利用網域名稱變換規避廣告攔截器之方法分析

Abstract

廣告攔截器非常仰賴過濾列表來阻擋廣告以及追蹤域名。相關文獻有觀察到廣告商透過註冊「規避域名」，即新的域名但與被過濾的域名有相同功能，來規避過濾列表。但是，由於偵測規避域名的困難性，並沒有相關文獻完整的研究它的普遍性，以及所帶來的影響。因此，我們提出了一個啟發式的方法來找到規避域名，並完整分析它們。我們觀察到廣告域名與其規避域名的擁有者相同，且會有相似的功能性，因此會留下一些可以被連結的足跡。精確而言，我們的方法使用 DNS、TLS 證書、伺服器回應以及 URL 路徑來偵測規避域名。我們也要求規避域名必須要在原廣告域名之後才被加入過濾列表，以降低錯誤判別率。我們在 15,000 個網站中找到 1,569 個規避域名，其中有 339 個已經被過濾而 1,230 尚未被過濾。我們從 1,230 未被過濾的域名中，隨機挑選 293 個進一步進行人工分析，其中有 219 的確是廣告域名。此外，規避域名平均可以存活 356 天，比一般的廣告域名還多了 19 天。透過質化分析，我們對廣告商如何創造、產生規避域名並更新網站，提出了一個分類法。其中我們認為用第一方網站的子域名來代理廣告內容是危險的，因為他濫用了使用者對於第一方網站的信任。藉由了解規避域名，我們希望可以提昇廣告商規避過濾列表的難度。我們的方法亦可以用來創造規避域名資料庫，讓後續的學者可以基於該資料庫進行更多的研究。

Ad-blockers heavily rely on filter lists to block advertising and tracking domains. Prior work has observed that advertisers register and switch to evading domains---new domains that serve the same purpose as the blocked ones---to circumvent domain-based filters. However, no study has thoroughly investigated the prevalence and impact of evading domains, mainly owing to the difficulty of identifying them. This work proposes heuristics to identify evading domains and analyzes them comprehensively. Our heuristics are based on the observation that an ad domain and its evading domain share the same owner and have similar functionality, and thus may leave linkable traces in their configurations. Specifically, we leverage DNS records, TLS certificates, server responses, and URL paths to associate ad domains with their evading domains. We also require that the evading domain be encountered and blocked chronologically after its original ad domain to reduce false positives. On the 15K websites we crawled, we found 1,569 unique evading domains, with 339 of them blocked and 1,230 not blocked. We randomly selected 293 of the 1,230 non-blocked evading domains and confirmed that 219 are ad domains via manual inspection.Moreover, evading domains survive for an average of 356 days, 19 days longer than ad domains without evasion behaviors. Additionally, based on our qualitative analysis, we presented a taxonomy of techniques used to create evading domains, generate domain names, and update first-party websites. The use of first-party subdomains to proxy ads is hazardous, as it abuses users' trust on the first-party website. By improving the understanding of evading domains, we hope to raise the bar for advertisers to bypass filter lists. Our method can also be used to create a large evading-domain dataset, upon which more research can be performed and evaluated.