Mitigating denial of service attacks with a mix of fingerprinting and rate limits
By Alex Norman
For a company whose lifeblood is an online service, keeping that service available is critical to survival. But what happens when an attacker or a competitor wants to disrupt your momentum and prevent people from enjoying your product? In this article we’ll dig into what denial of service (DoS) and distributed denial of service (DDoS) attacks are, and some techniques you can use to protect yourself against them.
Imagine your business is a takeaway food stand that primarily takes orders over the phone.
Denial of Service (DoS): Imagine someone repeatedly calling your restaurant over and over asking for menu items that don’t exist, tying up the phone lines so that other customers can’t call in to place orders. This type of attack comes from a single source aimed at overwhelming your capacity to serve customers. While disruptive, such attacks are often easier to identify and stop because they come from a single source. In the technical world, this would be like a single computer sending tons of junk traffic to your website and hogging the bandwidth.
Distributed Denial of Service (DDoS): Now imagine that hundreds or thousands of people, all at once, start calling your food stand with fake orders, tying up the phone lines again. While very similar to the DoS attack mentioned before, this type of distributed attack makes use of many more people, which makes it much harder to identify and stop. In the technical world, this would be like a botnet using thousands of compromised machines all sending traffic to your website in a coordinated attack and hogging the bandwidth. Since this is distributed across many devices, the bandwidth hogging effect is amplified.
The ultimate outcome from either of these attacks is to prevent your online services from handling legitimate requests and traffic from online users.
There are a variety of strategies that can be used to protect your online services from a DoS and DDoS. And as with most things in the cybersecurity realm, you’ll need to take a considered and layered approach by applying a variety of strategies together.
Suggested techniques include:
- Bot protection
- Caching of static assets on the edge
- Rate limiting based on IP address
- Rate limiting based on fingerprints
- Blocking known malicious IP addresses
These techniques are mainly network level mitigations, but it’s also extremely important to design your application to be resistant to these types of attacks. The OWASP Denial of Service Cheat Sheet has great recommendations for software design concepts.
A core challenge when defending against DoS attacks is trying to figure out what is good traffic from legitimate users and what is bad traffic from the attackers. It’s particularly difficult when your web service is unresponsive due to an overwhelming amount of traffic.
This is where you need effective logging in place. This will heavily depend on the web hosting or public cloud you use. In Kinde’s case, we’re using AWS for our public cloud, which provides detailed traffic metadata as part of its WAF product. Logs from the web application firewall (WAF) are sent to CloudWatch, where they can be analysed for patterns to identify the relevant fingerprints or IPs to take action against.
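As an added example (not Kinde's own tooling), the script below shows the kind of pattern analysis described above: it reads WAF log lines, counts requests per client IP and per JA3 fingerprint, and records how many distinct IPs each fingerprint was seen from. A fingerprint with high volume spread across many IPs is the signature of a distributed attack that IP-based rules alone would miss. The log lines are constructed for this example and only mimic the shape of AWS WAF JSON logs (`httpRequest.clientIp`, top-level `ja3Fingerprint`); the fingerprint values and IPs are placeholders, not real indicators.

```python
import json
from collections import Counter

# Constructed sample log lines in the shape of AWS WAF JSON logs as delivered
# to CloudWatch (one JSON object per line). Fingerprints and IPs are made up.
SAMPLE_WAF_LOGS = """
{"timestamp": 1700000000000, "action": "ALLOW", "ja3Fingerprint": "aaaa0000aaaa0000aaaa0000aaaa0000", "httpRequest": {"clientIp": "198.51.100.10", "uri": "/login", "httpMethod": "POST"}}
{"timestamp": 1700000000100, "action": "ALLOW", "ja3Fingerprint": "aaaa0000aaaa0000aaaa0000aaaa0000", "httpRequest": {"clientIp": "198.51.100.11", "uri": "/login", "httpMethod": "POST"}}
{"timestamp": 1700000000200, "action": "ALLOW", "ja3Fingerprint": "aaaa0000aaaa0000aaaa0000aaaa0000", "httpRequest": {"clientIp": "203.0.113.5", "uri": "/login", "httpMethod": "POST"}}
{"timestamp": 1700000000300, "action": "ALLOW", "ja3Fingerprint": "aaaa0000aaaa0000aaaa0000aaaa0000", "httpRequest": {"clientIp": "203.0.113.6", "uri": "/login", "httpMethod": "POST"}}
{"timestamp": 1700000000400, "action": "ALLOW", "ja3Fingerprint": "aaaa0000aaaa0000aaaa0000aaaa0000", "httpRequest": {"clientIp": "198.51.100.10", "uri": "/login", "httpMethod": "POST"}}
{"timestamp": 1700000000500, "action": "ALLOW", "ja3Fingerprint": "aaaa0000aaaa0000aaaa0000aaaa0000", "httpRequest": {"clientIp": "203.0.113.5", "uri": "/login", "httpMethod": "POST"}}
{"timestamp": 1700000000600, "action": "ALLOW", "ja3Fingerprint": "bbbb1111bbbb1111bbbb1111bbbb1111", "httpRequest": {"clientIp": "192.0.2.20", "uri": "/", "httpMethod": "GET"}}
{"timestamp": 1700000000700, "action": "ALLOW", "ja3Fingerprint": "bbbb1111bbbb1111bbbb1111bbbb1111", "httpRequest": {"clientIp": "192.0.2.21", "uri": "/", "httpMethod": "GET"}}
this line is not JSON and is skipped by the parser
"""


def parse_waf_logs(text):
    """Yield one dict per well-formed JSON log line; blank or broken lines are skipped
    rather than aborting the analysis (log exports are rarely perfectly clean)."""
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            yield json.loads(line)
        except json.JSONDecodeError:
            continue


def summarize_waf_logs(text, top_n=3):
    """Aggregate request volume by client IP and by JA3 fingerprint, and count how
    many distinct IPs each fingerprint appeared from (the 'spread')."""
    by_ip = Counter()
    by_ja3 = Counter()
    ips_per_ja3 = {}
    parsed = 0
    for rec in parse_waf_logs(text):
        parsed += 1
        ip = rec.get("httpRequest", {}).get("clientIp", "unknown")
        ja3 = rec.get("ja3Fingerprint", "unknown")
        by_ip[ip] += 1
        by_ja3[ja3] += 1
        ips_per_ja3.setdefault(ja3, set()).add(ip)
    return {
        "parsed": parsed,
        "top_ips": by_ip.most_common(top_n),
        "top_ja3": by_ja3.most_common(top_n),
        # A fingerprint with high volume and a large spread is the DDoS signal:
        # per-IP limits would never trigger, a per-fingerprint limit would.
        "ip_spread": {ja3: len(ips) for ja3, ips in ips_per_ja3.items()},
    }


if __name__ == "__main__":
    summary = summarize_waf_logs(SAMPLE_WAF_LOGS)
    for ja3, count in summary["top_ja3"]:
        print(f"{ja3}: {count} requests from {summary['ip_spread'][ja3]} distinct IPs")
```

In the sample, the busiest single IP only sent two requests, so a per-IP threshold sees nothing unusual; the per-fingerprint view shows six requests from four IPs sharing one fingerprint, which is the candidate for a fingerprint-based rule.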
Device fingerprinting is a technique used to identify and track devices by collecting unique information about their configuration. When a browser or bot connects to your web service, it will have a fingerprint based on the metadata provided, such as user agent, IP address, or encryption used. These fingerprints can be used to identify a toolkit used by an attacker when they launch a DDoS against your service.
There are two types of fingerprints that are widely supported across public cloud and security services and that can help identify attackers: JA3 and JA4 fingerprints.
JA3 fingerprinting is a method originally created by Salesforce that creates a unique fingerprint based on the initial SSL/TLS connection. This makes the fingerprint transferable even after the attacker has changed IP address or uses a group of IPs, which makes it effective at preventing a DDoS attack since you can block the fingerprint. Read more in the Salesforce blog.
The internet changes rapidly and attackers adapt fast. Since the introduction of JA3 fingerprinting, browsers and attackers have evolved the way they connect to web services, which meant that JA3 fingerprinting became far less reliable as a method of detection.
JA4 fingerprinting, and its broader JA4+ suite, has evolved to keep up with detection evasion techniques. Developed by FoxIO, this newer fingerprinting method serves as a full replacement for JA3. Fingerprints are created in much the same way as the original method; however, with the additional detection types you can expand detection beyond the SSL/TLS connection to latency, client methods, certificates, SSH traffic, and many others. This helps categorise attackers and minimise false positives, since multiple fingerprints combined create a more detailed picture.
Check out the blog from FoxIO for more information about JA4+ fingerprinting, with references to a known fingerprint database and guidance on how to use it.
When an attacker launches an attack on your web service, they will leave a fingerprint behind from their connection attempts. By using JA3 and JA4 fingerprints, you can create rules on your WAF to block these known attacker fingerprints, which will help reduce the impact and strain on your web services and backend infrastructure.
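To make concrete why a TLS fingerprint survives an IP change, here is an added example (not from the article, Salesforce or FoxIO) that builds a JA3 fingerprint from the parsed ClientHello fields the JA3 method uses: TLS version, cipher suites, extensions, elliptic curves and point formats, joined into a string and MD5-hashed, with GREASE values dropped. The same toolkit connecting from a different IP with different randomised GREASE values yields the identical hash, while a client with a different cipher list does not, and a simple blocklist lookup stands in for the WAF rule. The ClientHello parameters are constructed for the example and are supplied already parsed into numeric code points (real JA3 tooling extracts them from the raw TLS record); `src_ip` is carried along only to show it plays no part in the hash.

```python
import hashlib


def is_grease(value):
    """GREASE code points (0x0A0A, 0x1A1A, ... 0xFAFA) are random padding that
    clients rotate between connections; JA3 drops them so the hash stays stable."""
    return (value & 0x0F0F) == 0x0A0A and (value >> 8) == (value & 0xFF)


def ja3_string(hello):
    """JA3 string: five comma-separated fields, each list dash-joined in decimal."""
    def fmt(values):
        return "-".join(str(v) for v in values if not is_grease(v))
    return ",".join([
        str(hello["version"]),
        fmt(hello["ciphers"]),
        fmt(hello["extensions"]),
        fmt(hello["curves"]),
        fmt(hello["point_formats"]),
    ])


def ja3_hash(hello):
    """The published JA3 fingerprint is the MD5 of the JA3 string."""
    return hashlib.md5(ja3_string(hello).encode("ascii")).hexdigest()


def waf_decision(hello, blocked_ja3):
    """Stand-in for a WAF rule keyed on JA3: block if the hash is on the list."""
    fp = ja3_hash(hello)
    return ("BLOCK" if fp in blocked_ja3 else "ALLOW", fp)


# Constructed ClientHello parameters for a hypothetical attack toolkit.
TOOLKIT_HELLO = {
    "src_ip": "198.51.100.10",
    "version": 771,                                   # TLS 1.2 is 0x0303
    "ciphers": [0x0A0A, 0x1301, 0x1302, 0xC02B, 0x002F],
    "extensions": [0x1A1A, 0, 23, 65281, 10, 11, 35],
    "curves": [0x2A2A, 0x001D, 0x0017, 0x0018],
    "point_formats": [0],
}

# Same toolkit, new source IP and freshly randomised GREASE values.
TOOLKIT_HELLO_OTHER_IP = {
    "src_ip": "203.0.113.9",
    "version": 771,
    "ciphers": [0x3A3A, 0x1301, 0x1302, 0xC02B, 0x002F],
    "extensions": [0x4A4A, 0, 23, 65281, 10, 11, 35],
    "curves": [0x5A5A, 0x001D, 0x0017, 0x0018],
    "point_formats": [0],
}

# A constructed ordinary browser with a different cipher list and order.
BROWSER_HELLO = {
    "src_ip": "192.0.2.20",
    "version": 771,
    "ciphers": [0x6A6A, 0x1301, 0x1303, 0x1302, 0xC02B, 0xC02F, 0x002F],
    "extensions": [0x7A7A, 0, 23, 65281, 10, 11, 35],
    "curves": [0x8A8A, 0x001D, 0x0017, 0x0018],
    "point_formats": [0],
}


if __name__ == "__main__":
    blocked = {ja3_hash(TOOLKIT_HELLO)}          # learned from the log analysis
    for hello in (TOOLKIT_HELLO, TOOLKIT_HELLO_OTHER_IP, BROWSER_HELLO):
        action, fp = waf_decision(hello, blocked)
        print(f"{hello['src_ip']:<14} {fp} {action}")
```

The blocklist contains only the hash observed from the first IP, yet the connection from the second IP is blocked too, which is the property that makes fingerprint rules useful against distributed sources. The caveat from the article applies equally here: a widely shared browser fingerprint would block real users, so blocklisting belongs only on fingerprints that the logs tie to attack traffic.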
Kinde uses rate limiting on our WAF and cloud infrastructure. Rate limiting is a security technique that controls the number of requests a client can make to your web service within a specified time frame. The rate limit measurement depends on the feature set available with the tool you’re using. Pretty much every security provider will offer IP rate limiting and some will allow using other metadata such as headers and fingerprints.
An example for an IP rate limit would be to block any IP address that sends more than 1,000 requests to your website in a 5 minute period. This would prevent single IPs from sending extremely large amounts of traffic to you. While effective against a DoS, it may not be as effective for a DDoS due to the distributed nature.
An example for a JA4 fingerprint rate limit would be to block a JA4 fingerprint that sends more than 100,000 requests to your website in a 5 minute period. This would prevent a single fingerprint type from overloading your systems, even if it’s from multiple IP addresses across the globe. Why the much higher limit though? A fingerprint is shared by every client with the same configuration, such as a particular web browser, which you don’t want to block.
To reduce the chance of false positives, it’s crucial to test, monitor, and measure the rules against sample traffic, so that you don’t accidentally block legitimate users trying to use your services. A common technique is to create the rate limit, but set it to count rather than to block. This gives you an opportunity to tune how the rate limits may impact real traffic without impacting your service.
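The two thresholds above and the count-versus-block tuning step can be modelled in a few dozen lines. The following is an added example, not Kinde's WAF configuration: a sliding-window rate limiter that can be keyed on any request attribute, instantiated once per IP (1,000 per 5 minutes) and once per JA4 fingerprint (100,000 per 5 minutes), each in either `count` or `block` mode. Every rule is evaluated for every request so that count-mode rules keep recording what they would have blocked, which is the data you tune against before switching a rule to `block`. The traffic stream is constructed (one IP sending 1,200 requests in two minutes, plus 50 IPs sharing one fingerprint at a modest rate), and the `ja4` values are placeholders rather than real JA4 strings.

```python
from collections import Counter, defaultdict, deque


class RateLimitRule:
    """Sliding-window rate limit keyed by whatever key_fn extracts from a request
    (client IP, JA4 fingerprint, a header, ...). mode is "count" (record only,
    the tuning step) or "block" (enforce)."""

    def __init__(self, name, key_fn, limit, window_seconds, mode="count"):
        if mode not in ("count", "block"):
            raise ValueError("mode must be 'count' or 'block'")
        self.name, self.key_fn = name, key_fn
        self.limit, self.window, self.mode = limit, window_seconds, mode
        self.windows = defaultdict(deque)   # key -> timestamps inside the window
        self.exceeded = Counter()           # key -> requests seen over the limit

    def hit(self, ts, request):
        """Record one request; return True if this request is over the limit."""
        key = self.key_fn(request)
        q = self.windows[key]
        while q and q[0] <= ts - self.window:   # evict timestamps outside the window
            q.popleft()
        q.append(ts)
        over = len(q) > self.limit
        if over:
            self.exceeded[key] += 1
        return over


def evaluate_stream(rules, stream):
    """Run every rule over (timestamp, request) pairs, in time order, and tally the
    action the WAF would take: BLOCK if any block-mode rule fires, COUNT if only
    count-mode rules fire, ALLOW otherwise."""
    actions = Counter()
    for ts, req in stream:
        fired = [r for r in rules if r.hit(ts, req)]   # evaluates all rules
        if any(r.mode == "block" for r in fired):
            actions["BLOCK"] += 1
        elif fired:
            actions["COUNT"] += 1
        else:
            actions["ALLOW"] += 1
    return actions


def make_rules(ip_mode="count", ja4_mode="count"):
    """The article's two thresholds: 1,000 per IP and 100,000 per JA4, per 5 minutes."""
    return [
        RateLimitRule("ip-1000-per-5min", lambda r: r["ip"], 1000, 300, ip_mode),
        RateLimitRule("ja4-100000-per-5min", lambda r: r["ja4"], 100000, 300, ja4_mode),
    ]


def build_sample_stream():
    """Constructed traffic: one IP sending 1,200 requests in two minutes with an
    ordinary browser fingerprint, then 50 IPs sharing a single fingerprint at
    10 requests each. Placeholder JA4 values, not real fingerprints."""
    stream = [(i * 0.1, {"ip": "203.0.113.7", "ja4": "BROWSER_JA4_PLACEHOLDER"})
              for i in range(1200)]
    for n in range(50):
        for i in range(10):
            stream.append((150 + n + i * 0.01,
                           {"ip": f"198.51.100.{n}", "ja4": "TOOLKIT_JA4_PLACEHOLDER"}))
    return stream


if __name__ == "__main__":
    for ip_mode in ("count", "block"):
        rules = make_rules(ip_mode=ip_mode)
        actions = evaluate_stream(rules, build_sample_stream())
        print(f"ip rule in {ip_mode} mode: {dict(actions)}")
        for rule in rules:
            print(f"  {rule.name}: {dict(rule.exceeded) or 'never exceeded'}")
```

With the IP rule in count mode nothing is blocked, but the rule records that it would have caught exactly the 200 requests beyond the 1,000-per-window threshold from the one noisy IP; flipping it to block mode turns those 200 into BLOCK actions and leaves the other 1,500 requests untouched. The fingerprint rule never fires here, which is the intended behaviour: 500 requests spread over 50 IPs is nowhere near the higher per-fingerprint threshold.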
Implementing solutions that leverage JA3 and JA4 fingerprinting alongside rate limiting provides an additional layer of defense against DoS and DDoS attacks. It moves beyond simple IP blocking to analyze the underlying characteristics of connection attempts, allowing you to increase availability and reduce false positives.