Israeli study confirms: China Telecom and China Unicom inject false content into network traffic

Original link: arxiv.org

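Israeli researchers have published a paper on arXiv stating that China Telecom and China Unicom use out-of-band injection to inject false content; besides advertisements, the injected content also includes malicious programs. The injected advertising domains include Alibaba's is.alicdn.com, jiathis.com, and others; the injection of a JS script pointing to the domain wa.kuwo.cn is considered malicious; the redirect link used the URL www.baidu.com/?tn=95112007_hao_pg, and the referral tag is hao123.com.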

Website-Targeted False Content Injection by Network Operators

Authors: Gabi Nakibly, Jaime Schcolnik, Yossi Rubin

(Submitted on 23 Feb 2016)

Abstract: It is known that some network operators inject false content into users' network traffic. Yet all previous works that investigate this practice focus on edge ISPs (Internet Service Providers), namely, those that provide Internet access to end users. Edge ISPs that inject false content affect their customers only. However, in this work we show that not only edge ISPs may inject false content, but also core network operators. These operators can potentially alter the traffic of all Internet users who visit predetermined websites. We expose this practice by inspecting a large amount of traffic originating from several networks. Our study is based on the observation that the forged traffic is injected in an out-of-band manner: the network operators do not update the network packets in-path, but rather send the forged packets without dropping the legitimate ones. This creates a race between the forged and the legitimate packets as they arrive to the end user. This race can be identified and analyzed. Our analysis shows that the main purpose of content injection is to increase the network operators' revenue by inserting advertisements to websites. Nonetheless, surprisingly, we have also observed numerous cases of injected malicious content.

Submission history

From: Gabi Nakibly
[v1] Tue, 23 Feb 2016 11:51:07 GMT
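
The race the abstract describes can be looked for in a capture as two data segments in the same flow direction that claim the same sequence range but carry different bytes. The sketch below is an added example, not code from the paper or the original post; the Segment record, the sample packets and the addresses are constructed, and sequence-number wraparound is ignored.

```python
from collections import defaultdict, namedtuple

# One captured TCP data segment; field names are this example's own.
Segment = namedtuple("Segment", "ts src sport dst dport seq ttl payload")

def find_races(segments):
    """Return (earlier, later) pairs from one flow direction whose sequence
    ranges overlap but whose overlapping bytes differ. An ordinary
    retransmission carries identical bytes and is not reported."""
    flows = defaultdict(list)
    for s in segments:
        if s.payload:  # pure ACKs have no data to compare
            flows[(s.src, s.sport, s.dst, s.dport)].append(s)
    races = []
    for segs in flows.values():
        segs.sort(key=lambda s: s.ts)
        for i, a in enumerate(segs):
            for b in segs[i + 1:]:
                lo = max(a.seq, b.seq)
                hi = min(a.seq + len(a.payload), b.seq + len(b.payload))
                if lo < hi and a.payload[lo - a.seq:hi - a.seq] != b.payload[lo - b.seq:hi - b.seq]:
                    races.append((a, b))
    return races

# Constructed sample: server 203.0.113.10:80 answering client 198.51.100.7.
SRV, CLI = "203.0.113.10", "198.51.100.7"
SAMPLE = [
    # Two different responses for sequence 1000: the race.
    Segment(0.010, SRV, 80, CLI, 51000, 1000, 58, b"HTTP/1.1 302 Found\r\nLocation: http://ads.example/\r\n\r\n"),
    Segment(0.034, SRV, 80, CLI, 51000, 1000, 49, b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n<html>"),
    # Same bytes sent twice: a normal retransmission, must be ignored.
    Segment(0.050, SRV, 80, CLI, 51000, 5000, 49, b"<p>body</p>"),
    Segment(0.250, SRV, 80, CLI, 51000, 5000, 49, b"<p>body</p>"),
    # Unrelated flow with a single response.
    Segment(0.060, SRV, 80, CLI, 51001, 1000, 49, b"HTTP/1.1 200 OK\r\n\r\n"),
]

if __name__ == "__main__":
    for first, second in find_races(SAMPLE):
        print(f"seq {first.seq}: conflicting payloads at t={first.ts} (ttl {first.ttl}) "
              f"and t={second.ts} (ttl {second.ttl})")
```

The TTL field is carried only as context an analyst can compare between the two conflicting segments; the differing values in the sample are part of the constructed data.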