They say all is fair in war. Cybercriminals are going all out to win the cyberwar, using any means possible to attack unsuspecting victims for their data. They deploy elaborate deceptions to mask their identity and take you by surprise with techniques like domain-fronting attacks.

That seemingly legitimate domain accessing your network may not be legitimate after all. For all you know, an attacker could be fronting it to put you in a tight corner. This is what's known as a domain fronting attack. Is there anything you can do about it?

What Is a Domain Fronting Attack?

As a part of regulating the internet, some countries restrict citizens from accessing specific online content and websites by blocking traffic from users within their territory. Unable to access these blacklisted websites legitimately, some people seek unauthorized means of access.

Domain fronting is a technique in which a user disguises the domain they are really connecting to, in order to reach a website that is blocked in their location. A domain fronting attack, on the other hand, uses the same technique to hide behind a legitimate domain while attacking a network.

Originally, domain fronting wasn't a means of cyberattack. Non-malicious users could use it to bypass censorship of certain domains in their location. For instance, in mainland China, where YouTube is prohibited, a user could use domain fronting to watch YouTube for harmless entertainment without compromising anyone's account. But seeing that it was a convenient way to beat security checks, cybercriminals hijacked it for their own gain, hence the attack variant.

How Does a Domain Fronting Attack Work?


To beat censorship on the ground, a domain-fronting actor takes on the identity of a legitimate internet user, usually one from a different geographic location. A content delivery network (CDN), a distributed set of proxy servers around the world, plays a major role in a domain fronting attack.

When you want to access a website, you trigger the following requests:

  1. DNS: Your internet-connected device has an IP address. This address is unique to your device. When you try to access a website, you initiate a domain name system (DNS) request that converts the domain name you requested into an IP address.
  2. HTTP: The hypertext transfer protocol (HTTP) request asks the server for the resource you want on the world wide web (WWW).
  3. TLS: The transport layer security (TLS) handshake wraps your HTTP traffic in encryption (turning it into HTTPS) and secures the exchange between your browser and the server.

Basically, DNS converts the domain name into an IP address, and the connection to that IP address carries HTTP or HTTPS. Converting the domain name into an IP address doesn't change the domain; it remains the same. But in domain fronting, while the domain stays the same in the DNS lookup and the TLS handshake, it changes inside the HTTPS connection: the DNS records show the legitimate domain, but the HTTP request inside the encrypted connection is directed to a prohibited one.

For instance, suppose you live in a country where example.com is blocked but you want to access it anyway. Your goal is to reach example.com through a legitimate website such as makeuseof.com. Your DNS and TLS requests will point to makeuseof.com, but the HTTP request inside your HTTPS connection will point to example.com.

Domain fronting succeeds by leveraging the encryption of HTTPS. Because the HTTP request is encrypted, the real destination can pass security checks without detection.

Cybercriminals leverage the above scenario to launch domain-fronting attacks. Instead of fronting a legitimate domain to reach websites that censorship denies them, they front a legitimate domain to steal data and perform related damaging tasks.

How to Prevent Domain Fronting Attacks


In launching domain-fronting attacks, cybercriminals front not just any legitimate domain, but highly ranked ones. That's because such domains have a reputation for being authentic. You would naturally have no reason for suspicion when you spot a legitimate domain on your network.

You can prevent domain-fronting attacks in the following ways.

Install a Proxy Server

A proxy server is a middleman or intermediary between you (your device) and the internet. It’s a security system that prevents users from accessing the internet directly, especially as user traffic can be harmful. In other words, it filters traffic to check for threat vectors before allowing it into a web application.

To prevent domain fronting, configure your proxy server to intercept all TLS communications and ensure that the HTTP Host header matches the domain name presented in the TLS connection. Based on your settings, the system will deny access if it notices a mismatch.
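The mismatch described above (same domain in DNS and TLS, a different one in the HTTP request) is what the proxy check has to catch. The following is an added example, not code from the original article: it compares the TLS domain with the HTTP Host header for each connection in a constructed, assumed three-column record layout, the kind a TLS-intercepting proxy might log after decryption.

```python
"""Flag connections whose HTTP Host header names a different domain than the
one presented in the TLS handshake (added example, not the article's code).
Records below are constructed: 'client tls_domain host_header' as a
TLS-intercepting proxy might log them after decryption."""

SAMPLE_CONNECTIONS = """\
10.0.0.5  makeuseof.com    makeuseof.com
10.0.0.7  makeuseof.com    example.com
10.0.0.9  cdn.example.net  static.cdn.example.net
10.0.0.11 example.org      EXAMPLE.ORG:443
"""

def normalize_host(value):
    """Lower-case a host name, strip any :port suffix, then a trailing dot."""
    host = value.strip().lower()
    if ":" in host and not host.startswith("["):  # Host headers may carry a port
        host = host.rsplit(":", 1)[0]
    return host.rstrip(".")

def host_matches_tls(tls_domain, host_header, allow_subdomains=False):
    """True when the Host header names the TLS domain (or, if allowed, a subdomain)."""
    front = normalize_host(tls_domain)
    host = normalize_host(host_header)
    return host == front or (allow_subdomains and host.endswith("." + front))

def check_connections(log_text, allow_subdomains=False):
    """Return (client, tls_domain, host_header, fronted) for each record."""
    verdicts = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        client, tls_domain, host_header = line.split()
        fronted = not host_matches_tls(tls_domain, host_header, allow_subdomains)
        verdicts.append((client, tls_domain, host_header, fronted))
    return verdicts

def fronted_clients(log_text, allow_subdomains=False):
    """Clients whose connections a strict Host-vs-TLS policy would deny."""
    return [c for c, _, _, fronted in check_connections(log_text, allow_subdomains)
            if fronted]

if __name__ == "__main__":
    for verdict in check_connections(SAMPLE_CONNECTIONS):
        print(verdict)
```

Real CDNs legitimately serve many Host names behind one front, so decide per deployment whether subdomains (or a specific allow list) should pass before enforcing the strict policy.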

Avoid Dangling DNS Entries

All entries in your DNS are supposed to direct traffic to designated resources. When you make an entry whose resource no longer exists, so the DNS can't usefully process it, you have a dangling DNS record.

A DNS record is dangling when it is either misconfigured or outdated and no longer serves a useful purpose. This creates room for domain-fronting attacks, as threat actors make use of such entries for their malicious activities.

To prevent domain fronting attacks from dangling DNS entries, you must always keep your DNS records clean. Carry out regular clean-ups to check for old and outdated entries and delete them. You can use a DNS monitoring tool to automate the process. It generates a list of all the active resources in your DNS records and singles out the non-active ones.
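The clean-up step above (listing records and singling out the ones whose resource is gone) can be automated. The following is an added example, not the article's or any vendor's tool: it follows in-zone CNAME chains and flags names that end at an IP you no longer hold or at an external host missing from your inventory. The zone lines and the inventory sets are constructed sample data.

```python
"""Find dangling DNS records by following in-zone CNAME chains to an A record,
an external name, or a loop (added example; zone and inventory are constructed)."""

SAMPLE_ZONE = """\
www.example.com.      CNAME  web-prod.example.com.
web-prod.example.com. A      203.0.113.10
old-blog.example.com. CNAME  blog-host.hosting.example.net.
api.example.com.      A      203.0.113.99
legacy.example.com.   CNAME  api.example.com.
"""
OWNED_IPS = {"203.0.113.10"}          # addresses still allocated to you
OWNED_EXTERNAL_HOSTS = set()          # the blog host was decommissioned

def parse_zone(zone_text):
    """Map name -> (TYPE, target) from simple 'name TYPE target' lines."""
    zone = {}
    for line in zone_text.splitlines():
        parts = line.split()
        if len(parts) == 3:
            name, rtype, target = parts
            zone[name.lower()] = (rtype.upper(), target.lower())
    return zone

def resolve(name, zone, max_hops=8):
    """Follow CNAMEs inside the zone to an A record, an external name, or a loop."""
    seen = []
    while name in zone:
        if name in seen or len(seen) >= max_hops:
            return ("LOOP", name)
        seen.append(name)
        rtype, target = zone[name]
        if rtype == "A":
            return ("A", target)
        name = target  # CNAME: keep following
    return ("EXTERNAL", name)

def find_dangling(zone_text, owned_ips, owned_external_hosts):
    """Return sorted (name, reason) pairs for records that should be removed."""
    zone = parse_zone(zone_text)
    dangling = []
    for name in zone:
        kind, target = resolve(name, zone)
        if kind == "A" and target not in owned_ips:
            dangling.append((name, f"resolves to IP {target} you no longer hold"))
        elif kind == "EXTERNAL" and target not in owned_external_hosts:
            dangling.append((name, f"points at {target}, not in your inventory"))
        elif kind == "LOOP":
            dangling.append((name, "CNAME chain loops or is too long"))
    return sorted(dangling)
```

In practice the inventory sets come from your DNS provider and asset or cloud inventory, and a record whose target no longer exists should be removed rather than left for someone else to claim.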

Adopt Code Signing

Code signing is the signing of software with digital signatures issued through a public key infrastructure (PKI) to show users that the software is intact and unaltered. The main goal of code signing is to assure users that the application they are downloading is authentic.

Code signing allows you to sign your domain and other resources in your DNS records to demonstrate their integrity and establish a chain of trust among them. The system will not validate or process any resource or command that doesn't carry the authorized signature.

Implement Zero-Trust Security to Prevent Domain-Fronting Attacks

Domain-fronting attacks spotlight the dangers associated with domain traffic. If hackers can front legitimate, authoritative platforms to penetrate your system, it shows that you can't trust any platform by default.

Implementing zero-trust security is the way to go. Ensure that all traffic to your network undergoes standard security checks to verify its integrity.