Blog

Domain Fronting: An Introduction

In 2018, Google closed its “domain fronting service.” Before then, Google had allowed its servers to be used as “proxies” to connect to other websites. In a nutshell, this is what domain fronting is.

In this 2-part blog, we demystify domain fronting, explain why it’s a part of today’s expanding threat landscape, and unpack some strategies to help you protect your organization.

To understand domain fronting, we must first revisit some basic Internet concepts.

The Internet: Web Traffic, IP Addresses and Routers

Every time you browse one of the 2 billion websites on the Internet, you become part of web traffic, aka Internet Protocol or IP traffic. The Internet is a global network of interconnected computers, each with a unique address to identify and differentiate it from the others. This address is its IP address.

Think of the Internet as a street with many houses, each identified by a unique number or IP address. Every website is hosted on a server. When you access a website through a browser, you generate IP traffic in the form of data bits and bytes. This data and your computer’s IP address tell the webserver who is visiting the site. As you visit other websites, you move along different paths with your browser and generate more Internet traffic.

The Internet consists of multiple routers that forward user traffic to the right destination. Routers are owned by different Internet Service Providers (ISPs). No single ISP can reach every user, so ISPs interconnect their networks and exchange data traffic, allowing users worldwide to access the Internet seamlessly.

What is a Content Delivery Network (CDN)?

The early Internet content primarily consisted of static web pages. Today, it consists of millions of dynamic web pages, user-generated content (UGC), stylesheets, images, Javascript files, videos, and of course, streaming content.

Every website is located on a server, and the distance between the server and a user limits a website’s loading speed. When the server and user are closer together, the website loads faster, and vice versa. For example, consider the websites of Yelp (crowd-sourced business reviews) or Whole Foods (multinational supermarket chain). Although both are accessible globally, their web servers are based in the U.S. So; these sites will load more slowly for a user from Singapore than a user in the U.S. A Content Delivery Network (CDN) eliminates this problem.

A CDN is a network of linked hosting servers. It routes traffic to whichever server has the least load to improve loading speeds and the user’s website experience. The CDN stores cached versions of websites in multiple geographies with their own caching servers. It serves a copy of the web page from a server closest to the user to reduce latency and ensure fast and secure content delivery.

Today, most web traffic is served through CDNs, including traffic from major sites like Amazon, Netflix, Facebook, and millions of retail, finance, and healthcare sites.

And now, let’s explore domain fronting.

What is Domain Fronting?

Hackers and scammers exploit a CDN’s architecture for domain fronting. They use this technique to hide the true destination of encrypted Internet traffic behind legitimate traffic in a CDN. Simply put, hacker traffic “mirrors” reputable traffic, allowing them to get back-door access to data from a targeted network.

How Domain Fronting Works

For domain fronting, hackers take advantage of CDNs hosting multiple domains. Censors cannot block the CDN since this would also block other websites hosted on it. Hackers route their traffic to a CDN server, which then gets re-routed through a domain fronting server to its final destination. This process masks the hacker’s traffic and makes it look like all Internet traffic is legitimate and coming from websites hosted on the CDN.

Every website has two addresses: the DNS domain name in the URL and the host header in the HTTP request header. For a self-hosted website without a CDN, the DNS domain name and the host header match. But for websites hosted behind a CDN, the host header can mismatch, which hackers take advantage of.

Hackers sign up for the CDN service, which assigns them a specific header value. They then masquerade as the trusted server at a genuine website like Whole Foods Market to force infected clients to use their host header instead. Thus, hackers route what appears to be trusted website traffic from a legitimate CDN to their server instead.

In Part 2, we will explore how bad actors use domain fronting to cause chaos in enterprise networks and systems.

Conclusion

Although very few CDNs now support domain fronting, it remains a viable cybersecurity threat for organizations. In Part 2 of this blog, we explore some strategies to protect your organization from bad actors leveraging this clever hacking technique.

Featured Posts

See All

October 24 - Blog

Packetlabs at SecTor 2024

Packetlabs is thrilled to have been a part of SecTor 2024. Learn more about our top takeaway's from this year's Black Hat event.

September 27 - Blog

What is InfoStealer Malware and How Does It Work?

InfoStealer malware plays a key role in many cyber attacks, enabling extortion and lateral movement via stolen credentials. Learn the fundamentals about InfoStealers in this article.

September 26 - Blog

Blackwood APT Uses AiTM Attacks to Target Software Updates

Blackwood APT uses AiTM attacks that are set to target software updates. Is your organization prepared? Learn more in today's blog.