Azion Bot Manager
Azion Bot Manager uses advanced intelligent algorithms that allow machine learning and Reputation Intelligence to analyze the behavior of incoming data. This enables the detection of suspicious traffic and bad bots, facilitating the implementation of preventive measures against malicious activities such as credential stuffing, vulnerability scanning, and site scraping.
This Edge Firewall add-on assigns a score to every request based on rules, behaviors, and Reputation Intelligence. If the score is equal to or higher than a predetermined threshold, Bot Manager executes the predefined action.
By using Bot Manager, you can:
- Enhance user experience
  - Reducing the impact of bots on the entire infrastructure.
  - Providing bot protection by IP reputation.
  - Defining custom rule management to act on individual bots based on previous content extraction activity from requests.
- Increase visibility
  - Measuring the amount and characteristics of the bot traffic trying to access your website, APIs, and applications.
  - Using the observability tools provided by Azion to monitor the malicious activity.
  - Combining other integrations to enhance Bot Manager efficiency, through the use of fingerprint, captchas, JavaScript injection, or SDKs, to create robust rules.
- Reduce financial risk
  - Protecting your website and applications against credential abuse, card balance verification, and other forms of online fraud.
Implementation
Azion provides the Bot Manager add-on, a comprehensive solution for bot management. Contact the Sales team for more details on the Bot Manager subscription.
A lite version is also available in the Marketplace.
How Azion Bot Manager works
At a high level, Azion Bot Manager works this way:
- A request reaches a domain using Bot Manager.
- Edge Firewall receives the request.
- Bot Manager starts all the analytics processes, including:
  - Retrieving the request data, including device, browser, and network data, and fingerprint, among others.
  - Identifying and classifying the request according to advanced intelligent algorithms and Reputation Intelligence.
  - Defining the behavior according to the rules engine criteria.
- Bot Manager assigns a score to the request.
- If the score is equal to or higher than the predetermined threshold, the predefined preventive action is executed.
Bot Manager is able to execute 7 different actions whenever the request’s score is greater than or equal to the defined threshold:
- allow: allows the continuation of the request.
- deny: delivers a standard Status Code 403 response.
- drop: terminates the request without a response to the user.
- redirect: allows the request to be redirected to a new URL/location when the security threshold is reached.
- custom_html: allows customized HTML content to be delivered to the user in case of a threshold violation.
- random_delay: makes the function wait for a random period between 1 and 10 seconds before allowing the request to proceed.
- hold_connection: holds the request, keeping the connection open for 1 minute before dropping it.
All these actions can be configured for web and mobile applications, as well as APIs, offering protection in different environments.
Use cases
Bot Manager was developed by Azion to address use cases involving common practices of malicious bots and traffic.
- Reputation Intelligence
- Bot attacking
- Account takeover
- Credential stuffing
- Vulnerability scanning
- Brute force attacks
- Web scraping
Features
Azion Bot Manager is composed of different features that you can take advantage of.
Reputation Intelligence
By using Reputation Intelligence, Bot Manager establishes an additional security perimeter, cataloging the inbound and outbound traffic, based on Network Lists, maintained and constantly updated by Azion. Through these lists, Bot Manager is able to identify the profile of each request trying to reach your site.
Network Lists used by Bot Manager include criteria such as:
- Tor Exit Nodes
- Reputation
- Proxies
- Malware
- Fraud
Bot classification
Based on the scores and Reputation Intelligence, Bot Manager is able to classify different types of bots and traffic.
- Legitimate traffic: This category is assigned to requests that don’t match either “good bot” or “bad bot” criteria. It typically refers to regular user traffic (non-bots) showing legitimate access patterns without signs of automation or suspicious behavior.
- Good bots: Identified based on known and trusted User-Agents. These bots are classified as “good” when their User-Agent matches an allowed bot category, like the following ones:
  - Social network bot
  - Monitoring bot
  - Aggregator bot
  - Enterprise bot
  - Search engine bot
- Bad Bots: Classified when identifying suspicious or malicious User-Agents, missing or unusual header patterns, and anomalous behaviors like automation attempts. Bad bots fail to meet “good bot” criteria and show signs of malicious activities.
The following table describes the possible classification values and categories (attack types) of Bot Manager and how they are identified, as they can be seen in Real Time Metrics:
classified | botCategory | Identification Method |
---|---|---|
Good Bot | Good Bot | Identified by specific User-Agents associated with social networks, content aggregators, monitoring bots and search engines. |
Bad Bot | Bad Bot Signatures | Detected through User-Agents known for malicious behavior. Includes checking malicious User-Agent signatures and analyzing missing or anomalous headers. |
Bad Bot | Scripted Bots | Identified by suspicious User-Agents that typically indicate automation, such as “headless” or “dalvik”. Also considers unusual User-Agent length. |
Bad Bot | Malicious Browser Behavior | Based on suspicious behaviors, such as missing or forged essential cookies, missing required HTTP headers, and cookie validation failures. |
Bad Bot | Malicious Intent Detected | Uses checks of unusual HTTP headers and methods, like TRACE, to detect potentially malicious intent. |
Bad Bot | Reputation Intelligence | Analyzes user IP addresses against known reputation lists to identify IPs with history of suspicious network activity. |
Bad Bot | Brute Force | Detected based on high frequency of login attempts, IP address variations, and error patterns indicating credential discovery attempts. |
Bad Bot | Scraping | Identified by high URL access variability and request frequency, indicating mass data extraction attempts. |
Bad Bot | Crawling | Detected based on URL variation patterns and request frequency typical of content crawlers systematically navigating websites. |
Bad Bot | Credential Stuffing | Detected by frequency of login attempts, error patterns, and multiple account access attempts typical of credential stuffing attacks. |
Bad Bot | Credential Cracking | Detected by request frequency and specific error patterns indicating password cracking attempts. |
Bad Bot | Account Takeover | Detected by anomalous request patterns and high geographic variation typical of account takeover attempts. |
Legitimate | Non-Bot Like | Classification assigned when no suspicious behavior or bot pattern is identified. |
Under Evaluation | Under Evaluation | When there is insufficient data for complete classification, traffic is placed “under evaluation” until more information becomes available. |
Device identification
Bot Manager leverages advanced techniques to identify and distinguish between legitimate devices and potentially malicious bots attempting to access your digital assets. It’s capable of generating a user ID for each device.
To further enhance its protective capabilities, it allows for the incorporation of additional security layers through other integrations and resources, such as SDKs, JavaScript injection, and Fingerprint to collect more granular data.
Redirect
One of the actions Bot Manager is able to execute is redirect. It allows the request to be redirected to a new URL/location, specified in the JSON args, when the security threshold is reached.
Custom HTML
Bot Manager allows customized HTML content to be delivered to the user in case of a threshold violation, thanks to the custom_html action. You can create a custom message to exhibit to users in case of threshold violation.
Delayed response
This action allows for introducing delays in responses in cases where bots attempt to make requests. It increases the cost of the attack by holding the attacker for a longer time in a request that won’t return a valid response, thereby increasing the probability that the attacker will abort or give up on the attack.
Modes
Azion Bot Manager allows you to define the environment in which the function is expected to run. The possible modes are API and web application. The default mode is web. If any value other than the string api (case-sensitive, in lowercase) is provided, the web mode will be used as the default configuration.
By enabling the api mode, no Set-Cookie will be executed, and any rules related to the use of cookies in Bot Manager will be ignored.
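The following added example, which is not Azion's code, models the score and threshold decision together with the mode fallback described above, using a few of the signals named in the classification table. The weights, the User-Agent length limits, the cookie name example_session, and the config field names are assumptions made for illustration.

```javascript
// Added illustration: weights, limits and the cookie name are assumptions.
const SIGNALS = [
  { name: "scripted_user_agent", weight: 40, cookieRule: false,
    hit: (r) => /headless|dalvik/i.test(r.headers["user-agent"] || "") },
  { name: "unusual_user_agent_length", weight: 20, cookieRule: false,
    hit: (r) => {
      const n = (r.headers["user-agent"] || "").length;
      return n < 10 || n > 512;
    } },
  { name: "unusual_method", weight: 50, cookieRule: false,
    hit: (r) => r.method === "TRACE" },
  { name: "missing_essential_cookie", weight: 30, cookieRule: true,
    hit: (r) => !/(^|;\s*)example_session=/.test(r.headers["cookie"] || "") },
];

// Only the exact lowercase string "api" selects API mode; anything else is web.
function resolveMode(mode) {
  return mode === "api" ? "api" : "web";
}

function evaluate(request, config) {
  const mode = resolveMode(config.mode);
  const matched = SIGNALS
    .filter((s) => !(mode === "api" && s.cookieRule)) // cookie rules ignored in api mode
    .filter((s) => s.hit(request));
  const score = matched.reduce((sum, s) => sum + s.weight, 0);
  // The action runs when the score is equal to or higher than the threshold;
  // null means no action was triggered and the request continues.
  const action = score >= config.threshold ? config.action : null;
  return { mode, score, signals: matched.map((s) => s.name), action };
}

// Constructed sample requests (not real traffic).
const apiClient = { method: "GET",
  headers: { "user-agent": "acme-mobile/4.2 (iOS 17.4)" } };
const headless = { method: "GET", headers: {
  "user-agent": "Mozilla/5.0 (X11; Linux x86_64) HeadlessChrome/120.0.0.0",
  "cookie": "example_session=abc123" } };

const base = { threshold: 30, action: "deny" };
console.log(evaluate(apiClient, { ...base, mode: "api" })); // cookie rule skipped
console.log(evaluate(apiClient, { ...base, mode: "API" })); // falls back to web
console.log(evaluate(headless, { ...base, mode: "web" }));
```

The second call shows why the mode value deserves a review: a cookie-less API client configured with "API" instead of "api" is evaluated in web mode, picks up the cookie rule, and reaches the threshold.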
Logs
The requests will generate logs that can be seen in Real-Time Events and Data Stream. By analyzing the logs generated by Bot Manager, you can get insights to understand if any changes in the function instance’s JSON Args are needed.
You can also check the Bot Manager graphs in Real-Time Metrics.
Additional resources
SDKs
Azion Bot Manager can work together with Software Development Kits (SDKs), for both Android and iOS systems, allowing you to customize and tailor security protocols to meet the specific needs of your mobile applications. With SDKs and Bot Manager, you can implement fine-grained controls, address application-specific vulnerabilities, and adapt to evolving threats more effectively.
You can use SDKs to track mobile devices and identify behaviors (such as touching the screen) and device data (model, manufacturer, operating system, etc.) to use as insights for Bot Manager to detect and mitigate malicious threats.
JavaScript injection
When the JavaScript file is inserted in your edge application, it collects data on the actions made by the device used in a request. It’s available for use with web browsers. With JavaScript injection, more data will be collected, such as manufacturer and hardware used, to execute request rules.
This data can be used to create more robust rules and behaviors on the Bot Manager args in order to detect and mitigate threats more effectively.
Rate Limiting
Rate limiting integration establishes thresholds for the number of requests a user or system can make within a specified timeframe, effectively mitigating the impact of brute force attacks or excessive bot activities. By working jointly with rate limiting, the bot management measures gain an additional layer of defense against automated threats.
Fingerprint
A set of information (IP, User-Agent header) creates a hash for devices accessing your edge applications. The information is gathered by tracing the device’s session and provides a more accurate detailing of the request’s device, increasing the precision of Bot Manager logs.
If you use Fingerprint with Bot Manager, you can also enable the use of Azion Real-Time Metrics to query, via GraphQL API, consolidated data related to the access to the application protected by Bot Manager. This facilitates the identification of patterns, and you can use this intelligence to optimize the rules. With this feature, you can define a threshold and take a specific action when the threshold is violated and the device or user is identified as malicious, based on the fingerprint data.
Captcha
By using the redirect action, the defined URL/location can contain a Captcha integration to add an additional security layer. It helps you to increase security and malicious traffic detection by challenging every request that previously violated a threshold, to guarantee that it is legitimate.
Custom rules
Azion will provide you with easy-to-go configurations that should be enough for most cases. If you need a more detailed configuration, you can add new custom rules based on your business needs. It’s also possible to add more criteria and behaviors to be executed by the Rules Engine, building more comprehensive responses to possible attacks.