Domain fronting: what this threat is and how it puts a domain at risk

When we use devices connected to the network and run services such as a web page, we can run into many security problems. There are many types of threats that in one way or another could affect us. In this article we are going to explain what Domain fronting means, describe how this type of attack could put users at risk, and give advice on how to stay protected.

Domain fronting attacks

Domain fronting is a malicious technique in which an attacker makes use of a legitimate, highly reputable domain to mask and redirect connections to their own servers.

It should be noted that this type of attack relies on CDNs, or content distribution networks in the cloud. These are services widely used, especially by companies: they cache different items geographically closer to potential customers. The CDN will also host the SSL web certificate for the domain.

How then does the hacker act? The first thing they do is set up a server on the same CDN as that company. That company's SSL certificate is what hides the attacker's callbacks to the C2 (command and control) network.

Basically, what the hacker does in this case is hide behind a legitimate domain. They take advantage of a computer that has previously been infected with malware. That computer connects to that CDN, where the attacker's server is also hosted.

The malware makes a callback to the legitimate domain. That callback does not go to the domain owned by the attacker, but to a legitimate one hosted on that CDN. This sets up the TLS session between the malware and the legitimate domain on the network.

What they are looking for is that the DNS resolution and the new call look like a call to the legitimate domain, so that the browser trusts that certificate. The malware then calls again, but this time to the attacker’s domain, which is on the same CDN. That call is hidden inside the HTTP request carried over the TLS connection.

This request will be routed by the CDN, which, on unwrapping the header, redirects it to the attacker’s server located on the CDN.

Later there is another redirect. The cybercriminal does not want their activity to be visible on the CDN, so they cause a second redirect, this time to a command and control server located outside, elsewhere.

Widely used to avoid censorship

This method is widely used to avoid censorship and the limitations that may exist in certain territories around the world, for example to be able to access a blocked web domain or an application.

The Tor browser, for example, can use Domain fronting to bypass certain blocks and make the connection anonymous. The same applies to other well-known applications that have problems in certain countries, such as Telegram or Signal.

Therefore, we can summarize as follows: the first thing the client does is initiate a connection to a legitimate domain (this is what is known as Domain fronting) over HTTP. That request is then received and interpreted as secure on the network. The third step is to encrypt that connection using SSL. In this way they can manipulate the HTTP requests.

This method has been used over the years both by attackers and by users who have sought to hide themselves behind a legitimate domain.

How to avoid domain fronting attacks

Whenever we browse the web or use any program or device, it is essential to preserve security. We must have everything necessary to avoid becoming victims of any type of attack that could put our privacy at risk. We have seen a clear example of how a potential attacker could take advantage of a legitimate domain.

Use a proxy server

One of the best security barriers against Domain fronting attacks is a proxy server. It acts as an intermediary for all connections that leave our network.

This also lets us make sure that the HTTP Host header matches the legitimate domain found in the URL. Keep in mind that there are different options in this regard. We should always choose the one that best suits what we are looking for, while making sure that it fulfils its mission properly.
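As an added example (not code from this article), here is a small Python check of the kind such a proxy could run: it compares the hostname the TLS connection was opened to (the SNI, which is the domain in the URL) with the HTTP Host header and flags requests where the two point to different domains. The JSON log format and all hostnames are constructed for the illustration.

```python
"""Flag proxy log entries whose HTTP Host header does not match the TLS SNI /
URL host the connection was opened to (the domain-fronting signature).
Constructed log format (not any vendor's): one JSON object per line."""
import json

# Constructed sample log lines; hostnames are illustrative placeholders.
SAMPLE_LOG = """\
{"src":"10.0.0.12","sni":"cdn-front.example","host":"cdn-front.example","path":"/assets/app.js"}
{"src":"10.0.0.12","sni":"cdn-front.example","host":"c2-backend.example","path":"/beacon"}
{"src":"10.0.0.31","sni":"www.example.org","host":"static.example.org","path":"/img/logo.png"}
{"src":"10.0.0.31","sni":"shop.example.net","host":"","path":"/"}
"""

def registrable_domain(hostname: str) -> str:
    """Crude eTLD+1 (last two labels); real code should use a public-suffix list."""
    labels = hostname.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else hostname.lower()

def is_fronted(sni: str, host: str) -> bool:
    """True when the Host header points somewhere other than the SNI domain.
    Subdomains of the same registrable domain are tolerated (a common CDN
    layout); an empty Host header cannot be compared and is not flagged here."""
    if not host:
        return False
    host = host.split(":")[0]  # strip an explicit port such as :443
    if host.lower() == sni.lower():
        return False
    return registrable_domain(host) != registrable_domain(sni)

def find_fronting(log_text: str) -> list[dict]:
    """Return the log entries that look like domain fronting."""
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        entry = json.loads(line)
        if is_fronted(entry["sni"], entry["host"]):
            hits.append(entry)
    return hits

if __name__ == "__main__":
    for hit in find_fronting(SAMPLE_LOG):
        print(f"ALERT {hit['src']}: SNI={hit['sni']} Host={hit['host']} {hit['path']}")
```

Only the second constructed line is flagged; the same-domain CDN request and the request with no Host header are not.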

Updates and fixing vulnerabilities

Another very important point is to keep up to date all the servers we use, our devices and any tool that is part of our day-to-day browsing. It is essential to have all the patches installed and to fix any problems that may appear.

Hackers could make use of vulnerabilities that appear, using them to carry out their attacks more easily and put our security and privacy at risk. Hence it is essential to always keep everything updated.

Security programs

We have seen that one origin of a Domain fronting attack is an infected computer connecting to the CDN. Therefore it is essential to protect our devices properly so as to avoid any problem of this kind.

For this, something fundamental is to have security programs. A good antivirus that can detect malware and similar attacks is essential, as is a good firewall that can intercept fraudulent connections on the network. We have a wide range of options at our disposal: many types of software that in one way or another can help us.

Ultimately, Domain fronting attacks could compromise security and misuse legitimate websites to redirect connections. It is important to always be protected and to have all the programs that can help us keep hackers out, since any device could at some point serve as a gateway.
