Keywords: CDN, CDN abuse, censorship, Domain Fronting, C2
Abstract: Domain fronting is a network communication technique that involves leveraging (or abusing) content delivery networks (CDNs)
to disguise the final destination of network packets by presenting
them as if they were intended for a different domain than their
actual endpoint. This technique can be used for both benign and
malicious purposes, such as circumventing censorship or hiding
malware-related communications from network security systems.
Since domain fronting has been known for a few years, some popular CDN providers have implemented traffic filtering approaches
to curb its use at their CDN infrastructure. However, it remains
unclear to what extent domain fronting has been mitigated.
To better understand whether domain fronting can still be effectively used, we propose a systematic approach to discover CDNs
that are still prone to domain fronting. To this end, we leverage
passive and active DNS traffic analysis to pinpoint domain names
served by CDNs and build an automated tool that can be used to
discover CDNs that allow domain fronting in their infrastructure.
Our results reveal that domain fronting is feasible in 22 out of 30
CDNs that we tested, including some major CDN providers like
Akamai and Fastly. This indicates that domain fronting remains
widely available and can be easily abused for malicious purposes.
Track: Security
Submission Guidelines Scope: Yes
Submission Guidelines Blind: Yes
Submission Guidelines Format: Yes
Submission Guidelines Limit: Yes
Submission Guidelines Authorship: Yes
Student Author: No
Submission Number: 2047
Loading