How to block ISP injected advertisements in webpages



  • My ISP has started "injecting" advertisements inside webpages. They show up in the bottom right corner and obstruct content unless closed. They also tend to spoil the website design/layout on handheld devices. Is there anyway to block them using pfSense?

    I am able to block the ads by blocking the domain the ads reside on in AdBlock Plus and AdFree but this doesn't help with the website layout issues.

    PS: I understand that this is pretty useless unless I have screenshots or HTML code. They appear at random so I'll try to show it ASAP. I just thought that HTML injected ads may be a general problem and might have an ISP-independent solution.



  • Short of using HTTPS on every site, you can't, there wouldn't be a reliable means of detecting what your ISP injected.

    Get a worthwhile ISP, or use an encrypted connection out of their network to tunnel your web traffic. Personally, I'd speak with my wallet, there's 0 chance I'd pay any ISP that injected anything into Internet traffic.



  • I was thinking something along the lines of using a proxy and configuring something similar to a regular expression. Or perhaps reloading the webpage automatically once an ad is detected.

    The ISP that I use is govt. controlled and the only one that is available all over the city. They advertise their own plans with higher data / bandwidth. The only other decent ISP in my city doesn't provide internet service where I live. It is actually much better than the one I use.



  • If it's predictable and consistent enough to match with a regex, Squid might have an option to remove that from the page via something like "Ad Zapper" or similar. Likely will require some hacking to make work.


  • Banned

    What website? Can we have a look?

    @shebang1234:

    My ISP has started "injecting" advertisements inside webpages. They show up in the bottom right corner and obstruct content unless closed. They also tend to spoil the website design/layout on handheld devices. Is there anyway to block them using pfSense?

    I am able to block the ads by blocking the domain the ads reside on in AdBlock Plus and AdFree but this doesn't help with the website layout issues.

    PS: I understand that this is pretty useless unless I have screenshots or HTML code. They appear at random so I'll try to show it ASAP. I just thought that HTML injected ads may be a general problem and might have an ISP-independent solution.



  • See this article:
    http://hackercodex.com/guide/how-to-stop-isp-dns-server-hijacking/

    or just google 'bogus-nxdomain'.

    I believe this may be your ISP injecting through DNS.  If so, you should be able to enable DNS Forwarders, and at the bottom in the advanced section, you can enter the dnsmasq custom lines, once you determine the IP that a bogus domain resolves to.


  • Netgate Administrator

    I believe we are talking about ads that appear inside the requested webpage, the code is injected into the html on-the-fly. Thus it affects the page layout. Not a DNS issue or any particular page. Much more insidious.  :-\

    Steve



  • @shebang1234:

    I was thinking something along the lines of using a proxy and configuring something similar to a regular expression.

    Use a VPN service.  Your ISP will effectively be "out of the loop".



  • Instead of serving me the website that I ask for, they show me a page that has the ad in a div and the actual webpage in an iframe.

    http://imgur.com/vMqRvLx

    I've highlighted thethat contains the advertisement and the <iframe>next to it contains the actual webpage.<br /><br />1. Couldn't they theoretically do this with HTTPS websites as well?<br />2. If I complain that this is a breach of my privacy, do I have a case?<br /><br />EDIT: Link instead of huge image</iframe>


  • LAYER 8 Netgate

    @shebang1234:

    Instead of serving me the website that I ask for, they show me a page that has the ad in a div and the actual webpage in an iframe.

    http://imgur.com/vMqRvLx

    I've highlighted thethat contains the advertisement and the <iframe>next to it contains the actual webpage.<br /><br /></blockquote><br /><br />Wow.  If you're sure that's injected on-the-fly by the ISP don't use a VPN,  get a new ISP and be sure to tell both the losing and gaining provider exactly why.<br /><br /><blockquote><br />1. Couldn't they theoretically do this with HTTPS websites as well?<br /></blockquote><br /><br />If their installer installed a trusted root certificate (which I wouldn't put past anyone who would do this), yes.  When you go to https://www.facebook.com/ and examine the certificate, by which certificate authority is it signed?  For me, it's DigiCert Inc.<br /><br />Without a trusted root in your computer/browser, no, they can't do this without generating certificate error notifications.<br /><br /><blockquote><br />2. If I complain that this is a breach of my privacy, do I have a case?<br /></blockquote><br /><br />I'm with cmb on this.  Vote with your wallet.  Run - don't walk away from them.<br /></iframe>


  • Netgate Administrator

    Wow indeed.  :o
    There appears to be a script associated with it. Can you not block that with no-script or some equivalent? Doesn't help you with mobile devices though.

    Steve


  • LAYER 8 Global Moderator

    looks like they are loading a script from adserver.adtech.de, can you not just put in a host over ride for that fqdn in pfsense to 127.0.0.1 to prevent the script from loading?

    If they are injecting - you can just use a vpn service.  But also vote for change ISP, how do they get away with such stuff.  Injecting anything into a data stream between the http client and the server is BS plain and simple no matter how you look at it.


  • Banned

    When I use www.yougetsignal.com I dont get the injected popup at all.


  • LAYER 8 Netgate

    Nor is there an iframe tag in the source.  Shady stuff.


  • Banned

    But very slow response on some of the links on the front page.

    Especially the reverse tools.


  • LAYER 8 Global Moderator

    supermule are you on the same ISP as the OP?  His whole point is that his isp is injecting the ads.



  • Wait, wait, wait.

    I showed two versions of the same webpage. The right one is what I'd usually see, the left one is what I am served when the ISP injects the ads.

    They show me a completely different webpage, one that has ads and their own scripts. They just include an iframe for the webpage that I wanted.


  • Banned

    Do you have third party cookies and javascript disabled in the browser?

    Adblock Plus has that option.



  • Is everyone 100% sure this isn't a DNS problem?

    I'd try this with a fresh install of ubuntu or live CD and stipulate google dns servers to see what happens.



  • pfSense is configured to use Google DNS servers and nothing else. ISP DNS servers are unreliable and have high latency.

    Derelict: The certificates are signed by DigiCert. I don't think I've ever seen an ad on facebook or another https site to confirm if they are able inject ads in them.

    Moreover, I have seen those advertisements across multiple devices. Ubuntu, WinXP, Win7, Win8.1, Android.


  • Banned



  • I'd bet its something running on your end causing this because what ISP would want to alienate customers by doing such a thing unless they are the only ISP around to chose from?


  • LAYER 8 Global Moderator

    Why would some malware or ad producing junkware on his client promote his ISP packages?  How would that show up on his phones, etc..

    @OP you mention "by blocking the domain the ads reside on in AdBlock Plus"

    So just do that at pfsense dns over rides, and point all your clients to pfsense dns forwarder.  From you image looks that the script is loaded from adtech.de - so as I already mentioned over ride this via pfsense dns forwarder host over rides.



  • I get adds on lots of pages, but they are not "injected".  Most websites have advertisements.

    I'm just saying, its in the ISPs interest to do this?


  • LAYER 8 Global Moderator

    Clearly they think it is.. did you see the to copies of the page he showed.  The left side clearly has been altered, while the right side shows not such modifications.



  • I agree something is up, for sure.

    I just don't think the ISP has that much control to be able to inject whatever they want into whatever web page they like easily.

    Nor do I feel its in their interest to do so.

    Thats why I'm wondering about other explanations.

    Normally I suspect a hijacked browser when I see stuff like this.

    He says its across a variety of devices, so then I start thinking maybe its a DNS issue.

    If its really as bad as the ISP screwing with their own customers, then VPN is the way to go I think.

    Or dump the ISP and try another?


  • Netgate Administrator

    Did you follow Supermule's link to the report that Comcast are doing this. The OP is using MTNL so I'm guessing they're in India, not Comcast anyway. Technically it's not difficult at all if they are running any sort of proxy. For example:
    http://www.ex-parrot.com/pete/upside-down-ternet.html

    Steve



  • I just don't think the ISP has that much control to be able to inject whatever they want into whatever web page they like easily.

    It is trivially easy for an ISP to do this.  Why?  The universal answer to all questions: money.  Same reason why some ISPs are hijacking NXDOMAIN DNS responses and feeding people loaded ad pages in their place?



  • I can confirm that this is something that the ISP is doing. The ads are provided by adphonso (something that I forgot to mention earlier.) They very proudly talk about their "solutions" to make communication between ISPs and customers easier. (wtf?)

    There are records of MTNL customers complaining about adphonso ads all over the internet. Never became a hype though.
    The ISP is government controlled so I doubt if they really care whether or not they lose customers (I mean they've never behaved like it.) I don't have a choice here; I'd have switched to a different ISP long ago, if I could have.

    EDIT: I have blocked both adphonso and adtech. Purpose of this message was to check if there was a way for it to not spoil my layout either.
    EDIT2: Removed link.


  • LAYER 8 Netgate

    That's really unfortunate.  Tunnel all your traffic through a VPN I guess.

    (suppress desire to rant libertarian.)

    I set up vpnbook.com last night to test something.  They have free OpenVPN servers on UDP 53, UDP 25000, TCP 80, TCP 443.  Three of those will be pretty hard to block with a generic rule.  TCP/80 is probably going to be worthless to you.  Depends on how locked down/proxied your outbound traffic is.


  • LAYER 8 Global Moderator

    "EDIT: I have blocked both adphonso and adtech. Purpose of this message was to check if there was a way for it to not spoil my layout either."

    You would have to tunnel so they can not inject for that to happen, or have something that removed the injected code - proxy could do something like that.  But easy solution is to just tunnel past them so they can not inject.

    To me the best vpn solution for something like this is a low end vps, CHEAP – I have a couple of them, one on west cost other on east coast I use for testing - they cost $15 a year each.  500GB a month bandwidth so make great little vpn exit points.



  • What is going on there is incredibly stupid on the part of the ISP.  Sorry to seem so unbelieving before.  It just seems crazy.

    Thats the sort of crap I'd maybe expect on free wifi in a mall or something.

    I'd almost say move!

    The weather is quit nice tonight in manila…  And....  No ads.



  • @KOM:

    It is trivially easy for an ISP to do this.  Why?  The universal answer to all questions: money.  Same reason why some ISPs are hijacking NXDOMAIN DNS responses and feeding people loaded ad pages in their place?

    I know TWC does this. Other then redirecting you to a search page if the domain can't be found; the main reason is for them to direct your traffic is if you account is flagged. Example would be lack of payment (happen at a friends house, they had to acknowledge that they were over due before being routed to the internet), secuity reasons…

    If an ISP is going to inject ads, there service should be free then! This kinda reminds me of the Juno email....


  • LAYER 8 Netgate

    You might also want to make sure tunneling your internet around the government network won't land you in jail.



  • Is this China?  North Korea?  Iran?

    Who else is making a huge fuss about VPNs?

    I've used VPNs is and around china and the middle east.

    Didn't go to jail…  But then again, I wasn't leading an insurrection either.

    Haven't tried North Korea.  They lock people away for taking a deep breath.


  • LAYER 8 Netgate

    Looks like Mumbai, India.  I was just sayin…  Aren't they the ones that made Blackberry give them the ability to MITM?



  • @shebang1234:

    I can confirm that this is something that the ISP is doing. The ads are provided by adphonso (something that I forgot to mention earlier.) They very proudly talk about their "solutions" to make communication between ISPs and customers easier. (wtf?)
    http://adph_onso.com/

    DON'T click this adphonso link, I get a phising and a virus warning when clicking…



  • MITM in India?

    People do that?

    https://www.youtube.com/watch?v=o66FUc61MvU


Log in to reply