique used is definitely HTTP 1.1 (text/html) packet modification. Wireshark shows that the first HTTP 1.1 (text/html) packet that arrives after the router is restarted is ostensibly from freedictionary.com's IP address but contains HTML to redirect the browser to the advertising page. Here it is (possibly slightly garbled by manual editing out of Wireshark's hex dump translation):
SaHTTP/1.1 200 OK..Content-Length: 216..Connection: close..Cache-Control: no-cache..Expires: -1. .Content-Type: text/html....<html>..<head>..<meta http-equiv="Refresh" content="1; URL=http://www.motive.bsnl.co.in/">..<meta http-equiv="pragma" content="no-cache">..</head>.. <body>..Please wait while you are redirected ... ..</body>..</html>..
|
AFAIK none of the solutions posted on India Broadband Forum so far give the user an uninterrupted browsing experience. At best they block www.motive.bsnl.co.in and the original link has to be opened again.
This is unavoidable for solutions at the IP and name resolution level (browser site blocking, DNS, firewall, hosts file etc.) on either computer or router because BSNL are modifying the first HTTP HTML packet sent. The only way I can imagine to completely solve this is by examining every HTTP packet and dropping the spoofed one. The browser would time out waiting for it and ask for it again. The second packet would not be altered by BSNL. In case anyone is interested in how BSNL are doing this, it may be that they are using the authentication mechanism. When the ADSL link is initiated, traffic is directed to an authentication server for username/password checking. Normally, when that is OK, traffic flows directly into the network. It could be that the authentication servers hold on to the traffic and monitor it for HTTP HTML packets. After finding the first one and changing it, the authentication server could then allow traffic to flow directly into the network in the normal way.
|
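The post above proposes inspecting each HTTP response and dropping the spoofed one. As an added example (not code from the thread or from any BSNL tool), here is the inspection half of that idea: a parser for a raw HTTP/1.1 response that flags a small text/html body whose meta refresh sends the browser to a host other than the one requested. The two responses are constructed; the injected one reproduces the headers and markup quoted earlier in the thread, and the requested host name and the 1 KiB size threshold are assumptions for the example.

```python
"""Flag an HTTP response that looks like an injected in-line redirect (added example)."""
import re
from urllib.parse import urlsplit

# The host the client actually asked for (assumed for this example).
REQUESTED_HOST = "www.thefreedictionary.com"

# Constructed sample mirroring the response quoted in the thread.
INJECTED = (
    b"HTTP/1.1 200 OK\r\n"
    b"Content-Length: 216\r\n"
    b"Connection: close\r\n"
    b"Cache-Control: no-cache\r\n"
    b"Expires: -1\r\n"
    b"Content-Type: text/html\r\n"
    b"\r\n"
    b"<html>\r\n<head>\r\n"
    b'<meta http-equiv="Refresh" content="1; URL=http://www.motive.bsnl.co.in/">\r\n'
    b'<meta http-equiv="pragma" content="no-cache">\r\n'
    b"</head>\r\n<body>\r\nPlease wait while you are redirected ...\r\n</body>\r\n</html>\r\n"
)

# Constructed sample of an ordinary page from the requested host.
GENUINE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Content-Type: text/html; charset=utf-8\r\n"
    b"Content-Length: 69\r\n"
    b"\r\n"
    b"<html><head><title>Dictionary</title></head><body>hello</body></html>"
)

# <meta http-equiv="refresh" content="N; url=..."> with loose quoting/casing.
META_REFRESH = re.compile(
    rb'<meta\s+http-equiv\s*=\s*"?refresh"?\s+content\s*=\s*"?\s*\d+\s*;\s*url\s*=\s*([^"\s>]+)',
    re.IGNORECASE,
)


def parse_response(raw):
    """Split a raw response into (status_line, headers, body).
    Header names are lower-cased; a repeated header keeps its last value."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    status = lines[0].decode("latin-1")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers[name.strip().lower().decode("latin-1")] = value.strip().decode("latin-1")
    return status, headers, body


def refresh_target(body):
    """Return the URL named in a meta refresh tag, or None if there is none."""
    m = META_REFRESH.search(body)
    return m.group(1).decode("latin-1") if m else None


def classify(raw, requested_host, small_body=1024):
    """Describe whether `raw` looks like an injected redirect.

    Heuristics, not a protocol guarantee: the body carries a meta refresh
    whose host differs from the requested one, and the page is tiny. The
    no-cache/Expires: -1 headers are reported separately as supporting signs."""
    status, headers, body = parse_response(raw)
    target = refresh_target(body)
    target_host = urlsplit(target).hostname if target else None
    off_host = target_host is not None and target_host != requested_host
    uncacheable = (headers.get("cache-control", "").lower() == "no-cache"
                   or headers.get("expires") == "-1")
    return {
        "status": status,
        "content_type": headers.get("content-type"),
        "refresh_target": target,
        "off_host_redirect": off_host,
        "uncacheable": uncacheable,
        "suspicious": off_host and len(body) < small_body,
    }


if __name__ == "__main__":
    for label, raw in (("injected", INJECTED), ("genuine", GENUINE)):
        print(label, classify(raw, REQUESTED_HOST))
```

The check is deliberately limited to the response itself: a real site may legitimately redirect to another of its own hosts, so in practice the requested host, an allow-list of the site's known hosts, and the transport-level oddities visible in the capture (the response arriving before any packet from the real server) are what turn this heuristic into a drop decision.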
What happens if you use a caching DNS server like pdnsd and configure it to only resolve using accessible, "clean" name servers from say above.net, etc. (not your .in TLD and not Google or OpenDNS)?
What happens with an HTTP query (curl, wget) to say http://www.google.in/?q=something+completely+different and https://www.google.in/?q=something+completely+different ? If they differ in result could you attach a packet capture for both? What happens if you use an HTTP proxy outside of your ISP's domain?
|
What sanctions are being initiated for BSNL?
|
Code:
c@CW8:~$ wget --no-check-certificate https://www.google.in/?q=something+completely+different 2>&1 | tee /tmp/wget_s.out
I do not use proxies so I had better describe what I did to perform this test.
|
Quote:
"Dear Sir, This is not any "Wrong direction". But we have implemented the motive application which is very popular in US. This software will be very useful in configuring the modem and for subsequent fault rectification, tracing, email configuration etc... However, it is under testing and we shall provide clear instruction in our portal very soon please. For the time being, it can be ignored and the customers can just type another website please".
"Secondly, when the net is connected, the motive application (site) opens first. But once you ignore and type any other website, it will never come again unless you disconnect the broadband and connect again. The re-direction is given after passing the authentication stage and hence the application opens only in the beginning. It will not open again as given in your mail. The software is being validated online and though a small portion of customers will have some difficulty, it is not a major problem and we have not received many complaints regarding this so far please. We request you to kindly bear with us for the time being please"
|