How to block ISP injected advertisements in webpages

shebang1234 · Oct 12, 2014, 6:44 PM

My ISP has started "injecting" advertisements inside webpages. They show up in the bottom right corner and obstruct content unless closed. They also tend to spoil the website design/layout on handheld devices. Is there anyway to block them using pfSense?

I am able to block the ads by blocking the domain the ads reside on in AdBlock Plus and AdFree but this doesn't help with the website layout issues.

PS: I understand that this is pretty useless unless I have screenshots or HTML code. They appear at random so I'll try to show it ASAP. I just thought that HTML injected ads may be a general problem and might have an ISP-independent solution.

cmb · Oct 13, 2014, 4:42 AM

Short of using HTTPS on every site, you can't, there wouldn't be a reliable means of detecting what your ISP injected.

Get a worthwhile ISP, or use an encrypted connection out of their network to tunnel your web traffic. Personally, I'd speak with my wallet, there's 0 chance I'd pay any ISP that injected anything into Internet traffic.

shebang1234 · Oct 13, 2014, 2:22 PM

I was thinking something along the lines of using a proxy and configuring something similar to a regular expression. Or perhaps reloading the webpage automatically once an ad is detected.

The ISP that I use is govt. controlled and the only one that is available all over the city. They advertise their own plans with higher data / bandwidth. The only other decent ISP in my city doesn't provide internet service where I live. It is actually much better than the one I use.

cmb · Oct 13, 2014, 4:54 PM

If it's predictable and consistent enough to match with a regex, Squid might have an option to remove that from the page via something like "Ad Zapper" or similar. Likely will require some hacking to make work.

Supermule · Oct 13, 2014, 5:32 PM

What website? Can we have a look?

@shebang1234:

My ISP has started "injecting" advertisements inside webpages. They show up in the bottom right corner and obstruct content unless closed. They also tend to spoil the website design/layout on handheld devices. Is there anyway to block them using pfSense?

I am able to block the ads by blocking the domain the ads reside on in AdBlock Plus and AdFree but this doesn't help with the website layout issues.

PS: I understand that this is pretty useless unless I have screenshots or HTML code. They appear at random so I'll try to show it ASAP. I just thought that HTML injected ads may be a general problem and might have an ISP-independent solution.

newpfsenser · Oct 13, 2014, 10:07 PM

See this article:
http://hackercodex.com/guide/how-to-stop-isp-dns-server-hijacking/

or just google 'bogus-nxdomain'.

I believe this may be your ISP injecting through DNS. If so, you should be able to enable DNS Forwarders, and at the bottom in the advanced section, you can enter the dnsmasq custom lines, once you determine the IP that a bogus domain resolves to.

stephenw10 · Oct 14, 2014, 12:56 AM

I believe we are talking about ads that appear inside the requested webpage, the code is injected into the html on-the-fly. Thus it affects the page layout. Not a DNS issue or any particular page. Much more insidious. :-\

Steve

NOYB · Oct 14, 2014, 1:01 AM

@shebang1234:

I was thinking something along the lines of using a proxy and configuring something similar to a regular expression.

Use a VPN service. Your ISP will effectively be "out of the loop".

shebang1234 · Oct 15, 2014, 7:46 PM

Instead of serving me the website that I ask for, they show me a page that has the ad in a div and the actual webpage in an iframe.

http://imgur.com/vMqRvLx

I've highlighted thethat contains the advertisement and the <iframe>next to it contains the actual webpage. 1. Couldn't they theoretically do this with HTTPS websites as well? 2. If I complain that this is a breach of my privacy, do I have a case? EDIT: Link instead of huge image</iframe>

Derelict · Oct 15, 2014, 8:01 PM

@shebang1234:

Instead of serving me the website that I ask for, they show me a page that has the ad in a div and the actual webpage in an iframe.

http://imgur.com/vMqRvLx

I've highlighted thethat contains the advertisement and the <iframe>next to it contains the actual webpage. </blockquote> Wow. If you're sure that's injected on-the-fly by the ISP don't use a VPN, get a new ISP and be sure to tell both the losing and gaining provider exactly why. <blockquote> 1. Couldn't they theoretically do this with HTTPS websites as well? </blockquote> If their installer installed a trusted root certificate (which I wouldn't put past anyone who would do this), yes. When you go to https://www.facebook.com/ and examine the certificate, by which certificate authority is it signed? For me, it's DigiCert Inc. Without a trusted root in your computer/browser, no, they can't do this without generating certificate error notifications. <blockquote> 2. If I complain that this is a breach of my privacy, do I have a case? </blockquote> I'm with cmb on this. Vote with your wallet. Run - don't walk away from them. </iframe>

stephenw10 · Oct 15, 2014, 8:20 PM

Wow indeed. :o
There appears to be a script associated with it. Can you not block that with no-script or some equivalent? Doesn't help you with mobile devices though.

Steve

johnpoz · Oct 15, 2014, 8:50 PM

looks like they are loading a script from adserver.adtech.de, can you not just put in a host over ride for that fqdn in pfsense to 127.0.0.1 to prevent the script from loading?

If they are injecting - you can just use a vpn service. But also vote for change ISP, how do they get away with such stuff. Injecting anything into a data stream between the http client and the server is BS plain and simple no matter how you look at it.

Supermule · Oct 16, 2014, 3:37 AM

When I use www.yougetsignal.com I dont get the injected popup at all.

Derelict · Oct 16, 2014, 3:48 AM

Nor is there an iframe tag in the source. Shady stuff.

Supermule · Oct 16, 2014, 3:56 AM

But very slow response on some of the links on the front page.

Especially the reverse tools.

johnpoz · Oct 16, 2014, 9:19 AM

supermule are you on the same ISP as the OP? His whole point is that his isp is injecting the ads.

shebang1234 · Oct 16, 2014, 12:39 PM

Wait, wait, wait.

I showed two versions of the same webpage. The right one is what I'd usually see, the left one is what I am served when the ISP injects the ads.

They show me a completely different webpage, one that has ads and their own scripts. They just include an iframe for the webpage that I wanted.

Supermule · Oct 16, 2014, 12:47 PM

Do you have third party cookies and javascript disabled in the browser?

Adblock Plus has that option.

kejianshi · Oct 16, 2014, 12:50 PM

Is everyone 100% sure this isn't a DNS problem?

I'd try this with a fresh install of ubuntu or live CD and stipulate google dns servers to see what happens.

shebang1234 · Oct 16, 2014, 1:05 PM

pfSense is configured to use Google DNS servers and nothing else. ISP DNS servers are unreliable and have high latency.

Derelict: The certificates are signed by DigiCert. I don't think I've ever seen an ad on facebook or another https site to confirm if they are able inject ads in them.

Moreover, I have seen those advertisements across multiple devices. Ubuntu, WinXP, Win7, Win8.1, Android.