Esha Goyal
Cisco Employee

Domain fronting is a well-known CDN vulnerability that emerged several years ago. It is exploited by setting an HTTP Host header that differs from the TLS SNI extension, hiding a request for a malicious domain inside an SSL connection to a benign domain. Once the connection to the valid domain is established, the CDN transparently forwards it to the malicious domain. The attack works only if the "good" and "bad" domains are hosted on the same infrastructure or cloud provider, such as CloudFront or Azure.

Most of the popular CDN providers have blocked the use of domain fronting in their infrastructure and have effectively limited the practice in the wild.

When SSL inspection is turned on, the HTTP Host header inside the encrypted connection is visible to Umbrella. The service not only checks the domain's reputation but also scans the content with multiple antivirus engines. However, Umbrella will not drop the connection merely because the SNI value does not match the Host header in the HTTP request.

If the SNI extension is present but its value is empty (so-called domainless fronting), Umbrella will drop the connection.

In summary, Umbrella (both DNS and SWG) will block a domain-fronted connection if the destination is known to be malicious or the content being transferred is malicious. If the attack uses domainless fronting, the connection will be dropped.
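The SNI-versus-Host comparison described above, as an added example that is not from the original post or from Cisco's own code: a small classifier that an inspecting proxy or log pipeline could use to separate aligned connections from SNI/Host mismatches (candidate domain fronting) and from an empty SNI (domainless fronting). The key=value log format and the sample domain names are constructed for the example.

```python
"""Flag domain fronting (TLS SNI != HTTP Host) and domainless fronting
(SNI extension present but empty) in constructed proxy log records.
Added example, not Umbrella's code; the log format is invented."""
from dataclasses import dataclass
from typing import Optional, List


@dataclass
class Verdict:
    kind: str   # "aligned", "mismatch", "domainless" or "no_sni"
    sni: str
    host: str


def normalize(name: str) -> str:
    """Lower-case, drop a trailing dot and any :port suffix (Host: good.example.com:443)."""
    name = name.strip().lower().rstrip(".")
    if name.startswith("[") and "]" in name:   # IPv6 literal: keep the bracketed part only
        return name.split("]")[0] + "]"
    return name.rsplit(":", 1)[0] if ":" in name else name


def classify(sni: Optional[str], host: str) -> Verdict:
    """sni is None when the ClientHello carried no SNI extension at all;
    an empty string means the extension was present but had no value."""
    h = normalize(host)
    if sni is None:
        return Verdict("no_sni", "", h)
    s = normalize(sni)
    if s == "":
        return Verdict("domainless", s, h)   # the case the post says Umbrella drops
    if s == h:
        return Verdict("aligned", s, h)
    return Verdict("mismatch", s, h)         # SNI and Host disagree: candidate fronting


def parse_line(line: str) -> Verdict:
    """Constructed format: space-separated key=value pairs; sni=- means no extension."""
    fields = dict(kv.split("=", 1) for kv in line.split())
    sni = None if fields.get("sni", "-") == "-" else fields["sni"]
    return classify(sni, fields["host"])


# Constructed sample records, not real traffic.
SAMPLE_LOG = """\
sni=good.example.com host=GOOD.example.com:443
sni=good.example.com host=bad.example.com
sni= host=good.example.com
sni=- host=good.example.com
"""


def scan(log: str) -> List[Verdict]:
    return [parse_line(l) for l in log.splitlines() if l.strip()]


if __name__ == "__main__":
    for v in scan(SAMPLE_LOG):
        print(f"{v.kind:10} sni={v.sni!r} host={v.host!r}")
```

A mismatch verdict alone is not proof of abuse (the post notes Umbrella does not drop on mismatch), so it is best paired with the reputation and content checks described above.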
