Ask HN: Connection Hijacking and Redirection

3 points by Ms-J ↗ HN
Hi all.

I've had an issue that's happened at least three times over the span of around two years where if I'm directly connected to my ISP without any VPN's, when I open a new tab in Firefox and type a website's address, there is a connection redirect that brings me to some inflammatory/crude types of sites that have nothing to do with what I'm working on at that moment. I've also seen sites that I visit return a HTTP version instead of HTTPS. Could this part be SSL Stripping?

I'm using my own hardware and not using the ISP's DNS servers. The system's these attacks have happened on are Linux and MacOS. I have performed virus and vulnerability scans, scanned the particular internal network and made sure nothing is public facing, have network monitors, and have HIDS and a SIEM solution setup for those systems as well. None of these measures have alerted me to anything suspicious.

This is a large ISP. The way I assume the attack is being done is my router is getting poisoned routes from the ISP when it requests a website. What I can't figure out is the DNS servers are not owned by the ISP or even in the same country.

I'm asking if the community here could please point me in the right direction to figure out how to pinpoint and stop these attacks, thanks.

8 comments

[ 2.4 ms ] story [ 45.5 ms ] thread
Normally I'd suggest you try and confirm that your ISP is not hijacking DNS. Here's a guide:

  https://help.dnsfilter.com/hc/en-us/articles/1500008110182-transparent-proxying
But, the latest versions of FireFox use DNS-over-HTTPS by default:

  https://support.mozilla.org/en-US/kb/firefox-dns-over-https
So, assuming your FireFox is up to date, your machine's DNS settings won't play a role. Perhaps you should try disabling/removing browser plugins and/or try a brand new profile?
Thanks for posting the guide. I took a look at it doesn't appear that the ISP is performing any DNS hijacking.

I'm using an updated copy of Firefox and Firefox ESR without any extensions. This has happened on Safari using MacOS as well. I'm aware of the default Cloudflare DoH settings and have this turned off, as well as making sure nothing is going through a proxy and all the settings are correct.

> happened at least three times over the span of around two years

Well, it's certainly difficult to speculate as to the causes of these past events. I can think of a slew of reasons you may have had the experiences you mention; ssl stripping being just one of them.

So, without being able to reliably reproduce the problem, I'm afraid your only recourse will be to stay vigilant and... have investigation tools ready (e.g. wireshark) for the next time it happens.

SSL stripping would cause the sites to not display an encrypted connection, definitely. But what really puzzles me is the redirection. I'm thinking it has to do with the routes being tampered with. Yes, I'll need to check more with WS.
> what really puzzles me is the redirection. I'm thinking it has to do with the routes

There are many possibilities. I'd, personally, refrain from using the words "tampered" and "attacks" since they carry a moral implication.

It also seems it could be that a name based virtual host configuration changed mid session. I suppose this could be considered routing in a sense as well.

Again, the fact that it hasn't happened often and that your memory/knowledge of the exact transaction of packets is likely incomplete, makes all this just speculation.

My guess is it's probably just a glitch and nothing nefarious is going on. I wouldn't be too worried.

It's good you're keeping an eye on things though!

Thanks for the suggestions. The reason I use such strong words is because the type of redirects are very specific as what I'm working on using those boxes has nothing to do with the type of sites that were pushed to me. The sites that I was loading were usually large, microsoft.com for one example but was redirected to something that has nothing to do with technology.

I understand it's "speculation" since I don't know the exact mechanism or have proof as to what happened, but it's very far from a glitch. Again, this happened a few times on multiple different physical computers and didn't set off any alerts in my security systems.

My first guess would be router/CPE compromise. (Vulnerable firmware).

Second would be malicious browser extension.

I really appreciate your reply, and I definitely considered my router being vulnerable/hacked. I flashed/updated the firmware and even swapped it out for a bit with a different router but same issue.

I was using an updated copy of Firefox and Firefox ESR without any extensions.