Bots mitigations overview with advance waf anti bot engine
0 likes161 views
The document provides an overview of bot mitigation techniques available in the F5 Advanced Web Application Firewall (WAF), focusing on detection and prevention methods for managing bot traffic on web applications. It outlines two key detection engines: anomaly-based detection and proactive bot defense, detailing various strategies such as source IP monitoring, device identification, geolocation, and URL-specific traffic analysis. Multiple prevention options, including client-side integrity defenses, CAPTCHA challenges, and request blocking mechanisms, are discussed to effectively mitigate bot-related attacks.
![b. Enable CAPTCHA Challenge
White listing
It is recommended to white list all known Ip’s that access the site and exclude them from the dos profile checks. The
reason is that when under attack the mitigations will not apply on known good sources.
Reporting
Bot defense reporting provides a full overview on the bots (good and bad) that access your web application. Those
graphs are critical when under attack to indicate the offending sources and easily mitigate the attacks.
Irule mitigations
Irule are the F5 swiss army knife that can be used with the anti bot engine. In the following example any source that
access the login php URL will get the proactive bot defense check and be allowed if it pass it. The full commands for
using bot defnse with irule is located here: BotDefense
# EXAMPLE: enable clientside challenges on a specific URL
when BOTDEFENSE_REQUEST {
if {[HTTP::uri] eq "/login.php"} {
BOTDEFENSE::cs_allowed true
}
}
Proactive Bot defense Summary
Proactive bot defense is a dedicated bot detection and mitigations engine which focus on the attack agent capabilities.](https://image.slidesharecdn.com/bots-mitigations-overview-with-advance-waf-anti-bot-engine-181230132844/85/Bots-mitigations-overview-with-advance-waf-anti-bot-engine-6-320.jpg)
Bots mitigations overview with advance waf anti bot engine
- 1. Bots mitigations overview with Advance WAF Anti Bot engine Lior Rotkovtich, 20182712 With more and more bots traffic hitting web applications it has become a necessity to manage bots accessing web applications. To be able to manage bot access to your web application you must first be able to detect them and only then allow or deny them. Those actions can be done by F5 advance WAF and this article will provide an overview of bot mitigations capabilities for versions 12.x , 13.x & 14.0 Advance WAF dos profile is a powerful bot management tool with various options to deal with bots. We classify them into two main types: 1. Anomaly based detection – anomaly engine to identify increase in RPS generated by bots 2. Proactive bot defense – a dedicated anti bot engine to identify bot activity Let’s review each one of them in more details. Anomaly detection engine Bot traffic most often generate increase in RPS. Advance WAF anomaly engine has several detection mechanisms that identify an increase in traffic based on different criteria: By source IP – detects increase of request per second which is the classical indication for a single bot generating traffic from a given IP. “By source IP” measure ratio increase and fixed increase request per second (RPS) from any IP accessing the web application. The ratio RPS anomaly detection is the calculation of the past request per second in compare to the current one. Ratio based should be used when the bot is originating from an already known IP that used to send X amount of traffic and now send 2X or 3X times more traffic. The prevention policy will be activated once this ratio per given source IP is reached. The fixed RPS detection anomaly is the limit of request per second that above it will consider an attack and will trigger the prevention policy. Fixed RPS detection should be used for new source IP’s with spikes that pass the fixed threshold which above it considered to be an attack. By Device ID – detect increase of RPS from a given device ID. The Device ID is the actual http agent that generates the HTTP request which makes the source identification increase more accurate. The reason Device ID exists is that the internet works with gateways also known as NATed traffic ( Network address translation ) that represented by single IP with many devices behind it. Blocking the single source IP will cause to blocking all legitimate users behind this source IP. Similar to “by source IP “there are two anomaly types: ratio based and fixed rate which are calculated as mentioned above. It is recommended to use device ID with the source IP detection to isolate the attacking source behind a source IP. Note that Device ID is done with java script injection, so check it before using it.
- 5. Anti bots capability checks Bots can be of various types and sometimes the only way to detect them is by inspecting their nature which is what the Proactive bot defense does. The anti bot engine is a sophisticated set of checks that has the following configuration: This configuration makes the proactive bot defense easy to use and filter the bad bots. The concept of the anti bot engine is to gradually inspect the source: 1. CSID – are you a browser that support cookie, Java script ? 2. Capabilities script – are you who you say you are ? comparing the browser answer to what the Anti bot engine sees. a. If the score is from 0 to 59 it is assumed to be a browser and the request can pass through. b. If the score is between 60 to 99 it is declared unknown and a CAPTCHA is sent to unknown sources. If the CAPTCHA challenge is solved the client is allowed in. A failed CAPTCHA challenge results in a connection reset. c. If the score is 100 then the request is reset 3. CAPTCHA – are you a human that can type characters ? The configuration reflects those options: If Block Suspicious Browsers is unchecked and CAPTCHA is unchecked à send CSID Challenge If Block Suspicious Browsers is checked and CAPTCHA is checked à send Client Capabilities challenge and give it a score: If score is good, then allow access If score in doubt send a CAPTCHA for human verification If score is bad, then block it If Block Suspicious Browsers is checked but CAPTCHA Challenge is unchecked à do not send CAPTCHA and only block if the score is more than a human Operation mode includes two modes: Always – use it when under attack for immediate response to apply proactive bod defense on the entire virtual server e.g. the site is under DDoS and I want to mitigate all bots traffic now. During attack – use it when other detection is triggered, and then proactive bot defense will be applied. e.g. the site is not under attack and I want to mitigate with proactive bot defense only when any other anomaly engine (mention above) is triggered in transparent mode. Or any request that pass the rate limit of the anomaly engine. The option for during attack provides a very powerful mitigation scenario where when the site is experiencing increase in RPS that indicates bots activity only then examine the sources and if they are suspicious present to those specific sources CAPTCHA challenge or block them if they are being detected by capability script as bots. The configuration will be as follows: 1. Define fixed thresholds for RPS on the anomaly engine in transparent mode 2. Define proactive bot defense to be during attack a. Enable If Block Suspicious Browsers b. Enable CAPTCHA Challenge
- 7. Proactive Bot defense Summary Proactive bot defense is a dedicated bot detection and mitigations engine which focus on the attack agent capabilities. There are several layers of protection with proactive bot defense : Bot signature – is this known bad / good bod ? Bot impersonation checks – is this a valid bot ? Browser check – is this a browser ? Browsers capabilities – which capabilities the browser has compare to what he say CAPTCHA – is this a human ? Proactive bot defense can be used with the anomaly engine the can trigger proactive bot defense once a specific threshold has reached. For example: only if login URL exceeds 20 RPS then apply proactive bot defense. (in transparent mode) Other combinations are also very useful when under attack. For example: sending the client capabilities script and send CATPCHA to verify if the sources is a browser and if this is a human. Proactive bot defense has good reporting that allows fine tuning of the security policy to match bots traffic. Finally irule can be used to utilize proactive bot defense. Under Attack – use F5 SIRT About F5 SIRT F5 Networks, Inc. | 401 Elliot Avenue West, Seattle, WA 98119 | 888-882-4447 | f5.com F5 Networks, Inc. Corporate Headquarters info@f5.com F5 Networks Asia-Pacific apacinfo@f5.com F5 Networks Ltd. Europe/Middle-East/Africa emeainfo@f5.com F5 Networks Japan K.K. f5j-info@f5.com ©2018 F5 Networks, Inc. All rights reserved. F5, F5 Networks, and the F5 logo are trademarks of F5 Networks, Inc. in the U.S. and in certain other countries. Other F5 trademarks are identified at f5.com. Any other products, services, or company names referenced herein may be trademarks of their respective owners with no endorsement or affiliation, express or implied, claimed by F5. CS04-00015 0113