Traffic Filtering by Fingerprints
Overview
Tempesta FW provides traffic filtering by TF (Tempesta Fingerprints), its own client fingerprints. Currently TLS (TFt) and HTTP (TFh) fingerprints are supported. Filtering is applied by the number of connections and the number of TLS records or HTTP messages per second.
The fingerprint computation and filtering are enabled with the tft and tfh configuration options.
Unlike JA3 and JA4, which use the cryptographic MD5 and SHA-256 hashes, TF employs a faster hash that is more suitable for automatic classification (machine learning).
The hashes are computed as:
TLS (tft)
- 3 bits: ALPN: h2,http/1.1,http/1.1,h2,h2,http/1.1
- 1 bit: set if has unknown ALPN
- 1 bit: found vhost for SNI
- 1 bit: abbreviated handshake
- 1 bit: TLS version
- alignment to 1 byte
- 2 bytes: sum * 11 + cipher_suite (11 is just a small prime, relatively far from a power of 2). This scheme represents the order of cipher suites.
- 2 bytes: sum * 11 + extension_type
- 2 bytes: sum * 11 + elliptic_curve
HTTP (tfh)
- 1 bit: HTTP version (h1 or h2)
- 5 bits: HTTP method (tfw_http_meth_t value)
- 5 bits: number of Cookie values (all bits set for 31 and more cookies, within one or several headers)
- 6 bits: number of headers (all bits set for 63 and more headers)
- 1 bit: has Referer
- alignment to 3 bytes
- 4 bytes: sum * 11 + header, where header is a 4-byte HTTP/1 header prefix or a value from the static or decoded dynamic table for HTTP/2
If TF is configured, Tempesta FW computes the TLS and HTTP hashes and logs them into the access log.
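To make the two layouts concrete, here is an illustrative model of both fingerprints in Python. It is added example code, not Tempesta FW's implementation: the bit order inside the flag fields, the 3-bit ALPN codes, the method codes standing in for tfw_http_meth_t, the zero start of the accumulator, truncation of the rolling sum to its field width, and taking the HTTP/1 header prefix as the first 4 bytes of the lower-cased header name are all assumptions made here. What it does show is the property the layout relies on: the sum * 11 + value scheme is order-sensitive, and the cookie and header counters saturate.

```python
"""Illustrative model of the TF fingerprint layouts (added example, not
Tempesta FW code).  Assumptions made here and not stated on the page: flag
bits are packed LSB-first in the order listed, the accumulator starts at 0
and is truncated to its field width, the 3-bit ALPN codes and the method
codes below are placeholders, and the HTTP/1 "header prefix" is taken as
the first 4 bytes of the lower-cased header name, zero padded."""

# Assumed 3-bit codes for the ALPN lists named on the page.
ALPN_CODES = {
    (): 0,
    ("h2",): 1,
    ("http/1.1",): 2,
    ("http/1.1", "h2"): 3,
    ("h2", "http/1.1"): 4,
}

# Assumed placeholders for tfw_http_meth_t values (5-bit field).
METHOD_CODES = {"GET": 1, "HEAD": 2, "POST": 3, "PUT": 4, "DELETE": 5}


def rolling(values, nbytes):
    """The page's order-sensitive scheme: sum = sum * 11 + value.

    Because 11 is not a power of two, swapping two values changes the
    result, so the field encodes order, not just membership.  Truncation
    to the field width is an assumption.
    """
    mask = (1 << (8 * nbytes)) - 1
    acc = 0
    for v in values:
        acc = (acc * 11 + v) & mask
    return acc


def tft(alpn, unknown_alpn, sni_vhost, abbreviated, tls13, ciphers, exts, curves):
    """TLS fingerprint: 7 flag bits aligned to 1 byte, then three 2-byte sums."""
    flags = (ALPN_CODES.get(tuple(alpn), 0)   # bits 0-2: ALPN list
             | int(unknown_alpn) << 3         # bit 3: unknown ALPN seen
             | int(sni_vhost) << 4            # bit 4: vhost found for SNI
             | int(abbreviated) << 5          # bit 5: abbreviated handshake
             | int(tls13) << 6)               # bit 6: TLS version
    return (flags << 48
            | rolling(ciphers, 2) << 32       # cipher_suite order
            | rolling(exts, 2) << 16          # extension_type order
            | rolling(curves, 2))             # elliptic_curve order


def h1_header_prefix(name):
    """Assumed: 4-byte prefix of the lower-cased HTTP/1 header name."""
    return int.from_bytes(name.lower().encode()[:4].ljust(4, b"\0"), "big")


def tfh(is_h2, method, n_cookies, n_headers, has_referer, headers):
    """HTTP fingerprint: 18 flag bits aligned to 3 bytes, then a 4-byte sum."""
    flags = (int(is_h2)                            # bit 0: h1 or h2
             | (METHOD_CODES[method] & 0x1f) << 1  # bits 1-5: method
             | min(n_cookies, 31) << 6             # bits 6-10: cookies, saturates at 31
             | min(n_headers, 63) << 11            # bits 11-16: headers, saturates at 63
             | int(has_referer) << 17)             # bit 17: Referer present
    return flags << 32 | rolling([h1_header_prefix(h) for h in headers], 4)


def to_hex(fp, nbytes):
    """Bare hex without prefix, the form the hash directive takes (zero
    padding to the full width is an assumption)."""
    return f"{fp:0{2 * nbytes}x}"


if __name__ == "__main__":
    # Constructed ClientHello values, not a real capture.
    ciphers = [0x1301, 0x1302, 0xC02B]
    exts = [0x0000, 0x000A, 0x0010]          # server_name, supported_groups, ALPN
    curves = [0x001D, 0x0017]                # x25519, secp256r1
    a = tft(["h2", "http/1.1"], False, True, False, True, ciphers, exts, curves)
    b = tft(["h2", "http/1.1"], False, True, False, True, ciphers[::-1], exts, curves)
    print("tft:", to_hex(a, 7), "| same suites, reordered:", to_hex(b, 7))
    # 50 cookies and 31 cookies fingerprint identically: the counter saturates.
    hdrs = ["Host", "User-Agent", "Accept", "Cookie", "Referer"]
    print("tfh:", to_hex(tfh(False, "GET", 50, len(hdrs), True, hdrs), 7))
    print("tfh:", to_hex(tfh(False, "GET", 31, len(hdrs), True, hdrs), 7))
```

Run it as a script to see that reversing the cipher suite list changes the TFt value while 31 and 50 cookies give the same TFh value. The model is only a reading of the layout above; when you need the real value for a client, take it from the access log rather than recomputing it.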
Configuration
The following explains how to use the TF directives in the configuration, along with the available options and examples.
TFt
Syntax: tft <storage_size> { }
Default: tft 2097152;
Context: global
Reconfig: true
Repeat: false
storage_size is the size of the internal LRU storage of online clients' fingerprints.
The value is optional and must be a multiple of 2097152 bytes (2 MB).
Default is 25 * 2^21 bytes (50 MB).
Minimum is 2^21 bytes (2 MB).
Maximum is 128849018880 bytes (120 GB).
Examples
tft storage_size=2097152 {
}
tft {
}
tft {
hash deadbeef12345678 10 1000;
hash aeae463fe56e8e87 10 1000000;
}
An empty tft or tfh block tells Tempesta FW to compute fingerprints for all clients and track their connection, HTTP request and/or TLS record rates. With an empty TF configuration Tempesta FW blocks nothing, but once a configuration containing specific hash values is reloaded it can immediately drop TLS connections and HTTP requests matching those hashes.
TFh
Has the same syntax as tft.
hash
Syntax: hash <hash_string> <connections_per_second> <records_per_second>;
Default: none
Context: tfh, tft
Reconfig: true
Repeat: true
hash_string is the fingerprint itself, represented as a hex string without any prefix.
The value may be retrieved from dmesg, the mmap access log buffer or the ClickHouse database
filled by the tfw_logger process. No default value.
connections_per_second is the allowed number of connections per second for clients identified
by hash_string. No default value.
records_per_second is the allowed number of TLS records per second (if inside tft) or HTTP messages
per second (if inside tfh). No default value.
Examples
hash deadbeef12345678 10 1000;
hash aeae463fe56e8e87 0 0;
Zero values for connections_per_second and records_per_second mean that
TLS connections or HTTP requests with such hashes are blocked outright.
Dynamic On-the-Fly Blocking
When traffic is high and there are many hashes to block, editing and reloading the main configuration may not be practical: thousands of blocking hashes would make the configuration file hard to read and maintain.
For such cases it is useful to keep the blocking hashes in separate files and include them from the main configuration. This also lets you organize hashes into logical groups, each in its own file.
Here is an example:
/etc/tempesta/tempesta_fw.conf
listen 443 proto=https,h2;
access_log dmesg;
server 127.0.0.1:8000;
...
tft {
!include /etc/tempesta/tft/
}
tfh {
!include /etc/tempesta/tfh/
}
...
/etc/tempesta/tft/high-risk.conf
hash b7007c90000 1 1;
hash cd00ade0000 1 1;
....
/etc/tempesta/tfh/high-risk.conf
hash 55cbf8cce0170011 1 1;
hash 113fa8cce1120000 1 1;
...
With such a configuration, we can easily add new blocking records or remove existing ones.
To block a new hash
echo "hash b7007c90000 1 1;" >> /etc/tempesta/tft/high-risk.conf
service tempesta reload
echo "hash b7007c90000 1 1;" >> /etc/tempesta/tfh/new-group.conf
service tempesta reload
To unblock a hash
sed -i "/b7007c90000/d" /etc/tempesta/tft/high-risk.conf
service tempesta reload
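The echo and sed steps above work, but a second echo of the same hash duplicates the rule, and the sed pattern deletes every line that merely contains the string, including a longer hash sharing that prefix. The following helper, added here as an example and not a Tempesta FW tool, edits a group file by exact hash instead: it checks that the hash is bare hex as the hash directive requires, keeps one rule per hash, writes the file atomically so a reload started mid-write never reads a torn file, and leaves running service tempesta reload to the caller. The group-file layout is the one from the example above; the grammar it accepts (one hash directive per line, blank lines allowed) is an assumption based on the hash syntax documented on this page, and the sample file content is constructed.

```python
"""Idempotent editing of TF hash group files (added example, not a Tempesta
FW tool).  The group-file layout is the one shown above; the grammar accepted
here (one 'hash <hex> <cps> <rps>;' per line, blank lines allowed) is an
assumption based on the hash directive syntax.  Reloading is left to the
caller: run 'service tempesta reload' after a change."""
import os
import re
import tempfile
from pathlib import Path

HASH_RE = re.compile(r"^[0-9a-f]+$")
DIRECTIVE_RE = re.compile(r"^\s*hash\s+([0-9a-fA-F]+)\s+(\d+)\s+(\d+)\s*;\s*$")


def is_valid_hash(hash_string):
    """hash_string is bare hex without a 0x prefix; anything else is rejected."""
    return bool(HASH_RE.match(hash_string.strip().lower()))


def normalize_hash(hash_string):
    if not is_valid_hash(hash_string):
        raise ValueError(f"not a bare hex fingerprint: {hash_string!r}")
    return hash_string.strip().lower()


def parse_rules(text):
    """Return {hash: (cps, rps)}; a malformed line fails loudly rather than
    being silently dropped on the next rewrite."""
    rules = {}
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        m = DIRECTIVE_RE.match(line)
        if not m:
            raise ValueError(f"line {lineno}: not a hash directive: {line.strip()!r}")
        rules[m.group(1).lower()] = (int(m.group(2)), int(m.group(3)))
    return rules


def render_rules(rules):
    return "".join(f"hash {h} {c} {r};\n" for h, (c, r) in sorted(rules.items()))


def add_rule(text, hash_string, cps, rps):
    """Return (new_text, changed).  Adding an existing rule with the same
    limits is a no-op; 0 0 blocks the fingerprint outright."""
    if cps < 0 or rps < 0:
        raise ValueError("rates must be non-negative")
    rules = parse_rules(text)
    h = normalize_hash(hash_string)
    if rules.get(h) == (cps, rps):
        return text, False
    rules[h] = (cps, rps)
    return render_rules(rules), True


def remove_rule(text, hash_string):
    """Return (new_text, changed).  Matches the whole hash, unlike a
    substring sed pattern, so a longer hash sharing a prefix survives."""
    rules = parse_rules(text)
    h = normalize_hash(hash_string)
    if h not in rules:
        return text, False
    del rules[h]
    return render_rules(rules), True


def write_atomic(path, text):
    """Write to a temp file in the same directory and rename it over the
    target, so a reload started mid-write never reads a half-written file."""
    path = Path(path)
    fd, tmp = tempfile.mkstemp(dir=path.parent, prefix=path.name + ".")
    with os.fdopen(fd, "w") as f:
        f.write(text)
    os.replace(tmp, path)


def edit_group_file(path, op, *args):
    """Apply add_rule/remove_rule to a group file; True if it was rewritten."""
    path = Path(path)
    text = path.read_text() if path.exists() else ""
    new_text, changed = op(text, *args)
    if changed:
        write_atomic(path, new_text)
    return changed


if __name__ == "__main__":
    # Constructed demo in a temp dir; in production point it at
    # /etc/tempesta/tft/<group>.conf or /etc/tempesta/tfh/<group>.conf
    # and then run: service tempesta reload
    with tempfile.TemporaryDirectory() as d:
        group = Path(d) / "high-risk.conf"
        group.write_text("hash b7007c90000 1 1;\nhash cd00ade0000 1 1;\n")  # constructed sample
        print(edit_group_file(group, add_rule, "aeae463fe56e8e87", 0, 0))  # True
        print(edit_group_file(group, add_rule, "aeae463fe56e8e87", 0, 0))  # False: already present
        print(edit_group_file(group, remove_rule, "b7007c90000"))          # True
        print(group.read_text(), end="")
```

Because edit_group_file returns whether the file changed, a wrapper can skip the reload when nothing was written, which matters when the same blocklist feed is applied repeatedly from automation.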