Bot configuration

Web and mobile applications are significant revenue drivers for businesses, and most companies face advanced cyberattacks such as bots. A bot is a software program that automatically performs certain actions repeatedly, at a much faster rate than a human. Bots can interact with webpages, submit forms, run actions, scan text, or download content. They can access videos, post comments, and tweet on social media platforms. Some bots, known as chatbots, can hold basic conversations with human users.

With some bad bots performing malicious tasks, it is essential to manage bot traffic and protect your web applications from bot attacks.

The CWAAP bot management detects incoming bot traffic and mitigates bot attacks to protect your web applications. The bot configuration helps identify bad bots and protect your application from security attacks. Beyond detecting when a bot is interacting with your applications or networks, and whether the bot is good or bad, the CWAAP Service platform informs you about the bot activity. You can then decide on a bot action to apply (allow, block, log, delay, or deceive).

Setting up CWAAP bot configuration

To begin setting up the CWAAP bot configuration, you must first have an asset and a policy attached to that asset.

  1. Select Configuration > Policies.
  2. Select a policy and click Edit (pencil and paper).
  3. Navigate to the Bot Profile tab.

The CWAAP bot profile consists of bot protection techniques and bot signature configuration.

  • Protection. A list of bot protection techniques that you can configure as part of the CWAAP bot configuration and associate bot actions with.
  • Signatures. A list of countermeasures that protect your web application against bot attacks. Bot signatures help identify good and bad bots based on request parameters, such as the User-Agent header of the incoming request.

Bot protection techniques

CWAAP bot protection provides a list of bot techniques that you can configure and then enable or disable for a policy.

After you have configured a bot technique, you must enable it for it to take effect on the policy.

The CWAAP bot configuration supports the following bot protection techniques:

  • Allow list
  • Block List
  • Bot Trap
  • Reputation
  • Device Fingerprint
  • Rate Limiting
  • Transactions Processing System (TPS)
  • CAPTCHA

Allow list

A customized list of IP addresses, subnets, and policy expressions that your bot policy treats as allowed: traffic matching an entry bypasses the bot checks.

Note:

You can configure up to 32 bindings as part of the allow list configuration in a bot profile.

Configure the allow list by using the CWAAP GUI:

  1. Click Add.
  2. In the Add to Allow List Bindings page, set the following parameters:

    1. Active. Select to activate the protection technique.
    2. Type. Select type as Expression, IPv4, or Subnet.
    3. Value. Provide the associated Value, and then select the corresponding Response (or Action) to be carried out.
    4. Response. Select response as Log or None.
  3. Click Commit.

Block list

A customized list of IP addresses, subnets, and policy expressions that must be blocked from accessing your web applications. The configured traffic is blocked only when you enable the block list feature.

Note:

You can configure up to 32 bindings as part of the block list configuration in a bot profile.

Configure the block list protection technique by using the CWAAP GUI:

  1. Click Add.
  2. In the Add to Block List Bindings page, set the following parameters:

    1. Active. Select to activate the protection technique.
    2. Type. Select type as Expression, IPv4, or Subnet.
    3. Value. Provide the associated Value, and then select the corresponding Response (or Action) to be carried out.
    4. Response. Select response as Action and Log, Log, or None.
  3. Click Commit.
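The allow-list and block-list bindings described above can be modelled as a small matcher. The following Python is an added example, not CWAAP code: it takes bindings of type IPv4, Subnet or Expression with the Active flag and the Response values from the two sections, enforces the 32-binding limit, and represents a policy expression as a Python predicate (an assumption; CWAAP uses its own expression language). It also assumes the allow list is consulted before the block list, which the documentation does not state.

```python
import ipaddress
from dataclasses import dataclass
from typing import Callable, List, Union

MAX_BINDINGS = 32  # per-list limit stated in the notes above


@dataclass
class Request:
    client_ip: str
    path: str
    user_agent: str


@dataclass
class Binding:
    active: bool
    type: str        # "IPv4", "Subnet" or "Expression"
    value: Union[str, Callable[[Request], bool]]  # address, CIDR, or predicate
    response: str    # allow list: "Log"/"None"; block list: "Action and Log"/"Log"/"None"
    label: str = ""  # name used in log lines


def validate(bindings: List[Binding]) -> None:
    """Reject a list that exceeds the 32-binding limit or uses an unknown type."""
    if len(bindings) > MAX_BINDINGS:
        raise ValueError(f"at most {MAX_BINDINGS} bindings allowed, got {len(bindings)}")
    for b in bindings:
        if b.type not in ("IPv4", "Subnet", "Expression"):
            raise ValueError(f"unknown binding type {b.type!r}")


def matches(b: Binding, req: Request) -> bool:
    """True when an *active* binding matches the request; inactive bindings never match."""
    if not b.active:
        return False
    if b.type == "IPv4":
        return ipaddress.ip_address(req.client_ip) == ipaddress.ip_address(b.value)
    if b.type == "Subnet":
        return ipaddress.ip_address(req.client_ip) in ipaddress.ip_network(b.value, strict=False)
    # "Expression" stands in for a policy expression; modelled here as a Python predicate.
    return bool(b.value(req))


def evaluate(allow_list, block_list, req, block_action="Drop"):
    """
    Returns (verdict, log_lines) for one request.

    "Allow"      -> allow-list hit; the request skips the remaining bot checks
    block_action -> block-list hit whose response is "Action and Log"
    "Continue"   -> no enforced hit; later techniques still run

    First matching binding wins. Consulting the allow list before the block list
    is an assumption of this example, not something the documentation states.
    """
    logs = []
    for b in allow_list:
        if matches(b, req):
            if b.response == "Log":
                logs.append(f"ALLOWLIST {b.label or b.type} ip={req.client_ip} path={req.path}")
            return "Allow", logs
    for b in block_list:
        if matches(b, req):
            if b.response in ("Action and Log", "Log"):
                logs.append(f"BLOCKLIST {b.label or b.type} ip={req.client_ip} path={req.path}")
            if b.response == "Action and Log":
                return block_action, logs
            return "Continue", logs  # "Log" or "None": recorded (or not) but not enforced
    return "Continue", logs


# Constructed sample bindings (documentation-range addresses, not real clients).
ALLOW = [Binding(True, "Subnet", "10.0.0.0/8", "Log", "corp-monitoring")]
BLOCK = [
    Binding(True, "IPv4", "203.0.113.7", "Action and Log", "known-abuser"),
    Binding(True, "Expression", lambda r: "headlesschrome" in r.user_agent.lower(), "Log", "headless-ua"),
    Binding(False, "Subnet", "198.51.100.0/24", "Action and Log", "disabled-range"),
]


def demo():
    validate(ALLOW)
    validate(BLOCK)
    samples = [
        Request("10.1.2.3", "/", "Mozilla/5.0"),                       # allow-listed subnet
        Request("203.0.113.7", "/login", "Mozilla/5.0"),               # block-listed address
        Request("198.51.100.9", "/", "Mozilla/5.0 HeadlessChrome/120"),  # logged only
        Request("192.0.2.1", "/", "Mozilla/5.0"),                      # no match
    ]
    return [evaluate(ALLOW, BLOCK, r) for r in samples]


if __name__ == "__main__":
    for verdict, logs in demo():
        print(verdict, logs)
```

The inactive subnet binding never matches, so the third request falls through to the expression binding, which logs but does not enforce; that is the difference between a Log response and an Action and Log response.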

Bot trap

The CWAAP bot trap protection technique randomly or periodically inserts a trap URL in the client response. You can also create a default trap URL and add insertion URLs for it. The trap URL is invisible to, and not reachable by, a human user. An automated bot, however, can reach the URL, and when it accesses the URL the client is categorized as a bot and all of its subsequent requests are blocked. The trap technique is effective in blocking attacks from bots.

Configure bot trap protection technique by using the CWAAP GUI:

  1. In the Bot Trap section, Click Add.
  2. In the Add Insertion URLs page, set the following parameters:

    1. Active. Select to activate the specified URL pattern.
    2. URL Pattern. Provide the URL pattern (insertion URL) for your most visited or frequently visited pages. If no URL is provided, and the bot trap technique is activated and enabled for the policy, a default trap URL is created for all URLs.
  3. Click Commit.
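To make the insertion and flagging behaviour concrete, here is an added Python model of the bot-trap technique (not CWAAP code): eligible responses are those whose path matches a configured insertion URL pattern (none configured means every path, the default-trap-URL case), the hidden link is inserted either on every N-th eligible response or at random, and a client that fetches the trap path is flagged and blocked from then on. The trap path, the client identifier and the HTML are constructed for the example.

```python
import random
import re
import secrets
from typing import Iterable, Optional, Set


class BotTrap:
    """Model of the bot-trap technique described above (added example, not CWAAP code)."""

    def __init__(self, insertion_patterns: Iterable[str] = (), every_n: Optional[int] = None,
                 probability: float = 0.0, trap_path: Optional[str] = None,
                 rng: Optional[random.Random] = None):
        self.patterns = [re.compile(p) for p in insertion_patterns]
        self.every_n = every_n            # periodic insertion: every N-th eligible response
        self.probability = probability    # random insertion: chance per eligible response
        self.rng = rng or random.Random()
        # A random trap path per profile, so a bot cannot skip it by matching a known string.
        self.trap_path = trap_path or "/" + secrets.token_urlsafe(12)
        self.eligible_seen = 0
        self.flagged: Set[str] = set()

    def _eligible(self, path: str) -> bool:
        # No patterns configured: every path is eligible (default trap URL for all URLs).
        return not self.patterns or any(p.match(path) for p in self.patterns)

    def _due(self, path: str) -> bool:
        if not self._eligible(path):
            return False
        self.eligible_seen += 1
        if self.every_n:
            return self.eligible_seen % self.every_n == 0
        return self.rng.random() < self.probability

    def filter_response(self, path: str, html: str) -> str:
        """Return the response body, with the hidden trap link inserted when due."""
        if not self._due(path):
            return html
        # Hidden from rendering, keyboard focus and assistive technology: a human never follows it.
        link = (f'<a href="{self.trap_path}" rel="nofollow" '
                f'style="display:none" aria-hidden="true" tabindex="-1"></a>')
        if "</body>" in html:
            return html.replace("</body>", link + "</body>", 1)
        return html + link

    def check_request(self, client_id: str, path: str) -> str:
        """'Block' for a flagged client, or for the request that trips the trap; else 'Allow'."""
        if path == self.trap_path:
            self.flagged.add(client_id)   # only an automated client follows the hidden link
            return "Block"
        return "Block" if client_id in self.flagged else "Allow"


def demo():
    # Constructed walkthrough: insert on every second response under /products.
    trap = BotTrap(insertion_patterns=[r"^/products"], every_n=2, trap_path="/trap-example")
    page = "<html><body><h1>Products</h1></body></html>"
    first = trap.filter_response("/products/1", page)    # 1st eligible response: unchanged
    second = trap.filter_response("/products/2", page)   # 2nd eligible response: link inserted
    human = trap.check_request("10.0.0.5", "/products/1")
    bot_trip = trap.check_request("10.0.0.6", "/trap-example")
    bot_after = trap.check_request("10.0.0.6", "/products/1")
    return first == page, "/trap-example" in second, human, bot_trip, bot_after


if __name__ == "__main__":
    print(demo())
```

Run `check_request` before `filter_response` on every request, so that a flagged client is blocked before any body is produced. In a real deployment the trap path should also be disallowed in robots.txt, so that crawlers that honour it are not misclassified as bad bots.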

IP reputation

The CWAAP IP reputation technique detects whether incoming bot traffic comes from a malicious IP address. As part of the configuration, you set different malicious bot categories and associate a bot action with each of them.

Following are the IP reputation threat detection categories:

  • Botnets
  • DoS
  • IP
  • Mobile Threats
  • Phishing
  • Proxy
  • Reputation
  • Scanners
  • Spam Sources

Each threat type can be set to one of the following response types.

  • Action and Log – Log the violation details, and take the configured Action type.
  • Log – Capture and log any traffic matching the configurations, but take no Action.
  • None – Take no action if a match occurs.

After setting the response type, you can configure any one of the following bot actions.

  1. Drop
  2. Mitigation
  3. Redirect
  4. Reset

Device fingerprint

The CWAAP device fingerprint technique examines the device fingerprint ID in the request header and the browser attributes of incoming client traffic. These attributes are examined to determine whether the traffic is from a bot or a human. In this technique, the HTTP request header “User-Agent” is the determining factor.

If the URL is provided and matches the ADC list, a domain name lookup occurs. If a matching domain name is identified, the traffic is considered good.

If, however, the returned domain name does not match what the ADC has, the traffic is considered bad and dropped.

If a user agent search completes and a match is found, the traffic is designated bad and dropped.

Configure device fingerprint protection technique by using the CWAAP GUI:

  1. In the Device Fingerprint section, set the following parameters.

    1. Response. Select a bot response:
      1. Action and Log – Log the violation details, and take the configured Action type.
      2. Log – Capture and log any traffic matching the configurations, but take no Action.
      3. None – Take no action if a match occurs.
    2. Action. Select one of the following bot actions:
      1. Drop
      2. Mitigation
      3. Redirect
      4. Reset
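The decision sequence above (user agent matched against a list, then a domain name lookup that must agree with the list) is a standard way of verifying a client that claims to be a well-known crawler. The following Python is an added example, not CWAAP code and not the ADC list itself: the known-bot and bad-bot entries are constructed placeholders, the resolvers are injected so the code runs offline, and the forward-confirmation step goes beyond the page (it checks that the reverse-DNS name resolves back to the client address, since an IP owner can publish any PTR record they like).

```python
import re
from typing import Callable, List, Optional

# Constructed stand-in for the "ADC list": a user-agent pattern for a crawler that
# claims a known identity, and the domain suffix its reverse-DNS name must carry.
KNOWN_BOTS = [
    {"ua": re.compile(r"\bExampleBot/\d", re.I), "domains": (".crawler.example.net",)},
]
# User-agent patterns treated as bad outright (constructed placeholder).
BAD_UA = [re.compile(r"\bexample-harvester\b", re.I)]

Reverse = Callable[[str], Optional[str]]   # ip -> PTR hostname, or None
Forward = Callable[[str], List[str]]       # hostname -> list of addresses


def classify(client_ip: str, user_agent: str, reverse: Reverse, forward: Forward,
             known=KNOWN_BOTS, bad=BAD_UA) -> dict:
    """Return {"verdict": "good" | "drop" | "pass", "reason": ...} for one request.

    "good": the client claims a known bot identity and DNS confirms it
    "drop": a bad-bot user agent, or a claimed identity the DNS checks refute
    "pass": no signature matched; the remaining bot techniques decide
    """
    for pat in bad:
        if pat.search(user_agent):
            return {"verdict": "drop", "reason": "user agent matches a bad-bot signature"}
    for entry in known:
        if not entry["ua"].search(user_agent):
            continue
        host = reverse(client_ip)
        if not host or not host.endswith(entry["domains"]):
            return {"verdict": "drop", "reason": "reverse DNS name does not match the claimed bot's domain"}
        # Forward confirmation (beyond the page): whoever owns the client IP also
        # controls its PTR record, so the name must resolve back to that IP.
        if client_ip not in forward(host):
            return {"verdict": "drop", "reason": f"{host} does not resolve back to {client_ip}"}
        return {"verdict": "good", "reason": f"verified crawler {host}"}
    return {"verdict": "pass", "reason": "no user-agent signature matched"}


# Constructed offline resolver tables (documentation-range addresses).
PTR = {
    "198.51.100.10": "node7.crawler.example.net",   # genuine crawler node
    "203.0.113.9": "node7.crawler.example.net",     # impostor with a forged PTR record
}
A = {"node7.crawler.example.net": ["198.51.100.10"]}


def fake_reverse(ip: str) -> Optional[str]:
    return PTR.get(ip)


def fake_forward(host: str) -> List[str]:
    return A.get(host, [])


UA_CRAWLER = "Mozilla/5.0 (compatible; ExampleBot/2.1; +http://crawler.example.net/bot)"


def demo() -> List[str]:
    cases = [
        ("198.51.100.10", UA_CRAWLER),              # genuine: good
        ("203.0.113.9", UA_CRAWLER),                # forged PTR, forward check fails: drop
        ("192.0.2.4", UA_CRAWLER),                  # no PTR at all: drop
        ("192.0.2.4", "Mozilla/5.0 Firefox/120"),   # ordinary browser: pass
        ("192.0.2.4", "example-harvester/1.0"),     # bad-bot signature: drop
    ]
    return [classify(ip, ua, fake_reverse, fake_forward)["verdict"] for ip, ua in cases]


if __name__ == "__main__":
    print(demo())
```

With live DNS, `socket.gethostbyaddr(ip)[0]` and `socket.gethostbyname_ex(host)[2]` from the standard library supply the two resolver functions; cache the results, because the lookups sit on the request path.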

Rate limiting

The CWAAP rate limiting protection technique examines the time frame in which a request is received from a Client IP Address, Session ID, or configured resource (incoming URL).

Note:

You can configure up to 32 bindings as part of the rate limiting configuration in a bot profile.

Configure the rate limit protection technique by using the CWAAP GUI:

  1. In the Rate Limiting section, Click Add.
  2. In the Add to Rate Limit Bindings page, set the following parameters:

    1. Active: Select to activate the rate limit binding.
    2. Type: Select a rate limit type:

      1. Source_IP – The rate limit is determined by the client IP address.
      2. Session – The rate limit is determined by the configured cookie name.
      3. URL – The rate limit is determined by the configured URL.
    3. URL: The configured URL that the rate limit is determined by (for the URL type).
    4. Rate: Configure the Rate value, which determines the number of requests allowed within the specified Period.
    5. Period: Configure the Period value for the selected Rate, in milliseconds (in multiples of 10).
    6. Response: Select the Response type and, if applicable, the associated Action type.
    7. Action: Select a bot action.
  3. Click Commit.
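The rate limit parameters above (Type, URL, cookie name, Rate, Period, Response, Action) map onto a per-key sliding window. The following Python is an added example, not CWAAP code: it validates the Period as a positive multiple of 10 ms, keys the window on client IP, session cookie or configured URL according to the binding type, enforces the 32-binding limit, and returns the binding's Action only when the Response is Action and Log. The timestamps, addresses and cookie name are constructed.

```python
from collections import deque
from dataclasses import dataclass
from typing import Deque, Dict, Optional, Tuple

MAX_BINDINGS = 32  # per-profile limit from the note above


@dataclass
class RateLimitBinding:
    type: str                          # "Source_IP", "Session" or "URL"
    rate: int                          # requests allowed per period
    period_ms: int                     # window length in milliseconds, a multiple of 10
    url: Optional[str] = None          # type URL: the path the limit applies to
    cookie_name: Optional[str] = None  # type Session: cookie that carries the session id
    response: str = "Action and Log"   # "Action and Log", "Log" or "None"
    action: str = "Drop"               # bot action taken on an enforced violation

    def __post_init__(self):
        if self.type not in ("Source_IP", "Session", "URL"):
            raise ValueError(f"unknown type {self.type!r}")
        if self.rate <= 0 or self.period_ms <= 0 or self.period_ms % 10:
            raise ValueError("rate must be positive and period a positive multiple of 10 ms")
        if self.type == "URL" and not self.url:
            raise ValueError("URL bindings need a url")
        if self.type == "Session" and not self.cookie_name:
            raise ValueError("Session bindings need a cookie_name")


class RateLimiter:
    """Sliding-window limiter, one window per (binding, key) as the technique above describes."""

    def __init__(self, bindings):
        if len(bindings) > MAX_BINDINGS:
            raise ValueError(f"at most {MAX_BINDINGS} rate limit bindings")
        self.bindings = list(bindings)
        self.windows: Dict[Tuple[int, str], Deque[int]] = {}  # (binding idx, key) -> timestamps

    @staticmethod
    def _key(b: RateLimitBinding, client_ip: str, path: str, cookies: dict) -> Optional[str]:
        if b.type == "Source_IP":
            return client_ip
        if b.type == "Session":
            return cookies.get(b.cookie_name)       # no cookie: the binding does not apply
        return path if path == b.url else None      # URL: only the configured path counts

    def check(self, now_ms: int, client_ip: str, path: str, cookies: Optional[dict] = None):
        """Return (verdict, logs); verdict is 'Allow' or the action of the first enforced violation."""
        cookies = cookies or {}
        logs = []
        for idx, b in enumerate(self.bindings):
            key = self._key(b, client_ip, path, cookies)
            if key is None:
                continue
            window = self.windows.setdefault((idx, key), deque())
            while window and now_ms - window[0] >= b.period_ms:
                window.popleft()                    # drop timestamps that left the period
            window.append(now_ms)                   # over-limit requests still count
            if len(window) > b.rate:
                if b.response in ("Action and Log", "Log"):
                    logs.append(f"RATELIMIT {b.type}={key} {len(window)}>{b.rate}/{b.period_ms}ms")
                if b.response == "Action and Log":
                    return b.action, logs
        return "Allow", logs


def demo():
    # Constructed bindings: 3 requests per second per client IP, and 2 per 500 ms on /login.
    limiter = RateLimiter([
        RateLimitBinding("Source_IP", rate=3, period_ms=1000),
        RateLimitBinding("URL", rate=2, period_ms=500, url="/login", action="Reset"),
    ])
    traffic = [
        (0, "192.0.2.1", "/"), (100, "192.0.2.1", "/"), (200, "192.0.2.1", "/"),
        (300, "192.0.2.1", "/"),     # 4th request inside 1000 ms: Drop
        (1300, "192.0.2.1", "/"),    # window has slid past all four: Allow
        (0, "192.0.2.2", "/login"), (50, "192.0.2.3", "/login"),
        (90, "192.0.2.4", "/login"), # 3rd hit on /login inside 500 ms: Reset
    ]
    return [limiter.check(t, ip, path)[0] for t, ip, path in traffic]


if __name__ == "__main__":
    print(demo())
```

Because over-limit requests are still appended to the window, a client that keeps hammering stays limited until it actually slows down; a design that only counted accepted requests would let it through again as soon as the oldest timestamps expired.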

Bot Transactions Processing System (TPS)

The CWAAP Transaction Processing System (TPS) protection technique examines the number of requests and the percentage increase in requests over a configured time interval to determine whether the traffic comes from a bot.

Configure the Transaction Processing System (TPS) protection by using the CWAAP GUI:

  1. In the TPS Bindings section, Click Add.
  2. In the Add to TPS Binding page, set the following parameters:
    1. Type: Select either Host or Request URL from the drop-down menu.
    2. Fixed Threshold: Provide the Fixed Threshold value, which determines the maximum number of requests allowed within a one-second interval.
    3. % Threshold: Provide the % Threshold value, which determines the maximum percentage increase in requests allowed within a 30-minute span.
    4. Response: Select the Response type from the drop-down menu.

      1. Action and Log – Log the violation details, and take the configured Action type.
      2. Log – Capture and log any traffic matching the configurations, but take no Action.
      3. None – Take no action if a match occurs.
    5. Action: Select a bot action.
  3. Click Commit.
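The two TPS thresholds measure different things: the Fixed Threshold is a per-second ceiling, the % Threshold a growth check over a 30-minute span. The following Python is an added example, not CWAAP code. It counts requests per Host or per Request URL in a one-second bucket and in 30-minute spans; the percentage increase is computed against the previous span's total, which is an assumption of this example, since the page does not say how CWAAP derives the baseline. The hostnames and timestamps are constructed.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple

SECOND_MS = 1000
SPAN_MS = 30 * 60 * 1000   # the 30-minute span referred to above


@dataclass
class TpsBinding:
    type: str              # "Host" or "Request URL"
    fixed_threshold: int   # max requests allowed within any one-second interval
    pct_threshold: float   # max allowed % increase of one 30-minute span over the previous one
    response: str = "Action and Log"
    action: str = "Drop"

    def __post_init__(self):
        if self.type not in ("Host", "Request URL"):
            raise ValueError(f"unknown type {self.type!r}")
        if self.fixed_threshold <= 0 or self.pct_threshold < 0:
            raise ValueError("thresholds must be positive")


class TpsMonitor:
    """Per-host / per-URL request counters for the TPS technique (added example)."""

    def __init__(self, bindings: List[TpsBinding]):
        self.bindings = list(bindings)
        self.sec: Dict[tuple, Tuple[int, int]] = {}        # key -> (second index, count)
        self.span: Dict[tuple, Tuple[int, int, int]] = {}  # key -> (span index, current, previous)

    def record(self, now_ms: int, host: str, path: str):
        """Count one request; return (verdict, logs) where verdict is 'Allow' or a bot action."""
        logs = []
        for idx, b in enumerate(self.bindings):
            key = (idx, host if b.type == "Host" else path)

            sec_idx = now_ms // SECOND_MS
            prev_sec, count = self.sec.get(key, (sec_idx, 0))
            count = count + 1 if prev_sec == sec_idx else 1      # new second: restart the count
            self.sec[key] = (sec_idx, count)

            span_idx = now_ms // SPAN_MS
            s_idx, cur, prev = self.span.get(key, (span_idx, 0, 0))
            if s_idx != span_idx:
                prev = cur if s_idx == span_idx - 1 else 0    # a gap of a whole span leaves no baseline
                cur = 0
            cur += 1
            self.span[key] = (span_idx, cur, prev)

            violation = None
            if count > b.fixed_threshold:
                violation = f"{count} req/s > {b.fixed_threshold}"
            elif prev > 0:                                    # no baseline yet: skip the % check
                pct = (cur - prev) * 100.0 / prev
                if pct > b.pct_threshold:
                    violation = f"+{pct:.0f}% over previous 30 min > {b.pct_threshold:.0f}%"
            if violation:
                if b.response in ("Action and Log", "Log"):
                    logs.append(f"TPS {b.type}={key[1]} {violation}")
                if b.response == "Action and Log":
                    return b.action, logs
        return "Allow", logs


def demo() -> List[str]:
    monitor = TpsMonitor([TpsBinding("Host", fixed_threshold=2, pct_threshold=50.0)])
    verdicts = []
    # Burst: three requests inside one second trip the fixed threshold on the third.
    for t in (0, 10, 20, 1500):
        verdicts.append(monitor.record(t, "shop.example", "/")[0])
    # Next 30-minute span: baseline is the 4 requests above; the 7th request of the
    # new span is a 75% increase and trips the 50% threshold (the 6th is exactly 50%).
    for k in range(7):
        verdicts.append(monitor.record(SPAN_MS + k * 2000, "shop.example", "/")[0])
    return verdicts


if __name__ == "__main__":
    print(demo())
```

The fixed threshold is checked first, so a burst is caught on the request that exceeds it regardless of the span history; the percentage check only engages once a previous span exists to compare against.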

CAPTCHA

CAPTCHA is an acronym that stands for “Completely Automated Public Turing test to tell Computers and Humans Apart”. CAPTCHA is designed to test whether incoming traffic is from a human user or an automated bot, and helps block automated bots that cause security violations against web applications. In CWAAP, CAPTCHA uses the challenge-response module to verify that the incoming traffic is from a human user and not an automated bot.

Note:

Only one binding is allowed per URL. If a binding exists for a URL, and another binding is configured for the same URL, the previous binding information is removed. You can configure only up to 30 bindings per bot profile.

Configure CAPTCHA protection technique by using the CWAAP GUI:

  1. In the CAPTCHA section, Click Add.
  2. In the Add to CAPTCHA Bindings page, set the following parameters:

    1. Wait Time – The time allowed for the client to send the CAPTCHA response. Allowable range is 10–60 (seconds).
    2. Grace Period – The period after the current CAPTCHA response is sent during which no new challenge is sent.
      1. Allowable range is 60–900 (seconds).
    3. Mute Period – The period to wait after an incorrect CAPTCHA response is received, during which no additional requests from the client are accepted.
      1. Allowable range is 60–900 (seconds).
    4. Request Length – The maximum size of the request body for which the CAPTCHA challenge is sent to the client. If the request body length exceeds the configured Request Length, the request is dropped.
      1. Allowable range is 10–30,000 (bytes).
    5. Retry Attempts – The number of retry attempts that are allowed.
      1. Allowable range is 1–10.
    6. Select the Response and corresponding Action (if applicable).
  3. Click Commit.
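The five CAPTCHA parameters above interact as a per-client state machine: a challenge that must be answered within Wait Time, a Grace Period after a correct answer, a Mute Period once Retry Attempts are used up, and a Request Length above which the request is dropped instead of challenged. The following Python is an added example, not CWAAP code: it validates each parameter against the allowable ranges listed above, enforces the one-binding-per-URL rule and the 30-binding limit from the note, and uses a constant puzzle supplied by the caller (a constructed stand-in for a real CAPTCHA generator). Treating Retry Attempts as the number of wrong answers tolerated before muting is an interpretation of this example.

```python
from dataclasses import dataclass
from typing import Callable, Dict, Iterable, Optional, Tuple

MAX_BINDINGS = 30   # per-profile limit from the note above
RANGES = {          # allowable ranges listed above
    "wait_time": (10, 60), "grace_period": (60, 900), "mute_period": (60, 900),
    "request_length": (10, 30000), "retry_attempts": (1, 10),
}


@dataclass
class CaptchaBinding:
    url: str
    wait_time: int = 30          # s: time the client has to answer a challenge
    grace_period: int = 300      # s: after a correct answer, no new challenge
    mute_period: int = 300       # s: client ignored after exhausting its retries
    request_length: int = 30000  # bytes: larger request bodies are dropped at challenge time
    retry_attempts: int = 3      # wrong answers tolerated before the client is muted

    def __post_init__(self):
        for name, (lo, hi) in RANGES.items():
            value = getattr(self, name)
            if not lo <= value <= hi:
                raise ValueError(f"{name}={value} outside allowable range {lo}-{hi}")


@dataclass
class ClientState:
    expected: Optional[str] = None   # answer of the outstanding challenge, if any
    issued_at: float = 0.0
    failures: int = 0
    solved_at: Optional[float] = None
    muted_until: float = 0.0


class CaptchaGate:
    """Challenge-response state machine for the CAPTCHA parameters above (added example)."""

    def __init__(self, bindings: Iterable[CaptchaBinding],
                 make_challenge: Callable[[], Tuple[str, str]]):
        self.bindings: Dict[str, CaptchaBinding] = {}
        for b in bindings:
            self.bindings[b.url] = b     # one binding per URL: a later one replaces the earlier
        if len(self.bindings) > MAX_BINDINGS:
            raise ValueError(f"at most {MAX_BINDINGS} CAPTCHA bindings per profile")
        self.make_challenge = make_challenge   # returns (puzzle shown to client, expected answer)
        self.state: Dict[str, ClientState] = {}

    def handle(self, now: float, client: str, url: str, body_len: int = 0,
               answer: Optional[str] = None) -> Tuple[str, Optional[str]]:
        """Return ("Pass" | "Drop" | "Challenge", puzzle-or-None) for one request."""
        b = self.bindings.get(url)
        if b is None:
            return "Pass", None                            # URL not under CAPTCHA
        st = self.state.setdefault(client, ClientState())
        if now < st.muted_until:
            return "Drop", None                            # mute period still running
        if st.solved_at is not None and now - st.solved_at < b.grace_period:
            return "Pass", None                            # within the grace period
        if body_len > b.request_length:
            return "Drop", None                            # body too large to challenge
        if answer is not None and st.expected is not None:
            if now - st.issued_at > b.wait_time:
                return self._challenge(now, st)            # answered too late: fresh challenge
            if answer == st.expected:
                st.expected, st.failures, st.solved_at = None, 0, now
                return "Pass", None
            st.failures += 1                               # wrong answer
            if st.failures >= b.retry_attempts:            # retries exhausted: mute the client
                st.muted_until = now + b.mute_period
                st.expected, st.failures = None, 0
                return "Drop", None
        return self._challenge(now, st)

    def _challenge(self, now: float, st: ClientState) -> Tuple[str, str]:
        puzzle, st.expected = self.make_challenge()
        st.issued_at = now
        return "Challenge", puzzle


def demo():
    gate = CaptchaGate(
        [CaptchaBinding("/login", wait_time=30, grace_period=120, mute_period=60,
                        request_length=1024, retry_attempts=2)],
        make_challenge=lambda: ("type the word: robot", "robot"),   # constructed stand-in
    )
    return [
        gate.handle(0, "c1", "/home")[0],                      # not protected: Pass
        gate.handle(0, "c1", "/login")[0],                     # Challenge
        gate.handle(5, "c1", "/login", answer="robot")[0],     # correct: Pass
        gate.handle(100, "c1", "/login")[0],                   # within grace: Pass
        gate.handle(130, "c1", "/login")[0],                   # grace over: Challenge
        gate.handle(131, "c1", "/login", answer="x")[0],       # wrong #1: Challenge again
        gate.handle(132, "c1", "/login", answer="x")[0],       # wrong #2: muted, Drop
        gate.handle(150, "c1", "/login")[0],                   # still muted: Drop
        gate.handle(200, "c1", "/login")[0],                   # mute over: Challenge
        gate.handle(200, "c2", "/login", body_len=4096)[0],    # over request_length: Drop
    ]


if __name__ == "__main__":
    print(demo())
```

The client identifier is whatever the deployment keys CAPTCHA state on (typically the session); the grace period is what keeps a human from being re-challenged on every request, while the mute period bounds how fast an automated solver can keep guessing.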

Click Save to apply the configuration to the policy.
