Configure TLS Fingerprinting

Objective

This document provides instructions on how to enhance security for your applications by configuring TLS fingerprinting in your service policy rules. To learn more about how Volterra secures your applications using service policies, see Volterra Service Policy.

TLS fingerprinting is a method of extracting certain parameters from a TLS client request (the ClientHello) and comparing them with a predefined or customized set of fingerprints to identify attack patterns. This enhances the protection of your application from DDoS attacks by identifying clients that could be part of botnets.

Volterra TLS fingerprinting supports setting predefined or custom fingerprints using service policy rules. You can also obtain the top TLS fingerprints from the virtual host dashboard and use them to update your TLS fingerprint based service policy rules, so that you can respond to DDoS attacks as they change.

Using the instructions in this document, you can create service policies with rules that match the configured TLS fingerprints. When the match conditions are met, the rule's action blocks the traffic to secure your applications.


Prerequisites

  • VES account

  • Your application provisioned using Volterra.

    • Note: Install the Volterra Node or Cluster Image. See Deploy Applications for instructions on how to deploy your applications on Volterra sites.
  • A virtual host to load balance and serve your application.


Configuration

Configuring the TLS fingerprints and dynamically protecting your application requires the following:

  • Configure a service policy with rules that deny traffic matching the configured fingerprints.
  • Monitor the virtual host dashboard for the top TLS fingerprints and add them to the service policy rules to block the associated traffic. This enhances security and counters the dynamic nature of botnet DDoS attacks.

Note: You can create a new policy rule or update an existing rule.

Configuration Sequence

Configuring a service policy requires you to perform the following sequence of actions:

Phase                                | Description
Configure TLS Fingerprints           | Create a service policy rule with TLS fingerprints.
Monitor and Update TLS Fingerprints  | Obtain the top TLS fingerprints from the virtual host dashboard and update the service policy rule with them.

Configure TLS Fingerprints

The TLS fingerprints are applied through service policies. A service policy requires you to configure service policy rules, apply them to a service policy, and enable the policy through a service policy set. This chapter provides instructions on how to set TLS fingerprints in a service policy rule. For detailed instructions on applying a service policy, see Configure a Service Policy.

Step 1: Log into VoltConsole and navigate to network security configuration.

Select or create the desired namespace. Select Security from the configuration menu and Network Security from the options pane.

Step 2: Start service policy rule creation.

Select Service Policy Rules and click Add service policy rule.

Step 3: Set a name for your rule and set action to block traffic.
  • Enter a name in the Name field.
  • Select Deny for the Action field.

Figure: Service Policy Rule Basic Configuration

Step 4: Apply predefined TLS fingerprints and optionally add or exclude custom values.
  • Scroll down to the TLS Fingerprint Matcher and select predefined fingerprint classes from the TLS fingerprint classes field. These classes contain a set of curated fingerprints classified into categories.

Figure: Service Policy Rule TLS Fingerprint Classes

  • Optionally, set custom fingerprint values. Click Add exact value and add a fingerprint string.

Figure: Service Policy Rule Add Custom Fingerprint

  • Optionally, set specific fingerprint values to be exempted. Click Add excluded value and add a fingerprint string.

Note: Refer to the Classes and Fingerprints document to find the fingerprint classification. This is useful when choosing a fingerprint to exclude, in cases where a legitimate fingerprint belongs to one of the predefined classes.
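As an added example (not Volterra's own code), the following Python shows what the introduction describes and what the matcher in Step 4 evaluates: it extracts the JA3-style fields from a constructed ClientHello, hashes them into a 32-hex fingerprint, and applies a deny rule with class, exact and excluded values. It assumes the dashboard value is a JA3 MD5 hash; the GREASE set, the sample ClientHello bytes and the rule function are constructed here and are not the product's implementation.

```python
import hashlib
import struct

GREASE = {0x0a0a + 0x1010 * i for i in range(16)}   # 0x0a0a, 0x1a1a, ..., 0xfafa: ignored by JA3
u16s = lambda buf: [v for (v,) in struct.iter_unpack("!H", buf)]   # big-endian uint16 list
u16 = lambda buf, at: struct.unpack("!H", buf[at:at + 2])[0]
def ja3_string(record):
    """Return 'version,ciphers,extensions,groups,formats' for a TLS record holding one ClientHello."""
    b = record[9:]                         # skip 5-byte record header and 4-byte handshake header
    version, pos = u16(b, 0), 2 + 32       # client_version, then 32 random bytes
    pos += 1 + b[pos]                      # session_id (length-prefixed)
    cs_len = u16(b, pos); pos += 2
    ciphers = [c for c in u16s(b[pos:pos + cs_len]) if c not in GREASE]; pos += cs_len
    pos += 1 + b[pos]                      # compression methods (length-prefixed)
    end = pos + 2 + u16(b, pos); pos += 2  # extensions block
    exts, groups, formats = [], [], []
    while pos + 4 <= end:
        etype, elen = struct.unpack("!HH", b[pos:pos + 4]); pos += 4
        data = b[pos:pos + elen]; pos += elen
        if etype in GREASE:
            continue
        exts.append(etype)
        if etype == 0x000a:                # supported_groups: uint16 length + uint16 list
            groups = [g for g in u16s(data[2:]) if g not in GREASE]
        elif etype == 0x000b:              # ec_point_formats: uint8 length + uint8 list
            formats = list(data[1:])
    dash = lambda xs: "-".join(map(str, xs))
    return f"{version},{dash(ciphers)},{dash(exts)},{dash(groups)},{dash(formats)}"

def ja3_hash(record):
    """MD5 of the JA3 string; assumed here to be the 32-hex value the dashboard shows."""
    return hashlib.md5(ja3_string(record).encode()).hexdigest()

def rule_denies(fp, classes, exact=(), excluded=()):
    """Deny-rule semantics from Step 4: match a class member or an exact value, unless excluded."""
    if fp in excluded:
        return False
    return fp in exact or any(fp in members for members in classes.values())

def sample_client_hello():
    """Constructed ClientHello (not a capture): GREASE cipher/extension, two real ciphers, SNI, groups, formats."""
    exts = (struct.pack("!HHHBH", 0x0000, 16, 14, 0, 11) + b"example.com"  # server_name
            + struct.pack("!HHHHH", 0x000a, 6, 4, 29, 23)                 # supported_groups: x25519, secp256r1
            + struct.pack("!HHBB", 0x000b, 2, 1, 0)                       # ec_point_formats: uncompressed
            + struct.pack("!HH", 0x2a2a, 0))                              # GREASE extension, dropped by JA3
    body = (struct.pack("!H", 0x0303) + bytes(32) + b"\x00" + struct.pack("!HHHH", 6, 0x1a1a, 0x1301, 0x1302)
            + b"\x01\x00" + struct.pack("!H", len(exts)) + exts)
    hs = b"\x01" + len(body).to_bytes(3, "big") + body          # handshake type 1 = client_hello
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs    # record type 22 = handshake
```

A legitimate client whose hash falls into a selected class is kept reachable by listing its hash under excluded, which the rule checks before the class and exact matches.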

Step 5: Complete creating service policy rule.

Click Add service policy rule to complete creating the policy rule.

Step 6: Apply the rule to service policy and add the policy to the policy set.

You can add the rule to an existing service policy or create a new policy. Similarly, you can add the policy to an existing policy set or create a new set.

  • Create a service policy and add the rule created in the previous step.

    • Select Service Policies from the configuration menu and click Add service policy.
    • Enter a name and select First Rule Match for the Rule Combining Algorithm.
    • Click Select rule and add the rule created in the previous step.
    • Click Add service policy.
  • Create a service policy set and add the policy created in the previous step.

    • Select Service Policy Sets from the configuration menu and click Add service policy set.
    • Enter a name for your service policy set.
    • Click Select Policy and add the policy created in the previous step.
    • Click Add service policy set.

Monitor and Update TLS Fingerprint

The virtual host dashboard presents the top TLS fingerprints hitting the domain of the application served by that virtual host. You can monitor the dashboard, take the top TLS fingerprints, and apply them in the service policy rule to block client requests matching those fingerprints.

The TLS fingerprints configured in the service policies in the namespace apply to all the virtual hosts of that namespace.

Step 1: Log into VoltConsole and navigate to virtual host dashboard.

Navigate to the namespace of your virtual host. Select Virtual Hosts from the configuration menu and HTTP Loadbalancers from the options pane.

Step 2: Find the top TLS fingerprint from the virtual host dashboard.
  • Find the load balancer for your application in the displayed list and click it to open the dashboard.
  • Scroll down to the Top TLS Fingerprints section and note the fingerprint value displayed.

Figure: Virtual Host Top TLS Fingerprints

In this example, the string f50e8eb4c7313dd6139e1496cda3e988 is the top TLS fingerprint detected.

Step 3: Edit the service policy rule to add the fingerprint collected in the previous step.
  • Select Security from the configuration menu and Service Policy Rules from the options.
  • Click ... -> Edit to open the edit form for the service policy rule created in the Configure TLS Fingerprints chapter.
  • Scroll down to the TLS Fingerprint Matcher field and click Add exact value after it.
  • Enter the fingerprint you obtained in the previous step.
  • Click Save changes.
