DOI: 10.5555/1972441.1972452
Article

Inflight modifications of content: who are the culprits?

Published: 29 March 2011

Abstract

When a user requests content from a cloud service provider, sometimes the content sent by the provider is modified inflight by third-party entities. To our knowledge, there is no comprehensive study that examines the extent and primary root causes of the content modification problem. We design a lightweight experiment and instrument a vast number of clients in the wild to make two additional DNS queries every day. We identify candidate rogue servers and develop a measurement methodology to determine, for each candidate rogue server, whether or not the server is performing inflight modifications. In total, we identify 349 servers as malicious, that is, as modifying content inflight, and more than 1.9% of all US clients are affected by these malicious servers. We investigate the root causes of the problem. We identify 9 ISPs whose clients are predominantly affected. We find that the root cause is not sophisticated transparent in-network services, but instead local DNS servers in the problematic ISPs.

Published In

LEET'11: Proceedings of the 4th USENIX conference on Large-scale exploits and emergent threats
March 2011
11 pages

Sponsors

  • Google Inc.

Publisher

USENIX Association

United States

Qualifiers

  • Article
