How the domains are mapped, in the access log fields, in the case of a Domain Fronting Attack.

Article ID: 226625

Updated On:

Products

ProxySG Software - SGOS ISG Proxy

Issue/Introduction

How the domains are mapped, in the access log fields, in the case of a Domain Fronting Attack.

Resolution

The legitimate HTTP CONNECT request/domain will be mapped to the x-http-connect-host field, while the attacking host/domain will be mapped to the cs-host field, in the access log.

Domain fronting is when the HTTP Host header or TCP port differs from the Host in the URL. For example:

CONNECT http://www.example.com/ HTTP/1.0
Host: www.adifferentsite.com

In the case above, www.example.com would be mapped to the x-http-connect-host field, while www.adifferentsite.com would be mapped to the cs-host field.
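Added example, not part of the original article or the product's own tooling: a Python check that reads an access log in ELFF layout with a #Fields header and reports rows where cs-host and x-http-connect-host differ. It assumes both fields are included in the configured log format; the sample rows, the other columns and the function names are constructed for illustration.

```python
import shlex

# Constructed sample log in ELFF layout; only cs-host and x-http-connect-host
# come from the article, the other columns and all values are illustrative.
SAMPLE_LOG = """\
#Remark: constructed sample, not real proxy output
#Fields: date time c-ip cs-method cs-host x-http-connect-host cs(User-Agent)
2024-01-01 10:00:00 10.0.0.5 CONNECT www.example.com www.example.com "Mozilla/5.0 (X11)"
2024-01-01 10:00:07 10.0.0.9 CONNECT www.adifferentsite.com www.example.com "curl/8.0"
2024-01-01 10:00:09 10.0.0.5 GET www.example.org - "Mozilla/5.0 (X11)"
2024-01-01 10:00:11 10.0.0.7 CONNECT WWW.Example.com www.example.com:443 "Mozilla/5.0 (X11)"
"""


def normalize_host(value):
    """Lower-case, drop a trailing dot and a :port suffix; '-' means empty."""
    if value in ("", "-"):
        return None
    host = value.strip().lower().rstrip(".")
    if host.startswith("["):            # bracketed IPv6 literal, e.g. [::1]:443
        return host.split("]")[0] + "]"
    return host.rsplit(":", 1)[0] if host.count(":") == 1 else host


def find_fronting_candidates(log_text):
    """Return rows whose cs-host differs from x-http-connect-host."""
    fields, hits = [], []
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]   # column order is defined per log file
            continue
        if not line.strip() or line.startswith("#") or not fields:
            continue
        values = shlex.split(line)      # quoted values may contain spaces
        if len(values) != len(fields):
            continue                    # skip malformed or truncated rows
        row = dict(zip(fields, values))
        connect_host = normalize_host(row.get("x-http-connect-host", "-"))
        header_host = normalize_host(row.get("cs-host", "-"))
        if connect_host and header_host and connect_host != header_host:
            hits.append({"c-ip": row.get("c-ip"), "x-http-connect-host": connect_host,
                         "cs-host": header_host})
    return hits


if __name__ == "__main__":
    for hit in find_fronting_candidates(SAMPLE_LOG):
        print(hit)
```

Rows with no CONNECT host ("-") and rows that differ only by letter case or an explicit port are not reported, so the output is limited to genuine mismatches between the two fields.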

Reference Doc. for Domain Fronting Detection: https://knowledge.broadcom.com/external/article/173281/domain-fronting-attack-detection-feature.html