Website-Targeted False Content Injection by Network Operators

TL;DR

This paper reveals that not only edge ISPs but also core network operators inject false content into user traffic, often for revenue purposes, and demonstrates a method to detect such out-of-band content injection.

Contribution

It uncovers the practice of false content injection by core network operators and introduces a detection method based on analyzing packet races between forged and legitimate traffic.

Findings

Core network operators inject false content affecting all users visiting certain websites.

Injection is performed out-of-band without dropping legitimate packets, creating detectable races.

Content injection is primarily for revenue through advertisements, with some malicious content also observed.

Abstract

It is known that some network operators inject false content into users' network traffic. Yet all previous works that investigate this practice focus on edge ISPs (Internet Service Providers), namely, those that provide Internet access to end users. Edge ISPs that inject false content affect their customers only. However, in this work we show that not only edge ISPs may inject false content, but also core network operators. These operators can potentially alter the traffic of \emph{all} Internet users who visit predetermined websites. We expose this practice by inspecting a large amount of traffic originating from several networks. Our study is based on the observation that the forged traffic is injected in an out-of-band manner: the network operators do not update the network packets in-path, but rather send the forged packets \emph{without} dropping the legitimate ones. This creates a race between the forged and the legitimate packets as they arrive to the end user. This race can be identified and analyzed. Our analysis shows that the main purpose of content injection is to increase the network operators' revenue by inserting advertisements to websites. Nonetheless, surprisingly, we have also observed numerous cases of injected malicious content. We publish representative samples of the injections to facilitate continued analysis of this practice by the security community.