In this digital era, online advertising has become an indispensable part of the internet ecosystem. Websites, from small personal blogs to massive social media platforms, rely heavily on advertisements for revenue. As a result, ad traffic has risen substantially alongside organic website traffic in the last few years.
Figure 1: US Social Network Video Ad Spending, 2019-2023
Network Traffic Analysis
The ATI team at Keysight has analyzed the network traffic patterns of several popular ad service providers (such as Google AdSense, Amazon Ads, Microsoft/Bing Ads, LinkedIn Ads and Twitter Ads) and found some interesting information in the decrypted traffic that can be useful to other researchers.
Inside the HTTP Request:
To understand a particular HTTP request belonging to an advertising network, several fields and characteristics within the request can be analyzed.
Request URL:
- Ad traffic sometimes comes from a known ad server or network, which can be identified by its domain or subdomains.
- Sometimes the request URL path contains specific keywords like “ads”, “adserver”, “click”, “banner”, “doubleclick” etc., which generally indicate that the HTTP request is associated with advertising.
Figure 2: Example of an Ad specific HTTP Request
HTTP Headers:
- Referer: The header can show if the request is coming from an ad network or another site that typically serves ads.
- Sometimes the HTTP request contains ad-specific headers like “x-advertising-id”, “x-ad-server”, “x-ad-partner”, “x-ad-type” etc., which clearly indicate that the request belongs to an ad.
Content Type:
Ads often come with specific content types (MIME types) such as “image/gif”, “image/jpeg”, “application/javascript”, “text/html”, “text/plain” etc. for embedded iframes.
Figure 3: Example of another Ad specific HTTP POST request
Query Parameters:
The query often contains parameters commonly associated with ad traffic, such as “clickid”, “adid”, “utm_source”, “utm_campaign”, “gclid”, “pid” etc. These parameters help in tracking and managing ad interactions, making them key indicators of advertising-related requests.
Inside the HTTP Response:
To understand whether a particular HTTP response comes from an ad server or not, several fields and characteristics within the response can be analyzed.
Status Codes:
- Ads frequently use redirections (status codes 301 and 302) to track clicks or load content from various ad servers or networks.
- HTTP responses with status code 200 can contain ad-related content.
Figure 4: Example of an Ad specific HTTP Response with GIF content
Content Types:
Ad responses have specific content (MIME) types, such as:
- “image/gif”, “image/jpeg”, “image/png” for banner ads
- “application/javascript” for ad scripts
- “text/html” for ad frames or pop-ups
- “video/mp4”, “video/webm” for video ads
Response Payload:
Ad responses sometimes contain identifiable patterns such as “<iframe>”, “<img>” and “<script>” tags inside JavaScript elements. These elements are commonly used to embed advertisements and track user actions on web pages.
Figure 5: Ad specific HTTP Response containing <img> tag inside the response payload
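The request and response indicators listed above can be combined into a simple traffic classifier. The following is an added example, not Keysight's or ATI's code: the indicator lists come from this article, while the function names, the rule that response traits only corroborate a request match, and the sample messages are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs
# Indicator lists are taken from the article; the decision rule is an assumption.
URL_KEYWORDS = ("ads", "adserver", "click", "banner", "doubleclick")
AD_HEADERS = {"x-advertising-id", "x-ad-server", "x-ad-partner", "x-ad-type"}
AD_PARAMS = {"clickid", "adid", "utm_source", "utm_campaign", "gclid", "pid"}
AD_MIME = {"image/gif", "image/jpeg", "image/png", "application/javascript",
           "text/html", "video/mp4", "video/webm"}
EMBED_TAG = re.compile(r"<(iframe|img|script)\b", re.IGNORECASE)

def request_indicators(url, headers):
    """List the ad indicators present in one HTTP request."""
    parts = urlsplit(url)
    # Compare whole host/path tokens so "ads" does not match "downloads".
    tokens = set(re.split(r"[^a-z0-9]+", (parts.netloc + parts.path).lower()))
    hits = [f"url:{k}" for k in URL_KEYWORDS if k in tokens]
    hits += [f"header:{h.lower()}" for h in headers if h.lower() in AD_HEADERS]
    query = parse_qs(parts.query, keep_blank_values=True)
    hits += [f"param:{p.lower()}" for p in query if p.lower() in AD_PARAMS]
    return hits

def response_indicators(status, headers, body=""):
    """List the ad indicators present in one HTTP response."""
    hdr = {k.lower(): v for k, v in headers.items()}
    hits = []
    if status in (301, 302) and "location" in hdr:
        # Tracking redirect: inspect the target URL like a request.
        hits += ["redirect:" + i for i in request_indicators(hdr["location"], {})]
    mime = hdr.get("content-type", "").split(";")[0].strip().lower()
    if status == 200 and mime in AD_MIME:
        hits.append(f"mime:{mime}")
    hits += [f"tag:{t}" for t in sorted({m.lower() for m in EMBED_TAG.findall(body)})]
    return hits

def classify(url, req_headers, status, resp_headers, body=""):
    """Assumed rule: need one request indicator and two indicators in total."""
    req = request_indicators(url, req_headers)
    resp = response_indicators(status, resp_headers, body)
    # MIME types and embed tags also occur on ordinary pages: corroboration only.
    return bool(req) and len(req) + len(resp) >= 2, req + resp

# Constructed samples (not captured traffic); hosts use the reserved .example TLD.
AD = ("https://adserver.example/banner/show?adid=77&gclid=abc",
      {"Referer": "https://news.example/", "X-Ad-Type": "display"},
      200, {"Content-Type": "image/gif"}, "")
PAGE = ("https://news.example/downloads/report.html", {},
        200, {"Content-Type": "text/html; charset=utf-8"}, "<img src='logo.png'>")

if __name__ == "__main__":
    print(classify(*AD), classify(*PAGE), sep="\n")
```

The ordinary page still reports a “text/html” content type and an “<img>” tag, which is why the response-side traits are treated as supporting evidence rather than as a verdict on their own.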
Ads Traffic Simulation in Keysight ATI
At Keysight Technologies, researchers on the Application and Threat Intelligence (ATI) team have examined the traffic patterns of various popular advertising service providers and of advertisements from the world’s top 50 most popular websites. They have published the network traffic patterns of the 5 most popular ad service providers (Google AdSense, Amazon Ads, Microsoft/Bing Ads, LinkedIn Ads and Twitter Ads), with sample advertisement traffic, in the ATI-2024-11 and ATI-2024-12 Strike Packs released on June 07, 2024 and June 20, 2024 respectively.
Figure 6: Ads superflows present in BPS
Leverage Subscription Service to Stay Ahead of Attacks
Keysight’s Application and Threat Intelligence subscription provides daily malware and bi-weekly updates of the latest application protocols and vulnerabilities for use with Keysight test platforms. The ATI Research Centre continuously monitors threats as they appear in the wild. Customers of BreakingPoint now have access to attack campaigns for different advanced persistent threats, allowing them to test their currently deployed security controls’ ability to detect or block such attacks.