Manual Chapter : Creating Bot Defense Profiles

Applies To:

BIG-IP ASM

  • 15.0.1, 15.0.0, 14.1.2, 14.1.0
Creating Bot Defense Profiles

About bot signatures

Bot signatures identify web robots by looking for specific patterns in the headers of incoming HTTP requests. Bot detection includes many signatures that identify bots, and you can also write your own for customized bot defense.

Bot signatures carefully identify bots and have a low rate of producing false positive results. The signatures identify the type of bot for classification and investigative purposes, and can distinguish between benign and malicious bots.

Benign bots provide useful Internet services; examples include search engine bots, index crawlers, site monitors, and bots used to establish availability and response time. Some environments may not want to block benign bot traffic. Attackers, however, use malicious bots for more harmful purposes such as harvesting email addresses, producing spam, and developing exploitation tools. You may want to block malicious bots because they can orchestrate DoS attacks, waste Internet resources, and search for vulnerabilities to exploit in your application.

Being able to classify bots allows you to treat them differently. You can report, block, or do nothing when a signature matches a malicious or benign bot. Further, malicious and benign bots fall into more specific bot signature categories that can be handled as needed. You can create new categories if needed for custom bot signatures.

Creating a bot defense profile

Because this defense mechanism uses reverse lookup, you need to configure a DNS Server (System > Configuration > Device > DNS) and a DNS Resolver (Network > DNS Resolver > DNS Resolver List) for it to work.

You can configure Application Security Manager (ASM) to protect your web site against attacks by bots before the attacks occur. Bot defense checks all traffic (except whitelisted URLs) coming to the web site, not simply suspicious traffic. Bot defense uses a set of JavaScript evaluations and bot signatures to make sure that browsers visiting your web site are legitimate.

This task describes how to create a bot defense profile using the bot defense system default configurations. The enforcement mode is Transparent, meaning that violations are logged but not mitigated, and the profile template is Balanced, meaning that browser verification takes place after access and device IDs are generated after access.
  1. On the Main tab, click Security > Bot Defense > Bot Defense Profiles.
  2. Click Create.
    The Bot Profile Configuration screen opens on the General Settings tab.
  3. Enter the Profile Name and click Create.
You have now configured a bot defense profile.
After you have configured a bot defense profile, you must assign it to a virtual server. Only then will bot defense protection begin on network traffic.

Assigning a bot defense profile to a virtual server

Before beginning to configure bot defense logging, ensure that you have configured a remote publisher. The logging format is Splunk (comma-separated key-value pairs).
  1. On the Main tab, click Security > Event Logs > Logging Profiles > Create New Logging Profile.
  2. Enter a Profile Name and enable Bot Defense.
  3. In the Bot Defense tab, select the desired Remote Publisher.
    The recommended configuration is:
    • Log Requests by Classification: Unknown enabled
    • Log Requests by Mitigation Action: all enabled except None.
  4. Click Create to save the configuration.
  5. On the Main tab, click Local Traffic > Virtual Servers > Virtual Server List and select the virtual server with which you want to associate the bot defense logging.
  6. Click Security > Policies.
  7. Under Policy Settings, for Bot Defense Profile, select Enabled and select the bot defense profile from the menu.
  8. In the Log Profile section, select local-bot-defense and the remote bot defense logging you created from the Available list and move it to the Selected list.
  9. Click Update to save the Policy Settings.
You can view the bot defense traffic by navigating to Security > Event Logs > Bot Defense > Bot Traffic.
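
One way to triage the remote log stream configured above, added here as an example and not F5's own code: it parses comma-separated key="value" records without breaking on commas inside quoted values, then counts requests by classification and mitigation action. The field names (`client_ip`, `uri`, `user_agent`, `classification`, `mitigation_action`), the quoting style, and the sample values are assumptions; adjust them to the records your remote publisher actually receives.

```python
import re
from collections import Counter

# Constructed sample records. Field names and values are assumptions for
# illustration, not the documented BIG-IP log schema.
SAMPLE_LINES = [
    'client_ip="198.51.100.7",uri="/login",user_agent="Mozilla/5.0 (X11) AppleWebKit/537.36 (KHTML, like Gecko)",classification="Unknown",mitigation_action="Alarm"',
    'client_ip="203.0.113.20",uri="/search",user_agent="ExampleCrawler/1.0",classification="Benign Bot",mitigation_action="Alarm"',
    'client_ip="198.51.100.7",uri="/cart",user_agent="curl/7.64.0",classification="Unknown",mitigation_action="Block"',
    'client_ip="192.0.2.44",uri="/a,b",user_agent="scanner",classification="Malicious Bot",mitigation_action="Block"',
]

# key="quoted value" or key=bare_value, terminated by a comma or end of line.
PAIR = re.compile(r'(\w+)=(?:"((?:[^"\\]|\\.)*)"|([^,]*))(?:,|$)')


def parse_line(line):
    """Parse one record into a dict without splitting on commas inside quotes."""
    record, pos = {}, 0
    line = line.strip()
    while pos < len(line):
        match = PAIR.match(line, pos)
        if match is None:
            raise ValueError(f"malformed key/value pair at offset {pos}")
        key, quoted, bare = match.groups()
        record[key] = quoted if quoted is not None else bare
        pos = match.end()
    return record


def summarize(lines):
    """Count records per (classification, action) and per Unknown client."""
    by_outcome, unknown_clients = Counter(), Counter()
    for line in lines:
        rec = parse_line(line)
        by_outcome[(rec.get("classification"), rec.get("mitigation_action"))] += 1
        if rec.get("classification") == "Unknown":
            unknown_clients[rec.get("client_ip")] += 1
    return by_outcome, unknown_clients


if __name__ == "__main__":
    outcomes, unknown = summarize(SAMPLE_LINES)
    for (classification, action), count in sorted(outcomes.items()):
        print(f"{classification:14} {action:6} {count}")
    print("Unknown-classified clients:", unknown.most_common())
```

Clients that repeatedly appear with classification Unknown are the ones to review first when deciding whether a custom bot signature is needed.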

Enforcing bot signatures

Signatures that are updated by Live Update are moved to staging. Requests that match signatures in staging are logged but not mitigated. You need to periodically review Signature Enforcement and choose which signatures to enforce to maintain optimum bot defense.
  1. On the Main tab, click Security > Bot Defense > Bot Defense Profiles.
  2. Click the name of the profile with Signature Staging upon Update enabled and then click the Signature Enforcement tab.
  3. Review the number of signatures ready to be enforced; select those you want to enforce and click Enforce.