JA3 and its successor JA4 are TLS fingerprinting methods. They hash characteristics of a client's TLS ClientHello message (the cipher suites it offers, its extensions, and supported versions) into a compact string that identifies the client software and library. Bot-management and DDoS defenses use these fingerprints to recognize and filter traffic from known malicious tooling.
Why it matters in DDoS testing
TLS fingerprinting is a behavioral Layer 7 control rather than a threshold on a counter, so it fails differently from a rate limit. A DDoS test probes the control's detection boundary: an adaptive attacker can rotate cipher ordering, extensions, and TLS parameters to vary its fingerprint and evade a defense tuned against a static allowlist. The question worth measuring is whether the fingerprinting rules have been tuned against the observed fingerprint space or only against a handful of known-bad signatures.
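The sketch below is an added example, not code from this page or from the JA3/JA4 projects. It computes a JA3 hash from ClientHello fields and checks whether a rule keyed on that exact hash still matches when only the cipher order changes. Assumptions: the sample ClientHello values are constructed, and `order_insensitive_key` and `rule_hits` are hypothetical helpers; sorting before hashing follows the approach JA4 takes for ciphers and extensions, but the output is not the JA4 string format.

```python
import hashlib

# GREASE placeholders (RFC 8701: 0x0A0A, 0x1A1A, ... 0xFAFA) are dropped by JA3.
GREASE = {(b << 8) | b for b in range(0x0A, 0x100, 0x10)}

def _join(values):
    return "-".join(str(v) for v in values if v not in GREASE)

def ja3_string(hello):
    """Version,Ciphers,Extensions,Curves,PointFormats in the order sent."""
    return ",".join([str(hello["version"]), _join(hello["ciphers"]),
                     _join(hello["extensions"]), _join(hello["curves"]),
                     _join(hello["point_formats"])])

def ja3(hello):
    return hashlib.md5(ja3_string(hello).encode()).hexdigest()

def order_insensitive_key(hello):
    """Hypothetical helper: sort ciphers and extensions before hashing."""
    norm = dict(hello, ciphers=sorted(hello["ciphers"]),
                extensions=sorted(hello["extensions"]))
    return hashlib.sha256(ja3_string(norm).encode()).hexdigest()[:12]

# Constructed sample ClientHello fields (decimal code points), not captured traffic.
BASELINE = {
    "version": 771,
    "ciphers": [0x0A0A, 4865, 4866, 4867, 49195, 49199],
    "extensions": [0, 23, 65281, 10, 11, 35, 16, 5, 13, 51, 45, 43],
    "curves": [29, 23, 24],
    "point_formats": [0],
}
# Same offered set, different cipher order and a different GREASE value.
REORDERED = dict(BASELINE, ciphers=[0x3A3A, 49199, 4867, 4865, 49195, 4866])

def rule_hits(hello, ja3_rules, sorted_rules):
    """Report which rule set, if any, still matches this ClientHello."""
    return {"ja3": ja3(hello) in ja3_rules,
            "order_insensitive": order_insensitive_key(hello) in sorted_rules}

if __name__ == "__main__":
    ja3_rules = {ja3(BASELINE)}
    sorted_rules = {order_insensitive_key(BASELINE)}
    for name, hello in (("baseline", BASELINE), ("reordered", REORDERED)):
        print(name, ja3(hello), rule_hits(hello, ja3_rules, sorted_rules))
```

Running the same comparison over fingerprints collected during a test shows how many distinct JA3 values collapse to one order-insensitive key, which is a direct measure of how much of the observed fingerprint space a static signature list covers.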
For where behavioral L7 controls sit in a complete assessment, see The Complete Guide to DDoS Testing.