Firewall Concepts

To safeguard your application against malicious activity, Vercel's platform-wide firewall is the first line of defense, inspecting requests as they arrive at Vercel's Edge Network. Once a request passes this layer, deployment protection checks whether it can continue based on access rules set at the level of your project.

If allowed to go through, the request is subject to the rules that you configured with the Web Application Firewall (WAF) at the level of your project. If the request is not blocked by the WAF rules, your deployment can process and serve it.

If you enabled a persistent action for a WAF rule and it blocks the request, the source IP address is stored in the platform firewall so that future requests from this source continue to be blocked for the specified time period. These future blocks happen at the level of the platform-wide firewall.

A Denial of Service (DoS) attack happens when one device attempts to exhaust the resources of a system using methods such as sending a large amount of data to a server or network. These attacks can often be mitigated by finding and closing off the connection to the source of the attack.

A Distributed Denial of Service (DDoS) attack happens when multiple connected devices are used to simultaneously overwhelm a site with targeted, illegitimate traffic. The goal of DoS and DDoS attacks is to disrupt access to the servers hosting the site.

The OSI model is a concept that outlines the different communication steps of a networking system. Different attack types can target different layers of the OSI model.

DDoS attacks target either the network (layer 3), the transport (layer 4) or the application (layer 7) layer of the OSI model. Vercel mitigates against these attacks, and protects the entire platform and all customers from attacks that would otherwise affect reliability.

The goal of a layer 3 (L3) DDoS attack is to slow down and ultimately crash applications, servers, and entire networks. These attacks are often used to target specific IP addresses, but can also target entire networks.

The goal of a layer 4 (L4) DDoS attack is to crash and slow down applications. They target the 3-way-handshake used to establish a reliable connection between TCP connections. This is often called a SYN flood. Layer 4 DDoS attacks are used to target specific ports, but can also target entire protocols.

The goal of a Layer 7 (L7) DDoS attack is to crash and slow down software at the application layer by targeting protocols such as HTTP, which is often done with GET and POST requests. They are often silent and look to leverage vulnerabilities by sending many innocuous requests to a single page. Vercel provides sophisticated proprietary L7 mitigation and is constantly tuning and adjusting attack detection techniques.

Vercel Firewall leverages JA3 and JA4 TLS fingerprints to identify and restrict malicious traffic. TLS fingerprints allow the unique identification of user sessions inspecting details in the Transport Layer Security (TLS) protocol initiation process.

TLS fingerprinting is a process used to identify and categorize encrypted network traffic.

It creates a unique identifier from the details of a TLS client hello packet, such as the version of TLS, supported cipher suites, and included extensions.

• TLS fingerprints allow the unique identification of user session
• JA3 and JA4 transform the TLS handshake details into a hash
• The hash is used as a fingerprint to monitor and restrict access
• The hash can then be read from your Functions through the request headers

Controlling access by TLS fingerprint allows us to mitigate malicious actors that use sophisticated methods of attack. For example, a DDoS attack that is spread across multiple user agents, IPs, or geographic locations might share the same TLS fingerprint. With fingerprinting, the Vercel Firewall can block all of the traffic that matches that TLS fingerprint.

JA4 is part of the JA4+ suite. It offers a more granular and flexible approach to network fingerprinting, helping to mitigate malicious traffic and prevent bot traffic.

With JA4, it's possible to identify, track, and categorize server-side encrypted network traffic. This is crucial in detecting and mitigating potential security threats, as it provides a more comprehensive view of the network traffic when used in conjunction with other fields.

JA3 is a tool that uses TLS fingerprinting to track and identify potential security threats. It specifically focuses on the details of the TLS client hello packet, generating a unique hash from it. This client hello packet contains specific information such as the TLS version, supported cipher suites, and any extensions used.

In the Allowed Requests view of the Vercel WAF monitoring page, you can group the web traffic by JA4 Digest to review the fingerprints of the live traffic or the past 24 hours.

The following headers are sent to each deployment and can be used to process the request before sending back a response. These headers can be read from the Request object in your Function.

Unique client fingerprint hash generated by the JA4 algorithm. JA4 is preferred as it offers a more granular and flexible approach to network fingerprinting, which helps with mitigating malicious traffic.

Unique client fingerprint hash generated by the JA3 algorithm.