Domain Fronting and SNI

Domain fronting is a malicious technique in which a request appears to be for a legitimate site (the front) when it is in fact being sent to another website.

Domain fronting relies on SSL/TLS to work: the service provider is unable to see the actual malicious hostname the request is going to, and can only see the fronted domain in the SNI data.

SNI


SNI, which stands for Server Name Indication, helps solve a problem that TLS introduces for HTTP connections.

A server can be shared by many users to host their own websites. For example: AWS, Google Cloud or Azure all host multiple websites that clients can visit.

In a non-TLS connection, when the request is made from the client to the server, the hostname is visible in clear text. The server then simply serves the requested hostname to the client.

In a TLS connection, it gets slightly more complicated. A TLS connection requires the certificate of the website to complete the handshake, and each website hosted on the server has its own certificate. However, in the incoming request from the client the hostname (the HTTP Host header) is encrypted. Without the hostname, how will the server know which website the client wants to visit, and which certificate to present to the client?

A simple solution is presented by SNI, which carries the hostname in clear text in the first message of the TLS handshake (the ClientHello). This way, the server knows which website's certificate to present to complete the TLS handshake.

SNI-Hostname Mismatch


Domain fronting takes advantage of the SNI presented to the server. The hostname in the HTTP request is the actual destination the packet is going to, and it is encrypted. The only information visible on the wire is the SNI, and attackers can simply set the SNI value to something legitimate.

An example scenario:

  1. Hostname: http://www.badsite.com
  2. SNI spoofed to show: http://www.goodsite.com

Since the hostname is encrypted, no one knows I'm going to http://www.badsite.com; they can only see the SNI data and assume that I'm visiting http://www.goodsite.com.

Detection


Domain fronting is used in other malicious scenarios, such as C2 communication and data exfiltration.

Detection of domain fronting cannot work just by inspecting packet contents, as they are encrypted. Detection can thus only be done through behavioral analysis, such as looking for regular beaconing intervals or suspicious packet sizes.
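As an added example (not code from the original post), a small Python script that applies the behavioral check described above to constructed connection records: a network sensor sees only the SNI, never the encrypted Host header, so the script groups connections per (source, SNI) and flags pairs whose timing and request sizes are too regular for a human. The record layout, the thresholds and all sample data are assumptions.

```python
import statistics
from collections import defaultdict

# Constructed sample of outbound TLS connection records as a sensor might log
# them: (epoch seconds, source IP, SNI from the ClientHello, bytes sent).
SAMPLE_FLOWS = [
    # a workstation beaconing every ~60s with near-identical request sizes
    (1000, "10.0.0.5", "www.goodsite.com", 512),
    (1061, "10.0.0.5", "www.goodsite.com", 514),
    (1119, "10.0.0.5", "www.goodsite.com", 512),
    (1180, "10.0.0.5", "www.goodsite.com", 513),
    (1241, "10.0.0.5", "www.goodsite.com", 512),
    (1299, "10.0.0.5", "www.goodsite.com", 512),
    # a user browsing the same fronted domain at irregular times and sizes
    (1005, "10.0.0.7", "www.goodsite.com", 1800),
    (1020, "10.0.0.7", "www.goodsite.com", 300),
    (1400, "10.0.0.7", "www.goodsite.com", 9500),
    (1402, "10.0.0.7", "www.goodsite.com", 420),
    (2100, "10.0.0.7", "www.goodsite.com", 2200),
]


def find_beacons(flows, min_conns=5, max_interval_cv=0.1, max_size_cv=0.05):
    """Return (src, sni, period_seconds, interval_cv) for pairs that look
    machine-generated. cv = coefficient of variation (stdev / mean): regular
    intervals and near-constant sizes both give a small cv, browsing does not.
    """
    by_pair = defaultdict(list)
    for ts, src, sni, size in flows:
        by_pair[(src, sni)].append((ts, size))

    suspects = []
    for (src, sni), recs in by_pair.items():
        if len(recs) < min_conns:
            continue
        recs.sort()  # order by timestamp before computing gaps
        gaps = [b[0] - a[0] for a, b in zip(recs, recs[1:])]
        sizes = [size for _, size in recs]
        mean_gap, mean_size = statistics.mean(gaps), statistics.mean(sizes)
        if mean_gap == 0 or mean_size == 0:
            continue  # degenerate data (identical timestamps / empty flows)
        gap_cv = statistics.pstdev(gaps) / mean_gap
        size_cv = statistics.pstdev(sizes) / mean_size
        if gap_cv <= max_interval_cv and size_cv <= max_size_cv:
            suspects.append((src, sni, round(mean_gap), round(gap_cv, 3)))
    return suspects


if __name__ == "__main__":
    for src, sni, period, cv in find_beacons(SAMPLE_FLOWS):
        print(f"{src} -> SNI {sni}: ~{period}s period, interval cv={cv}")
```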
