CloudFlare Domain Fronting: an easy way to reach (and hide) a malware C&C

theMiddle
Aug 9, 2017


CloudFlare, as we know, provides a free load-balancing and CDN service. To use it, you just point your domain's nameservers at CloudFlare's DNS, and case closed.

“Setting up CloudFlare is easy”: so easy that anyone can add a new domain without any “ownership verification process”. In fact, you can add any domain that has not already been configured by some other CloudFlare user.

Now, you may think that if I set up “corriere.it” (an Italian daily newspaper published in Milan with an average daily circulation of 410,000 copies) on my Free Plan, CloudFlare will not forward any requests until it has checked that “corriere.it” has actually been “moved” to its DNS… ehmm, NO! ’cause CloudFlare is easy! 🤙

The big, easy, orange provider merely refuses to forward HTTPS requests and requests to third-level domains until the DNS change is done. For example: plain HTTP requests to http://corriere.it are accepted, but all requests matching (http|https)://.+\.corriere\.it are blocked.

My question is: what would happen if, in order to elude “content filters” or a “firewall policy”, I wrote malware that connects to its C&C through CloudFlare's HTTP forwarding of a “fake” but “trusted” domain (being able to connect to any of the CloudFlare IPs scattered around the world)? Let’s try!

As you can see in the video, first I configure “corriere.it” on my Free CloudFlare account. While the setup is in progress, I make a request with cURL to a random CloudFlare IP (104.24.99.193 and 104.27.143.145, I choose you!), specifying the “Host: corriere.it” header, which is, as expected, blocked:

A second after the setup process ended, the request was correctly forwarded to the corriere.it website!

Well done! At this point, we could talk for hours about why CloudFlare agrees to forward an HTTP request to a site I don’t own. It’s also true that I can’t use this trick to “hide my real IP address” when connecting to the corriere website through CloudFlare, because the IP from which I connect to CloudFlare is written into the “X-Forwarded-For” and “CF-Connecting-IP” request headers.

What does seem possible is to use CloudFlare to simulate real browsing of the corriere.it website. For example: if I need to send sensitive user information to my C&C, I can send it to CF, which forwards the request to my web server; my server then does a GET to the real corriere.it website, captures the response body and returns it as the response to the original request. All this in order to try to evade “content filters”, “firewall policies” or something like that… TL;DR: Domain Fronting.

In this case, a traffic analysis will probably report just a few HTTP requests to corriere.it, sent to a trusted CF IP address, with a plausible corriere.it HTTP response body… 😎
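The two observations above are exactly what a defender can work with: the origin server sees the real client address in CF-Connecting-IP / X-Forwarded-For (but only trustworthily when the TCP peer is really a CloudFlare edge), and a network monitor that compares the Host header against what that hostname actually resolves to will notice that corriere.it does not resolve to the CloudFlare IP being contacted. The following Python is an added example written for this article, not code from the post or from CloudFlare. It assumes a hardcoded subset of CloudFlare's published IPv4 ranges (the live list changes, so production code should fetch the current one), a constructed log format of `client dst_ip host path`, and a constructed DNS table in place of real lookups so that it runs offline; the 203.0.113.10 and 198.51.100.4 addresses are documentation-range placeholders.

```python
import ipaddress
from typing import Dict, List

# Subset of Cloudflare's published IPv4 edge ranges, hardcoded for this example.
# The list changes over time; production code should pull the current one.
CLOUDFLARE_V4 = [ipaddress.ip_network(n) for n in (
    "103.21.244.0/22", "103.22.200.0/22", "103.31.4.0/22", "104.16.0.0/13",
    "104.24.0.0/14", "108.162.192.0/18", "131.0.72.0/22", "141.101.64.0/18",
    "162.158.0.0/15", "172.64.0.0/13", "173.245.48.0/20", "188.114.96.0/20",
    "190.93.240.0/20", "197.234.240.0/22", "198.41.128.0/17",
)]


def is_cloudflare_ip(ip: str) -> bool:
    """True if the address falls inside one of the Cloudflare edge ranges above."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in CLOUDFLARE_V4)


def real_client_ip(peer_ip: str, headers: Dict[str, str]) -> str:
    """Origin-side: recover the address that actually connected to Cloudflare.

    CF-Connecting-IP and X-Forwarded-For are only meaningful when the TCP peer
    is a Cloudflare edge; a direct client can put anything in those headers,
    so in that case the peer address itself is the only value worth logging.
    """
    if not is_cloudflare_ip(peer_ip):
        return peer_ip
    lowered = {k.lower(): v for k, v in headers.items()}
    if "cf-connecting-ip" in lowered:
        return lowered["cf-connecting-ip"].strip()
    if "x-forwarded-for" in lowered:
        # First entry is the original client; later entries are proxies it passed through.
        return lowered["x-forwarded-for"].split(",")[0].strip()
    return peer_ip


def find_fronting_candidates(log_lines: List[str],
                             resolved: Dict[str, List[str]]) -> List[dict]:
    """Proxy-side: flag plain-HTTP requests whose destination IP is not one the
    Host header's hostname resolves to. Assumed log format: 'client dst_ip host path';
    `resolved` stands in for a DNS lookup so the example runs offline."""
    findings = []
    for line in log_lines:
        client, dst, host, path = line.split()
        expected = resolved.get(host, [])
        if dst not in expected:
            findings.append({
                "client": client, "dst": dst, "host": host, "path": path,
                "dst_is_cloudflare": is_cloudflare_ip(dst),
                "host_resolves_to_cloudflare": any(is_cloudflare_ip(ip) for ip in expected),
            })
    return findings


# Constructed sample data: 203.0.113.10 (TEST-NET-3) plays the real corriere.it
# address; 104.24.99.193 is the Cloudflare edge address used in the post.
SAMPLE_DNS = {
    "corriere.it": ["203.0.113.10"],
    "shop.example": ["104.24.99.193"],   # a site that legitimately sits behind Cloudflare
}
SAMPLE_LOG = [
    "10.0.0.5 104.24.99.193 corriere.it /index.html",  # Host says corriere.it, dst is a CF edge
    "10.0.0.7 203.0.113.10 corriere.it /",             # destination matches DNS
    "10.0.0.9 104.24.99.193 shop.example /api",        # CF-hosted domain, matches DNS
]

if __name__ == "__main__":
    for hit in find_fronting_candidates(SAMPLE_LOG, SAMPLE_DNS):
        print("suspicious:", hit)
    print(real_client_ip("188.114.102.101", {"CF-Connecting-IP": "198.51.100.4"}))
```

Only the first sample line is flagged: its destination is a CloudFlare edge while the hostname in the Host header does not resolve to CloudFlare at all, which is the signature of the pre-DNS-change forwarding described above. The `dst_is_cloudflare` / `host_resolves_to_cloudflare` pair is what separates this from an ordinary CDN-hosted site whose Host and destination agree.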

Now, all I have to do is point “corriere.it” to my server’s IP from CloudFlare’s DNS web GUI and configure the server to accept all “corriere.it” HTTP requests:

As you can see in the video, my web server has received two HTTP requests from a CloudFlare IP address (188.114.102.101) with the target hostname “corriere.it”. 😱 It works!

Conclusion

It seems so stupid to allow users to configure any domain without an “ownership check” that I guess CloudFlare must be aware of this situation. I’m probably too stupid to understand the need or, more likely, I’m missing something fundamental, or monumental, that I still can’t see. If you are more enlightened than me, please don’t hesitate to bla bla bla. 👋
