Domain Fronting
In this article, we are going to learn about a very interesting and powerful technique known as Domain Fronting which is a circumvention technique based on HTTPS that hides the true destination from the censor.
What is Domain Fronting?
Domain fronting is a technique to circumvent the censorship employed for certain domains(censorship may be for domains not in line with company's policies or may be because of the bad reputation of domains).Domain fronting works at HTTPS layer and uses different domain names at different layers of the request(more on this later).To the censors, it looks like the communication is happening between the client and an allowed domain whereas, in reality, the communication might be happening between the client and a blocked domain.
Phishing simulations & training
How Domain Fronting Works
Domain Fronting works at HTTPS layer and under these different requests for hostname will be different at different layers. In Domain Fronting, hostname information will be same for DNS request and SNI whereas HTTP host header which is hidden from censors from HTTPS encryption will carry another hostname. The outside addresses will typically be those of a CDN that would have a large number of domains behind it (such as s3.amazonaws.com), and the host address would be a small "reflector" hosted on that CDN.
The reflector would be a small application that forwards traffic in the HTTP request to wherever it needs to go and forwards the responses to the client through the HTTPS tunnel. Thus the initial DNS request and Client Hello are sent in the clear and are visible in packets, but the inner HTTP traffic is sent through the encrypted tunnel.
What is SNI?
SNI stands for Server name Indication and is an extension of TLS protocol which allows a server to host multiple hostnames under the same IP. With this extension, clients can specify the domain they want to connect with in the initial TLS request which allows the server to select the appropriate certificate to negotiate with the client.
For example, if we query google.co.in using OpenSSL clients, we see that the returning certificate is not for the issued request.
Looking at the x509 certificate reveals more information about the frontal server and other sites under the same frontal.
As you can see in the above screenshot that, same frontal also accepts connections for *.appspot.com which is the domain issued for apps hosted on Google App Engine.
As you might have guessed that if *.appspot.com is blocked by censorship and if the frontal is not, then the request will succeed, and to the monitoring team, only a request for frontal will be seen. To see the actual destination, TLS should be broken to see what is inside HTTP header.
Meek - Tor Extension
As we know TOR is a network of proxy nodes, that attempts to provide anonymity to users accessing the internet. However, analysts can find TOR communication by identifying communication with TOR infrastructure. Meek Extension is a plugin for TOR browser, and it acts like a client whereas the meek endpoint in CDNs like Azure and Amazon will act as a meek server. Below are the underlying steps in meek infrastructure/communication.
- Tor is configured on the client with meek plugin.
- The client sends an HTTP request to the Tor bridge via a CDN. Client protects the bridge domain name from the censor by fronting it with an allowed name.
- Front end server (from CDN) decrypts the request and sends the request to the destination mentioned in the HOST header.
- Bridge sends the data back to the client in the HTTP response
Domain Fronting and meek works when CDN blocks some of the domains but not all of them. Default bridge lines can be found here, and the CDN can be changed by altering the front parameter while installing meek. Below are the some of the services that can be used with TOR:
- Meek-amazon
- Meek-azure
Considering the way in which domain fronting works, it will not be feasible to block CDNs since popular domains like Microsoft Azure, Amazon AWS use it and blocking those domains will lead to monetary losses and possible business disruption due to the resources hosted by such services. There were no cases reported earlier where domain fronting technique is abused, but since now we know how it works, it can be easily abused. ON the same lines there was an APT named APT29 discovered using Domain Fronting. More details can be found here. So how will monitoring team defend against domain fronting? One way is to employ proper egress filtering and configure traffic all egress traffic to pass through that proxy and performing SSL man in the middle to decrypt the traffic, examine it and re-encrypting the traffic towards the destination. ON the response, the proxy will do the reverse. While examining, analysts must make sure that all the three indicators like DNS request, SNI server name, and HTTP Host header are same. If they are not same, then what is the actual destination under HTTP header.
Phishing simulations & training
So in this article, we have looked into a very clever technique to bypass censorship which is gaining popularity among APT authors as well.
In this Series
- Domain Fronting
- Keeping your inbox safe: How to prevent business email compromise
- The best 9 phishing simulators for employee security awareness training (2023)
- How to set up a phishing attack with the Social-Engineer Toolkit
- Extortion: How attackers double down on threats
- How Zoom is being exploited for phishing attacks
- 11 phishing email subject lines your employees need to recognize [Updated 2022]
- Consent phishing: How attackers abuse OAuth 2.0 permissions to dupe users
- The state of BEC in 2021 (and beyond)
- Why employees keep falling for phishing (and the science to help them)
- Phishing attacks doubled last year, according to Anti-Phishing Working Group
- The Phish Scale: How NIST is quantifying employee phishing risk
- 6 most sophisticated phishing attacks of 2020
- JavaScript obfuscator: Overview and technical overview
- Malicious Excel attachments bypass security controls using .NET library
- Phishing with Google Forms, Firebase and Docs: Detection and prevention
- Phishing domain lawsuits and the Computer Fraud and Abuse Act
- Phishing: Reputational damages
- Spearphishing meets vishing: New multi-step attack targets corporate VPNs
- Phishing attack timeline: 21 hours from target to detection
- Overview of phishing techniques: Brand impersonation
- BEC attacks: A business risk your insurance company is unlikely to cover
- Cybercrime at scale: Dissecting a dark web phishing kit
- Lockphish phishing attack: Capturing android PINs & iPhone passcodes over https
- 4 types of phishing domains you should blacklist right now
- Email attack trend predictions for 2020
- 4 tips for phishing field employees [Updated 2020]
- How to scan email headers for phishing and malicious content
- Should you phish-test your remote workforce?
- Overview of phishing techniques: Fake invoice/bills
- Phishing simulations in 5 easy steps — Free phishing training kit
- Overview of phishing techniques: Urgent/limited supplies
- Overview of phishing techniques: Compromised account
- Phishing techniques: Contest winner scam
- Phishing techniques: Expired password/account
- Overview of Phishing Techniques: Fake Websites
- Overview of phishing techniques: Order/delivery notifications
- Phishing technique: Message from a friend/relative
- [Updated] Top 9 coronavirus phishing scams making the rounds
- Phishing technique: Message from the boss
- Cyber Work podcast: Email attack trend predictions for 2020
- Phishing techniques: Clone phishing
- Phishing attachment hides malicious macros from security tools
- Phishing techniques: Asking for sensitive information via email
- PayPal credential phishing with an even bigger hook
- Your 2020 tax scam training guide
- Abusing email rules
- 8 phishing simulation tips to promote more secure behavior
- Top types of Business Email Compromise [BEC]
- Be aware of these 20 new phishing techniques
- Phishing in academic environments
We’ll customize our demo to your
- Security awareness goals
- Existing security and employee training tools
- Industry and compliance requirements
