Website-Targeted False Content Injection by Network Operators

Gabi Nakibly


It is known that some network operators inject false content into users' network traffic. Yet all previous works that investigate this practice focus on edge ISPs (Internet Service Providers), namely, those that provide Internet access to end users. Edge ISPs that inject false content affect their customers only. However, in this work we show that not only edge ISPs may inject false content, but also non-edge network operators. These operators can potentially alter the traffic of \emph{all} Internet users who visit predetermined websites. We expose this practice by inspecting a large amount of traffic originating from several networks. Our study is based on the observation that the forged traffic is injected in an out-of-band manner: the network operators do not update the network packets in-path, but rather send the forged packets \emph{without} dropping the legitimate ones. This creates a race between the forged and the legitimate packets as they arrive to the end user. This race can be identified and analyzed. Our analysis shows that the main purpose of content injection is to increase the network operators' revenue by inserting advertisements to websites. Nonetheless, surprisingly, we have also observed numerous cases of injected malicious content. We publish samples of the injections to facilitate continued analysis of this practice by the security community.

Joint work with Jaime Schcolnik and Yossi Rubin. To be presented at Black Hat USA and Usenix Security 2016.


Gabi is a fellow at the National Cyber and Electronics Research Center at Rafael – Advanced Defense Systems Ltd and is also an adjunct lecturer and researcher at the Technion – Israel Institute of Technology. His research interests mainly revolve around network security. Gabi received his PhD from the Technion at 2008.

Time and Place

Thursday, June 23, 4:15pm
Gates 415