Hacker News new | comments | show | ask | jobs | submit login
Domain Fronting with Meterpreter (bitrot.sh)
25 points by wolframio 10 months ago | hide | past | web | favorite | 3 comments

I had a closer look at this technique after reading the article.

The cool thing about this hack is that even in the TLS Server Name Indication (SNI) extension, the front domain name shows up, and only the (encrypted) HTTP Host header shows the true covert destination.

The paper "Blocking-resistant communication through domain fronting" (https://www.bamsoftware.com/papers/fronting/) is very interesting.

One thing that I'm left wondering is if the front domain owners will be at risk being blocked if domain fronting is being done with their domain. If so they may ask the CDN companies to block this routing behaviour.

Not sure I understand the point of the article. How is this different from what CloudFlare does (for free)?

If you're not clear on what domain fronting offers, it is basically a chance to hide traffic by sending it to a popular domain (the unencrypted TLS SNI destination), but traffic is routed elsewhere within that provider's network (via the encrypted HTTP Host header). It takes extra work for providers to shut it down (since SSL termination is usually separate from load balancing), and support is generally left enabled (kind of "don't ask don't tell" at the personal-use scale) because of anti-censorship benefits.

I believe the main point is that support is being integrated into Meterpreter, an exploit framework. The end result will be that even script-kiddie style attacks can spend $10 on a domain (or perhaps a free trial of GAE/Azure/AWS) to auto-magically use this technique to add another layer hiding their command & control servers from non-LEO/government defenders. (Meterpreter may be late to the party compared to similar tools.)

It is another step in the cat & mouse game, where techniques like this are usually first used by APT-level actors, someone rediscovers or documents it, it goes mainstream and eventually gains enough notoriety to be shut down.

There were a pair of discussions on the technqiue when Signal added support about a year ago: https://news.ycombinator.com/item?id=13245970, https://news.ycombinator.com/item?id=13232417

- mentions a Tor pluggable transport implementing the technique first discussed in January 2014: https://trac.torproject.org/projects/tor/wiki/doc/meek

- also mentions effective mitigations done provider-side: https://news.ycombinator.com/item?id=13233720

>temprature: Cloudflare did this a few years back by requiring that SNI matches the host header [...] or suspend the server running the reflector (Google did this to the meek reflector running on Appspot that Tor Browser used).

Guidelines | FAQ | Support | API | Security | Lists | Bookmarklet | Legal | Apply to YC | Contact