Posted On: Sep 27, 2023

AWS WAF now supports JA3 match, enabling customers to inspect incoming requests’ JA3 fingerprints. Customers can use the JA3 match to implement custom logic to block malicious clients or allow requests from expected clients only. 

Customers could already use WAF match conditions to inspect the contents of request headers and compare a request's origin against the criteria they provide. As customers strive to enhance their security measures, they have asked for the ability to inspect the TLS handshake itself, so they can identify a client by how it negotiates the connection rather than only by what it sends in the HTTP request. Now, WAF customers can use JA3 match to analyze the unique characteristics of that handshake. A JA3 fingerprint is a 32-character MD5 hash computed over fields of the TLS ClientHello message of an incoming request: the offered protocol version, cipher suites, extensions, supported elliptic curves, and elliptic curve point formats, in the order the client sent them. Because the ClientHello is transmitted in the clear before any encryption keys are established, the fingerprint is available without decrypting application data. The fingerprint captures how the client's TLS stack communicates and can be used to detect clients that share the same pattern. For instance, you can create a rule that inspects the JA3 fingerprint and triggers a rule action if it matches a known malicious fingerprint associated with previous attacks. Note that a JA3 fingerprint identifies a TLS implementation, not an individual client: every client built on the same library or browser version produces the same hash, and a client that rotates the random GREASE values in its handshake still produces the same hash. Treat the fingerprint as one signal to combine with other match conditions, and revisit any fingerprint-based allow list whenever your expected clients update their TLS stack.
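The following Python script is an added example, not code from AWS or from the WAF service. It shows how a JA3 fingerprint is derived from a ClientHello and how a blocklist rule of the kind described above behaves, including the case where no fingerprint is available. The ClientHello bytes are constructed inline (labelled as such) to resemble a modern browser handshake; `sample_hello`, `build_client_hello`, `evaluate` and the `fallback` parameter are names chosen for this example. The `fallback` argument models the FallbackBehavior setting of the JA3Fingerprint field as I understand it from the WAF API; check the AWS WAF developer guide for the exact rule statement shape.

```python
import hashlib
import struct
from dataclasses import dataclass
from typing import List, Optional, Set

# TLS extension type numbers from the IANA registry
EXT_SUPPORTED_GROUPS = 10
EXT_EC_POINT_FORMATS = 11


@dataclass
class ClientHello:
    version: int
    ciphers: List[int]
    extensions: List[int]
    groups: List[int]
    point_formats: List[int]


def is_grease(value: int) -> bool:
    """RFC 8701 GREASE values (0x0a0a, 0x1a1a, ... 0xfafa) are random filler that
    browsers rotate per connection; JA3 drops them so the hash stays stable."""
    return (value & 0x0F0F) == 0x0A0A and (value >> 8) == (value & 0xFF)


def parse_client_hello(record: bytes) -> Optional[ClientHello]:
    """Parse a TLS record carrying a ClientHello. Returns None for anything else
    (plaintext HTTP, another handshake type, truncated data)."""
    try:
        if record[0] != 0x16:                      # record content type: handshake
            return None
        hs = record[5:5 + struct.unpack("!H", record[3:5])[0]]
        if hs[0] != 0x01:                          # handshake type: ClientHello
            return None
        body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
        version = struct.unpack("!H", body[0:2])[0]
        pos = 2 + 32                               # skip the 32-byte client random
        pos += 1 + body[pos]                       # skip the session id
        cs_len = struct.unpack("!H", body[pos:pos + 2])[0]
        pos += 2
        ciphers = [struct.unpack("!H", body[i:i + 2])[0] for i in range(pos, pos + cs_len, 2)]
        pos += cs_len
        pos += 1 + body[pos]                       # skip compression methods
        ext_types, groups, formats = [], [], []
        if pos + 2 <= len(body):                   # the extensions block is optional
            end = pos + 2 + struct.unpack("!H", body[pos:pos + 2])[0]
            pos += 2
            while pos + 4 <= end:
                etype, elen = struct.unpack("!HH", body[pos:pos + 4])
                data = body[pos + 4:pos + 4 + elen]
                pos += 4 + elen
                ext_types.append(etype)
                if etype == EXT_SUPPORTED_GROUPS:   # 2-byte list length, then 2-byte curve ids
                    n = struct.unpack("!H", data[0:2])[0]
                    groups = [struct.unpack("!H", data[i:i + 2])[0] for i in range(2, 2 + n, 2)]
                elif etype == EXT_EC_POINT_FORMATS: # 1-byte list length, then 1-byte formats
                    formats = list(data[1:1 + data[0]])
        return ClientHello(version, ciphers, ext_types, groups, formats)
    except (IndexError, struct.error):
        return None


def ja3_string(ch: ClientHello) -> str:
    """JA3 input: SSLVersion,Ciphers,Extensions,EllipticCurves,EllipticCurvePointFormats."""
    def field(values: List[int]) -> str:
        return "-".join(str(v) for v in values if not is_grease(v))
    return ",".join([str(ch.version), field(ch.ciphers), field(ch.extensions),
                     field(ch.groups), field(ch.point_formats)])


def ja3_hash(ch: ClientHello) -> str:
    """The 32-hex-character JA3 fingerprint is the MD5 of the JA3 string."""
    return hashlib.md5(ja3_string(ch).encode()).hexdigest()


def build_client_hello(version: int, ciphers: List[int], extensions) -> bytes:
    """Assemble a ClientHello record (constructed test data, not a real client)."""
    body = struct.pack("!H", version) + bytes(32) + b"\x00"      # random, empty session id
    suites = b"".join(struct.pack("!H", c) for c in ciphers)
    body += struct.pack("!H", len(suites)) + suites
    body += b"\x01\x00"                                           # one compression method: null
    exts = b"".join(struct.pack("!HH", t, len(d)) + d for t, d in extensions)
    body += struct.pack("!H", len(exts)) + exts
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def sample_hello(grease: int) -> bytes:
    """Constructed browser-like ClientHello; `grease` is the GREASE value a real
    client would rotate between connections (cipher, extension and curve slots)."""
    return build_client_hello(0x0303, [grease, 0x1301, 0x1302, 0xC02B], [
        (grease, b""),
        (0, b"\x00\x0e\x00\x00\x0bexample.com"),                          # server_name
        (EXT_SUPPORTED_GROUPS, struct.pack("!HHHHH", 8, grease, 0x001D, 0x0017, 0x0018)),
        (EXT_EC_POINT_FORMATS, b"\x01\x00"),
        (43, b"\x02\x03\x04"),                                            # supported_versions
        (65281, b"\x00"),                                                 # renegotiation_info
    ])


def evaluate(request_bytes: bytes, blocked: Set[str], fallback: str = "NO_MATCH") -> str:
    """Model of a rule with an exact byte match on the JA3 fingerprint and a BLOCK
    action. `fallback` plays the role of FallbackBehavior (assumed name): what the
    match does when no fingerprint exists, e.g. for a plaintext HTTP request."""
    ch = parse_client_hello(request_bytes)
    if ch is None:
        return "BLOCK" if fallback == "MATCH" else "ALLOW"
    return "BLOCK" if ja3_hash(ch) in blocked else "ALLOW"


if __name__ == "__main__":
    ch = parse_client_hello(sample_hello(0x0A0A))
    print(ja3_string(ch), ja3_hash(ch))
    print("stable across GREASE rotation:", ja3_hash(ch) == ja3_hash(parse_client_hello(sample_hello(0x3A3A))))
    print("decision for blocklisted client:", evaluate(sample_hello(0x0A0A), {ja3_hash(ch)}))
```

Two things the script makes concrete: the hash is identical when only the GREASE values change, which is why a fingerprint captured once keeps matching the same browser build, and a request with no TLS handshake (plaintext HTTP, or a malformed record) yields no fingerprint at all, so the outcome for that request is decided by the fallback behaviour rather than by the blocklist.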

There is no additional cost for using this feature; standard AWS WAF charges still apply. For more information about pricing, visit the AWS WAF Pricing page. JA3 match is available in all AWS Regions where AWS WAF is available for Amazon CloudFront distributions and Application Load Balancers. To learn more, see the AWS WAF developer guide.