Software Engineering Institute

This presentation was given at FloCon 2023, an annual conference that focuses on applying any and all collected data to defend enterprise networks.

Domain fronting is a common network evasion technique used by privacy tools and malware where the client queries a DNS server for a benign domain name, advertises that domain name in the TLS client hello, and then sets the encrypted HTTP Host field to the target domain which is hosted on the same infrastructure. The client typically performs domain fronting in an attempt to evade DNS-layer enforcement as well as detection based on the TLS server name and TLS certificate information. This presentation reviews domain fronting and related network behaviors including 1) domain faking, where the client sets the TLS server name to a value not hosted by the server or CDN, and 2) residential proxying, where an endpoint can unknowingly receive and forward traffic. These techniques are illustrated with concrete examples, highlighting observable network behaviors along with a set of clients known to use the specified technique.

Additionally, we will present a novel measurement study of the domain name disinformation ecosystem including the infrastructure providers and applications that support domain name evasion. Malware sandbox data is used to highlight how prevalent these techniques are and the preferred providers and tools that are most frequently used by malware. Finally, we will show how to detect these techniques. Domain faking and residential proxy detection can be detected with simple rules when large-scale data is available. We will also demonstrate more generic detection mechanisms aimed at domain fronting that leverage straightforward machine learning and large-scale data.

The audience will learn about evasion strategies commonly employed that attempt to erode the value of domain name-based indicators of compromise, including domain fronting, domain faking, and residential proxying. The audience will additionally learn how to identify artifacts of these methods and how to efficiently hunt for occurrences within their own network.