Analyzing the Use of CNAME Cloaking in the Wild

Abstract

CNAME (Canonical Name) cloaking has emerged as a deceptive technique employed by website operators to obfuscate the true origin of their content. This master's thesis aims to comprehensively examine the utilization and prevalence of CNAME cloaking across the web.

To achieve this, a custom program was developed to crawl websites and gather valuable insights such as cookies and embedded objects. DNS resolutions are performed to identify domains in the resolution chain that exhibit characteristics of cloaking, as per the defined parameters. The thesis leverages diverse datasets to analyze different segments of the web, providing a holistic view of the ecosystem.

This study focuses on several key aspects. Firstly, it investigates the most common types of cloakers encountered, shedding light on their prevalence and distribution within the web. Furthermore, the coexistence of Content Delivery Networks (CDNs), trackers, and cloakers is analyzed, providing a comprehensive understanding of their interplay and potential implications. Additionally, the Time-to-Live (TTL) values of cloakers are examined to gain insights into their temporal dynamics and potential strategies employed by operators.
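The resolution-chain check and the CDN/TTL observations described above can be illustrated as follows. This is an added example, not the thesis's program: the classification criteria, the naive two-label registrable-domain rule, the tracker and CDN lists, and all hostnames and TTLs are constructed assumptions.

```python
# Constructed sample data: one record per hostname seen on a crawled page,
# with the CNAME chain (target name, TTL in seconds) returned by DNS resolution.
TRACKER_DOMAINS = {"tracker-co.example"}  # assumed tracker-list entry
CDN_DOMAINS = {"cdn-co.example"}          # assumed CDN-list entry

SAMPLE = [
    {"site": "shop.example", "host": "metrics.shop.example",
     "chain": [("shop.tracker-co.example", 300)]},
    {"site": "shop.example", "host": "static.shop.example",
     "chain": [("shop.cdn-co.example", 3600)]},
    {"site": "shop.example", "host": "www.shop.example",
     "chain": [("lb.shop.example", 60)]},
    {"site": "news.example", "host": "a.news.example",
     "chain": [("news.cdn-co.example", 600), ("edge7.tracker-co.example", 120)]},
    {"site": "news.example", "host": "px.tracker-co.example", "chain": []},
]

def registrable(name):
    """Naive eTLD+1 (last two labels); a real crawler would use the Public Suffix List."""
    return ".".join(name.rstrip(".").lower().split(".")[-2:])

def classify(record):
    """Label a hostname by where its CNAME chain leads relative to the visited site."""
    site_dom = registrable(record["site"])
    result = {"verdict": "first-party", "via": None, "min_ttl": None, "through_cdn": False}
    if registrable(record["host"]) != site_dom:
        result["verdict"] = "third-party"  # openly third-party, so not cloaked
        return result
    hops = [(registrable(name), ttl) for name, ttl in record["chain"]]
    external = [dom for dom, _ in hops if dom != site_dom]
    if hops:
        result["min_ttl"] = min(ttl for _, ttl in hops)
    result["through_cdn"] = any(dom in CDN_DOMAINS for dom in external)
    trackers = [dom for dom in external if dom in TRACKER_DOMAINS]
    if trackers:
        # First-party-looking name whose chain ends up at a known tracker.
        result["verdict"], result["via"] = "cloaked-tracker", trackers[0]
    elif result["through_cdn"]:
        result["verdict"] = "cdn"
    elif external:
        result["verdict"] = "external-cname"
    return result

if __name__ == "__main__":
    for rec in SAMPLE:
        print(rec["host"], classify(rec))
```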

By examining the prevalence and dynamics of CNAME cloaking, this research contributes to the broader understanding of this deceptive practice and its implications for privacy, security, and user experience. The findings of this thesis provide valuable insights for policymakers, web administrators, and security professionals to devise effective countermeasures against CNAME cloaking.

According to our findings, cloaking tends to occur more frequently on popular websites, indicating a correlation between website popularity and the likelihood of encountering cloaking behavior. Additionally, our analysis reveals that each cloaker tends to target specific types of websites, suggesting a degree of specialization or targeting within the cloaking ecosystem.

Moreover, we will delve into the origins and implications of both cookies and embedded objects in the context of cloaking. By examining the relationship between cloaking and these elements, we aim to gain a deeper understanding of the mechanisms and techniques employed by cloakers in their tracking practices.