Bot Manager Standard is designed to mitigate basic bots through a browser challenge. Bot Manager Advanced has this capability, but it also automatically detects good bots and bots that are spoofing good bots. Additionally, you may define a custom traffic profile through which bots will be identified and mitigated.
Bot Manager Advanced adds an additional layer of security that is dedicated to bot detection and mitigation. It is designed to automatically detect good bots (e.g., search bots) and bad bots, including those that spoof good bots, by analyzing requests and behavior. You may even customize how bad bots are detected and mitigated by defining custom criteria that profiles a bad bot and the action that we will take for that traffic. Bot Manager Advanced is also able to mitigate basic bots by requiring a web browser to resolve a JavaScript challenge before our service will resolve traffic. Finally, it provides actionable near real-time data on detected bots through which you may fine-tune your configuration to reduce false positives.
Bot Manager Advanced is a powerful tool through which you may mitigate undesired bot traffic and prevent them from performing undesired or malicious activity, such as scraping your siteRefers to harvesting data from your site., cardingRefers to the process through which stolen credit cards are authorized., taking over accounts through credential stuffing, spamming your forms, launching DDoS attacks, and committing ad fraud.
Bot Manager Advanced inspects each request to determine whether the client:
Matches a rule. A rule defines the criteria that our service will use to identify a bad bot.
You may identify bots using:
Our request and behavioral analysis that assigns a bot score to the request that defines our level of confidence that it is a bot.
You may set actions based off of bot score thresholds.
For example, you may redirect requests whose bot score is between 50 and 80% and block requests whose bot score is greater than 80%.
Key information:
If a request satisfies multiple criteria, then the above order determines the action that will be applied to it. Specifically, the order of precedence is:
The type of actions that can be applied to bot traffic are:
Mode | Description |
---|---|
Alert |
Generates an alert. Use this mode to track detected threats through the Bots dashboard without impacting production traffic. |
Browser challenge |
Sends a browser challenge to the client. The client must solve this challenge within a few seconds. Response The results of the above browser challenge determines what happens next.
Key information:
|
Block |
Drops the request and the client will receive a 403 Forbidden response. |
Returns a custom response.
|
|
Redirect |
Redirects requests to the specified URL. Key information:
|
Each rule within a Bot Manager configuration identifies bot traffic. Each rule contains:
A rule ID and message that will be associated with requests identified by this rule.
Assigning a unique ID and message to each rule makes it easy to identify requests detected as a result of a specific rule.
A rule ID must be a number between 77,000,000 and 77,999,999.
A Bot Manager configuration may contain up to 10 rules.
A request must satisfy at least one rule before WAF will consider it bot traffic. There are two types of rules, which are:
Custom Matches: This type of rule is satisfied when a match is found for each of its conditions. A condition defines what will be matched (i.e., variable), how it will be matched (i.e., operator), and a match value.
Certain variables match on key-value pairs. If you match on multiple keys within a single variable, WAF will only need to find one of those matches to satisfy that variable.
For example, if you set up a request header variable to match for Authorization and Content-Type, then requests that contain either or both of those headers will satisfy that variable.
Edgio Reputation DB: This type of rule is satisfied when the client's IP address matches an IP address defined within our reputation database. Our reputation database contains a list of IP addresses known to be used by bots.
Example #1
This example assumes that your Bot Manager configuration contains the following two rules:
Rule |
Type |
Description |
---|---|---|
1 |
Custom matches |
This rule contains a single condition. |
2 |
Custom matches |
This rule contains two conditions. |
Assuming the above configuration, WAF identifies bot traffic whenever either of the following conditions are met:
A match is found for the variables defined in both of the second rule's conditions.
Example #2
This example assumes that your Bot Manager configuration contains the following two rules:
Rule |
Type |
Description |
---|---|---|
1 |
Custom matches |
This rule contains two conditions. |
2 |
Edgecast Reputation DB |
This rule is satisfied when the client's IP address matches an IP address within our reputation database. |
Assuming the above configuration, WAF identifies bot traffic whenever either of the following conditions are met:
A condition determines how requests will be identified through variables, operators, match values, and negative matching.
A variable identifies the request element that WAF will analyze. We support the following request elements:
ASN: Identifies requests by the Autonomous System Number (ASN) associated with the client's IP address.
Specify a regular expression to match for multiple ASNs.
Example:
Use the following pattern to match for requests from either 15133 or 14153:
15133|14153
Country: Identifies requests by the country from which the request originated. Specify the desired country using a country code.
Specify a regular expression to match for multiple country codes.
Example:
Use the following pattern to match for requests from the United States, Canada, or Mexico:
US|CA|MX
IP address: Identify requests by the requester's IP address. Specify a comma-delimited list of the desired IP address(es) using standard IPv4/IPv6 and CIDR notation. Specify a subnet by appending a slash (/) and the desired bit-length of the prefix (e.g., 11.22.33.0/22). Do not specify more than 1,000 IP addresses or IP blocks.
Example:
Request cookies: Match against all or specific cookies.
Specific Cookies: Define the name of the desired cookie within this variable and specify the desired cookie value or pattern within the Match value option.
Setting up a cookie variable also allows you to define whether WAF uses a regular expression, a negative match, or both when comparing the value assigned to the variable against cookies. Use a negative match to find requests whose payload does not contain the specified cookie.
Request header: Match against all or specific request headers.
Specific Request Headers: Define the name of the desired request header within this variable and specify the desired header value or pattern within the Match value option.
Setting up a request header variable also allows you to define whether WAF uses a regular expression, a negative match, or both when comparing the value assigned to the variable against request headers. Use a negative match to find requests whose payload does not contain the specified request header.
Request query: Match against the request's query string. Specify the desired value or pattern within the Match value option.
Request URI: Match against the request's URL path and query string. Define a URL path that starts directly after the hostname. Exclude the protocol and hostname when defining this property.
WAF does not transform edge CNAME URLs to CDN URLs prior to performing this comparison.
Sample values:
/marketing?id=123456
/resources/images
Request URL path: Match against the request's URL path. Define a URL path that starts directly after the hostname. Exclude the protocol, hostname, and query string when defining this property.
Our service does not transform edge CNAME URLs to CDN URLs prior to performing this comparison.
Sample values:
/marketing
/resources/images
All variables support the ability to match on the number of times that a request element is found within the request. Set up a variable to match on the number of instances instead of inspecting the element for a specific value or regular expression pattern by marking the Count option.
You may define zero or more keys when setting up variables that match on key-value pairs. WAF must find at least one of the specified keys in the request before that variable will be satisfied. For example, if you set up a request header variable to match for Authorization and Content-Type, then requests that contain either or both of those headers will satisfy that variable.
An operator determines how WAF will compare a match value against the request element identified by a variable.
Exact match: A match is found when the request element is an exact match to the specified match value.
Avoid enabling the Negative match option with the Exact match operator. This configuration will not yield the expected set of matches.
Value match: A match is found when the request element occurs the exact number of times defined in the match value.
The Value match operator should only be used when the Count option has been enabled.
WAF uses a match value to identify threats.
Example:
This example assumes the following configuration:
Variable: Request header = Authentication
Match value: 1
We will now examine how the Count option affects comparisons for this configuration.
The type of comparison that will be performed is determined by the Operator option.
You may exempt traffic from bot detection by URL, user agent, JA3 fingerprint, and cookie.
Key information:
Our service will only bypass bot detection when it finds an exact match for a JA3 fingerprint exception.
Use the Bot dashboard to find the JA3 fingerprint that corresponds to a false positive.
You may create, modify, and delete Bot Manager configurations.
Key information:
To create a Bot Manager configuration
Navigate to the Bot Manager page.
Optional. Set up a browser challenge, custom response, or redirect that can be applied to known bots, spoofed bots, and bots detected through rules.
Unlike other actions, alert and block actions do not require configuration before they can be applied to bot traffic.
From the Actions section, select the desired action:
Browser challenge: Perform the following steps:
From the HTTP status code option, determine the HTTP status code for the response provided to clients that are being served the browser challenge.
Setting this option to certain status codes (e.g., 204) may prevent clients that successfully solve a browser challenge from properly displaying your site.
Custom response: Perform the following steps:
From the Custom response headers option, define each desired custom response header on a separate line.
Example:
Perform the following steps to automatically detect known bots:
From the Bot Token option, select whether to apply an action to all known bots (all), a specific bot, or to 200+ bots (other):
Choose other to apply an action to 200+ known good bots. This option excludes the known bots that are listed within the Bot Token option.
From the Action type option, select the action that will be applied to the known bot(s) selected in the previous step.
The Spoofed Bots section in the Known bots tab determines how to handle traffic spoofing the known bots selected in the previous step. From the Action type option, select the desired action.
The Spoofed Bots section does not apply to the 200+ known bots defined within the other category.
Create rules for identifying bots from the Rules tab.
In the Rule type option, select the type of rule that will be created.
Custom Matches: This type of rule is satisfied when a match is found for each of its conditions.
Certain variables (e.g., request cookies and request header) match on name and value. If you have selected this type of variable, then perform the following steps:
From the Name option, type the desired name.
For example, match for requests that contain an Authorization header by setting this option to Authorization.
Optional. Mark the Count option to match by the number of instances that a match is found instead of by inspecting that request element.
From the Operator option, select an operator that determines how WAF will compare the match value to the request element identified by the above variable.
Optional. Identify traffic that will bypass bot detection.
Add the desired URL(s), user agent(s), JA3 fingerprint(s), and cookie(s) as exception(s).
Place each entry on a separate line.
To modify a Bot Manager configuration
Navigate to the Bot Manager page.
Make the desired changes.
Key tasks:
Custom matches only
Delete variables and matches within a variable by clicking .
Custom matches only
Delete a condition by clicking Delete Condition.
A rule must have at least one condition. Therefore, you cannot delete the root condition.
To delete a Bot Manager configuration
Navigate to the Bot Manager page.