[App_rpt-users] Got a strange error in my AT&T gateway

David McGough kb4fxc at inttek.net
Sun Jul 30 18:04:09 UTC 2017 

George,

I sent you a link to a related, but wrong article, earlier.  This link 
explains what is going on:

https://arstechnica.com/information-technology/2015/03/atts-plan-to-watch-your-web-browsing-and-what-you-can-do-about-it/

So, basically, what "hijacked" means is that the DNS entry for 
stats.allstarlink.org has been spoofed by AT&T, and those queries have 
been redirected to an AT&T proxy server (AKA: man in the middle) for 
"evaluation" before passing the request along to the REAL stats server.

DNS hijacking is becoming a serious problem these days, even if you set 
your DNS server explicitly to a well known address---like google 
(8.8.8.8)....This problem is one reason so much traffic on the Internet 
these days uses TLS (https), since using TLS will at least notify you of 
an invalid host (like a proxy server). BUT, be aware that even using TLS 
doesn't eliminate this man-in-the-middle problem, it just makes it easier 
to spot.

73, David KB4FXC





On Sun, 30 Jul 2017, George Csahanin wrote:

> Maybe I wasn't clear on this point.
> 
> host=stats.allstarlink.org url=/uhandler.php is a valid line from rpt.conf, well, technically http://stats.allstarlink.org/uhandler.php is.
> And my stats show up in stats.allstarlink.org
> 
> I found this on ATT forum, from another user (oddly, NOT from AT&T):
> */"the correct information in regards to the " hijacked" description 
> endings in the logs.  They are stating that the/**/*Gateway*/**/has hijacked the connection, and is providing responses.  It does not 
> mean that an external party has hijacked the connection.  The gateway 
> does this to send you error messages (i.e. in your browser), but it 
> usually causes more harm than it does good./*"
> 
> I'll ignore this log entry. The daily reboot is still a mystery, sort of...it IS AT&T
> 
> GeorgeC
> 2360
> 
> 
> On 7/29/2017 12:29 PM, George Csahanin wrote:
> > Hi all. I've been seeing a daily reboot of my AT&T gateway, has done 
> > it three times now. Looked at the logs in the AT&T box and I see several:
> >
> > host=stats.allstarlink.org url=/uhandler.php hijacked
> >
> > Anybody know what this might mean?
> >
> > GeorgeC
> >
> >
> 
>

More information about the App_rpt-users mailing list