DoS attacks on encrypted traffic are on the rise. SSL/TLS protocols are widely adopted to secure web applications, protect user data, and ensure privacy across the internet.
As more online businesses adopt SSL/TLS (Transport Layer Security) to safeguard data and ensure end-to-end encryption, attackers are increasingly targeting encrypted flows themselves.
While SSL/TLS provides privacy and integrity, it also creates a visibility gap.
Traditional Layer 7 (application layer) detection mechanisms can’t easily inspect encrypted payloads, making it difficult to distinguish between legitimate users and malicious bots hidden within encrypted sessions.
Compounding the challenge, most organizations are unwilling or unable to share their SSL certificates or decrypt large volumes of traffic for analysis.
Decryption at scale introduces significant performance overhead, increases computational costs, and can expose sensitive data.
As a result, security teams are seeking new methods to identify and mitigate encrypted-layer attacks without breaking encryption.
Understanding TLS Fingerprinting (TLSFP)
Each client initiating a TLS/SSL connection sends a “Client Hello” packet containing unique characteristics such as cipher suites, extensions, and TLS version.
A TLS Fingerprint (TLSFP) is a unique identifier derived from these attributes.
Since every client type (browser, bot, tool, or script) exhibits a specific fingerprint (bots often have different TLS stacks than browsers, and malware families tend to reuse TLS libraries, producing consistent fingerprints), TLSFPs can be used to reliably identify and classify SSL clients without decrypting their traffic.
This technique provides a powerful foundation for detecting anomalies in encrypted traffic and identifying suspicious clients before they overwhelm application resources.
A fingerprint is calculated by gathering fields such as the TLS version, cipher suites and extensions from the Client Hello message and hashing them into a fingerprint value that identifies the client tool.
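The calculation above, as an added example that is not part of the original article or of Radware's product: it parses a constructed TLS ClientHello record, collects version, cipher suites and extension types, drops GREASE values (which browsers randomize per connection), and hashes the canonical string. The JA3-style field order and MD5 hash are assumptions; the page does not specify which hash or layout its TLSFP uses.

```python
import hashlib
import struct

def is_grease(v: int) -> bool:
    """GREASE values (0x0a0a, 0x1a1a, ... 0xfafa) vary per connection and must be dropped."""
    return (v >> 8) == (v & 0xFF) and (v & 0x0F) == 0x0A

def parse_client_hello(record: bytes) -> dict:
    """Extract version, cipher suites and extension types from a TLS ClientHello record."""
    if record[0] != 0x16 or record[5] != 0x01:
        raise ValueError("not a TLS handshake record carrying a ClientHello")
    pos = 9                                   # 5-byte record header + 4-byte handshake header
    version = struct.unpack("!H", record[pos:pos + 2])[0]
    pos += 2 + 32                             # client_version + 32-byte random
    pos += 1 + record[pos]                    # session_id (length-prefixed)
    n = struct.unpack("!H", record[pos:pos + 2])[0]
    ciphers = list(struct.unpack(f"!{n // 2}H", record[pos + 2:pos + 2 + n]))
    pos += 2 + n
    pos += 1 + record[pos]                    # compression_methods (length-prefixed)
    exts = []
    if pos < len(record):                     # extensions block is optional
        end = pos + 2 + struct.unpack("!H", record[pos:pos + 2])[0]
        pos += 2
        while pos < end:                      # each extension: type(2) length(2) data
            etype, elen = struct.unpack("!HH", record[pos:pos + 4])
            exts.append(etype)
            pos += 4 + elen
    return {"version": version,
            "ciphers": [c for c in ciphers if not is_grease(c)],
            "extensions": [e for e in exts if not is_grease(e)]}

def fingerprint_string(fields: dict) -> str:
    """Canonical string, JA3-style layout assumed: version,cipher-list,extension-list."""
    return ",".join([str(fields["version"]), "-".join(map(str, fields["ciphers"])),
                     "-".join(map(str, fields["extensions"]))])

def fingerprint(record: bytes) -> str:
    """The TLSFP value: a hash over the canonical string (MD5 assumed, as JA3 uses)."""
    return hashlib.md5(fingerprint_string(parse_client_hello(record)).encode()).hexdigest()

def build_client_hello(version: int, ciphers: list, extensions: list) -> bytes:
    """Constructed sample ClientHello for testing: empty session id, empty extension bodies."""
    body = struct.pack("!H", version) + b"\x00" * 32 + b"\x00"
    body += struct.pack("!H", 2 * len(ciphers)) + b"".join(struct.pack("!H", c) for c in ciphers)
    body += b"\x01\x00"                        # one compression method: null
    ext = b"".join(struct.pack("!HH", e, 0) for e in extensions)
    body += struct.pack("!H", len(ext)) + ext
    hs = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs
```

Two ClientHellos that differ only in their GREASE values yield the same TLSFP, which is what lets a fingerprint identify a client tool rather than a single connection.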
Web DDoS Protection Using TLSFP
In traditional SSL/TLS-based DDoS attacks, massive volumes of encrypted traffic originate from a relatively small set of malicious TLSFPs.
Radware’s patented behavioral analysis solution detects and mitigates these threats by continuously profiling TLSFP behavior: it learns the TLSFPs used by known applications and treats TLSFPs whose behavior becomes abnormal as malicious.
Traffic from malicious TLSFPs is blocked, while legitimate encrypted sessions are safely passed through to the target servers, ensuring service continuity even under attack.
Each malicious TLSFP that sends a high volume of TLS/SSL connections carries behind it an even higher requests-per-second (RPS) volume, which can be mitigated already during TLS/SSL session establishment.
The Evolution: Randomized TLSFP Attacks
Recently, attackers have evolved their tactics with Randomized TLSFP attacks, a more sophisticated and evasive method.
Instead of relying on a few identifiable tools, adversaries now generate hundreds or thousands of unique TLS fingerprints, each initiating a small volume of SSL/TLS connections while together raising the total TLS/SSL volume.
By spoofing fields in the Client Hello message, attackers create a flood of TLS/SSL connections with varied fingerprints, many of which never complete a full TLS/SSL handshake.
This form of attack overwhelms servers with massive numbers of SSL/TLS handshakes and makes it difficult for traditional detection algorithms to identify patterns.
Mitigating Randomized TLSFP Attacks
Radware’s Randomize Protection technology was developed to specifically detect and counter this new breed of attacks.
Instead of focusing on traffic rate per TLSFP, the system identifies attacks based on the increase in the number of unique TLSFPs observed across SSL/TLS connections.
Once an anomaly is detected, Radware’s protection mechanisms:
- Ensure legitimate TLSFP traffic continues to flow to the server.
- Drop traffic initiated by randomized TLSFPs.
This approach maintains protection efficacy while ensuring minimal impact on genuine users.
Integration with Behavioral Mitigation
Randomize Protection operates as part of a layered defense architecture.
By integrating with Radware’s behavioral detection engine, it enables the system to:
- Block traffic from malicious TLSFP attackers.
- Simultaneously drop randomized TLSFP traffic.
The result is a comprehensive defense against both traditional and modern SSL/TLS-based DDoS threats, preserving visibility, maintaining performance, and ensuring uninterrupted service availability.
Case Study: When Randomized Fingerprints Mask an RPS Attack
A recent incident illustrates how attackers are blending fingerprint randomization with sustained behavioral attacks over TLS/SSL to evade detection.
At the onset of the attack, telemetry showed a burst of fingerprint diversity with a sharp rise in the number of unique TLS fingerprints, quickly hitting the system’s display cap of over 2,500 unique fingerprints.
However, the accompanying graph tracking Client Hellos per second shows that the rate remained consistently high even after the visible number of fingerprints dropped. This indicates a sustained behavioral attack originating from a small subset of malicious TLS fingerprints.
In essence, the attackers:
- Began with a flood of randomized TLSFPs to create noise and mask behavioral indicators.
- Transitioned to a concentrated RPS attack using a few known fingerprints to sustain the load.
Visual Evidence:
- Unique TLSFP Count Over Time: shows the initial spike to 2,500.
- Client Hello per Second: sustained high RPS as fingerprints decline.
Key Insights:
- Attackers may use large-scale fingerprint randomization as camouflage before focusing on a few malicious fingerprints.
- Detecting high diversity along with malicious TLSFP is crucial for accurate, timely mitigation.
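The two detection signals described above (the Randomize Protection check on unique-TLSFP count growth, and the behavioral check on per-TLSFP rate that the case study shows must run alongside it), as an added example that is not Radware's code and not part of the original article. The telemetry is constructed to reproduce the case study: a diversity burst followed by a concentrated rate from one fingerprint; the threshold factors and the 10-second learning window are assumptions.

```python
from collections import Counter, defaultdict

def constructed_stream():
    """Constructed telemetry (not real data): one (second, tlsfp) tuple per Client Hello."""
    events = []
    for t in range(0, 25):
        for i in range(20):                          # steady legitimate traffic, 3 browser TLSFPs
            events.append((t, f"browser-{i % 3}"))
        if 10 <= t < 15:                             # phase 1: randomized TLSFPs, each used once
            events += [(t, f"rand-{t}-{i}") for i in range(300)]
        if 15 <= t < 25:                             # phase 2: one tool TLSFP at a high rate
            events += [(t, "bot-tool-A")] * 400
    return events

def analyze(events, learn_until=10, diversity_factor=5, rate_factor=5):
    """Learn a baseline over the first learn_until seconds (known TLSFPs, peak unique count,
    peak per-TLSFP rate), then give a per-second verdict:
      randomized: unique-TLSFP count far above baseline -> drop TLSFPs never learned
      hot:        a TLSFP's Client Hello rate far above baseline -> block that TLSFP"""
    per_sec = defaultdict(Counter)
    for t, fp in events:
        per_sec[t][fp] += 1
    learning = [per_sec[t] for t in range(learn_until)]
    known = set().union(*learning)
    base_unique = max(len(c) for c in learning)
    base_rate = max(max(c.values()) for c in learning)
    verdicts = {}
    for t in sorted(per_sec):
        if t < learn_until:
            continue
        c = per_sec[t]
        randomized = len(c) > diversity_factor * base_unique
        unknown = [fp for fp in c if fp not in known]
        hot = sorted(fp for fp, n in c.items() if n > rate_factor * base_rate)
        verdicts[t] = {
            "unique": len(c),
            "randomized": randomized,
            "drop": sorted(unknown) if randomized else [],   # randomized TLSFPs to drop
            "hot": hot,                                      # behaviorally abnormal TLSFPs
            "client_hello_rate": sum(c.values()),
        }
    return verdicts
```

In the constructed stream the unique count falls back to 4 at second 15 while the Client Hello rate stays at 420 per second, which only the per-TLSFP rate check catches; watching diversity alone would report the attack as over.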