Fingerprinting can be used to identify clients that connect to your application.
This can be useful when:
- Significant attacks should be detected faster
- Attack schemes need to be made more visible
- Limitations on a per-client basis need to be imposed
- There are multiple clients behind a single IP and you need to differentiate them without a session (Example: Carrier-grade NAT)
- ...
More detailed information can be found here:
Only a limited amount of server-side information is available for reaching enough uniqueness to identify a single client across multiple IPs.
Basically:
- TCP/UDP Protocol
- TLS Protocol
- HTTP Protocol
- Application-specific headers, cookies, and so on
For more detailed information see: wiki.superstes.eu - WAF
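As an added example (not taken from the linked wiki or from any project), the code below combines TLS and HTTP attributes from the list above into one fingerprint and counts requests per fingerprint instead of per IP. The field names, the choice of attributes and the sample requests are assumptions constructed for illustration.

```python
import hashlib
from collections import Counter

# Attributes assumed to be exposed by the server or reverse proxy (hypothetical names).
# Source IP and port are left out on purpose so the value stays stable across IPs.
FP_FIELDS = ("tls_version", "tls_ciphers", "http_version",
             "header_order", "user_agent", "accept_language")


def fingerprint(req: dict) -> str:
    """Hash the protocol-level attributes of one request into a short ID."""
    parts = []
    for field in FP_FIELDS:
        value = req.get(field, "")
        if isinstance(value, (list, tuple)):
            value = ",".join(value)  # order is kept: it is part of the signal
        parts.append(f"{field}={value}")
    return hashlib.sha256("|".join(parts).encode()).hexdigest()[:16]


def over_limit(requests: list, limit: int) -> dict:
    """Return {fingerprint: count} for clients with more than `limit` requests."""
    counts = Counter(fingerprint(r) for r in requests)
    return {fp: n for fp, n in counts.items() if n > limit}


# Constructed sample data: two different clients behind one carrier-grade NAT
# address, and the second client appearing again from another IP.
BROWSER = {"tls_version": "1.3",
           "tls_ciphers": ["TLS_AES_128_GCM_SHA256", "TLS_AES_256_GCM_SHA384"],
           "http_version": "2",
           "header_order": ["host", "user-agent", "accept", "accept-language"],
           "user_agent": "ExampleBrowser/1.0", "accept_language": "de-AT,de;q=0.9"}
SCRIPT = {"tls_version": "1.2",
          "tls_ciphers": ["TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"],
          "http_version": "1.1",
          "header_order": ["host", "accept", "user-agent"],
          "user_agent": "example-client/0.1"}
SAMPLE = ([dict(BROWSER, ip="100.64.0.10")] * 3
          + [dict(SCRIPT, ip="100.64.0.10")] * 20
          + [dict(SCRIPT, ip="203.0.113.7")] * 15)

if __name__ == "__main__":
    # A per-IP limit of 10 would also hit the browser sharing 100.64.0.10;
    # the per-fingerprint view flags only the scripted client, across both IPs.
    for fp, count in over_limit(SAMPLE, limit=10).items():
        print(fp, count)
```

Every attribute used here is client-controlled, so the fingerprint is a grouping signal for detection and rate limiting, not proof of identity.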
IP metadata can give you some information about the kind of client we might be dealing with.
Networks of hosting providers have a higher probability of being used for cyber attack/bot requests.
Some countries are known to be used as easy/cheap sources of nodes for botnets. For example: Cloudflare Radar - Security
There are some well-known providers of good-quality GeoIP data.
But if you want to use it commercially it might get expensive fast!
- ipapi.is - quality might not be the best
If you are interested: Information on how to create GeoIP databases from scratch
To be continued..
This is what I want to dive into here.. (;