Bot

A bot is a software program that automatically performs certain actions over and over at a much faster rate than a human. Bots make up over 35 percent of your web traffic, and 80 percent of organizations suffer from bot attacks. Bots can interact with a webpage, submit forms, click links, scan text, or download content. Bots can even access videos, post comments, and tweet on social media platforms. Some bots can even hold basic conversations with human users. These bots are known as chatbots.

Bots that perform a helpful service, such as customer service, chatbots, and search engine crawlers, are known as good bots. Some malicious bots can scrape or download content from a website, steal user credentials, spread spam content, and perform various other kinds of cyberattacks. These malicious bots are known as bad bots. It is essential to identify bad bots and protect your appliance from advanced security attacks. You can achieve this using a bot management system.

For more information on Bot, see Bot Management.

Configure Bot detection techniques in Citrix ADC

In Citrix ADC, you can configure bot detection techniques to detect incoming bot traffic. The following are the bot detection techniques that you can configure on a Citrix ADC instance:

  • Allow List. This rule has a list of URLs and policy expressions to evaluate whether a specific set of good bots can access your web resource.

  • Block List. This rule has a list of URLs and policy expressions to evaluate if a specific set of bad bots can access your website.

  • IP reputation. This rule detects whether the incoming bot traffic comes from a malicious IP address.

  • Device fingerprinting. This rule detects whether the incoming bot traffic has a device fingerprint ID in the incoming request header and browser attributes of the incoming client bot traffic.

  • Rate limiting. This rule rate limits multiple requests coming from the same client.

  • Signatures. This rule detects and blocks bots based on signature detection. It also prevents unauthorized URLs that scrape websites, brute-force logins, and bots that probe for vulnerabilities.

  • Bot traps. This rule detects bots accessing the script that is enabled on the webpage.

  • TPS. This rule detects the incoming traffic as bots if the maximum requests and the percentage increase in requests exceed the configured time interval.

For more information, see Configure Bot management.

Configure bot detection techniques in Citrix ADM

In Citrix ADM, you can:

  • Configure bot detection techniques and deploy them on ADC instances running build 13.0 36.27 or later with a premium license.

  • View bot analytics by enabling the Bot Security Violations option for the existing virtual servers configured with bot detection techniques either through StyleBook or directly from the ADC instance.

Along with the existing StyleBook configuration, this enhancement further simplifies the process to configure the bot detection techniques and deploy on the ADC instances.

  1. Navigate to Settings > Licensing & Analytics Configuration.

  2. Under Virtual Server Analytics Summary, click Configure Analytics.

  3. Select the virtual servers and click Enable Security & Analytics.

    Enable security and analytics

  4. In the Enable Security & Analytics page, under Security, click Bot Protections.

    Configure

  5. Select the bot options, configure, and click Deploy on ADC(s).

    Deploy

    A dialog box appears, stating that the current configuration replaces the existing configuration for the selected applications. Click Yes, continue.

    After the configuration is successfully deployed, the All Virtual Servers page shows the configuration details.

    Configuration details

    Click Bot Protections to view the configuration in read-only mode.

    Read-only mode

    You can also customize the global bot configuration details, such as:

    • Enable or disable the signature auto-update to get the latest signatures that provide better protection and traffic management from both good and bad bots.

    • Configure the trap URL that is effective in blocking attacks from automated bots.

  6. Under Advanced Settings (optional), click the Global BOT config to customize the settings, and then click Deploy on ADC(s).

    Global bot

    A dialog box appears, stating that the current configuration replaces the existing configuration for the selected applications. Click Yes, continue.

You can also edit configuration by selecting the virtual server from the All Virtual Servers page and clicking the Edit Security & Analytics option.

Edit configuration

Points to note:

  • You can also enable Bot Security Violations to view bot analytics for the virtual servers that are already configured with bot detection techniques.

  • If you edit a configuration, the edited configuration replaces the existing configuration and is applied to all applications.

  • You can delete the configuration. In the All Virtual Servers page, click Bot Protections from the Appsec Protection column, and click Delete Config.

    Delete configuration

  • If you delete a configuration, it also gets removed immediately from all virtual servers that are using the configuration.

Configure bot security violations in Citrix ADM

You can also continue to enable Bot Security Violations on the existing virtual servers that are already configured with bot detection techniques either through StyleBook or directly from the ADC instance to view bot insights in Citrix ADM.

To enable Bot Security Violations:

  1. Navigate to Infrastructure > Instances > Citrix ADC and select the instance type. For example, VPX.

  2. Select the instance and from the Select Action list, select Configure Analytics.

  3. Select the virtual server and click Enable Analytics.

  4. On the Enable Analytics window:

    1. Select Bot Security Violations

    2. Under Advanced Option, select Logstream.

      Bot-insight

    3. Click OK.

After enabling Bot Security Violations, navigate to Security > Security Violations. Under Bot, select the application and view details. For more details, see Application overview.

View events history

You can view the bot signature updates in the Events History, when:

  • New bot signatures are added in Citrix ADC instances.

  • Existing bot signatures are updated in Citrix ADC instances.

You can select the time duration in bot insight page to view the events history.

Events history

The following diagram shows how the bot signatures are retrieved from the AWS cloud and updated on Citrix ADC, and how the signature update summary is viewed on Citrix ADM.

Events scheduler

  1. The bot signature auto update scheduler retrieves the mapping file from the AWS URI.

  2. Checks the latest signatures in the mapping file against the existing signatures on the ADC appliance.

  3. Downloads the new signatures from AWS and verifies the signature integrity.

  4. Updates the existing bot signatures with the new signatures in the bot signature file.

  5. Generates an SNMP alert and sends the signature update summary to Citrix ADM.
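The update flow in steps 1 to 5 can be modeled as follows. This is an added sketch, not Citrix code: the mapping-file layout (a version and a SHA-256 digest per signature), the function names, and the sample signatures are all assumptions made for illustration.

```python
import hashlib

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def plan_update(mapping: dict, installed: dict) -> list:
    """Step 2: names whose mapping version is newer than the installed one."""
    return sorted(
        name for name, meta in mapping.items()
        if meta["version"] > installed.get(name, {}).get("version", 0)
    )

def apply_update(mapping: dict, installed: dict, fetch):
    """Steps 3-5: download, verify integrity, update, and build a summary.

    fetch(name) -> bytes stands in for the download from the remote store.
    A blob whose digest does not match the mapping file is rejected and the
    previously installed signature (if any) is left in place.
    """
    updated = dict(installed)
    summary = {"added": [], "updated": [], "rejected": []}
    for name in plan_update(mapping, installed):
        blob = fetch(name)
        if sha256_hex(blob) != mapping[name]["sha256"]:
            summary["rejected"].append(name)
            continue
        kind = "updated" if name in installed else "added"
        updated[name] = {"version": mapping[name]["version"], "rule": blob.decode()}
        summary[kind].append(name)
    return updated, summary

# Constructed sample data (hypothetical signature names and rule strings).
REMOTE = {"sig-crawler": b"ua~GoodCrawler/2", "sig-scraper": b"ua~ScrapeTool",
          "sig-probe": b"uri~/admin-probe"}
VERSIONS = {"sig-crawler": 2, "sig-scraper": 1, "sig-probe": 1}
MAPPING = {n: {"version": VERSIONS[n], "sha256": sha256_hex(REMOTE[n])} for n in REMOTE}
INSTALLED = {"sig-crawler": {"version": 1, "rule": "ua~GoodCrawler/1"},
             "sig-scraper": {"version": 1, "rule": "ua~ScrapeTool"}}

def tampered_fetch(name: str) -> bytes:
    """Simulates a corrupted download for one signature."""
    return REMOTE[name] + b"X" if name == "sig-probe" else REMOTE[name]

if __name__ == "__main__":
    print(apply_update(MAPPING, INSTALLED, REMOTE.__getitem__)[1])
    print(apply_update(MAPPING, INSTALLED, tampered_fetch)[1])
```

A digest taken from the mapping file only protects the download if the mapping file itself is retrieved over an authenticated channel.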

Advanced search

You can also use the search text box and time duration list, where you can view bot details as per your requirement. When you click the search box, the search box gives you the following list of search suggestions.

  • Instance-IP – Citrix ADC instance IP address

  • Client-IP – Client IP address

  • Bot-Type – Bot type such as Good or Bad

  • Severity – Severity of the bot attack

  • Action-Taken – Action taken after the bot attack such as Drop, No action, Redirect

  • Bot-Category – Category of the bot attack such as block list, allow list, fingerprint, and so on. Based on a category, you can associate a bot action to it

  • Bot-Detection – Bot detection types (block list, allow list, and so on) that you have configured on Citrix ADC instance

  • Location – Region/country where the bot attack has occurred

  • Request-URL – URL that has the possible bot attacks

You can also use operators in your search queries to narrow the focus of your search. For example, if you want to view all bad bots:

  1. Click the search box and select Bot-Type

  2. Click the search box again and select the operator =

  3. Click the search box again and select Bad

  4. Click Search to display the results

    Bot-search
