
Device Fingerprinting: A New Tool for Enhanced Application Protection


Whitepaper


Radware's Device Fingerprinting Whitepaper

Device Fingerprinting: A New Tool for Enhanced Application Protection


There are few concepts in information technology more fundamental than that of user identification. Understanding who is on the other end of a resource request, associating that user with various sources of reputational information and making a determination of legitimacy and intended use is a core tenet of information security.

It so happens that the same principles apply in our physical world, where the use of fingerprints as a means of identification and authentication dates back thousands of years. In the late nineteenth century, British surgeon Dr. Henry Faulds published an article discussing fingerprints as a means of personal identification, recognizing their patterns as distinct from one another. Some uses of fingerprints as authentication date back even further than that; evidence from thousands of years ago shows hand or fingerprints in clay used as a precursor to signatures.

Fast forward several hundred years and we see a new type of fingerprinting, developed to address the ever growing challenge of effectively identifying legitimate vs. malicious users of applications and other IT resources.

There is no getting around the need for user identification in information security. In the Internet's earlier years, the Internet Protocol (IP) address was the primary means to initiate and complete transactions. In time, the IP address became a foundational element of user identification and association with certain behaviors or reputational information. But more recently IP addresses have become a much less reliable means of understanding with whom you're interacting, and of making security decisions about the level of access to be granted.

Increasingly, users access the Internet using shared or pooled network resources, with a single router masking the IP addresses of the devices or users behind each request. Malicious actors have made an art form out of spoofing IP addresses, not only to obfuscate their identity but possibly to masquerade as seemingly legitimate users based on geo-location or positive reputational information about IP addresses they are able to compromise.
Some of the very technologies that seek to improve
application security or availability further complicate IP
address based identification. Virtual private networks
(VPN) and content delivery networks (CDN) can be
exploited as a smoke screen around actual user or
device identification, further making IP addresses a
less reliable means of positive identification. CDNs
provide a particularly insidious cover for bad actors
as they are generally easy to access and cannot be
blocked by origin servers as accepting transactions
and requests from their IPs is the basis for use of
content distribution capabilities.
Despite the challenges, IP whitelisting or blacklisting remains a foundational tactic for many information security operations. But this tactic, left to its own capabilities, will lead to high rates of false positives (legitimate users being blocked) and false negatives (illegitimate users gaining access). Many information security technologies have responded to the issue of IP address spoofing, principally by using the IP address as one of many factors that determine user legitimacy. More specifically, these technologies apply IP address based reputation to isolate certain traffic or users for further investigation, typically through a series of challenge-and-response tactics. While this is a step towards improved identification, it can generate latency and requires considerable computing resources when applied liberally to legitimate users in a false positive scenario.

Identification of North Korea via IP Address

In December 2014, business and technology headlines were dominated by the news of high-profile attacks and hacks of Sony Corporation, in apparent retaliation for the launch of the movie The Interview. In January 2015, the U.S. government and President Obama claimed to have credible evidence that these attacks were nation state sponsored actions of North Korea, and introduced a series of sanctions in response. When pressed for more information on the evidence, the government pointed to specific IP addresses associated with certain elements of the attacks. Most in the information security industry raised serious questions about the legitimacy of this evidence, and most were left wondering if there was further evidence not being released.
To keep up with the evolution and innovation occurring within cyber-criminal operations, organizations need to successfully protect applications from advanced bots or collective human threats, and website operators need advanced user/client identification that can detect and mitigate illegitimate users.

In recent years a new technology has emerged that is driving a more granular (and more reliable) means of device and user identification. Device fingerprint technology employs various tools and methodologies to gather IP-agnostic information about the source, including running JavaScript on the client side. The device fingerprint uniquely identifies a web client by combining sometimes dozens of attributes of a user's device, and then tracks its activities, generating a behavioral and reputational profile of the user. Some of the many attributes used in creating a unique fingerprint include operating system, browser, fonts, screen resolution, and plugins.

The attributes of a device are then used to generate a hash that acts as the fingerprint for that device. By tracking that device's activities and requests across various HTTP sessions, a profile is generated and maintained, which can be applied with security policies to provide access, deny access or flag the user/device for more granular challenge-and-response tactics. Device fingerprinting creates a powerful new tool for information security technologies to block illegitimate application abuse. Previously, IP addresses served as the proxy for users, and reputational information was generated over time using the IP address. A user's reputation was a key factor in determining which security policies to apply to a user. But in reality, users access applications through a growing array of devices. Device fingerprinting not only replaces the IP address as the user proxy, but also enables security policies to be applied based on the device. This shifts the focus from IP-based reputation (e.g. geo-location, whitelisting, blacklisting, etc.) to device-based reputation, which is not only more precise but also increasingly important as users move to multiple mobile devices and the Internet of Things (IoT) becomes a reality.

Five Common Factors Challenging IP-Based Identification

1. Dynamic IP: many users access the Internet
through providers using dynamic hosting
configuration that results in a new IP address
each time they access the Internet.
2. Devices behind NAT: users accessing the
Internet through network address translation
(NAT) devices result in many devices sharing
the same IP address, making it difficult to block
IPs without potentially blocking legitimate
users/devices.
3. Browsing through anonymous proxies: a
large number of anonymous proxy services
have cropped up in recent years, largely in
response to privacy advocates seeking ways
to avoid personal identification of users. They
also provide an excellent cover for bad actors.
4. IP spoofing: a number of tools exist that
enable criminals to modify or forge the header
of an IP packet to include a false source IP
address. This tactic can be used to seek high
levels of access when spoofing IPs of trusted
machines, or simply to evade detection based
on IP addresses previously blacklisted.
5. Accessing origin servers through a CDN:
Content Delivery Network services have grown
to support a high percentage of ecommerce
traffic on the Internet. For all their benefits
related to acceleration of browsing, CDNs
create a number of security challenges,
including the challenge of needing to whitelist
IPs of the CDN in order to ensure access to
origin server content. Criminals exploit this by
making multiple, malicious login attempts while
masking their own IP.


In and of itself, fingerprinting provides only the means of enhanced device identification and tracking. But when
combined with advanced capabilities in detecting malicious behaviors or application logic abuse (e.g., site
scraping, brute force attacks) fingerprinting can dramatically improve the accuracy of security policy application.

Radware Introduces Device Fingerprinting and Activity Tracking Capabilities to Attack Mitigation System

IP-agnostic bot detection that boosts market-leading cyber-attack solution
Radware, the leading provider of application security solutions, has introduced a new device fingerprinting feature into its Attack Mitigation System (AMS) suite. Radware's new Device Fingerprinting module offers IP-agnostic source tracking to help address the threats posed by advanced bots, such as web scraping, web application DDoS, brute force attacks for password cracking and clickjacking. Radware's AMS can detect sources operating in a dynamic IP environment and activity behind a sNAT (source NAT), such as an enterprise network or proxy.

Device fingerprinting implemented in Radware's AMS uses dozens of characteristics of the device in a unique way to identify and distinguish it from all others. Using proprietary tracking, Radware can generate device reputational profiles that combine historical behavioral information, aiding in the detection and mitigation of threats such as DDoS, intrusions and fraudsters alike. By correlating past security violations of specific devices over time and across visits, regardless of changing IP address, Radware can consistently and accurately profile legitimate and illegitimate users.

Internet of Things: Complicating Device Identification and Tracking

Few IT trends are getting more attention
these days than the Internet of Things. If the
prognosticators are believed, the notion of a hyper
connected universe of non-traditional IT assets
will generate an additional 20-50 billion devices
on the Internet over the next several years. This
will further complicate existing challenges of IP
address based identification, as many of these
devices will undoubtedly share network access
points and as a result IP addresses. Add to that
the inevitable wave of vulnerabilities associated
with new devices coming online and the malicious
actors will have a fresh pool of resources to exploit
and leverage for obfuscation.

Not all bots are bad bots. To avoid scenarios where search engine bots (Google, Yahoo, etc.) are mistakenly identified as malicious bots, Radware's WAF includes a mechanism that detects and verifies legitimate search engine bots by running a reverse-DNS lookup process to verify their source and to exclude them from the list of tracked sources.
Device fingerprinting further bolsters the Radware Attack Mitigation System, an award-winning solution to protect an enterprise's infrastructure against network and application downtime, application vulnerability exploitation, malware spread, network anomalies, information theft and other types of attack.
2015 Radware, Ltd. All Rights Reserved. Radware and all other Radware product and service names are registered trademarks of Radware
in the U.S. and other countries. All other trademarks and names are the property of their respective owners.

PRD-Device-Fingerprinting-WP-01-2015/05-US
