Domain Fronting Through Microsoft Azure and CloudFlare: How to Identify Viable Domain Fronting Proxies

Date

2023-08-13

Rights

This item is likely protected under Title 17 of the U.S. Copyright Law. Unless on a Creative Commons license, for uses protected by Copyright Law, contact the copyright holder or the author.

Abstract

Domain fronting is a technique for obfuscating internet connections and circumventing internet censorship. It uses different domain names in different communication layers of an HTTPS connection to discreetly reach a target domain other than the one discernible to third parties monitoring the traffic: the DNS lookup and the TLS Server Name Indication (SNI) of the visible HTTPS connection carry one domain, while the Host header of the encrypted HTTP request carries another. If both domains are served from the same Content Delivery Network (CDN), the CDN may unwrap the TLS-encrypted HTTPS payload and proxy the request to the address named in the HTTP Host header. As a result, connection monitoring outside the CDN's server network cannot ascertain where the connection's packets are ultimately going to or coming from. This paper explores and expands upon methodologies for identifying viable domain fronting proxies within the CloudFlare and Microsoft Azure CDNs. Despite Microsoft's claim to block domain fronting behavior on all Azure products, our research identified 14 Azure edge servers on 6 Microsoft domains that successfully proxied domain-fronted traffic. By comparison, the CloudFlare CDN yielded over 2000 viable proxies among the 30 domains tested, an average of 6.61 viable proxies per domain (excluding outliers). Unlike the similar research conducted in 2017-2018 by penetration testers Vincent Yiu and Raphael Mudge [14], [23], we found no consistent pattern between a domain's DNS record and its ability to proxy fronted traffic. For example, the domain huffingtonpost.com has a different CDN address in its DNS records but still exhibited three subdomains that acted as proxy-willing CloudFlare edge servers. In response to these findings, this paper presents a methodology, subdomain enumeration using brute-force scripting, as a more effective method of identifying domain fronting proxies within popular CDNs.
Additionally, the domainfuzzer.py application developed as part of this study plays a crucial role in the analysis of viable domain fronting proxies within a CDN. By providing a user-friendly tool, domainfuzzer.py enables non-technical users to identify CDN edge servers capable of proxying domain-fronted traffic. For more technical users, the methodology can easily be adapted to any CDN, enabling them to build their own domainfuzzer.py for a CDN of their choosing, should they be so motivated.
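The abstract's definition of domain fronting (one name in DNS/SNI, another in the HTTP Host header, both served by the same CDN) is also the defender's detection signal. The following added example, which is not part of the paper or of domainfuzzer.py, applies that check to constructed JSON-lines records in the shape a TLS-inspecting proxy might log; the `CDN_OF` map is a constructed stand-in for a real domain-to-CDN lookup and the registrable-domain helper is deliberately naive.

```python
"""Flag SNI/Host mismatches in TLS-inspection proxy logs as a domain fronting indicator."""
import json

# Constructed sample records, shaped like what a TLS-terminating proxy logs (not real traffic).
SAMPLE_LOG = "\n".join(json.dumps(r) for r in [
    {"src": "10.0.0.5", "sni": "www.example.com", "host": "www.example.com"},
    {"src": "10.0.0.5", "sni": "cdn.example.com", "host": "example.com:443"},
    {"src": "10.0.0.7", "sni": "news.example.com", "host": "backend.example.net"},
    {"src": "10.0.0.8", "sni": "shop.example.org", "host": "files.example.net"},
    {"src": "10.0.0.9", "sni": "", "host": "plain.example.com"},
])

# Constructed stand-in for a domain -> CDN lookup; a real deployment would derive this
# from DNS CNAME chains or the CDN operators' published address ranges.
CDN_OF = {
    "news.example.com": "cdn-a",
    "backend.example.net": "cdn-a",
    "shop.example.org": "cdn-a",
    "files.example.net": "cdn-b",
}

def normalize(name):
    """Lower-case, drop any :port and trailing dot so 'Host: a.com:443' equals SNI 'a.com'."""
    return name.lower().split(":")[0].rstrip(".")

def registrable(name):
    """Naive registrable domain: last two labels (no public-suffix list in this example)."""
    return ".".join(name.split(".")[-2:])

def classify(record):
    sni, host = normalize(record.get("sni", "")), normalize(record.get("host", ""))
    if not sni or not host:
        return "no_sni"             # cannot evaluate the pair without both names
    if sni == host:
        return "match"
    if registrable(sni) == registrable(host):
        return "same_domain"        # e.g. www vs apex; usually benign
    if CDN_OF.get(sni) and CDN_OF.get(sni) == CDN_OF.get(host):
        return "fronting_suspected"  # different domains on one CDN: the fronting precondition
    return "mismatch"               # differing names, no shared CDN known; still worth a look

def scan(log_text):
    """Return (verdict, sni, host, src) for every record that is not a clean match."""
    findings = []
    for line in log_text.splitlines():
        r = json.loads(line)
        verdict = classify(r)
        if verdict != "match":
            findings.append((verdict, r["sni"], r["host"], r["src"]))
    return findings

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(*finding)
```

Note that the check only works where TLS is terminated and the Host header is visible; on encrypted traffic a monitor sees the SNI alone, which is exactly the gap the paper describes.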