R.I.P. to IP Address Based Security
It could have been anyone. The scene of the 1902 Paris murder of Joseph Reibel held little in the way of clues, no signs of robbery and no witnesses to speak of. There was, however, one piece of physical evidence observed by an innovative criminologist named Alphonse Bertillon: a fingerprint left on a broken pane of glass. At that time, few criminologists would have even noticed such a thing, much less considered it a tool for identifying suspects. But Bertillon, already recognized for introducing new methods of identification, went through the laborious task of comparing the print with thousands he had on record from individuals with previous convictions. And sure enough, a match emerged: an ex-convict named Henri-Leon Scheffer, who subsequently confessed to the crime. And like that, history was made in the use of fingerprints as a means of identification.
A not entirely dissimilar movement is afoot in information security: the advancement of device fingerprinting as a dramatic improvement upon the use of IP addresses for identification and blocking. Perhaps more notable than the advances in device fingerprinting themselves are the reasons we believe we are seeing the death of the IP address as the primary tool for device identification.
Here are five reasons the IP address has a rapidly decreasing value in security, all of which are primary motivations for the development of device fingerprinting technology within security products:
- Dynamic IP: Today's reality is that many users reach the Internet through providers that assign addresses dynamically (DHCP), so the same user can appear with a different IP address from one session to the next, and an address seen attacking yesterday may belong to an innocent subscriber today. Combine this with the increased mobility of today's user, who moves between home, office and cellular networks in a single day, and organizations are quickly faced with a challenging situation with regard to user identification.
- Devices behind NAT: When users access the Internet through Network Address Translation (NAT), many devices share one public IP address. A block keyed on that address has the granularity of the NAT, not of the offending device, so it is difficult to block an IP without also blocking the legitimate users and devices behind it.
- Browsing through Anonymous Proxies: A large number of anonymous proxy services have cropped up in recent years, largely in response to privacy advocates seeking ways to avoid personal identification of users. Trouble is, they also provide an excellent cover for bad actors.
- IP Spoofing: Tools are readily available that let users (including criminals) forge the source address in an IP packet header. A spoofed source address cannot complete a TCP handshake, so it does not by itself let an attacker hold an application session as a trusted machine; where it bites is connectionless and flooding traffic, and access-control rules or trust relationships that key solely on source address. Either way, a blacklist of source IPs previously seen attacking is a weak control against an attacker who can choose what source address to present.
- Accessing Origin Servers through a CDN: Content Delivery Network services have grown to carry a high percentage of ecommerce traffic on the Internet. For all their benefits in accelerating browsing, CDNs create a number of security challenges, including the need to whitelist the CDN's address ranges so that it can reach origin server content. Every request then arrives at the origin from a CDN edge address rather than from the client, and the client's address survives only in a header such as X-Forwarded-For that the CDN appends. Criminals exploit this by making repeated malicious login attempts while the origin sees only CDN addresses it cannot block. For more on this dynamic, take a look at my colleague David Hobbs' recent blog post on CDNs.
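The CDN point above is the one that most often goes wrong in practice, so here is an added example (not code from the original post or from any vendor product) of how an origin should recover the client address when it sits behind a CDN. The CDN ranges, the blocklist entry and the addresses are all constructed for the example using documentation prefixes; a real deployment would load the vendor's published egress ranges. The rule is: only honor X-Forwarded-For when the connection actually came from the CDN, and then read it from the right, skipping the CDN's own hops, because the left-hand part of the header is whatever the client chose to send.

```python
import ipaddress
from typing import Optional

# Constructed for this example: the CDN's published egress ranges. In practice this
# list comes from the CDN vendor and must be kept current; these are documentation
# prefixes, not any real CDN's addresses.
TRUSTED_PROXIES = [
    ipaddress.ip_network("203.0.113.0/24"),
    ipaddress.ip_network("2001:db8::/32"),
]

# Constructed: an address already seen brute-forcing logins.
BLOCKED = {"198.51.100.7"}


def is_trusted_proxy(ip: str) -> bool:
    """True if ip falls inside one of the whitelisted CDN ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in TRUSTED_PROXIES)


def client_ip(remote_addr: str, xff_header: Optional[str]) -> str:
    """Return the address a block or rate-limit decision should be keyed on.

    remote_addr: the TCP peer the origin actually accepted the connection from.
    xff_header:  the raw X-Forwarded-For value; the client controls its left-hand
                 part, the CDN appends the address it saw on the right.
    """
    # A connection that did not come through the CDN carries an unverified header:
    # whatever it says, the peer address is the only thing we can trust.
    if not is_trusted_proxy(remote_addr):
        return remote_addr

    hops = [h.strip() for h in (xff_header or "").split(",") if h.strip()]

    # Walk from the right (the hop our CDN appended) towards the left, skipping our
    # own trusted proxies (a multi-tier CDN adds more than one). The first address
    # that is not ours is the client the CDN talked to; anything left of it was
    # supplied by that client and is ignored.
    for hop in reversed(hops):
        try:
            if not is_trusted_proxy(hop):
                return hop
        except ValueError:
            # Malformed entry: fall back to the peer address rather than trust junk.
            return remote_addr

    # Every hop was one of our proxies (or the header was empty): the CDN itself
    # is the client, e.g. a health check.
    return remote_addr


def decide(remote_addr: str, xff_header: Optional[str]) -> str:
    """Apply the IP blocklist to the recovered client address."""
    return "block" if client_ip(remote_addr, xff_header) in BLOCKED else "allow"
```

Keying the blocklist on `remote_addr` alone would either block the whole CDN (every edge address) or nothing; keying it on the leftmost X-Forwarded-For entry lets the attacker name any victim address they like. Note that the example still only recovers an IP address; everything in the five reasons above about why that address is a poor identifier still applies once you have it.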
What is clear from these examples is that we've reached a tipping point on the use of the IP address as the means of precise user or device identification. The IP address has "jumped the shark," if you will, and needs to be replaced by new, more accurate technologies that are not prone to the errors caused by the dynamics listed above. Enter the device fingerprint, a rapidly growing technology that employs various tools and methodologies to gather IP-agnostic information about the source, including running JavaScript on the client side. The device fingerprint identifies a client device by combining sometimes dozens of attributes of the user's device (browser and platform details, screen and rendering characteristics, installed fonts and the like) into a single identifier, and then tracks that device's activity to build a behavioral and reputational profile of it.
Much like Scheffer did over a hundred years ago, users and devices will leave clues over time about their intentions within an application. Behavior identified as anomalous or potentially malicious can be tracked over time to assign a degree of risk to the device. From there, security measures such as an advanced challenge-and-response can be applied to confirm with high accuracy whether the user is legitimate.
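To make the two paragraphs above concrete, here is an added example (not code from the original post or from any vendor's fingerprinting product) that derives a device identifier from attributes a client-side script would report, keeps a per-identifier behavioral score, and shows why keying that score on the fingerprint rather than the IP address matters behind a NAT. The attribute set, the event weights, the thresholds and the two sample devices are all constructed for the example; a production system would choose its attributes and weights from its own traffic.

```python
import hashlib
import json
from collections import defaultdict

# Attributes a client-side script would collect and post back with each request.
# Which attributes to include is a design choice; these are typical ones.
FINGERPRINT_KEYS = ("user_agent", "languages", "timezone", "screen", "color_depth",
                    "platform", "canvas_hash", "fonts")


def fingerprint(attrs: dict) -> str:
    """Derive a device id by hashing a canonical serialization of the chosen attributes.

    sort_keys makes the id independent of attribute order, and hashing keeps the
    raw attributes (some of which are identifying) out of logs and cookies.
    """
    canonical = json.dumps({k: attrs.get(k) for k in FINGERPRINT_KEYS}, sort_keys=True)
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()[:16]


class Reputation:
    """Behavioral counters per key (an IP or a fingerprint) and a risk score."""

    # Constructed weights: repeated login failures and rate-limit hits raise risk,
    # a successful login lowers it slightly.
    WEIGHTS = {"login_fail": 2, "rate_exceeded": 3, "login_ok": -1}

    def __init__(self, challenge_at: int = 6, block_at: int = 12):
        self.events = defaultdict(list)
        self.challenge_at = challenge_at
        self.block_at = block_at

    def record(self, key: str, event: str) -> None:
        self.events[key].append(event)

    def risk(self, key: str) -> int:
        return max(0, sum(self.WEIGHTS.get(e, 0) for e in self.events[key]))

    def decision(self, key: str) -> str:
        r = self.risk(key)
        if r >= self.block_at:
            return "block"
        if r >= self.challenge_at:
            return "challenge"  # e.g. a JavaScript or CAPTCHA challenge-response
        return "allow"


# Constructed scenario: two devices behind one NAT address. One runs a credential
# stuffing script, the other belongs to a colleague who mistyped a password once.
SHARED_IP = "198.51.100.7"
ATTACKER = {"user_agent": "Mozilla/5.0 (X11; Linux x86_64) HeadlessChrome/90.0",
            "languages": ["en-US"], "timezone": "UTC", "screen": "800x600",
            "color_depth": 24, "platform": "Linux x86_64",
            "canvas_hash": "a1c3e5", "fonts": ["DejaVu Sans"]}
NEIGHBOUR = {"user_agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/90.0",
             "languages": ["en-GB", "fr"], "timezone": "Europe/Paris",
             "screen": "1920x1080", "color_depth": 24, "platform": "Win32",
             "canvas_hash": "9f8e7d", "fonts": ["Arial", "Calibri", "Segoe UI"]}
SAMPLE_EVENTS = (
    [(SHARED_IP, ATTACKER, "login_fail")] * 6
    + [(SHARED_IP, ATTACKER, "rate_exceeded")]
    + [(SHARED_IP, NEIGHBOUR, "login_fail"), (SHARED_IP, NEIGHBOUR, "login_ok")]
)


def compare_keying() -> dict:
    """Run the same events through an IP-keyed and a fingerprint-keyed reputation."""
    by_ip, by_device = Reputation(), Reputation()
    for ip, attrs, event in SAMPLE_EVENTS:
        by_ip.record(ip, event)
        by_device.record(fingerprint(attrs), event)
    return {
        "ip_keyed": by_ip.decision(SHARED_IP),  # applies to everyone behind the NAT
        "attacker": by_device.decision(fingerprint(ATTACKER)),
        "neighbour": by_device.decision(fingerprint(NEIGHBOUR)),
    }
```

Two caveats a practitioner should keep in mind. A fingerprint is a signal, not an identity: a fleet of identically imaged corporate laptops can collide on the same hash, and bots that randomize or spoof these attributes can produce a fresh one per request, which is exactly why the behavioral score feeds a challenge rather than an automatic block. And hashing the canonical JSON means any change to the attribute set or its serialization silently rotates every device id, so version the key list if the profiles are persisted.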
Why is all of this so important now? When you consider the high percentage of bot-generated traffic (over 50% by most estimates), it is clear that organizations need more advanced bot (malicious or otherwise) identification. Most of the major security threats, such as application DDoS, brute force and SQL injection, are executed at least in part through botnets. Add to that the unnecessary and unproductive burden these botnets put on transactional processing capacity, and a very rich ROI can be defined for more successful and precise bot detection and blocking.
In an interesting twist, the use of device fingerprinting to identify potentially malicious devices has a "turning of the tables" element to it. After all, security and networking devices themselves have a definable fingerprint (the services and banners they expose, the way their network stacks respond to probes) that bad actors have long used to identify exactly what technologies are deployed within a network. With those elements mapped out, they can then target specific known or zero-day vulnerabilities for exploitation. Now the fingerprint can be turned around to better protect organizations from these orchestrated attacks.
Information security professionals, like modern-day Bertillons, have a tremendous opportunity to advance their security posture through the use of new technologies. We are excited by the broad potential of device fingerprinting in the area of information security and pleased by the response we are getting early in our introduction of the technology into our security portfolio.