545 points mmh0000 | 4 comments
VladVladikoff ◴[] No.43573068[source]
Wait a sec… if the TLS handshakes look different, would it be possible to have an nginx-level filter for traffic that claims to be a web browser (e.g. Chrome user agent), yet really is a Python/PHP script? Because this would account for the vast majority of malicious bot traffic, and I would love to just block it.
replies(4): >>43573098 #>>43573360 #>>43574581 #>>43574731 #
gruez ◴[] No.43573098[source]
That's basically what security vendors like Cloudflare do, except with even more fingerprinting, like a JavaScript challenge that checks the JS interpreter/DOM.
replies(1): >>43573395 #
1. walrus01 ◴[] No.43573395[source]
JS to check user agent things like screen window dimensions as well, which legit browsers will have and bots will also present but with a more uniform and predictable set of x and y dimensions per set of source IPs. Lots of possibilities for JS endpoint fingerprinting.
replies(1): >>43584789 #
2. Fripplebubby ◴[] No.43584789[source]
I also present a uniform and predictable set of x and y dimensions per source IP as a human user who maximizes my browser window.
replies(1): >>43585062 #
3. gruez ◴[] No.43585062[source]
Maximizing reduces the variations, but there's still quite a bit of variation because of different display resolution + scaling settings + OS configuration (e.g. short or tall taskbars).
replies(1): >>43585374 #
4. walrus01 ◴[] No.43585374{3}[source]
Or settings like auto-hide macOS dock vs. not auto-hide, affecting the vertical size of the browser window.
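
The check asked about at the top of the thread (a claimed browser User-Agent whose TLS handshake does not look like that browser), sketched as an added example that is not from any commenter. It assumes the access log already carries a ClientHello fingerprint field (here `tls_fp`, a hypothetical name); the fingerprint values, User-Agent strings and IPs are constructed placeholders.

```python
import re
from collections import Counter

# Constructed allowlist of ClientHello fingerprints seen from real builds of
# each browser family. Placeholder strings, not real JA3/JA4 values; a real
# list has to be refreshed as browsers ship new TLS stacks.
KNOWN_FPS = {
    "chrome": {"fp-chrome-a", "fp-chrome-b"},
    "firefox": {"fp-firefox-a"},
}

# Order matters: Edge UAs also contain "Chrome/", so test for Edge first.
UA_FAMILIES = [
    ("edge", re.compile(r"\bEdg/")),
    ("chrome", re.compile(r"\bChrome/")),
    ("firefox", re.compile(r"\bFirefox/")),
]

def ua_family(user_agent):
    """Map a User-Agent string to a browser family, or None if unrecognised."""
    for family, pattern in UA_FAMILIES:
        if pattern.search(user_agent):
            return family
    return None

def classify(record):
    """Return 'match', 'mismatch' or 'unknown' for one log record."""
    family = ua_family(record.get("ua") or "")
    fp = record.get("tls_fp")
    # No verdict without a fingerprint or without a baseline for this family:
    # an honest script UA or an unbaselined browser is not a mismatch.
    if not fp or family not in KNOWN_FPS:
        return "unknown"
    return "match" if fp in KNOWN_FPS[family] else "mismatch"

def mismatches_by_ip(records):
    """Count claimed-browser / TLS-fingerprint mismatches per source IP."""
    return Counter(r["ip"] for r in records if classify(r) == "mismatch")

CHROME_UA = ("Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 "
             "(KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36")
# Constructed sample records using documentation IP ranges.
SAMPLE = [
    {"ip": "203.0.113.7", "ua": CHROME_UA, "tls_fp": "fp-chrome-a"},
    {"ip": "198.51.100.9", "ua": CHROME_UA, "tls_fp": "fp-script-x"},
    {"ip": "198.51.100.9", "ua": CHROME_UA, "tls_fp": "fp-script-x"},
    {"ip": "203.0.113.20", "ua": CHROME_UA + " Edg/134.0.0.0", "tls_fp": "fp-chrome-a"},
    {"ip": "192.0.2.5", "ua": "python-requests/2.32.3", "tls_fp": "fp-script-x"},
    {"ip": "192.0.2.6", "ua": CHROME_UA, "tls_fp": None},
]
```

Running it in report-only mode first, with per-IP counts rather than per-request blocking, shows how many real browsers fall outside the baseline before anything is enforced.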