Domain fronting attacks
Domain fronting is a technique in which the party making a connection uses a legitimate, highly reputable domain to mask the true destination of that connection. In the hands of an attacker it hides command-and-control (C2) traffic; in other hands it is a censorship-circumvention tool, as described further down.
The technique depends on content delivery networks (CDNs), the cloud distribution services that many companies use. A CDN caches a site's content on edge servers that are geographically close to its visitors, and the CDN edge also holds and serves the TLS certificate for the customer's domain. Because a single CDN edge serves many different customers' domains, it has to decide which customer a request belongs to after the TLS session is established, and it makes that decision from the HTTP Host header. That is the property domain fronting exploits.
How does the attacker proceed? First they set up their own backend behind the same CDN that serves the legitimate company's site. The CDN holds a valid TLS certificate for the legitimate domain, and that certificate is what will be presented to anyone watching the malware's callbacks.
The attacker is therefore hiding behind a legitimate domain. The malware runs on a computer that was compromised earlier, typically inside a monitored corporate network, and both the legitimate site and the attacker's backend are reachable through the same CDN edge.
The malware performs a callback: it resolves the legitimate domain in DNS and opens a TLS session to the CDN edge with the TLS Server Name Indication (SNI) set to the legitimate domain. The CDN presents the certificate for that domain, so the TLS handshake looks exactly like a visit to the legitimate site.
Everything visible on the wire (the DNS query, the SNI and the certificate) points to the legitimate domain, so a proxy or firewall trusts the connection. Inside the encrypted session, however, the HTTP request carries a Host header naming the attacker's domain, which is also served by the same CDN.
The CDN terminates TLS, reads the Host header and routes the request to the attacker's backend rather than to the legitimate site.
There is often a further hop. The attacker does not want the command-and-control server itself to sit on the CDN, where it could be noticed or taken down, so the CDN-hosted backend simply forwards the traffic to the real C2 server hosted elsewhere.
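The following is an added example, not code from the original article, showing both sides of the exchange just described: the client builds a request whose TLS SNI names the front domain while the Host header names the hidden backend, and the CDN edge routes purely on the Host header. The domain names (front.example, hidden.example) and the origin table are hypothetical.

```python
"""Domain fronting, client side and CDN-edge side (added example).

Assumptions: `front.example` is a reputable site served by a CDN, and
`hidden.example` is a second domain on the same CDN controlled by the
attacker. Both names and the origin table below are hypothetical.
"""
import socket
import ssl

FRONT_DOMAIN = "front.example"    # assumed: what DNS, SNI and the cert show
HIDDEN_DOMAIN = "hidden.example"  # assumed: attacker's backend on the same CDN


def build_fronted_request(front: str, hidden: str, path: str = "/beacon") -> bytes:
    """Return the plaintext HTTP request that travels inside the TLS session.

    The Host header names the hidden backend, not the front domain that the
    TLS layer advertised. Only the CDN reads this line, after terminating TLS.
    `front` is accepted for symmetry with fronted_fetch(); nothing on this
    layer refers to it, which is the whole point.
    """
    lines = [
        f"GET {path} HTTP/1.1",
        f"Host: {hidden}",
        "User-Agent: Mozilla/5.0",
        "Connection: close",
        "",
        "",
    ]
    return "\r\n".join(lines).encode("ascii")


def route_at_cdn_edge(request: bytes, origins: dict) -> str:
    """Mimic what a CDN edge does after terminating TLS: route on Host.

    `origins` maps hostnames the CDN serves to their origin servers. The SNI
    used during the handshake plays no part in this decision.
    """
    head = request.split(b"\r\n\r\n", 1)[0].decode("ascii", "replace")
    for line in head.split("\r\n")[1:]:          # skip the request line
        name, _, value = line.partition(":")
        if name.strip().lower() == "host":
            host = value.strip().lower().split(":")[0]  # drop optional port
            if host not in origins:
                raise LookupError(f"CDN does not serve {host}")
            return origins[host]
    raise ValueError("request has no Host header")


def fronted_fetch(front: str, hidden: str, path: str = "/beacon",
                  timeout: float = 5.0) -> bytes:
    """Perform the fronted request for real (requires network access).

    ssl's server_hostname sets both the SNI and the name the certificate is
    validated against, so both are bound to `front`; the Host header inside
    the tunnel names `hidden`. Whether the CDN honours the mismatch depends
    on the provider, and most large CDNs no longer do.
    """
    ctx = ssl.create_default_context()
    with socket.create_connection((front, 443), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=front) as tls:
            tls.sendall(build_fronted_request(front, hidden, path))
            chunks = []
            while True:
                data = tls.recv(4096)
                if not data:
                    break
                chunks.append(data)
    return b"".join(chunks)


if __name__ == "__main__":
    # Hypothetical routing table held by the CDN edge.
    origins = {FRONT_DOMAIN: "origin.front.example", HIDDEN_DOMAIN: "203.0.113.10"}
    req = build_fronted_request(FRONT_DOMAIN, HIDDEN_DOMAIN)
    print(req.decode())
    print("TLS layer says:", FRONT_DOMAIN)
    print("CDN routes to:", route_at_cdn_edge(req, origins))
```

The offline part (build_fronted_request and route_at_cdn_edge) is enough to see the trick: the handshake and the routing decision look at two different names. fronted_fetch is the same request sent over a real socket and is only there to show which ssl parameter binds the SNI.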
Widely used to avoid censorship
The same method is widely used to bypass censorship and the restrictions that exist in certain territories around the world, for example to reach a blocked web domain or application. A censor that only sees DNS and SNI cannot block the hidden service without also blocking the reputable front domain.
The Tor network's meek pluggable transport used domain fronting to hide bridge connections and keep users anonymous, and applications such as Telegram and Signal used it to reach users in countries where they were blocked. Since 2018 the largest providers, including Google and Amazon CloudFront, have disabled domain fronting on their edges by rejecting requests whose Host header does not match the SNI, so the technique now depends on which CDNs still allow the mismatch.
To summarise the sequence: first, the client resolves the legitimate front domain and opens a TLS connection to the CDN with the SNI set to that domain (this is the "fronting"). Second, the CDN presents a valid certificate for the front domain and the handshake completes, so any observer sees an ordinary, trusted HTTPS session. Third, inside that encrypted session the client sends an HTTP request whose Host header names the hidden domain, and the CDN routes on that header. The encryption is what keeps the Host header out of sight.
This method has been used over the years both by attackers and by users who wanted to hide their traffic behind a legitimate domain.
How to avoid domain fronting attacks
Whenever we use the network, a program or a device, it is essential to preserve its security and to have the measures in place to avoid falling victim to an attack that could put our privacy at risk. We have seen a clear example of how an attacker can take advantage of a legitimate domain. The measures below address it.
Use a proxy server
One of the best defences against domain fronting is an outbound proxy that acts as an intermediary for all connections leaving the network.
The point of the proxy is visibility: if it terminates TLS (TLS inspection with an internal CA on the endpoints), it can read the HTTP Host header and check that it matches the domain in the SNI and in the certificate, and block or alert on any mismatch. A proxy that only passes TLS through sees DNS and SNI, which in a fronted connection are exactly the legitimate values, and cannot detect the mismatch at all. There are many proxy products in this space; choose the one that fits the environment, but make sure it actually performs this check rather than merely logging connections.
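The following is an added example, not part of the original article, of the SNI-versus-Host check described above, run over a few constructed log lines from a hypothetical TLS-inspecting proxy. The log format (space-separated key=value fields, with `host` present only when the proxy decrypted the session) and the allowlist of known benign mismatches are assumptions.

```python
"""Flag domain-fronted connections in TLS-inspection proxy logs (added example).

Assumed log format, one connection per line, key=value fields:
  ts=<time> src=<client ip> sni=<TLS server name> [host=<HTTP Host header>]
The `host` field is only present when the proxy terminated TLS; without it
the check cannot be made, and such lines are counted separately.
"""
import re
from dataclasses import dataclass

# Constructed sample data for the example; not real traffic.
SAMPLE_LOG = """\
ts=2024-05-01T10:00:01Z src=10.0.0.5 sni=www.front.example host=www.front.example
ts=2024-05-01T10:00:02Z src=10.0.0.5 sni=www.front.example host=hidden.example
ts=2024-05-01T10:00:03Z src=10.0.0.7 sni=cdn.front.example host=CDN.front.example:443
ts=2024-05-01T10:00:04Z src=10.0.0.9 sni=www.front.example
ts=2024-05-01T10:00:05Z src=10.0.0.7 sni=www.front.example host=static.front.example
"""

# Known benign (sni, host) pairs, e.g. a site that fronts its own static
# host. Hypothetical; a real allowlist comes from observed baseline traffic.
ALLOWED_MISMATCHES = {("www.front.example", "static.front.example")}

FIELD_RE = re.compile(r"(\w+)=(\S+)")


@dataclass(frozen=True)
class Finding:
    ts: str
    src: str
    sni: str
    host: str


def normalise(name: str) -> str:
    """Lower-case a hostname and strip a trailing dot and optional :port."""
    return name.lower().rstrip(".").split(":")[0]


def parse_line(line: str) -> dict:
    return dict(FIELD_RE.findall(line))


def detect_fronting(log_text: str, allowed=ALLOWED_MISMATCHES):
    """Return (findings, uninspected) for a block of proxy log text.

    findings:    connections whose Host header names a different domain than
                 the SNI and are not on the allowlist; these are the fronting
                 candidates.
    uninspected: connections with no Host field (TLS was not terminated), so
                 the check could not be performed. A high count here means the
                 control is not actually giving visibility.
    """
    findings, uninspected = [], 0
    for raw in log_text.splitlines():
        fields = parse_line(raw)
        if "sni" not in fields:
            continue                      # not an HTTPS record; ignore
        if "host" not in fields:
            uninspected += 1
            continue
        sni, host = normalise(fields["sni"]), normalise(fields["host"])
        if sni == host or (sni, host) in allowed:
            continue
        findings.append(Finding(fields.get("ts", ""), fields.get("src", ""), sni, host))
    return findings, uninspected


if __name__ == "__main__":
    hits, blind = detect_fronting(SAMPLE_LOG)
    for f in hits:
        print(f"{f.ts} {f.src}: SNI {f.sni} but Host {f.host}  <- possible fronting")
    print(f"{blind} connection(s) were not TLS-inspected and could not be checked")
```

The comparison is deliberately exact after normalisation: a Host header for a different subdomain of the same organisation is still a mismatch and goes through the allowlist, because the CDN also routes on the full hostname, not on the registrable domain.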
Updates and fix vulnerabilities
Another important measure is to keep the servers, devices and tools we use every day fully updated, with all available patches applied.
Attackers exploit vulnerabilities that appear in unpatched software to get their malware onto a machine in the first place. Patching does not stop domain fronting itself, which abuses ordinary CDN behaviour rather than a software bug, but it removes the easiest route to the initial infection that the fronted C2 channel depends on.
We have seen that a domain fronting attack starts from an infected computer inside our own network, not inside the CDN. Preventing that infection, and spotting it if it happens, is therefore essential, and the devices must be protected accordingly.
Security software is fundamental here: a good antivirus or EDR product that can detect the malware, and a firewall or proxy that can intercept and inspect outbound connections (see the previous section). There is a wide range of options, and many kinds of software can help in one way or another.
Ultimately, domain fronting lets an attacker hide C2 traffic behind a legitimate website's reputation and certificate. It is important to stay protected and to have the tools that let us catch a compromised host before a trusted domain becomes its gateway out.