Configure TLS Fingerprinting

Objective

This document provides instructions on how to enhance the security of your applications by configuring TLS fingerprinting in your service policy rules. To learn more about how F5® Distributed Cloud Services secure your applications using service policies, see Service Policy.

TLS fingerprinting extracts certain parameters from a TLS client request (ClientHello) and compares them against a predefined or customized set of fingerprints to identify attack patterns. This improves the protection of your application against DDoS attacks by identifying clients that may be part of botnets.
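As an added illustration (not part of this document or of the Distributed Cloud product), the Python below parses a ClientHello into the fields a fingerprint is built from, computes a JA3-style fingerprint, and mimics a deny rule with an exemption list, as the service policy rules described here do. The JA3 scheme, the constructed ClientHello bytes and the policy_action helper are assumptions; this document does not specify the fingerprint format Distributed Cloud uses.

```python
import hashlib
import struct
GREASE = set(range(0x0a0a, 0x10000, 0x1010))  # RFC 8701 GREASE values, excluded from JA3 lists

def parse_client_hello(msg: bytes) -> dict:
    """Parse a TLS handshake ClientHello (no record header) into the fields JA3 fingerprints."""
    if msg[0] != 0x01:
        raise ValueError("not a ClientHello")
    pos = 4                                    # skip handshake type (1) and length (3)
    version = struct.unpack_from("!H", msg, pos)[0]; pos += 2
    pos += 32                                  # client random
    pos += 1 + msg[pos]                        # session id (u8 length prefix)
    cs_len = struct.unpack_from("!H", msg, pos)[0]; pos += 2
    ciphers = [struct.unpack_from("!H", msg, pos + i)[0] for i in range(0, cs_len, 2)]
    pos += cs_len
    pos += 1 + msg[pos]                        # compression methods (u8 length prefix)
    exts, groups, formats = [], [], []
    end = pos + 2 + struct.unpack_from("!H", msg, pos)[0]; pos += 2
    while pos < end:
        etype, elen = struct.unpack_from("!HH", msg, pos); pos += 4
        data = msg[pos:pos + elen]; pos += elen
        exts.append(etype)
        if etype == 10:    # supported_groups: u16 list length, then u16 group ids
            n = struct.unpack_from("!H", data, 0)[0]
            groups = [struct.unpack_from("!H", data, 2 + i)[0] for i in range(0, n, 2)]
        elif etype == 11:  # ec_point_formats: u8 list length, then u8 format ids
            formats = list(data[1:1 + data[0]])
    return {"version": version, "ciphers": ciphers, "extensions": exts, "groups": groups, "formats": formats}

def ja3(fields: dict) -> tuple:
    """Return the JA3 string and its MD5 digest; GREASE values are dropped from every list."""
    join = lambda vals: "-".join(str(v) for v in vals if v not in GREASE)
    s = ",".join([str(fields["version"]), join(fields["ciphers"]), join(fields["extensions"]),
                  join(fields["groups"]), join(fields["formats"])])
    return s, hashlib.md5(s.encode()).hexdigest()

def policy_action(msg: bytes, deny: set, exempt: frozenset = frozenset()) -> str:
    """Mimic a deny rule: block a listed fingerprint unless it is exempted, else fall through."""
    digest = ja3(parse_client_hello(msg))[1]
    return "deny" if digest in deny and digest not in exempt else "next_policy"

SAMPLE = (  # constructed sample ClientHello (not captured traffic): TLS 1.2 with GREASE cipher and extension
    b"\x01\x00\x00\x61\x03\x03" + bytes(32) +                # ClientHello, body len 97, TLS 1.2, random
    b"\x00\x00\x0a\x0a\x0a\x13\x01\x13\x02\xc0\x2b\xc0\x2f"  # empty session id; 5 suites, first is GREASE
    b"\x01\x00\x00\x2e"                                      # null compression; extensions length 46
    b"\x2a\x2a\x00\x00"                                      # GREASE extension (must be ignored)
    b"\x00\x00\x00\x10\x00\x0e\x00\x00\x0bexample.com"       # server_name
    b"\x00\x0a\x00\x08\x00\x06\x00\x1d\x00\x17\x00\x18"      # supported_groups: x25519, P-256, P-384
    b"\x00\x0b\x00\x02\x01\x00\x00\x17\x00\x00"              # ec_point_formats (uncompressed); ext 23
)
```

Calling policy_action(SAMPLE, {ja3(parse_client_hello(SAMPLE))[1]}) returns "deny", and adding the same digest to the exempt set makes it fall through to "next_policy".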

TLS fingerprinting in Distributed Cloud Services supports setting predefined or custom fingerprints in service policy rules. You can also obtain the top TLS fingerprints from the virtual host dashboard and use them to update your TLS fingerprint-based service policy rules, so that you can respond to DDoS attacks as they change.

Using the instructions in this document, you can create service policies whose rules match the configured TLS fingerprints. Based on the match conditions, you can set the action to block the matching traffic and secure your applications.


Prerequisites


Configuration

Configuring the TLS fingerprints and dynamically protecting your application requires the following:

  • Configuring the service policy with rules that deny the traffic matching configured fingerprints.

  • Monitoring the virtual host dashboard to identify the top TLS fingerprints and adding them to the service policy rules to block the associated traffic. This enhances security and helps counter the dynamic nature of DDoS attacks by botnets.

Note: You can create a new policy rule or update an existing rule.

Configuration Sequence

Configuring a service policy requires you to perform the following sequence of actions:

Phase                                  Description
Configure TLS Fingerprints             Create a service policy rule with TLS fingerprints.
Monitor and Update TLS Fingerprints    Obtain the top TLS fingerprints from the virtual host dashboard and update the service policy rule with them.

Configure TLS Fingerprints

The TLS fingerprints are applied through the service policies. A service policy requires you to configure service policy rules, apply them to a service policy, and then activate that service policy. This chapter provides instructions on how to set TLS fingerprints in a service policy rule. For detailed instructions on applying a service policy, see Configure a Service Policy.

Step 1: Start service policy creation process.
  • Log into F5® Distributed Cloud Console (Console).

  • Click Multi-Cloud App Connect.

Figure: Console Homepage

  • Select your namespace from the drop-down menu.

  • Click Security > Service Policies > Service Policies.

  • Click Add service policy.

Step 2: Configure service policy.
  • In the form, add a name in the Name field.

  • From the Server Selection menu, select an option.

  • In the Rules section, click Show Advanced Fields.

  • From the Default Action menu, select an action to take for the service policy rules. The options include:

    • Next Policy: This option passes the request on to the next policy for evaluation.

    • Deny: This option denies all requests.

    • Allow: This option allows all requests.

  • Complete the configuration. See Configure a Service Policy for more information.

Step 3: Apply predefined TLS fingerprints.
  • From the TLS Fingerprint Classes menu, select predefined fingerprint classes. These classes include sets of curated fingerprints classified into categories.

Figure: TLS Fingerprints

  • Optionally, set specific fingerprint values for exemption:

    • In the List of TLS fingerprint value field, click Add item.

    • Click See Common Values and select a value.

    • To add more values, click Add item.

Note: Refer to the Classes and Fingerprints guide for the fingerprint classification. This is useful when choosing a fingerprint to exempt in cases where a legitimate fingerprint belongs to one of the predefined classes.

  • Click Save and Exit.

Step 4: Activate the service policy.
  • Click Security > Service Policies > Active Service Policies.

  • Click Select Active Service Policies.

  • Click Select Service Policy.

  • Find the service policy that was previously created and select it.

  • Click Select Service Policy.

Step 5: Apply the service policy in the load balancer.
  • Click Manager > Load Balancers > HTTP Load Balancers.

  • Find your load balancer and click ... > Manage Configuration > Edit Configuration.

  • In the Security Configuration section, perform the following:

    • From the Service Policies menu, select Apply Specified Service Policies.

    • Click Configure.

    • From the List of Policy menu, select the service policy that was previously created.

    • Click Apply.

  • Click Save and Exit.


Monitor and Update TLS Fingerprints

The virtual host dashboard presents the top TLS fingerprints hitting the domain of the application served by that virtual host. You can monitor the dashboard, take the top TLS fingerprints, and apply them in the service policy rule to block client requests that match those fingerprints.

The TLS fingerprints configured in the service policies in the namespace apply to all the virtual hosts of that namespace.

Step 1: Navigate to virtual host dashboard.
  • In Console, click Multi-Cloud App Connect.

  • Navigate to the namespace of your virtual host.

  • Click Virtual Hosts > HTTP Load Balancers.

Step 2: Find the top TLS fingerprint from the virtual host dashboard.
  • Find the load balancer for your application in the displayed list and click it to open the dashboard.

  • Scroll down to the Top TLS Fingerprints section and note the fingerprint value displayed.

Step 3: Edit the service policy rule to add the fingerprint collected in the previous step.
  • Click Security > Service Policies > Service Policy Rules.

  • Click ... > Manage Configuration > Edit Configuration to open the edit form for the service policy created in the Configure TLS Fingerprints chapter.

  • Scroll down to the TLS Fingerprint Matcher field and click Add exact value after it.

  • Enter the fingerprint you obtained in the previous step.

  • Click Save changes.


Concepts


API References