Technical Guide by John Althouse (Patent Pending)

Inbound Detection with JA4+

A technical guide for using JA4+ network fingerprinting to identify inbound bots, fraud, hacking tools, session hijacking, and other non-human or nefarious actors. JA4+ focuses on fingerprinting clients at the protocol level and is designed to be used in conjunction with other layer 7 fingerprinting methods.

Video: JA4+ Network Fingerprinting by John Althouse

JA4+ Methods

JA4+ is a set of fingerprinting methods utilized heavily within the security community and by many Fortune 500 companies including Microsoft, Amazon, and Google, with support from both open source and vendor tools. JA4+ is maintained full-time by FoxIO with research, development, and intel.
Full Name        | Short Name | Description
-----------------|------------|--------------------------------------------
JA4              | JA4        | TLS Client Fingerprinting
JA4Server        | JA4S       | TLS Server Response / Session Fingerprinting
JA4HTTP          | JA4H       | HTTP Client Fingerprinting
JA4Latency       | JA4L       | Client to Server Latency / Light Distance
JA4LatencyServer | JA4LS      | Server to Client Latency / Light Distance
JA4X509          | JA4X       | X509 TLS Certificate Fingerprinting
JA4SSH           | JA4SSH     | SSH Traffic Fingerprinting
JA4TCP           | JA4T       | TCP Client Fingerprinting
JA4TCPServer     | JA4TS      | TCP Server Response Fingerprinting
JA4TCPScan       | JA4TScan   | Active TCP Fingerprint Scanner
JA4DHCP          | JA4D       | DHCP Fingerprinting
JA4DHCPv6        | JA4D6      | DHCPv6 Fingerprinting

Light Distance / Location Measuring

JA4L measures the light distance/latency between the first few packets in a connection. We use the first few packets because they are low-level, machine-generated packets, so there is nearly zero processing delay in creating and sending them. This gives an estimate of the distance between the client (or proxy exit node) and the server. Time is measured in microseconds (1 ms = 1,000 microseconds).
For TCP, measurements are taken from the TCP 3-way handshake and from the application protocol handshake. For UDP, we look at the QUIC (HTTP/3) handshake, which is the application protocol handshake.

Distance Formula

D = jc/p

  • D = Distance
  • j = JA4L_a (or delta between JA4L_a and JA4L_c for proxies)
  • c = Speed of light per microsecond in fiber (0.128 miles or 0.206 km)
  • p = Propagation delay factor (1.5 for good terrain, 2.0 for poor terrain)
An example: JA4L = 5191_42_45014 and JA4LS = 27_64_786. Part a is the one-way latency (in microseconds) within the TCP handshake, part b is the observed TTL, and part c is the one-way latency of the L7 application protocol negotiation.
If part c is significantly higher than part a (more than 2x and above 2,000 microseconds), the client is possibly connecting through a proxy. The delta between part a and part c represents the one-way latency between the proxy exit node and the client.

Propagation Delay Factor

Hop Count | Propagation Delay Factor
----------|-------------------------
<= 21     | 1.5
22        | 1.6
23        | 1.7
24        | 1.8
25        | 1.9
>= 26     | 2.0

Initial TTL Estimation

Device / OS                   | Initial TTL
------------------------------|------------
Cisco, F5, networking devices | 255
Windows                       | 128
Mac, Linux, phones, IoT       | 64

Example Calculation

With JA4L: 5191_42_45014 and a delta of 39,823 between parts a and c (part c is 8.67x part a), we conclude the client connects through a proxy. The observed TTL of 42 implies an initial TTL of 64 and therefore 22 hops, giving a propagation delay factor of 1.6. The proxy is within 415 miles of the server (5191 x 0.128 / 1.6 = 415 miles) and the client is within 3,185 miles of the proxy node ((45014 - 5191) x 0.128 / 1.6 = 3,185 miles).
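The distance estimate above, carried through in code as an added example (this is not FoxIO's implementation). It takes a JA4L string, infers the initial TTL and hop count from part b using the guide's tables, picks the propagation delay factor, and applies D = jc/p to part a (server to first hop) and, where part c indicates a proxy, to the a-to-c delta (proxy to client). The function and dictionary key names are this example's own.

```python
# Speed of light in fiber per microsecond, from the guide.
LIGHT_MILES_PER_US = 0.128
LIGHT_KM_PER_US = 0.206


def parse_ja4l(ja4l: str) -> tuple[int, int, int]:
    """Split 'a_b_c' into (tcp_latency_us, observed_ttl, app_latency_us)."""
    a, b, c = ja4l.split("_")
    return int(a), int(b), int(c)


def initial_ttl(observed_ttl: int) -> int:
    """Nearest initial TTL at or above the observed value (64 / 128 / 255)."""
    for start in (64, 128, 255):
        if observed_ttl <= start:
            return start
    raise ValueError(f"observed TTL out of range: {observed_ttl}")


def hop_count(observed_ttl: int) -> int:
    return initial_ttl(observed_ttl) - observed_ttl


def propagation_factor(hops: int) -> float:
    """Hop count -> propagation delay factor, per the guide's table."""
    if hops <= 21:
        return 1.5
    if hops >= 26:
        return 2.0
    return {22: 1.6, 23: 1.7, 24: 1.8, 25: 1.9}[hops]


def distance_miles(latency_us: int, factor: float) -> float:
    """D = j * c / p with c expressed in miles per microsecond."""
    return latency_us * LIGHT_MILES_PER_US / factor


def estimate(ja4l: str) -> dict:
    """Distance estimate for one JA4L value; flags a proxy when c/a exceeds 2.0."""
    a, ttl, c = parse_ja4l(ja4l)
    hops = hop_count(ttl)
    p = propagation_factor(hops)
    delta = c / a
    result = {
        "hops": hops,
        "factor": p,
        "delta": round(delta, 2),
        "proxied": delta > 2.0,
        # Distance from the server to whatever completed the TCP handshake
        # (the client itself, or a proxy exit node).
        "server_to_first_hop_miles": round(distance_miles(a, p)),
        "proxy_to_client_miles": None,
    }
    if result["proxied"]:
        # The a-to-c delta is the one-way latency between proxy and client.
        result["proxy_to_client_miles"] = round(distance_miles(c - a, p))
    return result


if __name__ == "__main__":
    # Value taken from the guide's worked example.
    print(estimate("5191_42_45014"))
```

The JA4LS value 27_64_786 from the same example runs through the same function unchanged: an observed TTL of 64 yields zero hops and the 1.5 factor, which is the expected result for a server measured at the server's own edge.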

Notes on Proxies and VPNs

Proxies: The proxy node handles TCP handshakes and bare packets (ACK, FIN, etc.). The application handshake is handled by the client.

VPNs: A VPN does not handle TCP packets so those packets pass through the VPN. In a VPN connection, parts a and c represent the total distance between client, VPN exit node, and server.

Detection of Residential Proxied Traffic

Currently, the industry uses source-IP enrichment to identify residential proxy IPs. The problem is that real users exist at these IPs, so blocking them is not an option and alerting on them creates too many false positives. With JA4+, we can tell on a per-session basis if the client is connecting directly or through a proxy.
When a client connects through a proxy, the proxy initiates the TCP 3-way handshake but generally does not intercept or alter any other traffic. We detect proxied traffic by identifying discrepancies between a client's User-Agent string and its JA4T fingerprint, combined with discrepancies in the JA4L fingerprint.
Application   | JA4                                  | JA4H_ab                  | JA4T                           | JA4L            | User-Agent
--------------|--------------------------------------|--------------------------|--------------------------------|-----------------|------------------------------------------
Chrome / Mac  | t13d1517h2_8daaf6152771_b0da82dd1658 | ge20nn18enus_54f3699ce60f | 65535_2-1-3-1-1-8-4-0-0_1460_6 | 1 (truncated)   | Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7)...
Curl / Linux  | t13i130900_f57a46bbacb6_28956e186419 | ge11nn050000_15d86dce804e | 64240_2-4-8-1-3_1460_7         | 201 (truncated) | curl/8.10.1

OS Identification via JA4T

JA4T Pattern            | Operating System
------------------------|---------------------------
*_2-4-8-1-3_*           | Linux-based
*_2-1-3-1-1-4_*         | Windows-based
*_2-1-3-1-1-8-4-0-0_*   | Darwin-based (macOS / iOS)

OS Identification via JA4L_b (Observed TTL)

JA4L_b Range | Operating System
-------------|-----------------------------------------------
20-64        | Linux or Darwin-based
80-128       | Windows-based
200-255      | Networking (Cisco/Juniper/F5) or custom bots

JA4L-Delta for Proxy Detection

The JA4L-Delta is calculated as JA4L_c / JA4L_a. Normal direct connections have a delta of 0.8 or 0.9. A delta greater than 2.0 indicates a proxied connection. The higher the delta, the further away the true client is from the proxy exit node.
JA4L Example   | JA4L-Delta | Assumption
---------------|------------|------------------------------------------------
6044_115_4835  | 0.8        | Windows connecting directly or through VPN
3378_52_7036   | 2.0        | Connecting via a unix or mac-based proxy

Proxied Connection Detection Logic

A proxied connection is indicated by a mismatch between the OS claimed in the User-Agent string and the OS implied by the JA4T fingerprint and JA4L_b, along with a JA4L-Delta greater than 2.0.

Direct Connection Example

UA: Mozilla/5.0 (Windows NT 10.0; Win64; x64) ... Chrome/138.0.0.0

JA4T: 64240_2-1-3-1-1-4_1460_8 matches Windows

JA4L: 5241_114_4893 TTL 114 = Windows range

JA4L-Delta: 0.9 direct connection

Proxied Connection Example

UA: Mozilla/5.0 (Windows NT 10.0; Win64; x64) ... Chrome/138.0.0.0

JA4T: 65535_2-4-8-1-3_1460_4 Android TV, not Windows!

JA4L: 3242_45_15023 TTL < 64 = iOS/Unix, not Windows!

JA4L-Delta: 4.6 > 2.0 = proxied connection!

Additional Check

Most residential proxies do not support QUIC while Chrome prefers it. Chrome connecting over TCP when it should connect over QUIC is another indicator that the connection is being proxied. This is especially anomalous from a residential IP where there are typically no devices to prevent UDP connections.

Detection of Bots, Intercepting Proxies & Hacking Tools

Intercepting proxies like Evilginx are designed to alter or capture traffic being transmitted through them. These are common in session hijacking and account takeovers. Intercepting proxies initiate all communication to the server, so all fingerprints observed server-side will be that of the proxy program or its underlying libraries.

Browser vs Program Fingerprints

Program             | JA4                                  | JA4H_ab
--------------------|--------------------------------------|--------------------------
Chrome (HTTP/1.1)   | t13d1517h2_8daaf6152771_b0da82dd1658 | ge11nn08enus_050dd5cfb971
Chrome (HTTP/2)     | t13d1517h2_8daaf6152771_b0da82dd1658 | ge20nn18enus_54f3699ce60f
Firefox (HTTP/1.1)  | t13d1715h2_5b57614c22b0_5c2c66f702b0 | ge11nn17enbd_197646d7c85b
Go HTTP Client      | t13i130900_f57a46bbacb6_e7c285222651 | ge11nn080000_a50ca53839a3
GoLang (Sliver)     | t13d190900_9dc949149365_97f8aa674fd9 | po11nn060000_eeacb637adbb
GoLang (Evilginx)   | t13d141000_cbb2034c60b8_e7c285222651 | ge10nn100000
GPTBot              | t12d250700_63461df8c1ab_6b16546de802 | ge11nn170000_5da8ef2853aa
BingBot             | t13d170900_5b57614c22b0_97f8aa674fd9 | ge11nn100000_5bd14236735b

Detection Logic

Browsers have an ALPN in their TLS ClientHello so JA4_a ends in h1, h2, or h3. Non-browsers typically do not list an ALPN so JA4_a ends in 00. Browsers prefer HTTP/2 or HTTP/3 and always list a primary accept language. Non-browsers use HTTP/1.0 or 1.1 and do not, so JA4H_a ends in 0000 instead of the locale.

If the User-Agent claims to be a browser but JA4_a ends in 00 (missing ALPN) or JA4H_a ends in 0000 (missing language), and JA4T does not match the claimed OS, then the client is either going through an intercepting proxy or is a bot/hacking tool with a faked User-Agent. Either is bad.
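The two detection rules from this guide, the proxied-connection logic (OS claimed in the User-Agent vs JA4T and JA4L_b, plus JA4L-Delta) and the browser-vs-program logic (ALPN in JA4_a, language in JA4H_a), implemented together as an added example. This is illustrative code, not FoxIO's, and its small User-Agent-to-OS mapping and the reading of the rule as "(missing ALPN or missing language) and JA4T mismatch" are assumptions of this example. The sample sessions reuse the guide's direct and proxied examples; the third session is constructed from the Go HTTP client row above with an invented JA4L value.

```python
import re

# JA4T option patterns -> OS family, from the guide's "OS Identification via JA4T" table.
JA4T_OS_PATTERNS = (
    (re.compile(r"^\d+_2-4-8-1-3_"), "linux"),
    (re.compile(r"^\d+_2-1-3-1-1-4_"), "windows"),
    (re.compile(r"^\d+_2-1-3-1-1-8-4-0-0_"), "darwin"),
)


def os_from_ja4t(ja4t: str):
    for pattern, family in JA4T_OS_PATTERNS:
        if pattern.match(ja4t):
            return family
    return None


def os_families_from_ttl(ttl: int):
    """Observed-TTL ranges from the guide's JA4L_b table; None if outside them."""
    if 20 <= ttl <= 64:
        return {"linux", "darwin"}
    if 80 <= ttl <= 128:
        return {"windows"}
    if 200 <= ttl <= 255:
        return {"network"}
    return None


def os_from_user_agent(ua: str):
    """Minimal claimed-OS mapping (an assumption of this example, not a full UA parser)."""
    if "Windows NT" in ua:
        return "windows"
    if any(tok in ua for tok in ("Macintosh", "iPhone", "iPad")):
        return "darwin"
    if "Android" in ua or "Linux" in ua:
        return "linux"
    return None


def claims_browser(ua: str) -> bool:
    return ua.startswith("Mozilla/")


def ja4l_delta(ja4l: str) -> float:
    """JA4L-Delta = JA4L_c / JA4L_a."""
    a, _, c = (int(x) for x in ja4l.split("_"))
    return c / a


def classify(ua: str, ja4: str, ja4h: str, ja4t: str, ja4l: str) -> dict:
    ua_os = os_from_user_agent(ua)
    ja4t_os = os_from_ja4t(ja4t)
    ttl_os = os_families_from_ttl(int(ja4l.split("_")[1]))
    delta = round(ja4l_delta(ja4l), 2)

    ja4t_mismatch = ua_os is not None and ja4t_os is not None and ja4t_os != ua_os
    ttl_mismatch = ua_os is not None and ttl_os is not None and ua_os not in ttl_os

    findings = []
    # Rule 1: claimed OS disagrees with the TCP/TTL evidence and the delta exceeds 2.0.
    if (ja4t_mismatch or ttl_mismatch) and delta > 2.0:
        findings.append("proxied")

    # Rule 2: a self-declared browser without browser-like TLS/HTTP behaviour.
    if claims_browser(ua):
        missing_alpn = ja4.split("_")[0].endswith("00")     # JA4_a ends in 00
        missing_lang = ja4h.split("_")[0].endswith("0000")  # JA4H_a ends in 0000
        if (missing_alpn or missing_lang) and ja4t_mismatch:
            findings.append("intercepting proxy or bot")

    return {"ua_os": ua_os, "ja4t_os": ja4t_os, "ttl_os": ttl_os,
            "delta": delta, "findings": findings}


# Constructed sample sessions (first two follow the guide's examples).
CHROME_WIN_UA = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 Chrome/138.0.0.0"
SAMPLE_SESSIONS = {
    "direct": (CHROME_WIN_UA, "t13d1517h2_8daaf6152771_b0da82dd1658",
               "ge20nn18enus_54f3699ce60f", "64240_2-1-3-1-1-4_1460_8", "5241_114_4893"),
    "proxied": (CHROME_WIN_UA, "t13d1517h2_8daaf6152771_b0da82dd1658",
                "ge20nn18enus_54f3699ce60f", "65535_2-4-8-1-3_1460_4", "3242_45_15023"),
    # Go HTTP client fingerprints behind a browser UA; JA4L here is invented.
    "faked_ua": (CHROME_WIN_UA, "t13i130900_f57a46bbacb6_e7c285222651",
                 "ge11nn080000_a50ca53839a3", "64240_2-4-8-1-3_1460_7", "1200_52_1100"),
}

if __name__ == "__main__":
    for name, session in SAMPLE_SESSIONS.items():
        print(name, classify(*session))
```

In production the User-Agent mapping would come from a real UA parser and the JA4T patterns from the full JA4+ database; the structure of the decision (independent OS evidence from two layers, then the latency ratio, then the browser-behaviour check) is what the example is meant to show.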

Detection of VPN Traffic

Passive Detection

VPN technologies like OpenVPN and WireGuard encapsulate the encrypted payload within a VPN header. This overhead reduces the maximum packet payload size by a fixed amount. By analyzing the reduced MSS along with any reductions in window size, it is possible to determine if a connection is coming from a VPN and what technology is being used.
In most cases, observing a JA4T_c (MSS) below 1300 is an easy way to identify VPN traffic. Specific JA4T fingerprints can identify specific VPN services and their options.

VPN Fingerprints

OS         | VPN                                | JA4T
-----------|------------------------------------|--------------------------
Windows 10 | None                               | 64240_2-1-3-1-1-4_1460_8
Windows 10 | PIA OpenVPN (TCP - Large MTU)      | 65142_2-1-3-1-1-4_1284_8
Windows 10 | PIA OpenVPN (UDP - Large MTU)      | 64768_2-1-3-1-1-4_1286_8
Windows 10 | PIA OpenVPN (TCP/UDP - Small MTU)  | 65340_2-1-3-1-1-4_1210_8
Windows 10 | PIA WireGuard                      | 65340_2-1-3-1-1-4_1210_8
Windows 10 | NordVPN WireGuard (port 22)        | 64860_2-1-3-1-1-4_1380_8

VPN/Proxy Fingerprints

OS         | VPN/Proxy               | JA4T
-----------|-------------------------|-------------------------
Windows 10 | PIA Streaming Optimized | 64240_2-4-8-1-3_1460_7
Windows 10 | NordVPN (port 443)      | 65535_2-4-8-1-3_1460_9
macOS      | iCloud Relay            | 64240_2-4-8-1-3_1380_13
Most VPN services have a proxy option. NordVPN and SurfsharkVPN proxy destination ports 53, 80, 443, 5060 and 8080. PIA uses a proxy on their Streaming Optimized servers. The iCloud Relay JA4T is unique to iCloud Relay.

Known False Positives

Wireless carriers have their own overhead on their wireless networks, and each network has a different MSS. These can be mapped out and mitigated, especially when correlated with User-Agent strings.

OS / Device | Carrier     | JA4T
------------|-------------|-------------------------------
macOS       | WiFi        | 65535_2-1-3-1-1-8-4-0-0_1460_6
macOS       | Verizon     | 65535_2-1-3-1-1-8-4-0-0_1388_6
macOS       | T-Mobile    | 65535_2-1-3-1-1-8-4-0-0_1360_6
Android 12  | Bell Canada | 42600_2-4-8-1-3_1420_12
Android 12  | Google Fi   | 42600_2-4-8-1-3_1348_12
Android 13  | Videotron   | 65535_2-4-8-1-3_1400_9
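The passive VPN check from this section, written as an added example (not FoxIO's code): parse the JA4T string into window, options, MSS and scale; look the whole fingerprint up against the VPN, proxy and carrier tables above; fall back to the MSS < 1300 rule; and, so that carrier overhead does not trigger a VPN verdict, only accept a carrier match when the User-Agent claims the same OS. Table contents are copied from the guide; the function names, verdict labels and the unknown-fingerprint sample are this example's own.

```python
# Known VPN / proxy JA4T values from the guide (OS, service). "none" marks the direct baseline.
VPN_JA4T = {
    "64240_2-1-3-1-1-4_1460_8": ("Windows 10", "none"),
    "65142_2-1-3-1-1-4_1284_8": ("Windows 10", "PIA OpenVPN (TCP - Large MTU)"),
    "64768_2-1-3-1-1-4_1286_8": ("Windows 10", "PIA OpenVPN (UDP - Large MTU)"),
    "65340_2-1-3-1-1-4_1210_8": ("Windows 10", "PIA OpenVPN (Small MTU) or PIA WireGuard"),
    "64860_2-1-3-1-1-4_1380_8": ("Windows 10", "NordVPN WireGuard (port 22)"),
    "64240_2-4-8-1-3_1460_7": ("Windows 10", "PIA Streaming Optimized proxy"),
    "65535_2-4-8-1-3_1460_9": ("Windows 10", "NordVPN proxy (port 443)"),
    "64240_2-4-8-1-3_1380_13": ("macOS", "iCloud Relay"),
}

# Carrier-induced MSS values that would otherwise look VPN-like (OS, carrier).
CARRIER_JA4T = {
    "65535_2-1-3-1-1-8-4-0-0_1388_6": ("macOS", "Verizon"),
    "65535_2-1-3-1-1-8-4-0-0_1360_6": ("macOS", "T-Mobile"),
    "42600_2-4-8-1-3_1420_12": ("Android 12", "Bell Canada"),
    "42600_2-4-8-1-3_1348_12": ("Android 12", "Google Fi"),
    "65535_2-4-8-1-3_1400_9": ("Android 13", "Videotron"),
}

MSS_VPN_THRESHOLD = 1300  # from the guide: MSS below this is an easy VPN indicator

# UA substrings used to confirm a carrier table entry (assumption of this example).
UA_OS_TOKENS = {"macOS": "Macintosh", "Android 12": "Android", "Android 13": "Android",
                "Windows 10": "Windows NT"}


def parse_ja4t(ja4t: str) -> dict:
    """JA4T = window_options_mss_scale; options are dash-separated option kinds."""
    window, options, mss, scale = ja4t.split("_")
    return {"window": int(window), "options": options.split("-"),
            "mss": int(mss), "scale": int(scale)}


def ua_claims_os(user_agent: str, os_name: str) -> bool:
    token = UA_OS_TOKENS.get(os_name)
    return token is not None and token in user_agent


def classify_transport(ja4t: str, user_agent: str = "") -> dict:
    """Verdict for one JA4T: direct, vpn_or_proxy, carrier, or likely_vpn (unknown low MSS)."""
    parts = parse_ja4t(ja4t)
    base = {"mss": parts["mss"], "match": None}

    if ja4t in VPN_JA4T:
        _, service = VPN_JA4T[ja4t]
        if service == "none":
            return {**base, "verdict": "direct"}
        return {**base, "verdict": "vpn_or_proxy", "match": service}

    if ja4t in CARRIER_JA4T:
        os_name, carrier = CARRIER_JA4T[ja4t]
        # Trust the carrier explanation only when the UA agrees on the OS.
        if ua_claims_os(user_agent, os_name):
            return {**base, "verdict": "carrier", "match": carrier}

    if parts["mss"] < MSS_VPN_THRESHOLD:
        return {**base, "verdict": "likely_vpn"}
    return {**base, "verdict": "direct"}


if __name__ == "__main__":
    mac_ua = "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7)"
    for fp, ua in [("65142_2-1-3-1-1-4_1284_8", ""),
                   ("65535_2-1-3-1-1-8-4-0-0_1388_6", mac_ua),
                   ("65535_2-1-3-1-1-4_1250_8", "")]:   # last value is constructed
        print(fp, classify_transport(fp, ua))
```

A carrier entry seen with a User-Agent that does not claim the matching OS falls through to the generic rules, which is the behaviour you want when a fingerprint-only match could be a coincidence.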

Active Detection

FoxIO has code that will actively confirm a client's maximum segment size. This works over both TCP and UDP, utilizing QUIC (HTTP/3). This active check mitigates deliberate altering of the MSS in TCP SYN packets or clients that only communicate over UDP/QUIC.

Bringing it All Together

Combining everything together allows very specific detection of exact clients and the transport medium they are using. By correlating JA4, JA4H, JA4T, JA4L, and JA4LS fingerprints with User-Agent strings and source-IP enrichment, it is possible to take action on residential proxied traffic, detect bots and hacking tools, identify VPN usage, and estimate client geolocation -- all on a per-session basis.
