
Detecting Application Layer DDoS Attacks Using TLS Fingerprinting

Detecting Application Layer DDoS Attacks Using TLS Fingerprinting (PDF, 1.80MB)
Published: 06 Jan, 2022
Created by: Alejandro Aucestovar

Application-layer DDoS attacks are some of the most complex and devastating attacks on the modern internet. Unlike their lower-layer counterparts, application-layer DDoS attacks take advantage of TLS encryption, which is widely accepted and commonly used across the internet, so that identification and mitigation do not happen easily. Previous research has had varying levels of success at identifying DDoS attacks and differentiating them from legitimate human traffic as well as legitimate flash flood events. Adding TLS fingerprinting details of a client/server communication to the identification methodology previously used and tested by researchers will increase fidelity in identifying application-layer DDoS attacks. The combined identification methodology and JA3 fingerprinting technique were tested against the Canadian Institute of Cybersecurity’s DDoS dataset created in 2019. TLS fingerprinting successfully identified illegitimate traffic by providing details of the user/client operating system, browser information, and application components.
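For readers unfamiliar with JA3, the following added example (not code from the paper) computes a JA3 fingerprint from already-parsed ClientHello fields and groups source addresses by fingerprint. The ClientHello values, the documentation-range IP addresses and the helper names are constructed for illustration, and grouping sources by fingerprint is an assumed use, not the paper's methodology.

```python
import hashlib
from collections import defaultdict

# GREASE values (RFC 8701: 0x0a0a, 0x1a1a, ... 0xfafa) are randomised
# placeholders that some clients insert; JA3 drops them so that the
# fingerprint of one client stays stable across connections.
GREASE = {0x0A0A + 0x1010 * i for i in range(16)}


def ja3_string(version, ciphers, extensions, curves, point_formats):
    """JA3 input: five comma-separated fields, decimal values joined by '-'."""
    def join(values):
        return "-".join(str(v) for v in values if v not in GREASE)
    return ",".join([str(version), join(ciphers), join(extensions),
                     join(curves), join(point_formats)])


def ja3_hash(version, ciphers, extensions, curves, point_formats):
    """JA3 fingerprint: MD5 hex digest of the JA3 string."""
    s = ja3_string(version, ciphers, extensions, curves, point_formats)
    return hashlib.md5(s.encode("ascii")).hexdigest()


def sources_per_fingerprint(hellos):
    """Map each JA3 hash to the set of source IPs that presented it."""
    seen = defaultdict(set)
    for src_ip, fields in hellos:
        seen[ja3_hash(*fields)].add(src_ip)
    return dict(seen)


# Constructed sample data: (source IP, parsed ClientHello fields).
# Two hellos from one browser-like client differ only in GREASE values;
# three other sources all present the same scripted-client hello.
BROWSER_A = (771, [0x1A1A, 4865, 4866, 4867, 49195],
             [0x2A2A, 0, 23, 65281, 10, 11], [0x3A3A, 29, 23, 24], [0])
BROWSER_B = (771, [0x5A5A, 4865, 4866, 4867, 49195],
             [0x6A6A, 0, 23, 65281, 10, 11], [0x7A7A, 29, 23, 24], [0])
SCRIPTED = (771, [49200, 49196, 157], [0, 11, 10], [23, 24], [0])

SAMPLE_HELLOS = [
    ("192.0.2.10", BROWSER_A),
    ("192.0.2.10", BROWSER_B),
    ("198.51.100.1", SCRIPTED),
    ("198.51.100.2", SCRIPTED),
    ("198.51.100.3", SCRIPTED),
]
```

A fingerprint shared by many unrelated sources is one signal to correlate with request rate and other features; on its own it can also match a popular legitimate client.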