Domain Fronting

A domain fronting attack is a technique that uses content delivery networks to disguise the true destination of network traffic.

Attackers leverage the way CDNs route requests by sending traffic that appears to go to a legitimate, allowlisted domain while actually communicating with a malicious server hosted on the same CDN infrastructure.

The attack works by exploiting the difference between the domain name in the TLS Server Name Indication (SNI) field and the Host header in the HTTP request. While network security tools see traffic going to a trusted domain like a major cloud provider, the CDN actually routes the request to the attacker's server based on the Host header.

This technique is particularly effective for bypassing domain-based filtering, deep packet inspection, and geographic censorship controls. Attackers commonly use domain fronting for command and control communication in advanced persistent threat campaigns, data exfiltration, and circumventing network restrictions.

Major cloud providers like Amazon CloudFront, Google, and Microsoft have implemented countermeasures against domain fronting by requiring consistency between SNI and Host headers. However, the technique remains viable on platforms that haven't implemented these protections, making it an ongoing concern for network security teams monitoring for covert communication channels.