With Ja4Fingerprint, fighting DDoS attacks will get easier with AWS WAF

In the previous blog post in this WAF series, I shared how to maintain a blocklist, using Ja3Fingerprint sourced from previously blocked malicious requests.

What was wrong with Ja3Fingerprint?

However, this technique faced a few limitations due to the nature of Ja3s: a Ja3Fingerprint is not specific enough, i.e. when blocking a fingerprint you may also block a (small, yet significant) portion of legitimate users (false positives).

My implementation of the WAF-Ja3FingerPrint-Blacklist Terraform module took that into account by proactively purging fingerprints from the block list after a user-defined period of time, which should be long enough to deter attackers from pursuing their attack, but short enough to limit the impact on legitimate traffic.

Ja3 fingerprint is blurry compared to Ja4

Introducing Ja4Fingerprint!

Today, AWS announced WAF now supports Ja4Fingerprint!

Ja4 adds new elements to the fingerprint calculation, making it more specific than Ja3. That's good news, as it will enable us to keep bad guys out while keeping doors open to bona fide users!

I for sure will soon publish an update of my Terraform module!
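
The expiring blocklist described above, keyed on JA4 instead of JA3, as an added example that is not the author's Terraform module: `Ja4Blocklist` and `is_ja4` are hypothetical names, the fingerprints are constructed, and the generated statement follows the WAFv2 API shape (boto3 dict form) with `JA4Fingerprint` as the field to match.

```python
import re
import time

# JA4 layout: 10-character prefix, then two 12-hex-digit truncated hashes.
JA4_RE = re.compile(r"^[a-z0-9]{10}_[0-9a-f]{12}_[0-9a-f]{12}$")

def is_ja4(value):
    return bool(JA4_RE.match(value))

class Ja4Blocklist:
    """In-memory stand-in for the store behind a fingerprint blocklist."""

    def __init__(self, ttl_seconds):
        self.ttl = ttl_seconds
        self.expiry = {}  # fingerprint -> epoch second at which it is purged

    def block(self, fingerprint, now=None):
        if not is_ja4(fingerprint):  # e.g. a 32-hex JA3 hash is rejected
            raise ValueError("not a JA4 fingerprint: %r" % fingerprint)
        now = time.time() if now is None else now
        # Seeing the fingerprint again restarts its retention window.
        self.expiry[fingerprint] = now + self.ttl

    def purge(self, now=None):
        """Drop entries older than the TTL and return what was removed."""
        now = time.time() if now is None else now
        expired = sorted(fp for fp, t in self.expiry.items() if t <= now)
        for fp in expired:
            del self.expiry[fp]
        return expired

    def statement(self):
        """WAFv2 rule statement matching any fingerprint still listed."""
        matches = [{"ByteMatchStatement": {
            "SearchString": fp.encode(),
            # NO_MATCH: a request with no computable JA4 is not blocked.
            "FieldToMatch": {"JA4Fingerprint": {"FallbackBehavior": "NO_MATCH"}},
            "TextTransformations": [{"Priority": 0, "Type": "NONE"}],
            "PositionalConstraint": "EXACTLY",
        }} for fp in sorted(self.expiry)]
        if not matches:
            return None        # nothing left to block: remove the rule
        if len(matches) == 1:
            return matches[0]  # OrStatement needs at least two members
        return {"OrStatement": {"Statements": matches}}

if __name__ == "__main__":
    bl = Ja4Blocklist(ttl_seconds=3600)
    bl.block("t13d1516h2_aaaaaaaaaaaa_bbbbbbbbbbbb")  # constructed sample
    print(bl.statement())
```

Running `purge()` on a schedule and pushing the result of `statement()` to the rule keeps the rule in step with the retention window.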
