Closed Sakura-sx closed 2 months ago
Whitelisting doesn't necessarily make too much sense, because the attacker can just change the parameters of his TLS connections to match any fingerprint.
All he needs is a browser: make an HTTPS request and capture that traffic. In Wireshark you can look at the TLS ciphers offered, the order of extensions, etc. He can then make his DDoS tool use the same parameters and your whitelist would be circumvented.
The DB does have a list of browsers and their user agent strings, constantly updated. However, I highly discourage using JA4+ allow lists for browsers. This is because browser fingerprints will change constantly as they're auto-updated, every few months in the case of Chromium-based browsers. Instead, block list on known bad.
Allow listing based on JA4+ is only recommended in locked-down environments where nothing changes or that have extremely strict change control procedures that include checking and updating the allow list. In these locked-down environments, an attacker would not know what to mimic and therefore could not emulate the allowed fingerprints, because they don't know what they are. A powerful addition to your defense-in-depth strategy.
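As an added illustration of the "block list on known bad" advice above (example code written for this thread, not part of JA4DB or the JA4+ project): a parser for the documented JA4 string layout plus a block-list check that matches either the full fingerprint or only the JA4_b/JA4_c hashes, so that SNI and ALPN variations of one known-bad client are still caught. All fingerprints and block-list entries below are constructed placeholders, not real indicators.

```python
import re
from dataclasses import dataclass
from typing import Optional

# JA4 is three underscore-separated sections, e.g. t13d1516h2_8daaf6152771_b0da82dd1658
# (constructed sample in the documented format):
#   JA4_a: transport (t=TCP, q=QUIC), TLS version, SNI present (d) or not (i),
#          cipher count, extension count, first+last char of the first ALPN value
#   JA4_b: truncated SHA-256 of the sorted cipher list
#   JA4_c: truncated SHA-256 of the sorted extensions + signature algorithms
JA4_RE = re.compile(
    r"^(?P<transport>[tq])(?P<version>\d{2})(?P<sni>[di])"
    r"(?P<ciphers>\d{2})(?P<exts>\d{2})(?P<alpn>[0-9A-Za-z]{2})"
    r"_(?P<b>[0-9a-f]{12})_(?P<c>[0-9a-f]{12})$"
)

@dataclass(frozen=True)
class JA4:
    transport: str
    version: str
    sni: str
    cipher_count: int
    ext_count: int
    alpn: str
    b: str
    c: str

def parse_ja4(fp: str) -> Optional[JA4]:
    """Split a JA4 string into its fields; None if it is not well-formed."""
    m = JA4_RE.match(fp)
    if not m:
        return None
    return JA4(m["transport"], m["version"], m["sni"], int(m["ciphers"]),
               int(m["exts"]), m["alpn"], m["b"], m["c"])

# Constructed block list: placeholder hashes, NOT real known-bad fingerprints.
BLOCK_FULL = {"t13d0303h2_000000000001_000000000001"}
# Entries keyed on (JA4_b, JA4_c) only: same client library regardless of SNI/ALPN.
BLOCK_BC = {("000000000002", "000000000002")}

def is_blocked(fp: str) -> bool:
    """True if the fingerprint is on the block list. Malformed strings are not
    blocked: default-allow is the stance recommended for browser traffic, so
    unparseable input falls through to other controls instead of breaking clients."""
    j = parse_ja4(fp)
    if j is None:
        return False
    return fp in BLOCK_FULL or (j.b, j.c) in BLOCK_BC

def blocked_clients(log_lines):
    """Given constructed 'client_ip ja4' log lines, return the IPs to block."""
    return [ip for ip, fp in (line.split() for line in log_lines) if is_blocked(fp)]
```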
I am making a website and have been getting a lot of L7 HTTP DDoS attacks. I saw JA4DB and wanted to make a whitelist, but found no list of only browsers.
The list could look something like this:
(obviously with the actual fingerprints).
Thank you.