How does the cloak actually work?

How does the cloak actually work?

“We have the most impenetrable cloaker”, “We use artificial intelligence to analyze traffic”, “We analyze SSL fingerprints”. Such statements from the creators of the cloakers are a great way to attract new gullible customers and raise the price at least an order of magnitude. To understand why all this is nothing more than marketing, you need to understand how the cloak work from the inside. That is what I will tell you today.

How does the cloak work?

The cloaker analyzes incoming traffic and, based on the results of the check, shows either a black page for an ordinary person who switched from advertising, or a white page for bots and moderators.

How incoming traffic is analyzed

The most important thesis is that the cloak should analyze only the data that before can get before the visitor sees the site. Obviously, because the primary decision is which page to show at all. We have available…

Headers with IP addresses

For analysis, we are quite suitable:

  • CF-Connecting-IP
  • X-Forwarded-For
  • X-Real-IP
  • Client-IP
  • Remote-Addr

Their addresses may be different. For example, if a person uses Opera Turbo or his provider proxies traffic, the address should be caught not in Remote-Addr, but in X-Forwarded-For. Therefore, you need to analyze all the addresses that are caught in these headers.

Here you can immediately catch the first trigger – non-target geo. This is always and guaranteed automatic ban with the addition of the address to the black list.

Next, the cloaker must check the IPs with its database of blacklists. It is in the quality of the base and in what tools are used to compile it that the key difference between a good cloak and a bad one lies. Alas, I can’t tell you in detail about compiling the most complete black lists. This is the secret of my cloak AlterCPA One, which I do not advertise, because such a miracle does not need advertising.

For example, the well-known network “Book of faces” itself publishes a database of addresses of its bots. There is a well-known base from the NPPR team. There are also various blacklisting features. For example, if a lot of inappropriate traffic comes from one subnet, you can block the entire subnet at once.

User Agent header

A live person will immediately show a mobile device or desktop. And the bot will sign here that it is a bot. If there is no user agent, feel free to send it to white, a real person always has it without exception.

Accept Language header

For unknown reason, it is not used in all the cloakers. This header specifies which languages the browser accepts. For example, traffic goes to Russia, but in Accept Language only English – we send it to white. The absence of a local language in Accept Language is one of the main triggers.

Dispelling marketing tricks of the cloakers

Some cloaks claim to collect black lists based on device fingerprint, which in itself is an extremely stupid idea. To pass it off as an advantage is at least strange. First, to get a fingerprint, you need to make a request with a JS script even before the person got to the white or black site. That is, in fact, to show off part of the work of the cloak itself. The same Google with great pleasure will issue a “Malware” error for this, and you can say goodbye to the advertising campaign. And secondly, the prints of the same moderator change.

There is a more interesting way – collecting fingerprints of an SSL connection. This is even more deception. The SSL fingerprint always depends on two computers – the one that is accessing and the one that is being connected to. The same moderator, when communicating with one server, will have one fingerprint, and when communicating with the second, it will have a different one. The addresses of the cloak servers are constantly changing, otherwise they will simply be blocked by advertising networks. Therefore, the method of catching SSL connections using fingerprints is not working.

And my favorite: machine learning, artificial intelligence, etc. In any field of application of this technology there is an important condition. It should be possible to form a working correlation from the data obtained. At the user’s input, we do not receive either screen sizes or the number of processor cores, no information that can be analyzed in such a way as to collect patterns. In a good way for such analytics, it is necessary to obtain data on behavior, for example, mouse movement, at least, which is unrealistic. Accordingly, a correlation that works with an adequate hit level cannot be compiled either. This can only work when data is collected by scripts after a person hits the site. Why it is impossible to abuse scripts wrote above.

Cloud or self-hosted?

The effectiveness of a cloak is highly dependent on the size and quality of its blacklists.

  • A good cloud cloak analyzes the traffic of all clients across all countries and sources, and adapts blacklists. When working with different GEOs and a small amount of traffic, the cloud option will be better – it has preparations for all occasions in advance. Of the minuses, there may be false positives on some subnets that were banned due to the mistakes of some user. AlterCPA One is good choise here.
  • The advantages of self-hosted cloak are revealed on large volumes of traffic. This option is ideal for an arbitrage team, especially those working with their own advertisers in a narrow geo. Perhaps at first this cloaker will work a little worse while it is self-learning, but after a few days it will give a better result, not polluted by random crooked bays of users of the cloud version. Recommended here is AlterCPA Pro.

What is the difference between a good cloak and a bad one?

Expensive or cheap? All tools that actually work are primitive. Analysis of IP, user agents, language. A good cloak just knows how to work with it competently. And there are many of them. Expensive cloakers promise artificial intelligence and other amenities, but paying for it is inappropriate. Unless you like the accompanying service and you are a fan of the brand. Is my AlterCPA One better than the competition? No. Can it break through? Yes, like everyone else. This happens extremely rarely, and only a scammer will guarantee 0 breakdowns. But it’s cheaper and works exactly the same.


Don’t get fooled by marketing gimmicks. Traffic analysis does not need to be complicated, it is primitive, at least, because the cloak does not have much data for checking. Choose a simple high-quality and cheap cloud option – that’s all you need to minimize breakdowns, which are likely, no matter how you look at it.