Manual Chapter : Creating Bot Defense Profiles

Applies To:

BIG-IP ASM

  • 17.1.1, 17.1.0, 17.0.0, 16.1.4, 16.1.3, 16.1.2, 16.1.1, 16.1.0, 16.0.1, 16.0.0, 15.1.9, 15.1.8, 15.1.7, 15.1.6, 15.1.5, 15.1.4, 15.1.3, 15.1.2, 15.1.1, 15.1.0, 15.0.1, 15.0.0, 14.1.5, 14.1.4, 14.1.3, 14.1.2, 14.1.0

Creating Bot Defense Profiles

About bot signatures

Bot signatures identify web robots by looking for specific patterns in the headers of incoming HTTP requests. Bot detection includes many signatures that identify bots, and you can also write your own for customized bot defense.
Bot signatures carefully identify bots and have a low rate of producing false positive results. The signatures identify the type of bot for classification and investigative purposes, and can distinguish between benign and malicious bots.
Benign bots can be useful for providing Internet services such as search engine bots, index crawlers, site monitors, and those used to establish availability and response time. Some environments may not want to block benign bot traffic. But attackers use malicious bots for more harmful purposes such as harvesting email addresses, producing spam, and developing exploitation tools. You may want to block malicious bots because they can orchestrate DoS attacks, waste internet resources, and search for vulnerabilities to exploit in your application.
Being able to classify bots allows you to treat them differently. You can report, block, or do nothing when a signature matches a malicious or benign bot. Further, malicious and benign bots fall into more specific bot signature categories that can be handled as needed. You can create new categories if needed for custom bot signatures.

Creating a bot defense profile

Because this defense mechanism uses reverse lookup, you need to configure a DNS Server (System > Configuration > Device > DNS) and a DNS Resolver (Network > DNS Resolver > DNS Resolver List) for it to work. The DNS Resolver must use the default route domain in its Route Domain Name field. If you are not sure of the default route domain, you can check it under Network > Route Domains. The Partition Default field is defined as Yes for the default route domain.
You can configure Application Security Manager (ASM) to protect your web site against attacks by bots before the attacks occur. Bot defense checks all traffic (except whitelisted URLs) coming to the web site, not simply suspicious traffic. Bot defense uses a set of JavaScript evaluations and bot signatures to make sure that browsers visiting your web site are legitimate.
This task describes how to create a bot defense profile using the bot defense system default configurations. The enforcement mode is Transparent, meaning that violations are logged but not mitigated. The profile template is Balanced, meaning that browser verification is performed after access and device IDs are generated after access.
  1. On the Main tab, click Security > Bot Defense > Bot Defense Profiles.
  2. Click Create.
    The Bot Profile Configuration screen opens on the General Settings tab.
  3. Enter the Profile Name and click Create.
You have now configured a bot defense profile.
After you have configured a bot defense profile, you must assign it to a virtual server. Only then will bot defense protection begin on network traffic.

Assigning a bot defense profile to a virtual server

Before beginning to configure bot defense logging, ensure that you have configured a remote publisher. The logging format is Splunk (comma-separated key value pairs).
  1. On the Main tab, click Security > Event Logs > Logging Profiles > Create New Logging Profile.
  2. Enter a Profile Name and enable Bot Defense.
  3. In the Bot Defense tab, select the desired Remote Publisher.
    The recommended configuration is:
    • Log Requests by Classification: Unknown enabled
    • Log Requests by Mitigation Action: all enabled except None.
  4. Click Create to save the configuration.
  5. On the Main tab, click Local Traffic > Virtual Servers > Virtual Server List and select the virtual server to associate the bot defense logging to.
  6. Click Security > Policies.
  7. Under Policy Settings, for Bot Defense Profile, select Enabled and select the bot defense profile from the menu.
  8. In the Log Profile section, select local-bot-defense and the remote bot defense logging you created from the Available list and move it to the Selected list.
  9. Click Update to save the Policy Settings.
You can view the bot defense traffic by navigating to Security > Event Logs > Bot Defense > Bot Traffic.
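The remote logging configured above emits comma-separated key value pairs, which can be tallied offline while the profile is in Transparent mode. The following is an added example, not part of the F5 manual: a small parser and summary for such records. The field names (client_ip, bot_name, classification, mitigation_action, signature_staged) and the sample records are constructed assumptions, not the documented BIG-IP log schema; map them to the keys your remote publisher actually receives.

```python
import re
from collections import Counter, defaultdict

# Constructed sample records. Field names and values are illustrative
# assumptions, not the documented BIG-IP bot defense log schema.
SAMPLE_LOG = """\
client_ip="198.51.100.7",uri="/login",bot_name="Example Crawler, v2",classification="Unknown",mitigation_action="Alarm",signature_staged="true"
client_ip="198.51.100.7",uri="/search?q=a,b",bot_name="Example Crawler, v2",classification="Unknown",mitigation_action="Alarm",signature_staged="true"
client_ip="203.0.113.9",uri="/",bot_name="Example Site Monitor",classification="Benign Bot",mitigation_action="None",signature_staged="false"
client_ip="192.0.2.44",uri="/api",bot_name="Example Scraper",classification="Malicious Bot",mitigation_action="Alarm",signature_staged="false"
"""

# Matches key="quoted value" (may contain commas or escaped quotes) or key=bare.
PAIR_RE = re.compile(r'(\w+)=(?:"((?:[^"\\]|\\.)*)"|([^,]*))')


def parse_line(line):
    """Parse one comma-separated key=value record into a dict."""
    record = {}
    for match in PAIR_RE.finditer(line):
        key, quoted, bare = match.groups()
        if quoted is not None:
            record[key] = quoted.replace('\\"', '"')
        else:
            record[key] = bare.strip()
    return record


def summarize(lines):
    """Tally requests per (classification, action) and per staged signature."""
    by_class_action = Counter()
    staged_hits = Counter()
    staged_clients = defaultdict(set)  # distinct source IPs per staged signature
    for line in lines:
        if not line.strip():
            continue
        rec = parse_line(line)
        key = (rec.get("classification", "?"), rec.get("mitigation_action", "?"))
        by_class_action[key] += 1
        if rec.get("signature_staged") == "true":  # hypothetical field
            name = rec.get("bot_name", "?")
            staged_hits[name] += 1
            staged_clients[name].add(rec.get("client_ip", "?"))
    return by_class_action, staged_hits, staged_clients


if __name__ == "__main__":
    totals, hits, clients = summarize(SAMPLE_LOG.splitlines())
    for (cls, action), count in sorted(totals.items()):
        print(f"{cls:15} {action:8} {count}")
    for name, count in hits.most_common():
        print(f"staged {name!r}: {count} hits from {len(clients[name])} client(s)")
```

The per-signature hit and client counts give a quick view of how much traffic a staged signature would affect before you enforce it.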

Enforcing staged bot signatures

Signatures that are updated by Live Update are moved to staging. Requests that match signatures in staging are logged but not mitigated. You need to periodically review Signature Enforcement and choose which signatures to enforce to maintain optimum bot defense.
  1. On the Main tab, click Security > Bot Defense > Bot Defense Profiles.
  2. Click the name of the profile with Signature Staging upon Update enabled and then click the Signature Enforcement tab.
  3. Review the number of signatures ready to be enforced; select those you want to enforce and click Enforce.