Amazon Boosts Domain Protections in CloudFront

Amazon Web Services (AWS) has unveiled a series of enhancements for the domain protections available in CloudFront, meant to ensure that all requests handled by the service come from legitimate domain owners.

Integrated with AWS, the CloudFront global content delivery network service provides both network and application level protection, scales globally, negotiates TLS connections with high security ciphers, and includes distributed denial of service protections.

As per the AWS Terms of Service, CloudFront customers aren’t allowed to receive traffic for a domain they are not authorized to use, and Amazon disables abusive accounts when it becomes aware of this type of activity. Now, the company is also integrating checks directly into the CloudFront API and Content Distribution service to prevent abusive behavior.

One of the newly announced enhancements affects protections against “dangling” DNS entries, where a customer deletes their CloudFront distribution but leave the DNS still pointing at the service. Such situations are very rare, but some customers do leave their old domains dormant, the company says.

In some of these situations, an abuser could exploit a subdomain. If the customers no longer users the subdomain (although the domain is in use) and it points to a deleted CloudFront distribution, an abuser could register the subdomain and claim traffic that they aren’t entitled to.

“This also means that cookies may be set and intercepted for HTTP traffic potentially including the parent domain. HTTPS traffic remains protected if you’ve removed the certificate associated with the original CloudFront distribution,” Amazon explains.

The best fix is to ensure there are no dangling DNS entries in the first place, and Amazon is already reminding users moving to an alternate domain to delete any DNS entries that may still be pointing at CloudFront. Furthermore, checks in the CloudFront API ensure this kind of domain claiming can’t occur when using wildcard domains.

Courtesy of new enhanced domain protection, CloudFront now also checks the DNS whenever the customer removes an alternate domain. Thus, if the service determines that the domain is still pointing at a CloudFront distribution, the API call will fails and other accounts can’t claim the traffic.

Amazon is also planning improved protections against domain fronting, a technique where “a non-standard client makes a TLS/SSL connection to a certain name, but then makes a HTTPS request for an unrelated name.” It basically means routing application traffic to mask its destination.

While such behavior is normal and expected in some circumstances – browsers re-use persistent connections for domain listed in the same SSL certificate –, some use the method to evade restrictions and block imposed at the TLS/SSL layer
. However, the technique can’t be used to impersonate domains and the clients are non-standard and working around the usual TLS/SSL checks.

“Although these cases are also already handled as a breach of our AWS Terms of Service, in the coming weeks we will be checking that the account that owns the certificate we serve for a particular connection always matches the account that owns the request we handle on that connection. As ever, the security of our customers is our top priority, and we will continue to provide enhanced protection against misconfigurations and abuse from unrelated parties,” Amazon says.

Threat actors have been observed using domain fronting to hide malicious traffic, the same as legitimate communication services looking to bypass censorship.

Several weeks ago, news broke that Google is making changes to its infrastructure to no longer support domain fronting (which was never officially supported, it seems). According to Access Now, many human rights-enabling technologies relying on Google’s commitment to protecting human rights could be affected by the change.

Related: APT29 Cyberspies Use Domain Fronting to Evade Detection

Related: “Signal” Uses Domain Fronting to Bypass Censorship