AdBlocking and Adblocker Blocking

By   ISBuzz Team
Writer , Information Security Buzz | Oct 20, 2015 07:00 pm PST

Most people are familiar with the notion of an adblocker. It’s pretty much what it says on the label: a program that blocks ads from showing. They may not, however, be entirely familiar with how adblockers work or what the best kind of adblocker for their use might be.

Likewise, people are starting to become aware of sites trying to block users from browsing with adblockers enabled – but the ways in which that works are also somewhat obscure.

Adblocking at the browser-level is the variety which most people are familiar with: the user downloads a plugin for their browser, which then blocks the ads.

The best sort of adblockers entirely block the request to the adserver – they rewrite the page before it’s rendered to replace the request that would otherwise be made with a placeholder. This is the best approach because no spurious traffic is generated – it keeps the network traffic to a minimum, and doesn’t tip off any ad-company analytics that the page was loaded at all. In a way, it’s the most ‘honest’ way of adblocking.

Other methods interrupt the ad loading at different points in the process – either they allow the request to complete but do not accept the returned payload, or they put some kind of blocking panel over the ad so the user does not see it.

These types of adblocking are not as effective as the first. Your browser may still see malvertisements, for example, so you could still be subject to attack – and they end up not only increasing the amount of network traffic to the user but also reveal things about the user’s movements to ad company trackers.

Image 1There are also network-based adblockers that are installed by a network owner so that protections apply to every system and every browser on the network regardless of whether or not an adblocking plugin is installed or even available.

These are especially useful for mobile browsers, which often have very poor support for adblocking plugins, and which are often quite vulnerable to malvertising. With the addition of a VPN, which provides a ‘tunnel’ for all the network traffic to a trusted network, a network-based adblocker can allow a mobile device to benefit from adblocking in the same way that any other computer can.

Some of these adblocking methods are used in conjunction with content filtering proxy servers. The same kind of servers that are put in place to prevent employees from playing games or looking at racy pictures can be tuned to block advertisements as well. Others adjust firewalls to disallow connections to ad network addresses and filter any such requests at the network gateway. A third kind is the “sinkholed” DNS, which requires a little bit of explanation.

Image 2DNS is the service that acts like a phone book – it enables your computer to take a human-friendly name, like ‘‘, and look up the network address that it corresponds to – in my case. Normally, it does this by making requests to figure out where the ‘authoritative’ nameserver for the domain is, or whether the answer to that particular query is cached nearby, and then returning the result so your computer can make the connection.

If someone has configured a ‘sinkholed’ DNS for you, however, the server is configured to respond to certain domains with ‘dummy’ entries. This means that the request cannot successfully complete – so any domain with such a ‘dummy’ entry will be inaccessible to your browser. This is a sort of defensive application of “DNS Hijacking” – a common tactic used by malware to enable man-in-the-middle attacks.

Sinkholed DNS is extremely useful when fighting certain kinds of malware, and it’s also extremely useful in adblocking. Regardless of whether an adblocking plugin is installed, any attempt to load an ad’s URL will be stymied by the inability of the browser to look up the adserver’s domain name. The request won’t be successful, so the ad won’t load.

Ad networks, however, are fighting back.

Most of the measures that they use currently are based around javascript. Javascript’s near-universal availability in modern browsers and the large array of libraries that are available for developers give the networks many tools to detect what happens in users’ browsers.

Most of the current generation of adblock detectors use methods that try to figure out if the ad was fetched or displayed on screen; if it wasn’t, then they’ll attempt to take some measure to ask the user to turn off their adblocker.

These range from displaying a request where the ad would be (the easiest and most inoffensive solution; the ad would otherwise cover up the message) to popping up a modal window – that is, an overlay to the page that can’t be dismissed by normal means – to block the user from viewing the content. However, if the user turns off javascript support, the page – while likely less visually appealing and without some functionality – generally will still load just fine.

All of the anti-adblock solutions that I’m aware of on the market at this time depend on the end-user’s browser supporting them. From an information security standpoint, that’s a laughable stance. Nearly everyone in infosec knows that trusting the end user’s browser to do the right thing is a sure way to end up with headaches and breaches; similarly, trusting the browser to correctly report on advertising rendering is an ultimately futile endeavour.

Without having total control over the user’s browser (and thus making it into a trusted endpoint) advertisers will never be able to defeat every ad-blocking measure: this is an arms race that they won’t be able to win.

“The only winning move is not to play.”

On one side, ad networks are fighting for their survival, since adblocking, in its current form, post an existential threat to their business model.

On the other side, adblocking has started to become a lucrative business, and the companies that distribute them have realized that, besides charging users a fee for installing their adblocking software, they can charge ad networks a fee to be ‘whitelisted’ so that their ‘reliable’ ads will still display.

(This is a situation that one ad company exec, Mike Zaneis, compared to “blackmail” in an interview with C|NET recently.)

Will a new wave of adblockers that ‘play nice’ with ad publishers start to dominate?

Perhaps. The mobile economy has a high demand for adblocking plugins, and relatively few mobile users want to go through the fuss and bother of connecting to a VPN for all their traffic. These apps also have lots of budget available for, ironically enough, advertising. They’ve been written about in several publications recently, and the companies behind them are clearly trying to make them become the ‘acceptable’ alternative – a middle ground between those who are extremely anti-advertisement and the ad networks who demand delivery.

These middle-ground adblockers can still do some good. If they provide the kind of auditing services needed to police the ad networks into ensuring that only non-malicious ads get through to the users, that would be a distinct improvement over the current situation. Even users without the software would benefit overall, as the overall market would drive out those networks that aren’t willing to handle this policing.

On the other hand, there are still more than enough people who are dedicated to eliminating as many advertisements as possible and who have the technical skill and ability to make it happen. If these “ethical” adblocking programs do not suffice, the much more severe measures are still very much available for those who want to use them.

[su_box title=”Eric Rand, Security Consultant at Brown Hat Security and was guest blogging for AlienVault” style=”noise” box_color=”#0e0d0d”]AlienVaultAlienVault’s mission is to enable organizations with limited resources to accelerate and simplify their ability to detect and respond to the growing landscape of cyber threats. Our Unified Security Management (USM) platform provides all of the essential security controls required for complete security visibility, and is designed to enable any IT or security practitioner to benefit from results on day one. Powered by threat intelligence from AlienVault Labs and the AlienVault Open Threat Exchange—the world’s largest crowd-sourced threat intelligence network — AlienVault USM delivers a unified, simple and affordable solution for threat detection, incident response and compliance management. AlienVault is a privately held company headquartered in Silicon Valley and backed by Trident Capital, Kleiner Perkins Caufield& Byers, GGV Capital, Intel Capital, Sigma West, Adara Venture Partners, Top Tier Capital and Correlation Ventures.

AlienVault, Open Threat Exchange and Unified Security Management are trademarks of AlienVault. All other company and product names mentioned are used only for identification purposes and may be trademarks or registered trademarks of their respective companies.[/su_box]