Antoine Vastel on Twitter: "@campuscodi Moreover, most bots conducting L7 DDoS don't use real/headless browsers in order to be able to scale their attack, so it's highly likely they'll have a discriminating/inconsistent TLS fingerprint" / Twitter

Stack Overflow under attack: what we learned about handling DDoS attacks stackoverflow.blog/2022/05/16/sta

2

34

71

Replying to

When using HAProxy you can also try to leverage TLS/JA3 fingerprints (haproxy.com/blog/announcin) While it can still be spoofed using several packages , e.g. github.com/Danny-Dasilva/ it can still provide a meaningful/easy-to-manipulate signal.

github.com

GitHub - Danny-Dasilva/CycleTLS: Spoof TLS/JA3 fingerprints in GO and Javascript

Spoof TLS/JA3 fingerprints in GO and Javascript . Contribute to Danny-Dasilva/CycleTLS development by creating an account on GitHub.

1

Replying to

and

Moreover, most bots conducting L7 DDoS don't use real/headless browsers in order to be able to scale their attack, so it's highly likely they'll have a discriminating/inconsistent TLS fingerprint

10:22 AM · May 22, 2022Twitter Web App

Replying to

and

This can also be done directly in Fastly using e.g. developer.fastly.com/reference/vcl/ Another approach to proactively flag malicious IPs is to scrape free proxies. Indeed, most DDoS leverage lot of cheap/know bad IPs. It's frequent to see these free proxies in these attacks.

developer.fastly.com

tls.client.ciphers_list | Fastly Developer Hub

List of ciphers supported by the client (hex-encoded)

1

Replying to

and

However, it's risky to block all free proxies by default since some of them may be shared residential IPs. In this case, a simple/less risky solution is to adopt a more agressive rate limiting on these IPs.

Conversation