Domain Fronting and Undermining Risks Explained

Post Views: 6

A New Threat to Network Security: The Underminr Exploitation Technique

In a recent report, ADAMnetworks highlighted a vulnerability in the way many large-scale hosting providers implement internet-bound connections, known as Underminr. This technique poses significant risks to network security, similar to those associated with domain fronting.

How Underminr Works

Underminr exploits a weakness in the implementation of domain name system (DNS) resolution, allowing attackers to mask malicious connections by disguising them as legitimate traffic.

It does so by resolving an initial DNS query to an allowed domain, while presenting the actual disallowed target domain in both the Server Name Indication (SNI) field and the HTTP Host header.

Risks Associated with Underminr

This technique enables attackers to circumvent network defenses designed to block specific domains, making it challenging for organizations to detect and block malicious traffic without blocking legitimate traffic from abused CDNs.

According to ADAMnetworks’ research, nearly 42% of domains and 33 CDN providers are susceptible to Underminr exploitation.

Mitigating Risks

To mitigate this risk, domain owners can choose a CDN provider that is not susceptible to Underminr exploitation or request solutions from their current provider to prevent it.

ADAMnetworks has also released an open-source tool called Outminr that can be used to monitor networks for attempts to exploit the Underminr technique.

This tool provides a lookup function for domain owners to check whether their domain may be susceptible to Underminr and whether abuse has already been detected using their domain.

According to Quad9, a cybersecurity-focused DNS service provider, the Underminr report highlights an outcome of increased centralization of CDN and hosting infrastructure, creating potential for installed malware to look up one name in the DNS but connect to a different resource on the resolved IP address via a different protocol indicator.

Conclusion

The Underminr exploitation technique poses significant risks to network security, similar to those associated with domain fronting.

Organizations should take proactive measures to mitigate these risks, such as choosing a CDN provider that is not susceptible to Underminr exploitation or requesting solutions from their current provider.

Additionally, monitoring networks for attempts to exploit the Underminr technique using tools like Outminr can help organizations stay ahead of emerging threats and ensure the security of their networks.