Tags: CDN security, domain fronting, network infrastructure, web vulnerabilities, cyber threats

Underminr: The CDN Attack That Lets Hackers Borrow Your Website's Reputation

Researchers at ADAMnetworks have identified a new exploit called "Underminr," which builds on the older "domain fronting" technique to allow attackers to hijack trusted website identities by exploiting gaps between DNS and CDN systems. By manipulating specific fields in web requests, attackers can route malicious traffic through reputable domains, evading security detection while damaging the brand reputation of legitimate sites. The vulnerability affects approximately 42% of websites globally (51% in the US), and the primary mitigation recommended is moving at-risk domains to CDNs that practice "bucketizing" — grouping domains by reputation to prevent malicious sites from sharing IP addresses with trusted ones.

Researchers at ADAMnetworks have identified a class of attack baked into how the modern web actually works, and there is no quick patch coming. They're calling it Underminr, and roughly 42% of websites globally are sitting ducks. In the US, that figure hits 51%.

If you remember domain fronting from around 2018, Underminr will feel familiar. Domain fronting was a neat trick in which the client's DNS lookup and the TLS Server Name Indication both named a permitted website, while the HTTP Host header inside the encrypted request named a different site hosted on the same CDN, and the CDN obligingly routed to the latter. The large CDNs eventually moved to block it, chiefly by refusing requests whose SNI and Host header disagree. Underminr gets around those mitigations and achieves the same outcome through a slightly different mechanism.

Here is what is actually happening under the hood. When you visit a website these days, your request rarely goes straight to a single server. Most sites sit behind a CDN like Cloudflare, which bundles enormous numbers of domains behind shared edge IP addresses. When a request arrives at one of those IPs, the CDN figures out which site you want using two fields: the Server Name Indication (SNI), sent in the clear in the TLS handshake and used to pick the certificate, and the HTTP Host header (the :authority pseudo-header in HTTP/2), which travels inside the encrypted request and selects the site.

The flaw Underminr exploits is that DNS and the CDN never compare notes. A resolver answers the lookup and its job is done; the CDN edge that receives the resulting connection never learns which name was resolved to reach it, and reads the destination from SNI and Host instead. An attacker can do a DNS lookup for a perfectly legitimate, well-regarded domain, sail through any Protective DNS filter without raising suspicion, and then put a completely different domain in both of the fields the CDN actually reads. If that second domain is malicious, and it is also hosted on the same CDN edge IP, the traffic arrives at the bad destination with the good domain's reputation acting as cover, and the DNS logs show nothing but the good name.

The consequences run in both directions. The attacker gets a reliable way to run scams, command-and-control infrastructure, or data exfiltration while evading DNS-based, signature-based, and behavioural detection. The legitimate site being impersonated gets dragged into the mess, potentially facing reputational damage and the legal and operational headaches that follow.

ADAMnetworks scanned the top five million domains to size up the problem. The exposure is not uniform. The US is at 51%, Eastern Europe around a third, and China below 9%. That last figure is telling. When a heavily regulated, politically curated internet turns out to be structurally safer against this specific attack, it suggests Underminr is not some unavoidable quirk of internet architecture. It is a consequence of how CDNs have chosen to run their networks.

The fix, where it exists, is about customer segmentation. ADAMnetworks CEO David Redekop points to Fastly as the best example of a large CDN doing this right. Fastly was slow to address the original domain fronting problem but eventually resolved it more thoroughly than its competitors by grouping domains according to reputation rather than throwing everyone behind the same IPs. Established, trusted publications end up sharing infrastructure with other established, trusted publications. Brand new domains of unknown provenance get grouped with their own kind. Redekop calls this "bucketizing", which is not an official industry term but is a reasonably accurate description of what is happening.

By doing this, Fastly made domain fronting and Underminr largely pointless for its customers. Yes, technically the attack still works, but swapping one major newspaper's domain for another major newspaper's domain is not much of a weapon.
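The DNS/CDN split described above, and the reason bucketizing blunts it, can be seen in a small simulation. This is an added example written for this page, not ADAMnetworks' tooling or any CDN's code, and it touches no real network: the hostnames, the 203.0.113.x addresses, the reputations, the Protective DNS blocklist and the "421 Misdirected Request" refusal are all constructed. It models a resolver that sees only the name looked up, an edge that routes on SNI and Host and refuses when they disagree (the post-2018 anti-fronting check), and a CDN built either with one shared IP for everyone or with one IP per reputation bucket. The last function is a detection check the article does not discuss, added here because it is what an egress sensor can actually do about this: compare the names that appear in SNI with the names that were ever resolved.

```python
"""Toy model of the DNS/CDN split (constructed example, no real network).

Hostnames, IPs, reputations and the blocklist below are made up. A Protective
DNS filter sees only the name the client resolves; the CDN edge never sees
that lookup and routes on SNI and Host instead.
"""
from dataclasses import dataclass, field

# Constructed catalogue: hostname -> (reputation, what the origin serves).
CATALOGUE = {
    "news.example":  ("trusted", "front page of an established newspaper"),
    "paper.example": ("trusted", "another established publication"),
    "evil.example":  ("unknown", "phishing kit and C2 beacon endpoint"),
    "fresh.example": ("unknown", "week-old domain with no history"),
}
# Names the (constructed) Protective DNS filter refuses to resolve.
PDNS_BLOCKLIST = {"evil.example"}


@dataclass
class CdnEdge:
    """Shared edge IPs: each IP serves every hostname mapped to it."""
    ip_to_hosts: dict

    def dns_answer(self, name):
        """The A record the CDN publishes for `name`."""
        for ip, hosts in self.ip_to_hosts.items():
            if name in hosts:
                return ip
        raise KeyError(name)

    def serve(self, dst_ip, sni, host):
        """Route a request that arrived at `dst_ip`.

        The edge never learns which name the client resolved. It picks a
        certificate from SNI, a site from Host, and refuses when the two
        disagree, which is the check that killed classic domain fronting.
        """
        if sni != host:
            return "421 Misdirected Request"
        if host not in self.ip_to_hosts.get(dst_ip, set()):
            return "421 Misdirected Request"   # site not hosted on this IP
        return CATALOGUE[host][1]


def build_cdn(bucketize):
    """One shared IP for everyone, or one IP per reputation bucket."""
    if not bucketize:
        return CdnEdge({"203.0.113.10": set(CATALOGUE)})
    trusted = {h for h, (rep, _) in CATALOGUE.items() if rep == "trusted"}
    unknown = set(CATALOGUE) - trusted
    return CdnEdge({"203.0.113.10": trusted, "203.0.113.20": unknown})


@dataclass
class ProtectiveDns:
    """Resolver that logs and filters lookups but sees nothing after that."""
    cdn: CdnEdge
    log: list = field(default_factory=list)

    def resolve(self, name):
        self.log.append(name)
        if name in PDNS_BLOCKLIST:
            raise PermissionError(f"{name} blocked by Protective DNS")
        return self.cdn.dns_answer(name)


def underminr(cdn, pdns, front, target, egress):
    """Resolve `front`, then send `target` in the fields the CDN reads.

    `egress` collects (dst_ip, sni) as a network egress sensor would see it.
    """
    ip = pdns.resolve(front)                 # only `front` ever hits DNS
    egress.append((ip, target))
    return cdn.serve(ip, sni=target, host=target)


def unresolved_sni(dns_log, egress):
    """Names seen in SNI at the egress that no DNS lookup ever asked for."""
    return sorted({sni for _, sni in egress} - set(dns_log))


def run_scenario(bucketize, front="news.example", target="evil.example"):
    """Return (what the client got, what PDNS logged, what egress flagged)."""
    cdn = build_cdn(bucketize)
    pdns = ProtectiveDns(cdn)
    egress = []
    served = underminr(cdn, pdns, front, target, egress)
    return served, list(pdns.log), unresolved_sni(pdns.log, egress)


if __name__ == "__main__":
    print("shared IPs: ", run_scenario(bucketize=False))
    print("bucketized: ", run_scenario(bucketize=True))
    print("same bucket:", run_scenario(True, target="paper.example"))
```

With a single shared IP the client resolves only news.example, the Protective DNS log contains only news.example, and the edge still hands back evil.example's content. With the bucketized CDN the same request is refused, because evil.example does not live on the address that news.example resolves to; the attacker can still reach paper.example from the same front, which is exactly the "one newspaper for another" outcome the article describes. The client side of this in the real world is nothing more exotic than pinning a hostname to an address of your choosing, which is what curl's `--resolve` option does. The one place the mismatch is visible is at the network egress, where the SNI can be compared against the DNS answers the resolver actually gave; that check disappears once clients use Encrypted Client Hello, which hides the SNI as well.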

For everyone else, the options are limited. Smaller, security-focused CDN providers that are selective about who they serve do not have this problem by default. But if your site is on a large CDN that happily onboards anyone with a credit card and bundles them all behind shared IPs, Redekop is blunt about the realistic solution: move your domain off that CDN.