Want to read Slashdot from your mobile device? Point it at m.slashdot.org and keep reading!


Forgot your password?
The Internet Your Rights Online

Study Reveals How ISPs Responded to SiteFinder 172

penciling_in writes "During the 2+ weeks for which Site Finder was operational, a number of ISPs took steps to disable the service. A study just released reveals the details and analysis, including specific networks disabling Site Finder during its operational period. For example, the study reports China blocked the traffic at its backbone, and Taiwan's Chunghwa Telecom and Korea's DACOM also disabled the service. US ISPs have been slower to act, but US ISP Adelphia disabled the service September 20-22 before re-enabling it on September 23." That link is a summary; or cut straight to the study itself.
This discussion has been archived. No new comments can be posted.

Study Reveals How ISPs Responded to SiteFinder

Comments Filter:
  • by Sir Haxalot ( 693401 ) on Tuesday October 07, 2003 @12:48PM (#7154201)
    here [newsfactor.com]
  • IMO, that's equivalent to spam-blocking -- something most ISP's at least try to accomplish.
    • Spam Solution (Score:3, Interesting)

      by RuB1X ( 707519 )
      Copied from here [theregister.co.uk]

      But there is(was) a solution, perhaps mail servers should check to see if the sender domain for a particular piece of email resolves to the Ip above.If it does, forward the email toVerisign, any of the email addresses on this page should do :

      http://www.verisign.com/corporate/about/contact/in dex.html?sl=060104

      If the email sender domain resolves to the bogus Verisign wildcard entry, then its only fair that the email gets forwarded back to them, as it?s obviously spam and it resolve
  • I guess my provider didn't use verisign in the first place? We are an Educational Institution though, so that could be the reason.
    • by gregmac ( 629064 ) on Tuesday October 07, 2003 @01:09PM (#7154457) Homepage
      I guess my provider didn't use verisign in the first place?

      No, everyone "uses" verisign. They control the database for the gTLDs .com and .net, so all nameservers everywhere on the internet listen to them. When a nameserver tries to resolve a name, it first goes to the root nameservers (A.ROOT-SERVERS.NET, B.ROOT-SERVERS.NET, etc. There's 13 of them. I believe verisign runs two of those, ISC (people that make BIND) run one, I'm not sure who else does). Verisign basically controls what those servers do. They added a wildcard entry for *.com - anything that's not specifically picked up by a registered domain will be connected to their sitefinder server.

      We are an Educational Institution though, so that could be the reason.

      Likely they just blocked it very quickly.

  • Yup (Score:4, Funny)

    by pmz ( 462998 ) on Tuesday October 07, 2003 @12:50PM (#7154229) Homepage

    The markets reacted as expected. I'm breathless.
  • by Anonymous Coward
    I wonder how many other small-network admins did... I guess they're harder to sample though.
    • I actually let it happen. After speaking with my boss, our conclusion was as follows:

      People are still getting a "domain not found" error. They still know that the site they entered doesn't exist. While it may be very unfair business practice for Verisign to do this, we didn't see any reason to disable it. The bandwidth required is quite small and we had more pressing things to deal with.

      I'm very glad to see it gone (for now), but SiteFinder was more hype than it was trouble.


      • by shepd ( 155729 )
        >While it may be very unfair business practice for Verisign to do this, we didn't see any reason to disable it.

        I can give you one reason:

        All your mail with mistyped domains has been "rejected" (probably read by a marketing bot) by verisign.

        That's gotta be worth at _least_ blacklisting the IP, never mind messing with the DNS servers.
      • You obviously don't use DNS for anything other than browsing. If you did, you'd have been flaming pissed when SiteFinder came out. While it may help Joe Idiot, it doesn't help anyone who want to programmatically determine whether or not a domain exists without processing HTTP data, or hard coding verisign's ips into their apps (Which is ALWAYS a bad idea when programming --hardcoding ip's or any other meta-data-esque things means that you'll almost definately have to change your code sometime in the futur
  • wonder of wonders (Score:1, Insightful)

    by Anonymous Coward
    what are the chances - using the search page that comes up at the verisign site to search for "register" we find at the top of the
    list a link to networksolutions.com (a verisign company). we also note that searching for the same word at google does not result in that site being present in at least the first four pages of results.

    yeah - thats a real useful search tool verisign has there - thanks so much.
    • 7. Network Solutions

      Register and transfer domain names, get personalized email, build a Web site, and submit sites to search engines. http://www.networksolutions.com/

      #7 on the list searching for "register", the first link related to domain registration.

      And of course, it doesn't even appear on the first page of google results...
  • by intermodal ( 534361 ) on Tuesday October 07, 2003 @12:50PM (#7154235) Homepage Journal
    while I'm not a general fan of censorship, I don't see this as censorship. This was simply sitefinder's overlords abusing their position. Freedom of speech does not mean that you're free to make everyone listen. Same goes for network traffic. This is no different from me adding doubleclick.net in my /etc/hosts pointing to in that I don't want to hear what they have to say, same goes for sitefinder.
    • I don't agree with SiteFinder, but I don't agree with your reasoning either. Censorship is the act of removing from view objectionable material. The fact that this was done not by the individual deciding not to receive SF's results, but by a third party controlling their network access, is a direct example of censorship.

      Let's have an example, shall we?

      FCC censors cut dirty words out of programming on broadcast TV, regardless of wheather or not the person on the other end wants to hear it. That is censorsh
      • The VChip is something that now is embedded into every TV and for the 95% of us that don't use it we still pay for it. What a bunch of crap. And I still don't see tits on TV.
      • I don't agree with SiteFinder, but I don't agree with your reasoning either. Censorship is the act of removing from view objectionable material. The fact that this was done not by the individual deciding not to receive SF's results, but by a third party controlling their network access, is a direct example of censorship.

        SiteFinder is not a form of free expression. One can't possibly argue that preventing every damn misspelled hostname from returning an obnoxious webpage somehow infringes VeriSign's abi

      • It isn't like they were blocking it because the sitefinder page contained naughty words. They were censoring it because the damn service broke the Internet.

        If I live next to a busy highway and decide to shine a mega-bright spotlight into oncoming traffic, that would completely mess up traffic and possibly kill a few people. If the cops come in and "censor" my spotlight, that's a good thing, right?

        Censorship [cambridge.org] is removing objectionable, or unsuitable content. Preventing someone from shouting "Fire!"

        • Censorship is removing objectionable, or unsuitable content. Preventing someone from shouting "Fire!" in a crowded theatre isn't censorship because it isn't that the words are objectionable, it's that the result of shouting them will cause chaos and damage. Likewise, Verisign's wildcard caused damage and so it was blocked.

          I fail to see that there's anything crystal clear about most peoples definition of censorship, or the one you linked to.

          Saying that something "causes damage" is no excuse for it. Do yo

      • Good point, but he's not talking about censorship. He's talking about freedom of speech.

        One could, for example, call running your lawnmower freedom of speech. Try doing it at 3:00 am. You won't be told to stop because of censorship. You'll be told to stop because you're disturbing the peace and preventing the lawful enjoyment of people's own property.

        This is the same thing. Versign could certainly keep sitefinder.verisign.com running, *but* when they added all that noise, they disturbed the peace of
      • Censorship is the act of removing from view objectionable material.

        Hmmm, sounds like the rows of trees planted facing the highway to obstruct the view of junkyards.

        One junked car on the front lawn is quaint and picturesque. A lot of them on one lawn or one each on a lot of lawns is an eyesore. If there is suddenly a lot of junk, somebody is a position to do something about it is likely to do something about it.

        To my mind, one unsolicited commercial advertisement email is not spam. Spam is the unrelentin
      • Sorry, I still stand by my original statement. As I said, I don't agree with it, but censorship is still censorship, even if you happen to like that the information getting censored. If the ISPs offered each user a choice of whether or not they got VS's results, then it would be fine.

        Take a look at AOL. They block emails coming from certain servers and drop them in the bit bucket, never even allowing them to hit the "spam" folder of their users. Also a wrong approach. Sure, maybe 99% of the mail is somethi
        • You're totally wrong. First of all, companies have no right to free speech. Secondly, since Verisign has a monopoly over the .com and .net TLDs, they do not have the same rights concerning certain things even when compared with other companies. Putting up SF was not an act of 'Free Speech' as you say, but rather a monopolistic abuse that was detrimental to many.

          Let's assume that you watch Television. Would you like it if someone hijacked all of the unassigned channels and displayed whatever they wanted
  • was just to firewall off sitefinder. At least non-http connections dropped immediately (with a couldn't connect message), rather than waiting for them to time out.
  • by The One KEA ( 707661 ) on Tuesday October 07, 2003 @12:53PM (#7154263) Journal
    Most major ISPs and institutions successfully blocked a "service" which only resulted in widespread disruption in the way the Internet works. It didn't necessarily stay blocked, as in the case of Adelphia, but it was blocked rather quickly. I like the graphs showing SiteFinder traffic; they're very easy to read and they show the drops quite clearly.

    Looking through the study, I found something interesting: most of the blockages of SiteFinder were outside the U.S. Interesting.....
  • Adelphia? (Score:2, Informative)

    by Qwell ( 684661 )
    US ISP Adelphia disabled the service September 20-22
    No, they did not, at least not nationwide. I was checking it literally everyday. It kept screwing with my DNS requests. Unless they mean those 4 hours I was offline on the 22nd, they did not disable sitefinder on my dns servers.
  • Denmark (Score:5, Interesting)

    by pointwood ( 14018 ) <jramskov@nOSPaM.gmail.com> on Tuesday October 07, 2003 @12:54PM (#7154285) Homepage
    I know the biggest Danish ISP (TDC) blocked it pretty quickly. TDC have >80% of all DSL connections in DK.
  • More useful (Score:5, Funny)

    by jolyonr ( 560227 ) on Tuesday October 07, 2003 @12:58PM (#7154336) Homepage
    My 404 page redirects people to www.mavisbeacon.com if they mistype a URL.
  • Umm (Score:3, Informative)

    by ad0gg ( 594412 ) on Tuesday October 07, 2003 @01:00PM (#7154367)
    2. That Site Finder pages are larger than ordinary error messages and therefore slower and more costly to transmit. "Cannot find server or DNS Error" is not a page that a server sends back since there is no server in the loop. Its clientside generated page.
    • The study was trying it's best to explain why networks outside the US were blocking.

      I think the argument that it brings up an English page only is reason enough to implement such a block, an insult added to injury of VeriSign abusing it's position.

      Bandwidth may have been a factor too, but for a different reason: a negative response is preferable to a positive response because you have the same number of DNS packets either way, but the nasty part is the browser goes ahead and opens subsequently two HTTP co
      • I don't think cnn.com was much affected by SiteFinder.com, since typos of such a short name are unlikely to result in unassigned domains.
      • I'm not sure if your scheme would work. As I understand Referrer in Mozilla, a site is sent as the referrer only if you click on a link. If you type in the location bar (such as correcting a typo), referrer is not sent. This is the technique I use to view bugzilla links on slashdot. When you first click it says "No referrers from slashdot" or something, but you can just go up to the location bar and hit enter, the referrer isn't sent, and you get the bug report.
        • are listed on the sitefinder page. Presumably, the user would click the appropriate link rather than manually type the correct URL, unless they were trying to not feed Overture.
    • They didnt say that "Cannot find server or DNS Error" was a server generated page.

      2. That Site Finder pages are larger than ordinary error messages and therefore slower and more costly to transmit

      They did say that there was a message returned though, impying a dns error message.
    • "Cannot find server or DNS Error" is not a page that a server sends back since there is no server in the loop. Its clientside generated page.

      Pretty much the same net result:
      Without site finder, 1 DNS request comes back with a NAK... No other net access.
      With site finder, 1 DNS request gets a bogus ACK followed by an annoying page (in english to boot).

      For my part, the site finder was probematic because I had a xcript that set up a service for various boxes, but (as a sanity check) would ping the box f

  • by Anonymous Coward on Tuesday October 07, 2003 @01:02PM (#7154391)
    Sitefinder did not seem to redirect images. I was trying to debug an image server I set up and keep getting a 404 when trying to load a test image. After spending about an hour looking at httpd.conf, I realized that I had mistyped the url. The 404s were coming from sitefinder. My server was set up correctly from the very start.
    • That's precisely the sort of thing that people were upset about. By removing the NXDOMAIN response from the .com and .net domains, VeriSign managed to break things in very mysterious and diffcult-to-detect ways. DNS problems and spam were only part of the problem, as your example showed.

      Let's just hope that VeriSign is prevented from ever breaking DNS like this again.
      • Anyone notice that while the sitefinder service was up, typos were beginning to get into the browser history since they didn't error out? And the next time you wanted to goto the same site, autocomplete would pick up the typo instead.


        I'm just glad that was the worst that happened to me before this "service" got blocked here. I feel for the grandparent.
      • "Let's just hope that VeriSign is prevented from ever breaking DNS like this again."

        They still are in business, and ICANN has not really done anything in the way of harsh punishment, nor has the question seriously been raised of handing over authority to anyone else.

        So I don't see where your hope stems from. Verisign retains the ability to do what they want. I expect this incident to help VS understand what they can get away with, and I expect them to do something else that is more within the gray area,
        • by mabu ( 178417 ) *
          There's no indication that ICANN or Verisign will learn anything from these events. These are just the most recent in a long chain of embarassements and slaps in the face to the Internet community.

          NSI/Verisign violated agreements by charging for domains in the first place; NSI/Verisign charged an "illegal tax" on domain registrants and stole millions of dollars; Verisign strong-armed the community by almost-monopolizing the SSL Cert business and charging outrageous prices; ICANN made a total mess out of t
  • by Anonymous Coward on Tuesday October 07, 2003 @01:04PM (#7154405)
    I just heard some sad news on talk radio. The Verisign SiteFinder service was found dead this morning in its IP home. The cause of death was from an ICANN beatdown. Even if you did not admire its work, there is no denying its contributions to the speed and ease of use of the Internet. Truly an Internet icon.
    • Don't give ICANN credit on this. I seriously doubt that ICANN ultimately had any influence in Verisign disabling this service. ICANN issued a request for Verisign to stop the service long ago and Verisign blew them off.

      The reason Verisign shut down the services is because it was becoming obvious that eventually the entire Internet was going to block their unethical traffic theft, and the community was fed up with their antics.

      ICANN had NOTHING to do with this. ICANN needs to be dissolved and replaced b
    • The Verisign SiteFinder service was found dead this morning in its IP home.

      Hey, you're right! It is dead! []

      (Oh, damn.... I blocked it with iptables, too)

  • We already had enough problems as it is with spam and hacker-wannabe scriptkiddies.. and we were shoved with Veriscum's new invention.

    Now that it is gone, lets hope it stays there. There is no reason to violate the RFCs as they did here.
  • the problem here is the idea of a shared public asset in ".com" with VeriSign as the maintainer. This is a broken idea from the start. Instead there should be ".vs" for VeriSign and ".gd" for GoDaddy. Then it is clear that these companies wholly own these root domains and they can do anything they want with them.
  • by doubleyewdee ( 633486 ) <wd@@@telekinesis...org> on Tuesday October 07, 2003 @01:15PM (#7154522) Homepage
    As far as I know, Alexa doesn't monitor for 'dns lookup failures.' If that's the case then I think this number is way off. About the 22nd or so a lot of people were deploying BIND patches to block this nonsense, and I'm not sure Alexa is registering that. I think their numbers reflect only the ISPs which actually null-routed the sitefinder IP, not ISPs that patched their nameservers.

    Correct me if I'm wrong, though.
    • doubleyewdee, even if Alexa doesn't monitor or record DNS lookup failures, I don't think this presents a problem given our method of analysis.

      In general, we look for a drop-off in Site Finder page views. So if Site Finder page views were high from a given ISP, then dropped off dramatically and suddenly, we notice this and classify the ISP as blocking Site Finder as of the corresponding date. It doesn't matter whether Alexa's other log data shows the dns-lookup-failure'd domains as msn logs, as dns looku

      • Okay, cool. I was a bit sketchy on how this worked exactly. I know my ISP patched their nameservers pretty early on to block sitefinder, and I know we patched them at work damn quick too. Looking more closely at the way this was done, your study seems to account for this.

        All the same, a nearly 10% drop-off in sitefinder 'use' within two weeks is pretty phenomenal. I think as time went on and this caused more problems for people, you'd see those numbers go up. Hopefully we'll never find out. :)

  • Telenor (Score:3, Interesting)

    by Anonymous Coward on Tuesday October 07, 2003 @01:17PM (#7154545)
    I left a note for Norway's biggest ISP and phone company, Telenor [telenor.net], with details of what had happened and a polite request that they undo it at their name servers. I was very pleased to see an email come in from the hostmaster himself, saying they were aware of the problem and that he would get back to me on it. A few days later (actually, this was after VeriSign had agreed to succumb to ICANN's demand) I got a new mail from him again, saying he had given the notice for the patches to be applied.

    This is a company that isn't exactly the most liked in Norway, but I was very pleased with their handling of the problem and the responses.

    And it shows that most admins are not willing to tolerate absurd changes like this.

  • by Anonymous Coward on Tuesday October 07, 2003 @01:28PM (#7154660)
    I don't work for an ISP but I do have about 1500 staff users, plus another 9-10 thousand K-12 students who use the network too. The day this happened, I added some IP-based blocks to our web proxies to deny all access to sitefinder, then made the deny info throw back something that essentially said "That domain does not exist. Check the spelling and try again". Then I filtered outgoing packets on the mail servers to prevent leakage there.

    When the first BIND patch with delegation-only rolled out, that went on our resolvers and the real problem went away. Now the spammers couldn't make up arbitrary crap in .com and .net, and my old deny page was no longer necessary.

    Anyone in the organization who heard about the fuss and tried to play with sitefinder had a window of about 12 hours before the changes took effect. Since then, it's been walled off.

    Chances are, the bigger the organization is, the slower they move on changes like this. There's just too much bureaucracy to go through before you can do something like replacing your resolvers with new code.
    • I'm curious as to why you chose to do that. Sitefinder is clearly obnoxious, the ultimate typo-squat. I'm glad ICANN stomped on it.

      But it seems like you chose to do additional work, which always runs the risk of breaking something. The Sitefinder service didn't actually damage any of your users, did it? It didn't actually redirect them to any inappropriate sites; it just made suggestions. And in the end, it's unnecessary; ICANN got them to stop it.

      You're right that replacing your resolvers and such i
  • As I posted earlier: [slashdot.org]
    Speakeasy's name servers were returning NXDOMAIN instead of sitefinder by the 17th. Maybe earlier but that was when I first checked. No discussion announcement as far as I know, they just did the right thing quietly and with impressive alacrity.
  • China... (Score:2, Insightful)

    China blocked the traffic at its backbone

    China blocks everything outside of it unless it feels there is a good reason to let it's people access it. Having a site show up on it's block list doesn't really say much.
    • Unfortunatly China absolutely no problem hosting american spammers in their networks [spamhaus.org] and allowing them to spew unlimited amounts of spam on the rest of the world..

      If they can block everything incoming they don't like, why can't they block everything outspewing WE don't want?
      • They only block sites because they're concerned about their own citizens viewing pronography and non-sanctioned political or religious ideas. I'm sure they consider advertisements for teen porn and sex organ size enhancers to be par for the course in america. They might start to care if we managed to get asian e-mail addresses added to the spammer lists.
  • I am glad that people didn't just sit idly by and let this happen... if I misspell a web address, that doesn't mean i want to, care to, or will ever click on any ads.
  • Had to locate and compile the new bind (By the way, has anyone ever been to www.issc.org? I didn't even know they had those!) And then configure it to drop the delegations. Took a bit over an hour (Mainly because of the issc.org thing.) Can I bill Verisign for my time?
  • Criminal Skills (Score:5, Interesting)

    by g051051 ( 71145 ) on Tuesday October 07, 2003 @01:45PM (#7154836)
    My company uses SmartFilter. One day, it started blocking access to Site Finder. The reason code it returned indicated that sitefinder.verisign.com had been classified as "Criminal Skills". That sure seems appropriate to me.

    My personal solution was to add it to my junkbuster config, so it would never show, and never register as a hit on their web page.
  • Adelphia (Score:2, Informative)

    Adelphia did block the service, meaning the site would not load when bonus addresses were entered into the browser, but when pinging bogus internet addresses, A pong came back from the numerical IP of the sitefinder. When going to sitefinder.verisign.com, it was not blocked.
  • by jroysdon ( 201893 ) on Tuesday October 07, 2003 @03:26PM (#7155779)
    We bound VeriSign's SiteFinder IP to one of our webservers and added it into our routing table:
    eth0:2 Link encap:Ethernet HWaddr 00:10:4B:21:48:CF
    inet addr: Bcast: Mask:
    Interrupt:11 Base address:0xde00
    Then we served up a wildcard [artoo.net] page for *.com and *.net:
    DocumentRoot /var/www/html/wildcard
    ServerName wildcard.artoo.net
    ServerAlias *.net
    ServerAlias *.com
    CustomLog logs/access_log.wildcard combined
    The page directs users to complain to Congress, ICANN, and the FTC if they don't like the way VeriSign is hijacking the internet.

    Like I said, we're a really small ISP, but it appears we caught 281 typo's (excluding anything that was referred from Slashdot).

    It's pretty amazing to look at the common sites that folks typo.
  • Anybody else get offered the following?

    Please join VeriSign for a one-hour, informative Web seminar -- "Internet Security Intelligence Briefing--Evolving Trends in Internet Usage" on Tuesday, October 14, 2003, 11 AM PT, 1 PM CT, 2 PM ET.

    I couldn't stop laughing for ages!

The world is coming to an end--save your buffers!