I've had an issue that's happened at least three times over the span of around two years where if I'm directly connected to my ISP without any VPNs, when I open a new tab in Firefox and type a website's address, there is a connection redirect that brings me to some inflammatory/crude types of sites that have nothing to do with what I'm working on at that moment. I've also seen sites that I visit return an HTTP version instead of HTTPS. Could this part be SSL stripping?
I'm using my own hardware and not using the ISP's DNS servers. The systems these attacks have happened on are Linux and macOS. I have performed virus and vulnerability scans, scanned the particular internal network and made sure nothing is public facing, have network monitors, and have HIDS and a SIEM solution set up for those systems as well. None of these measures have alerted me to anything suspicious.
This is a large ISP. The way I assume the attack is being done is my router is getting poisoned routes from the ISP when it requests a website. What I can't figure out is the DNS servers are not owned by the ISP or even in the same country.
I'm asking if the community here could please point me in the right direction to figure out how to pinpoint and stop these attacks, thanks.
https://help.dnsfilter.com/hc/en-us/articles/1500008110182-transparent-proxying
But the latest versions of Firefox use DNS-over-HTTPS by default: https://support.mozilla.org/en-US/kb/firefox-dns-over-https
So, assuming your Firefox is up to date, your machine's DNS settings won't play a role. Perhaps you should try disabling/removing browser plugins and/or try a brand new profile?
Second would be a malicious browser extension.
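
One way to check what a given Firefox profile records for the two settings this thread turns on, DNS-over-HTTPS and HTTPS-Only mode, as an added example that is not part of the thread. It parses the profile's `prefs.js`; the sample input is constructed and the resolver URL is a placeholder.

```python
import json
import re

# One line of a Firefox profile's prefs.js looks like: user_pref("name", value);
PREF_RE = re.compile(r'^\s*user_pref\("((?:[^"\\]|\\.)+)",\s*(.+?)\);\s*$')

# Meaning of network.trr.mode (TRR = Trusted Recursive Resolver, Firefox's DoH)
TRR_MODES = {
    0: "off (default value, no explicit choice recorded in this file)",
    2: "DoH first, falls back to the system resolver",
    3: "DoH only, no fallback",
    5: "off by explicit choice",
}

def parse_prefs(text):
    """Return {name: value} for every user_pref line in prefs.js text."""
    prefs = {}
    for line in text.splitlines():
        m = PREF_RE.match(line)
        if not m:
            continue  # comments and blank lines
        try:
            prefs[m.group(1)] = json.loads(m.group(2))  # ints, booleans, strings
        except ValueError:
            prefs[m.group(1)] = m.group(2)  # keep the raw text if it is not JSON
    return prefs

def audit(prefs):
    """Summarise the DNS and HTTPS settings recorded in the profile."""
    mode = prefs.get("network.trr.mode", 0)
    return {
        "trr_mode": mode,
        "trr_mode_meaning": TRR_MODES.get(mode, "reserved/unknown"),
        "doh_resolver": prefs.get("network.trr.uri"),
        # Any mode other than 3 can still send queries to the system resolver,
        # where a transparent DNS proxy on the path could answer them.
        "can_fall_back_to_system_dns": mode != 3,
        # HTTPS-Only mode refuses silent plain-HTTP loads.
        "https_only": bool(prefs.get("dom.security.https_only_mode", False)),
    }

# Constructed sample; on a real system read prefs.js from the profile directory.
SAMPLE_PREFS = '''// Mozilla User Preferences
user_pref("browser.startup.homepage", "about:blank");
user_pref("network.trr.mode", 2);
user_pref("network.trr.uri", "https://doh.example/dns-query");
'''

if __name__ == "__main__":
    for key, value in audit(parse_prefs(SAMPLE_PREFS)).items():
        print(f"{key}: {value}")
```
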