google-site-verification: google30a059f9a075f398.html

Domain Fronting – A New Technique For Hiding Malware Command and Control (C2) Traffic within a Content Delivery Network

CyberWisdom Safe Harbor Commentary on Domain Fronting

This story from tells a revealing a new technology called Domain Forwarding allows cybercriminals to hide commands and control network traffic from the CDN. It serves as a mask for the C&C network and extensively uses advanced malware evasion techniques.

“The content delivery network (CDN) is a distributed server (network) system based on the user’s geographic location, the origin of the web page and the content delivery server to deliver web pages and other web content to users.”

There are many CNDs that perform this content delivery operation, including CloudFlare, Akamai, Azure, and Amazon.

This approach has been influenced by many CNDs and has found major impacts in Akamai Technologies, which have highly significant traffic of various HIgh reputation domains that can mask our traffic.

According to Akamai, their CDN can carry 15-30% of global network traffic, and it is common for almost any potential target to see outbound traffic on the Akamai network. This makes Akamai’s CDN the main target of cutting-edge new methods in this field.

Field pre-work method

Also read Use n1n3 to simulate a circumventing “no file” malware – proof of concept
TOR project for domain front end
The Tor project is used to implement forward-looking domain names to avoid censorship in different countries that restrict Internet access to specific websites that refuse access to content distribution network services.

A specific Akamai domain name ( was used by the Tor project to bypass China’s Internet restrictions and was later blocked in China because it was used to bypass the country’s content filtering controls. Cyber Ark Say.

A few months before explaining this Domain Fronting, Cyber Ark said that there are 1000 Domains affected by this Domain Fronting Method, including the Fortune 100 company’s domain name.

Two requirements in the frontier of the field
As an attacker, you need two successful DF requirements to avoid command and control traffic.

The CDN must carry a two-way, persistent read-write mechanism (system or application). This means using the CDN-hosted application list to exchange instructions and data with Attacker.
Malware must be specially crafted to use this C2 channel, and the user’s machine must be infected with this malware.


The CDN could also give each domain virtual IP addresses that are tied to a specific SSL certificate. This stops malware from nesting in CDNs, but there are simply not enough public IPv4 addresses to make this happen.

Read more…

A New Technique called ” Domain Fronting “  allow cybercriminals to hide the command & control Networks Traffic within a CDN. It acts as a mask for  C&C networks and widely used advanced Technique for Malware Evasion. “A content delivery network (CDN) is a system of distributed servers (network) that deliver pages and other Web content Engaging post, Read More…

thumbnail courtesy of

If you like to receive more of these curated safe harbor news alerts then subscribe to my mailing list. and come back soon at to read further CyberWisdom Safe Harbor Commentaries. Home » Curated SafeHarboronCyber’s CyberWisdom Post » Domain Fronting – A New Technique For Hiding Malware Command and Control (C2) Traffic within a Content Delivery Network