The ICSI Netalyzr
Start » Blog
Netalyzr News
RSS + Atom

August 2011
Su Mo Tu We Th Fr Sa
1 2 3 4 5 6
7 8 9 10 11 12 13
14 15 16 17 18 19 20
21 22 23 24 25 26 27
28 29 30 31

Updated analysis of Paxfire-related search hijackings

As we previously reported in cooperation with the EFF and New Scientist, Netalyzr's results identified multiple US ISPs that appear to monetize their users' web searches using affiliate marketing programs by redirecting some of their users' web searches using services provided by a company called Paxfire.

At this week's FOCI Workshop we presented a paper that describes the DNS error traffic monetization business that companies such as Paxfire engage in, and also in part describe our measurements of search redirections. We'd like to take this opportunity to provide an update on the redirections we observe.

Starting on July 26th, we began to identify web search keywords that triggered redirections. The redirections take place in two stages, a first one using DNS to send the user's HTTP request to a Paxfire-controlled proxy, and the second by the proxy not relaying the requests to the intended search engines but instead returning HTTP redirects through the affiliate programs involved. Using popular domain names provided by Alexa, we identified 165 such keywords. Given interest in the set of keywords from multiple parties, we now make the keyword list available. If you have additional questions regarding our measurements or dataset, please contact us by email at and we will see if we are able to accommodate your request.

On August 5th, 24 hours after our public disclosure, Paxfire limited or halted the redirections through affiliate programs. We currently no longer observe any HTTP redirections through affiliate programs, suggesting that Paxfire discontinued the practice. However, the following ISPs still appear to redirect some or all traffic destined to Yahoo's and Bing's search engines through Paxfire's proxies:

  • Cogent
  • Cincinnatti Bell
  • RCN
  • Frontier
  • Megapath
  • Paetec
  • Wide Open West
  • XO

It furthermore appears as though Hughes (DirecPC) has stopped proxying search requests through Paxfire. For the remaining ISPs we do not possess sufficient data.

We currently do not include explicit testing of Paxfire's keyword-based HTTP redirections in Netalyzr. Until we do so, we would appreciate if tech-savvy customers of the involved ISPs could contact us by email at

Wednesday, August 10 2011, 17:31 PDT + Permalink + Tags: newscientist, paxfire, eff

Netalyzr co-wins the FCC's Open Internet Research Challenge

We're happy to announce that our 2010 IMC paper has co-won the FCC's Open Internet Research Challenge. Read more about the award here.

Monday, August 8 2011, 19:14 PDT + Permalink + Tags: fcc, awards

Netalyzr reveals ISPs hijacking users' web search queries

Over the past months we have conducted an investigation of unexpected DNS-based redirections of web search requests we noticed in approximately 2,000 Netalyzr sessions initiated by customers of a dozen US ISPs. We mentioned these redirections in a recent paper, but could not explain them at the time. After our requests for clarifications to the affected ISPs went unanswered, we initiated a joint effort with New Scientist and the Electronic Frontier Foundation to get to the bottom of these redirections. Today we're announcing our findings.

The affected ISPs use services provided by a company called Paxfire in order to monetize certain web search requests. Paxfire's main line of business is DNS error traffic monetization, i.e., the practice of presenting advertisements and search results to users who mistyped a website's address in their browser. In addition, some ISPs employ an optional, unadvertised Paxfire feature that redirects the entire stream of affected customers' web search requests to Bing, Google, and Yahoo via HTTP proxies operated by Paxfire. These proxies seemingly relay most searches and their corresponding results passively, in a process that remains invisible to the user. Certain keyword searches, however, trigger active interference by the HTTP proxies. We have identified a set of ~170 keywords, derived from the names of large websites, for which the Paxfire proxies actively redirect search requests through affiliate marketing programs to specific landing pages, bypassing the actual search engines. In the process, the ISPs and Paxfire presumably earn commission payments for the redirected flows.

Read more about our findings at New Scientist and the EFF, or follow the coverage on BoingBoing, Broadband Reports, Slashdot and TPM.

A sincere Thank You to our users for enabling this investigation!

Friday, August 5 2011, 10:19 PDT + Permalink + Tags: newscientist, paxfire, eff