CAPEC-481 Metadata
Likelihood of Attack: Medium
Typical Severity: High
Overview
Summary
Adversaries can provide contradictory destinations when sending messages. Network traffic is routed using the domain names carried in headers at different layers of the OSI model. In a Content Delivery Network (CDN), many domains may be served from the same infrastructure, and if contradictory domain names are supplied in one request, traffic can be routed to an unintended destination. The technique, called Domain Fronting, uses different domain names in the SNI extension of the TLS ClientHello and in the Host field of the HTTP header. An alternative technique, called Domainless Fronting, is similar, but the SNI field is left blank.
Prerequisites
An adversary must be aware that their message will be routed through a CDN, and that both of the contradictory domains are served from that CDN. If the purpose of the Domain Fronting is to hide redirected C2 traffic, the C2 server must have been created within the CDN.
Potential Solutions / Mitigations
Monitor connections, inspecting the TLS SNI and HTTP Host values in traffic for contradictory domain names or an empty SNI.
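The mitigation above amounts to a check that a TLS-terminating proxy or IDS can run over each connection record: compare the SNI from the ClientHello with the HTTP Host header and flag disagreement (Domain Fronting) or a missing SNI (Domainless Fronting). The following is an added example, not part of the CAPEC entry; the record fields (`src`, `sni`, `host`) and all domain names are constructed for illustration.

```python
"""Flag connection records whose TLS SNI and HTTP Host header disagree."""
from typing import Optional


def normalize_host(value: Optional[str]) -> str:
    """Canonicalise a hostname: drop port and trailing dot, trim, lowercase."""
    if value is None:
        return ""
    v = value.strip()
    if v.startswith("["):            # bracketed IPv6 literal such as [2001:db8::1]:443
        end = v.find("]")
        v = v[1:end] if end != -1 else v[1:]
    elif v.count(":") == 1:          # plain host:port
        v = v.split(":", 1)[0]
    return v.rstrip(".").lower()


def classify(sni: Optional[str], host: Optional[str]) -> str:
    """Return 'ok', 'domainless_fronting', 'domain_fronting' or 'missing_host'."""
    s, h = normalize_host(sni), normalize_host(host)
    if not h:
        return "missing_host"        # no Host header: nothing to compare against
    if not s:
        return "domainless_fronting"  # blank SNI with a Host header present
    if s != h:
        return "domain_fronting"     # SNI and Host name different domains
    return "ok"


# Constructed sample records, as a TLS-terminating proxy might log them.
SAMPLE_RECORDS = [
    {"src": "10.0.0.5", "sni": "cdn-assets.example.net", "host": "cdn-assets.example.net"},
    {"src": "10.0.0.7", "sni": "cdn-assets.example.net", "host": "c2-relay.example.net"},
    {"src": "10.0.0.9", "sni": "", "host": "c2-relay.example.net"},
    {"src": "10.0.0.11", "sni": "Cdn-Assets.Example.NET.", "host": "cdn-assets.example.net:443"},
]


def find_fronting(records):
    """Return (src, verdict) for every record that does not classify as 'ok'."""
    alerts = []
    for r in records:
        verdict = classify(r.get("sni"), r.get("host"))
        if verdict != "ok":
            alerts.append((r["src"], verdict))
    return alerts


if __name__ == "__main__":
    for src, verdict in find_fronting(SAMPLE_RECORDS):
        print(f"{src}: {verdict}")
```

A mismatch is a hunting lead rather than proof, since some legitimate deployments also present different names at the two layers; the normalisation step keeps case, port and trailing-dot variants from producing false alerts.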
Related Weaknesses (CWE)
| CWE ID | Description |
|---|---|
| CWE-923 | Improper Restriction of Communication Channel to Intended Endpoints |
Related CAPECs
| CAPEC ID | Description |
|---|---|
| CAPEC-161 | An attacker exploits characteristics of the infrastructure of a network entity in order to perpetrate attacks or information gathering on network objects or effect a change in the ordinary information flow between network objects. Most often, this involves manipulation of the routing of network messages so, instead of arriving at their proper destination, they are directed towards an entity of the attackers' choosing, usually a server controlled by the attacker. The victim is often unaware that their messages are not being processed correctly. For example, a targeted client may believe they are connecting to their own bank but, in fact, be connecting to a Pharming site controlled by the attacker which then collects the user's login information in order to hijack the actual bank account. |
Taxonomy Mappings
Taxonomy: ATTACK
| Entry ID | Entry Name |
|---|---|
| 1090.004 | Proxy: Domain Fronting |