The ICSI Netalyzr
Start » Blog
Netalyzr News
RSS + Atom

Archive Browser » 2011 / 08 / 17:31:19

Updated analysis of Paxfire-related search hijackings

As we previously reported in cooperation with the EFF and New Scientist, Netalyzr's results identified multiple US ISPs that appear to monetize their users' web searches using affiliate marketing programs by redirecting some of their users' web searches using services provided by a company called Paxfire.

At this week's FOCI Workshop we presented a paper that describes the DNS error traffic monetization business that companies such as Paxfire engage in, and also in part describe our measurements of search redirections. We'd like to take this opportunity to provide an update on the redirections we observe.

Starting on July 26th, we began to identify web search keywords that triggered redirections. The redirections take place in two stages, a first one using DNS to send the user's HTTP request to a Paxfire-controlled proxy, and the second by the proxy not relaying the requests to the intended search engines but instead returning HTTP redirects through the affiliate programs involved. Using popular domain names provided by Alexa, we identified 165 such keywords. Given interest in the set of keywords from multiple parties, we now make the keyword list available. If you have additional questions regarding our measurements or dataset, please contact us by email at and we will see if we are able to accommodate your request.

On August 5th, 24 hours after our public disclosure, Paxfire limited or halted the redirections through affiliate programs. We currently no longer observe any HTTP redirections through affiliate programs, suggesting that Paxfire discontinued the practice. However, the following ISPs still appear to redirect some or all traffic destined to Yahoo's and Bing's search engines through Paxfire's proxies:

  • Cogent
  • Cincinnatti Bell
  • RCN
  • Frontier
  • Megapath
  • Paetec
  • Wide Open West
  • XO

It furthermore appears as though Hughes (DirecPC) has stopped proxying search requests through Paxfire. For the remaining ISPs we do not possess sufficient data.

We currently do not include explicit testing of Paxfire's keyword-based HTTP redirections in Netalyzr. Until we do so, we would appreciate if tech-savvy customers of the involved ISPs could contact us by email at

Wednesday, August 10 2011, 17:31 PDT + Permalink + Tags: newscientist, paxfire, eff