Domain Fronting - cisagov/findcdn GitHub Wiki

Basic Concepts of Domain Fronting

Initially, we developed this tool to determine programmatically which domains are frontable. Although that original vision was not realized, it took some research to get to where we are, and we felt it pertinent to document our findings.

What is Domain Fronting

Domain fronting is a means of circumventing packet inspection by firewall and IDS/IPS systems that use domain names to restrict internet traffic. Domain fronting has been used for Command and Control (C2) traffic in attacks by Advanced Persistent Threats (APTs), as well as for censorship circumvention by tools such as Signal. The idea is to reach evil.com, a malicious domain, by appearing to connect to allowed.com instead, so that the traffic gets through the firewall.

How Does Domain Fronting Work

Domain fronting requires that the blocked domain and the unblocked domain exist on the same Content Delivery Network (CDN), such as Cloudflare. The fundamental method consists of the following:

  • The destination domain is one that the blocking entity allows.
  • The HTTP Host header is set to the intended, blocked domain.
  • Because HTTPS is used, the HTTP section (including the HTTP headers) is encrypted with Transport Layer Security (TLS), which stops intermediate routers, firewalls, and other systems that handle the packet from seeing the intended Host: header.
  • The CDN receives the packet, decrypts the TLS layer with the key it holds, and then reads the Host header.

This graphic from Ben Dickson at Tech Talks visually describes this concept well: [Figure: Domain Fronting]

How to Test Domain Fronting

We found that the following method of testing domain fronting was reliable enough to use every time.

Prerequisites:

  • The target domain must be on a CDN.
  • We know of content, or preferably own content, on the same CDN that we can use to test the frontability of the domain.

The process can be done with tools such as chkdfront and fronter to check whether a domain is frontable. These tools rely on the following:

  • You know which CDN the target domain uses.
  • You have content to test against that is on the same CDN.

A simpler alternative is the method described by Robin on the blog https://digi.ninja, which uses the command line tool cURL to test the frontability of a CloudFront domain. For this to work, you need to know which CDN the domain is using and have, or know of, content that exists on that same CDN. The method consists of setting the Host header to the blocked domain and the target URL to the unblocked domain. Note: make sure the target URL uses HTTPS; otherwise, the fronting will be ineffective, as stated above. It looks like this:

curl -H "Host: d1sdh26o090vk5.cloudfront.net" https://fronted.digi.ninja/

- Source: https://digi.ninja/blog/cloudfront_example.php

The domain fronting is successful if:

  • The resource returns a 200 OK response.
  • The response contains a substring or content that is unique to the intended resource.
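The cURL test above, written out as a small Python checker for your own CDN-hosted content. This is an added example, not findcdn's code or the digi.ninja tool: the TLS connection (and so the SNI) goes to the front URL while the HTTP Host header names the other domain on the same CDN, and the two success criteria from the list are then applied to the response. The `fetch` parameter is an assumption introduced so the decision logic can be exercised without network access; `default_fetch` uses the standard library.

```python
"""Frontability check modelled on the curl command above (added example)."""
import ssl
import urllib.error
import urllib.request
from dataclasses import dataclass
from typing import Callable, Tuple

Fetcher = Callable[[str, str], Tuple[int, bytes]]


@dataclass(frozen=True)
class FrontResult:
    status: int
    body_matches: bool

    @property
    def frontable(self) -> bool:
        # Both criteria from the text must hold: a 200 OK and content that is
        # unique to the intended (Host header) resource.
        return self.status == 200 and self.body_matches


def default_fetch(front_url: str, host_header: str, timeout: float = 10.0) -> Tuple[int, bytes]:
    """One HTTPS request to front_url with the Host header overridden.
    urllib sends the Host header supplied here instead of deriving it from the URL."""
    req = urllib.request.Request(front_url, headers={"Host": host_header})
    ctx = ssl.create_default_context()  # certificate must be valid for the front domain
    try:
        with urllib.request.urlopen(req, timeout=timeout, context=ctx) as resp:
            return resp.status, resp.read()
    except urllib.error.HTTPError as err:
        # A 403/404 from the CDN is still a result worth recording, not a failure.
        return err.code, err.read()


def check_frontable(front_url: str, host_header: str, marker: str,
                    fetch: Fetcher = default_fetch) -> FrontResult:
    """Apply the two success criteria. `marker` is a string known to appear only
    in the Host-header domain's content (for example a string you placed there)."""
    if not front_url.lower().startswith("https://"):
        # Over plain HTTP the Host header is visible in transit, so the test says
        # nothing about fronting (see the note in the text).
        raise ValueError("front URL must use HTTPS")
    status, body = fetch(front_url, host_header)
    return FrontResult(status=status, body_matches=marker.encode() in body)


if __name__ == "__main__":
    # Hypothetical names; replace with your own front domain and CDN-hosted content.
    result = check_frontable("https://front.example/", "mysite.example", "MY-UNIQUE-MARKER")
    print(f"status={result.status} marker_present={result.body_matches} frontable={result.frontable}")
```

Run it against a domain you control and content you placed there; a 200 with your marker present means the CDN served the Host-header domain through the front domain, which is the condition the page calls frontable.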

How to Mitigate Domain Fronting

Mitigating domain fronting as an end user is much harder than as a CDN. The only reasonable way to do it is to intercept the traffic in transit, such as at a firewall, and decrypt the TLS layer of the packet; you can then see whether the Host is allowed. What a website owner can do to mitigate domain fronting comes down to the following:

  • Move to a CDN provider that blocks domain fronting.

Thus, the mitigation is contingent on how the CDN handles the traffic coming into the endpoints in its network. Since the SNI field in the TLS handshake is transmitted in clear text, it can be compared to the Host header once the CDN has decrypted the request, to see whether the traffic is going where the SNI said it would. This is the most commonly showcased mitigation; the list of mitigations available to CDNs includes:

  • Compare the SNI value to the decrypted HTTP Host header.
    • Also referred to as using an HTTPS proxy with SSL termination to identify mismatches between the Host header and the request URI.
  • CDN resource management
    • The CDN internally tracks which SSL certificates belong to which registered resources; however, this is resource-intensive, and not all CDNs implement it.
    • This may also require client approval.
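The first mitigation in the list, the SNI-to-Host comparison, as a detection pass over request logs from a TLS-terminating edge. This is an added example, not findcdn's code or any CDN's implementation; the log format (ts, client, sni, host, status key=value fields) and the sample lines are constructed for the example, and the allowlist of approved (SNI, Host) pairs stands in for the "client approval" the text mentions.

```python
"""SNI vs. decrypted Host header comparison over constructed edge-proxy logs (added example)."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

# Constructed sample of what a CDN edge that terminates TLS might log per request.
SAMPLE_LOG = """\
ts=2024-05-01T10:00:01Z client=198.51.100.7 sni=allowed.example host=allowed.example status=200
ts=2024-05-01T10:00:02Z client=198.51.100.7 sni=allowed.example host=ALLOWED.example.:443 status=200
ts=2024-05-01T10:00:03Z client=203.0.113.9 sni=allowed.example host=blocked.example status=200
ts=2024-05-01T10:00:04Z client=203.0.113.9 sni=- host=blocked.example status=200
ts=2024-05-01T10:00:05Z client=192.0.2.5 sni=cdn-assets.example host=www.allowed.example status=200
"""

# (sni, host) pairs the operator has explicitly approved for a customer.
Allowlist = Set[Tuple[str, str]]

_FIELD = re.compile(r"(\w+)=(\S+)")


@dataclass(frozen=True)
class Finding:
    ts: str
    client: str
    sni: Optional[str]
    host: Optional[str]
    verdict: str  # "match" | "mismatch" | "allowlisted" | "no_sni" | "no_host"


def normalize_name(raw: Optional[str]) -> Optional[str]:
    """Canonicalize a hostname so case, a trailing dot or an explicit port
    cannot hide a mismatch. Returns None when the value is absent ('-' or empty)."""
    if raw is None or raw in ("", "-"):
        return None
    name = raw.strip().lower()
    if name.startswith("["):            # bracketed IPv6 literal, e.g. "[2001:db8::1]:443"
        name = name.split("]", 1)[0] + "]"
    elif name.count(":") == 1:          # "host:443" -> "host"
        name = name.split(":", 1)[0]
    return name.rstrip(".")


def classify(sni: Optional[str], host: Optional[str], allowlist: Allowlist) -> str:
    """The decision the edge can make once it sees both the SNI and the decrypted Host."""
    s, h = normalize_name(sni), normalize_name(host)
    if s is None:
        return "no_sni"        # nothing to compare against; worth its own alert
    if h is None:
        return "no_host"       # e.g. HTTP/1.0 without a Host header
    if s == h:
        return "match"
    if (s, h) in allowlist:
        return "allowlisted"
    return "mismatch"          # the fronting pattern: TLS names one domain, HTTP another


def parse_line(line: str) -> Dict[str, str]:
    return dict(_FIELD.findall(line))


def audit(log_text: str, allowlist: Allowlist) -> List[Finding]:
    findings: List[Finding] = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        f = parse_line(line)
        verdict = classify(f.get("sni"), f.get("host"), allowlist)
        findings.append(Finding(f.get("ts", "?"), f.get("client", "?"),
                                f.get("sni"), f.get("host"), verdict))
    return findings


def suspicious(findings: List[Finding]) -> List[Finding]:
    """Requests an enforcing edge would reject and a monitoring one would alert on."""
    return [f for f in findings if f.verdict in ("mismatch", "no_sni")]


if __name__ == "__main__":
    approved: Allowlist = {("cdn-assets.example", "www.allowed.example")}
    for f in audit(SAMPLE_LOG, approved):
        print(f"{f.ts} {f.client:<14} sni={str(f.sni):<20} host={str(f.host):<26} {f.verdict}")
```

In enforcement mode the same `classify` result decides whether the edge serves the request; in monitoring mode `suspicious` feeds an alert. The second sample line shows why normalization matters: a Host of `ALLOWED.example.:443` is the same name as the SNI and must not be flagged.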

Resources