jebeling
McAfee Employee
Message 1 of 3

How Can I Block and Log Domain Fronting Attempts with UCE?


Domain Fronting can be identified, blocked, and logged with McAfee Web Gateway by utilizing the URL.DiscardedHost property, which will not be empty if the Host header does not match the FirstLine URL. See the MWG product documentation and here: Solved: McAfee Support Community - Domain Fronting, Vulnerabilities and Detection, Pa... - McAfee Su... for more information on domain fronting. But my question is: how do I detect and log this when managing Web Gateway Cloud Service policy from UCE?

Was my reply helpful?

If this information was helpful in any way or answered your question, will you please select Accept as a Solution and/or Kudo my reply so we can help other community participants?

Accepted Solutions
jebeling
McAfee Employee
Message 2 of 3

Re: How Can I Block and Log Domain Fronting Attempts with UCE?


Updated and improved 8/12/21

Policy code modification is currently required. The following procedure can be used for detecting, blocking, and logging domain fronting attempts (allowing and logging is not presently possible with UCE).

You can create a completely new code branch as described below or you can add the code to an existing code branch to make scoping easier if scoping is required.

Create a new branch within URL Filtering.

From the MVISION Cloud Management Console go to Policy > Web Policy > Policy and activate code view.

Edit the code to add an INCLUDE statement at the top of the list of INCLUDEs. Place the statement, with the name of your new branch, before global bypass.

[Screenshot: UCEFront1.PNG]

Save and publish.

Go to your newly created code branch and edit the first line of code to give yourself an activate button, operate on web requests only, and customize the branch name if desired.

ROUTINE Domain_Fronting_Block_and_Log ON (Web.Request) [enabled="true"] { // Domain Fronting Block and Log

Insert policy code to block and log when (connected.host does not match URL.Host) OR (discardedhost is not empty AND does not match URL.Host), by inserting your modified version of the code after the first line and before the routine end signified by }. The code should use a customized block page so that the logs show the details of why the request was blocked.

[Screenshot: Domain.PNG]

-------------------Code to insert----------------------------

STRING customBlockPage_Reason
STRING customBlockPage_Message = "Domain Fronting Detected"

// On the CONNECT that opens the tunnel, remember the domain it was opened to.
IF MWG.CommandName.ToUpper == "CONNECT" THEN {
    MWG.ConnectionVariablesAdd("ConnectedDomain", MWG.Url.Domain)
} ELSE IF MWG.ConnectionVariablesHave("ConnectedDomain") THEN {
    // Later requests on the same tunnel must go to the domain the CONNECT named.
    STRING domain1 = MWG.ConnectionVariablesGet("ConnectedDomain")
    STRING domain2 = MWG.Url.Domain

    IF NOT (domain1.ToUpper == domain2.ToUpper) THEN {
        customBlockPage_Reason = "Attempted Domain Fronting " + MWG.Url.ToString + " through " + domain1
        MWG.Block (McAfee_Custom_Block_Page, customBlockPage_Reason, "URL Filtering Policy")
    }
}

// A Host header that disagrees with the first-line URL host shows up in DiscardedHost.
IF MWG.DiscardedHost != "" AND MWG.DiscardedHost != MWG.Host(MWG.Url) THEN {
    customBlockPage_Reason = "Attempted Domain Fronting " + MWG.DiscardedHost + " through " + MWG.Url.ToString
    MWG.Block (McAfee_Custom_Block_Page, customBlockPage_Reason, "URL Filtering Policy")
}

-------------------END Code to insert------------------------

Note that this will only block HTTPS domain fronting attempts if HTTPS Inspection is enabled in the initial CONNECT request. Also, the check for connected domain may over-block on sites that have more than one domain served by a single connection and certificate. (Solutions to this over-blocking issue are still being developed.)

Code inserted into a ruleset with scoping (note that doing it this way renders all but skip by URL useless in the simple view):

[Screenshot: Domain2b.PNG]


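As an added illustration (not McAfee code and not from the post), the Python model below applies the two checks from the policy code above to a few constructed proxy events, including the curl test from the last reply and the multi-domain over-blocking case the post warns about; the event shape and helper names are assumptions.

```python
from dataclasses import dataclass
from urllib.parse import urlsplit

@dataclass
class Event:
    conn_id: str            # the client->proxy connection (constructed id)
    command: str            # "CONNECT" or a normal method such as "GET"
    url: str                # first-line URL as the proxy sees it
    host_header: str = ""   # Host header value, "" if absent

def host_of(url: str) -> str:
    """Host part of a first-line URL; CONNECT targets look like 'host:443'."""
    if "://" in url:
        return (urlsplit(url).hostname or "").lower()
    return url.split(":")[0].lower()

def discarded_host(ev: Event) -> str:
    """Models URL.DiscardedHost: the Host header when it disagrees with the
    first-line URL host, otherwise an empty string."""
    hh = ev.host_header.split(":")[0].lower()
    return hh if hh and hh != host_of(ev.url) else ""

def evaluate(events: list) -> list:
    """Apply the two rules from the policy code and return one
    (blocked, reason) pair per event, in order."""
    connected = {}   # conn_id -> domain from CONNECT (the ConnectedDomain variable)
    verdicts = []
    for ev in events:
        url_host = host_of(ev.url)
        reason = ""
        if ev.command.upper() == "CONNECT":
            connected[ev.conn_id] = url_host
        elif ev.conn_id in connected and connected[ev.conn_id] != url_host:
            reason = f"Attempted Domain Fronting {ev.url} through {connected[ev.conn_id]}"
        dh = discarded_host(ev)
        if not reason and dh and dh != url_host:
            reason = f"Attempted Domain Fronting {dh} through {ev.url}"
        verdicts.append((bool(reason), reason))
    return verdicts

# Constructed sample traffic (not captured from any real gateway).
SAMPLE = [
    Event("c1", "CONNECT", "cnn.com:443"),                             # tunnel opened
    Event("c1", "GET", "https://cnn.com/", "cnn.com"),                  # normal request
    Event("c1", "GET", "https://cnn.com/", "mcafee.com"),               # the curl test: Host header disagrees
    Event("c2", "CONNECT", "www.example.com:443"),
    Event("c2", "GET", "https://cdn.example.org/", "cdn.example.org"),  # over-block caveat from the post
]

if __name__ == "__main__":
    for ev, (blocked, reason) in zip(SAMPLE, evaluate(SAMPLE)):
        print("BLOCK" if blocked else "allow", ev.command, ev.url, reason)
```

The last event is flagged even though it may be a legitimate second domain on the same connection, which is exactly the over-blocking the post says is still being worked on.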

2 Replies
jebeling
McAfee Employee
Message 3 of 3

Re: How Can I Block and Log Domain Fronting Attempts with UCE?


Note that the test string: 

curl --insecure -v -s -o /dev/null --proxy http://c1171147416.wgcs.mcafee-cloud.com:8080 -H "Host: mcafee.com" -H "Connection: close" "https://cnn.com/"

will not work from Cygwin on Windows because Cygwin curl on Windows does not allow a conflicting Host header. The test string should work from native Linux. Testing was done with MWG MLOS (McAfee Linux OS).