
Bot violation details

Note

  • You can also view the traffic pattern analytics, even if no violations are observed. For more information, see Behavior checks with no violations.

  • You can view the following Bot violations after you configure the advanced security analytics option. A virtual server is automatically enabled with a default profile if no profile is configured. For more information, see advanced security analytics.

Excessive Client Connections

When a client tries to access the web application, the client request is processed by the Citrix ADC appliance instead of connecting to the server directly. In some scenarios, attackers use automated bots to gain access to the application, or to make it unresponsive, by opening an unusually high number of connections.

Using the Excessive Client Connections indicator, you can analyze scenarios in which an application receives an unusually high number of client connections through bots.

[Image: Excessive client connections]

Under Event Details, you can view:

  • The affected application. You can also select the application from the list if two or more applications are affected with violations.

  • The sensitivity level, which you can change to low, medium, or high. The Edit Sensitivity option enables you to view and edit the existing behavior check profile or to create a new profile. For more information, see Configure behavior check profiles.

  • The graph indicating all violations

  • The violation occurrence time

  • The detection message for the violation, indicating the total number of IP addresses transacting with the application

  • The accepted range of IP addresses that the application can receive

Account Takeover

Some malicious bots can steal user credentials and perform various kinds of cyberattacks. These malicious bots are known as bad bots. It is essential to identify bad bots and protect your appliance from any form of advanced security attack.

After you configure the advanced security analytics option, you can use the Account Takeover indicator to analyze whether bad bots attempted to take over your account by sending multiple requests with credentials.

[Image: Account takeover]

Under Event Details, you can view:

  • The affected application. You can also select the application from the list if two or more applications are affected with violations.

  • The graph indicating all violations

  • The violation occurrence time

  • The detection message for the violation, indicating the total unusual failed login activity, successful logins, and failed logins

  • The bad bot IP address. Click to view details such as time, IP address, total successful logins, total failed logins, and total requests made from that IP address.

    [Image: Account takeover]

Account Takeover for Citrix Gateway

Note

The prerequisite to view Account Takeover for Citrix Gateway is to enable the Gateway Insight option. In Citrix ADM, Gateway Insight is automatically enabled for the licensed Gateway virtual servers of all managed Advanced or Premium Citrix Gateway instances. As an administrator, you can disable Gateway Insight for the auto-enabled virtual servers and manually enable it whenever required. For more information, see Auto-enabling Gateway Insight and Account Takeover for Citrix Gateway in the Release notes.

Many users have access to Citrix Gateway for remote access through VPN and also for accessing Citrix Virtual Apps and Desktops. The Citrix Gateway logon page for these users is accessible over the internet, which makes it an easy target for account takeover. Some malicious bots can steal user credentials and perform various kinds of cyberattacks such as credential stuffing and password spraying.

  • Credential stuffing – A cyberattack in which credentials obtained from a data breach at one service are used at another service to gain access.

  • Password spraying – A cyberattack in which the attacker or bot tries to gain unauthorized access to a service by guessing credentials repeatedly in a short period of time.

These malicious bots are known as bad bots. In Citrix ADM, you can analyze such unusual logon activity for Citrix Gateway. Using the Account Takeover for Citrix Gateway indicator, as an administrator, you can analyze whether bad bots have attempted to take over the Citrix Gateway account by sending multiple requests with credentials.

[Image: ATO]

Under Event Details, you can view:

  • The affected application. You can also select the application from the list if two or more applications are affected with violations.

  • The graph indicating details such as total requests, successful logins, and failed logins.

  • The violation occurrence time

  • The detection message for the violation, indicating the total unusual failed login activity, successful logins, and failed logins

  • The bad bot IP address. Click to view details such as time, client IP address, total successful logins, total failed logins, and total requests made from that IP address.

    [Image: Gateway clients]

Prerequisite

You must enable Gateway Insight to view the Account Takeover for Citrix Gateway violation.

  1. Navigate to Security > Security Violations and click the Settings icon.

  2. In the All Virtual Servers page:

    1. Select the Citrix Gateway virtual server and then click Enable Analytics.

      The Enable Analytics window is displayed.

    2. Select Gateway Insight.

    3. Click Save.

      [Image: Citrix Gateway]

Unusually High Upload Volume

Web traffic includes data that clients upload to the application. For example, if your average upload volume is 500 MB per day and 2 GB of data is uploaded, this can be considered an unusually high upload data volume. Bots can also upload data faster than humans can.

Using the Unusually High Upload Volume indicator, you can analyze abnormal scenarios of data being uploaded to the application through bots.

[Image: Unusually large upload volume]

Under Event Details, you can view:

  • The affected application. You can also select the application from the list if two or more applications are affected with violations.

  • The graph indicating all violations

  • The violation occurrence time

  • The detection message for the violation, indicating the total upload data volume processed

  • The accepted range of upload data to the application

Unusually High Download Volume

Similar to a high upload volume, bots can also download data faster than humans can.

Using the Unusually High Download Volume indicator, you can analyze abnormal scenarios of data being downloaded from the application through bots.

[Image: Unusually large download]

Under Event Details, you can view:

  • The affected application. You can also select the application from the list if two or more applications are affected with violations.

  • The graph indicating all violations

  • The violation occurrence time

  • The detection message for the violation, indicating the total download data volume processed

  • The accepted range of download data from the application

Unusually High Request Rate

You can control the incoming and outgoing traffic to or from an application. A bot attack can generate an unusually high request rate. For example, if you configure an application to allow 100 requests/minute and you observe 350 requests, this might indicate a bot attack.

Using the Unusually High Request Rate indicator, you can analyze the unusual request rate received by the application.

[Image: High request rate]

Under Event Details, you can view:

  • The affected application. You can also select the application from the list if two or more applications are affected with violations.

  • The graph indicating all violations

  • The violation occurrence time

  • The detection message for the violation, indicating the total requests received and the percentage by which the received requests exceed the expected requests

  • The accepted range of expected request rates for the application
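The upload, download and request-rate indicators above all compare an observed value with an accepted range and report how far it is out. The following Python is an added example, not Citrix ADM code: the excess-percentage formula ((observed - expected) / expected), the sliding-window rate counter, the allowed rate of 100 requests/minute, the accepted upload range built around the 500 MB/day average, and the constructed timestamp lists are all assumptions made for illustration.

```python
"""Accepted-range checks for request rate and transfer volume.

Added example, not Citrix ADM code. The formula for the excess percentage,
the allowed rate (100 requests/minute), the accepted upload range and the
constructed timestamp lists are assumptions for illustration.
"""
from datetime import datetime, timedelta

MB = 1024 ** 2
GB = 1024 ** 3


def excess_percent(observed, expected):
    """Percentage by which observed exceeds expected; 0 when within the limit."""
    if expected <= 0:
        raise ValueError("expected must be positive")
    return max(0.0, (observed - expected) / expected * 100.0)


def peak_requests_per_minute(timestamps):
    """Largest number of requests falling in any 60-second sliding window."""
    ts = sorted(timestamps)
    peak, start = 0, 0
    for end in range(len(ts)):
        # Advance the window start until it is less than a minute behind `end`.
        while ts[end] - ts[start] >= timedelta(minutes=1):
            start += 1
        peak = max(peak, end - start + 1)
    return peak


def check_request_rate(timestamps, allowed_per_minute):
    """Compare the peak observed rate with the configured allowed rate."""
    peak = peak_requests_per_minute(timestamps)
    return {
        "observed_per_minute": peak,
        "expected_per_minute": allowed_per_minute,
        "excess_percent": excess_percent(peak, allowed_per_minute),
        "violation": peak > allowed_per_minute,
    }


def check_volume(observed_bytes, accepted_range):
    """Compare a day's upload or download volume with an accepted (low, high) range."""
    low, high = accepted_range
    return {
        "observed_bytes": observed_bytes,
        "accepted_range": accepted_range,
        "excess_percent": excess_percent(observed_bytes, high),
        "violation": not (low <= observed_bytes <= high),
    }


# Constructed: a bot firing 350 requests spaced 150 ms apart (about 52 s)
# at an application configured to allow 100 requests/minute.
BURST = [datetime(2024, 5, 1, 10, 0, 0) + timedelta(milliseconds=150 * i)
         for i in range(350)]
# Constructed: a human client, 12 requests spread over about five minutes.
NORMAL = [datetime(2024, 5, 1, 10, 0, 0) + timedelta(seconds=25 * i)
          for i in range(12)]

if __name__ == "__main__":
    print(check_request_rate(BURST, 100))   # 350 observed, 250% excess
    print(check_request_rate(NORMAL, 100))  # peak of 3 per minute, no violation
    print(check_volume(2 * GB, (0, 500 * MB)))  # 2 GB against a 500 MB ceiling
```

The peak-over-any-window measurement matters: averaging 350 requests across a quiet hour would hide the burst, which is exactly the pattern a bot produces.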

Website scanners

A web crawler, spider, or search engine bot can download and index content from the internet. The purpose of these bots is to index website content across the internet and make those websites appear in search engine results. Web crawler bots start with a certain set of known sources, follow hyperlinks from one page to another and from that page to more pages, and so on. Good bots follow the rules and index only the pages that are meant to be displayed in search engines. Bad bots try to access all possible content from a website and profile the website, which can later be used for targeting the site for various purposes.

After you configure the security profile, you can use the Website Scanners indicator to analyze whether a client session (good bot or bad bot) is trying to scan or crawl the entire website.

[Image: Website scanner]

Under Event Details, you can view:

  • The affected application. You can also select the application from the list if two or more applications are affected with this violation.

  • The sensitivity level, which you can change to low, medium, or high. The Edit Sensitivity option enables you to view and edit the existing behavior check profile or to create a new profile. For more information, see Configure behavior check profiles.

  • The graph indicating the potential scan details.

  • The detection message, indicating the potential scanner sessions detected. Click the number under View potential scanner sessions to view client details.

    [Image: Potential sessions]

Content Scrapers

Content scraping is the process of using bots to extract business-critical information from a targeted source. These bad bots can scrape content such as images, text, HTML code, and so on from thousands of pages within a short time. The impact of content scraping can include plagiarized content, loss of SEO ranking, copyright disputes, and so on.

In Citrix ADM, as an administrator, you can analyze whether a bad bot is trying to scrape the website content. You must configure the following prerequisite to view details in Citrix ADM.

After you configure the advanced security analytics option, you can use the Content Scrapers indicator to analyze whether a client session (good bot or bad bot) is trying to scrape the content.

[Image: Content Scrapers]

Under Event Details, you can view:

  • The affected application. You can also select the application from the list if two or more applications are affected with this violation.

  • The graph indicating the potential scrape details.

  • The detection message, indicating the potential scraper sessions detected. Click the number under View potential scraper sessions to view client details.
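Both the Website Scanners and the Content Scrapers indicators rest on the same per-session observation: a crawler or scraper touches far more distinct pages per minute than a person browsing does. The following Python is an added example, not Citrix ADM code; the access-log format, the two constructed sessions (`sess-A`, a crawl of 120 product pages in about 30 seconds, and `sess-B`, a human visiting a handful of pages over four minutes) and the thresholds in `flag_potential_scanners` are all assumptions.

```python
"""Per-session crawl and scrape profiling over access-log lines.

Added example, not Citrix ADM code: it illustrates the kind of per-session
statistics behind the Website Scanners and Content Scrapers indicators.
The log format, the constructed sessions and the thresholds are assumptions.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta


def build_sample_log():
    """Constructed access log, one line per request:
    "<ISO time> <session id> <method> <path>"."""
    lines = []
    t0 = datetime(2024, 5, 1, 11, 0, 0)
    # sess-A: automated crawl, 120 distinct product pages in about 30 seconds
    for i in range(120):
        t = t0 + timedelta(milliseconds=250 * i)
        lines.append(f"{t.isoformat()} sess-A GET /products/{i}")
    # sess-B: a human browsing five pages over four minutes, revisiting one
    for i, path in enumerate(["/", "/products/3", "/cart", "/products/3", "/checkout"]):
        t = t0 + timedelta(minutes=i)
        lines.append(f"{t.isoformat()} sess-B GET {path}")
    return "\n".join(lines)


@dataclass
class SessionProfile:
    first_seen: datetime
    last_seen: datetime
    requests: int = 0
    paths: set = field(default_factory=set)

    @property
    def duration_seconds(self):
        return (self.last_seen - self.first_seen).total_seconds()

    @property
    def distinct_pages_per_minute(self):
        # Floor the duration at one second so a single-instant burst still rates.
        minutes = max(self.duration_seconds, 1.0) / 60.0
        return len(self.paths) / minutes


def profile_sessions(log_text):
    """Aggregate request count, distinct paths and time span per session."""
    profiles = {}
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # blank or malformed line
        ts, session, _method, path = parts
        t = datetime.fromisoformat(ts)
        p = profiles.get(session)
        if p is None:
            p = SessionProfile(first_seen=t, last_seen=t)
            profiles[session] = p
        p.first_seen = min(p.first_seen, t)
        p.last_seen = max(p.last_seen, t)
        p.requests += 1
        p.paths.add(path)
    return profiles


def flag_potential_scanners(profiles, min_distinct_pages=50, min_pages_per_minute=60):
    """Sessions touching many distinct pages at a rate no human browses at."""
    return sorted(
        s for s, p in profiles.items()
        if len(p.paths) >= min_distinct_pages
        and p.distinct_pages_per_minute >= min_pages_per_minute
    )


if __name__ == "__main__":
    profiles = profile_sessions(build_sample_log())
    for session in flag_potential_scanners(profiles):
        p = profiles[session]
        print(session, p.requests, "requests,", len(p.paths), "distinct pages,",
              round(p.distinct_pages_per_minute), "pages/min")
```

Counting distinct paths rather than raw requests is what separates a scanner from a client that reloads one page: the human session here makes five requests but only reaches four pages.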

API Abuse

The process of verifying the identity of the user who is accessing server resources is known as API authentication. API authentication can be through:

  • API key

  • JWT token

  • Certificate

Bad bots can use or steal these authentication credentials and perform various kinds of cyberattacks such as credential stuffing and password spraying. In Citrix ADM, you can analyze such unusual logon activity for APIs.

Using the API Abuse indicator, as an administrator, you can analyze whether bad bots have attempted to take over the target resource by using API authentication.

[Image: API abuse]

Under Event Details, you can view:

  • The affected application. You can also select the application from the list if two or more applications are affected with violations.

  • The graph indicating details such as total requests, successful logins, failed logins, and API abuse violations.

  • The violation occurrence time

  • The detection message for the violation, indicating the successful and failed API authentication attempts.

  • The bad bot details. Click to view details such as time, client IP address, total successful logins, total failed logins, and total requests made from that IP address.

    [Image: Bad bot client session]
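The Account Takeover, Account Takeover for Citrix Gateway and API Abuse indicators all present the same per-client summary: time, client IP address, successful logins, failed logins and total requests. The following Python is an added example, not Citrix ADM code, that builds that summary from authentication events and flags clients with a burst of failures. The event format, the constructed sample lines (usernames for Gateway logons, an API key id for API authentication), the threshold of more than 5 failures within 60 seconds and the whole-span window simplification are all assumptions.

```python
"""Per-client aggregation of authentication attempts.

Added example, not Citrix ADM code: it reproduces the kind of per-IP summary
the Account Takeover and API Abuse event details show. The log format, the
sample lines and the flagging thresholds are assumptions.
"""
from dataclasses import dataclass, field
from datetime import datetime

# Constructed sample events: "<ISO time> <client IP> <principal> <result>",
# where <principal> is a username (Gateway logon) or an API key id (API auth).
SAMPLE_LOG = """\
2024-05-01T09:00:01 203.0.113.7 alice FAIL
2024-05-01T09:00:02 203.0.113.7 bob FAIL
2024-05-01T09:00:02 203.0.113.7 carol FAIL
2024-05-01T09:00:03 203.0.113.7 dave FAIL
2024-05-01T09:00:03 203.0.113.7 erin FAIL
2024-05-01T09:00:04 203.0.113.7 frank SUCCESS
2024-05-01T09:00:05 203.0.113.7 grace FAIL
2024-05-01T09:01:10 198.51.100.20 alice FAIL
2024-05-01T09:01:25 198.51.100.20 alice SUCCESS
2024-05-01T09:02:00 192.0.2.44 apikey-7f3a SUCCESS
"""


@dataclass
class ClientStats:
    first_seen: datetime
    last_seen: datetime
    total_requests: int = 0
    successful_logins: int = 0
    failed_logins: int = 0
    principals: set = field(default_factory=set)


def parse_events(text):
    """Turn log lines into (time, ip, principal, result) tuples; skip blanks."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # blank or malformed line
        ts, ip, principal, result = parts
        events.append((datetime.fromisoformat(ts), ip, principal, result))
    return events


def aggregate_by_ip(events):
    """Build one ClientStats record per client IP."""
    stats = {}
    for ts, ip, principal, result in events:
        s = stats.get(ip)
        if s is None:
            s = ClientStats(first_seen=ts, last_seen=ts)
            stats[ip] = s
        s.first_seen = min(s.first_seen, ts)
        s.last_seen = max(s.last_seen, ts)
        s.total_requests += 1
        s.principals.add(principal)
        if result == "SUCCESS":
            s.successful_logins += 1
        else:
            s.failed_logins += 1
    return stats


def flag_bad_bots(stats, max_failed=5, window_seconds=60):
    """IPs whose failed logins exceed max_failed within window_seconds.

    Simplification (assumption): the window is the IP's whole activity span
    rather than a sliding window.
    """
    flagged = []
    for ip, s in stats.items():
        span = (s.last_seen - s.first_seen).total_seconds()
        if s.failed_logins > max_failed and span <= window_seconds:
            flagged.append(ip)
    return sorted(flagged)


def event_details(stats, ip):
    """The fields the violation's client detail view lists for one IP."""
    s = stats[ip]
    return {
        "time": s.first_seen.isoformat(),
        "client_ip": ip,
        "successful_logins": s.successful_logins,
        "failed_logins": s.failed_logins,
        "total_requests": s.total_requests,
        "distinct_principals": len(s.principals),
    }


if __name__ == "__main__":
    stats = aggregate_by_ip(parse_events(SAMPLE_LOG))
    for ip in flag_bad_bots(stats):
        print(event_details(stats, ip))
```

The `distinct_principals` count is the one field the page's detail view does not list; it is included because one IP cycling through many different usernames in seconds is the signature of credential stuffing, whereas the second client (one failure, then a success for the same user) is what a mistyped password looks like.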

Keystroke and mouse dynamics based bot detection

Over 35 percent of web traffic is generated by bots, and these bots can perform various tasks faster than humans. In some scenarios, bots are also involved in tasks that require keyboard and mouse input.

For example, only a human should type a password to access a secured resource. Bots can be involved in attacks such as account takeover by automatically providing credentials and trying multiple combinations faster than humans. Apart from the violations (Account Takeover, Excessive Client Connections, and so on), Citrix ADM also enables you to detect and get insights on bots based on keystroke and mouse dynamics.

Prerequisites

  • Enable bot insight.

  • Configure the following in the Citrix ADC instance:

     add/set bot profile <name> -KMDetection ( ON | OFF )

     bind bot profile <name> -KMDetectionExpr -name <string> -expression <expression> -enabled ( ON | OFF ) -comment <string>

     add/set bot profile <name> -KMJavaScriptName <string>

     set bot profile <profile_name> -KMEventsPostBodyLimit 8192K

