Forum Discussion
NimbostratusBot Defense causing a lot of false positives
Hi renaud-gaspard ,
The anomalies could be contributed due to Chromes third part deprecation. If that's in play you might want to consider using Cookies with Independent Partitioned state aka (CHIPs). This would be a modification to the irule and in chrome would need to have this setting ---> chrome://flags/#test-third-party-cookie-phaseout enabled.
Aside from the irule to test and try the issue with "High Number of HTML transactions since JS verification" there could be some tweaks to try for this.
HTML transactions since JS verification" threshold. The default is typically low (5-10). For SPAs returning HTML fragments, maybe try to set to 50-100 based on the traffic pattern.
Static resource paths wont carry cookies. Make sure these are exempt in the Bot Defense profile, add URL allowlist entries:
Pattern Type *.css Glob *.js Glob *.woff Glob *.woff2 Glob *.ttf Glob *.eot Glob *.svg Glob *.png Glob *.jpg Glob *.jpeg Glob *.gif Glob *.webp Glob *.ico Glob *.map Glob /static/* Glob /assets/* Glob /cdn-cgi/* Glob Adjust the path-based patterns (/static/*, /assets/*) to match your actual resource directory structure. You can also use regex if you need more refinement.
#--------------------------------------------------------------- # Purpose: Append SameSite=None; Secure; Partitioned to Bot # Defense (TS*) and persistence (BIGipServer*) cookies # to support cross-domain PBD under Chrome 3P cookie # deprecation (CHIPS). #--------------------------------------------------------------- when RULE_INIT { # Toggle debug logging: 1 = enabled, 0 = disabled (production) set static::cookie_debug 0 } when HTTP_RESPONSE_RELEASE { # Iterate over all Set-Cookie headers in the response # We must use "HTTP::header values" to capture multi-value # Set-Cookie headers — "HTTP::header value" only returns the first # Collect all Set-Cookie headers set num_cookies [HTTP::header count "Set-Cookie"] # Short-circuit if no cookies present if { $num_cookies == 0 } { return } # Build a list of modified cookies, then replace all at once # This avoids modifying the header collection while iterating set new_cookies [list] set modified 0 for { set i 0 } { $i < $num_cookies } { incr i } { set cookie [HTTP::header value "Set-Cookie" $i] # Match TS* (Bot Defense) and BIGipServer* (persistence) cookies if { [string match "TS*" $cookie] || [string match "BIGipServer*" $cookie] } { # Skip if already fully patched (idempotency guard) if { [string match "*Partitioned*" $cookie] } { lappend new_cookies $cookie continue } # Case 1: Has SameSite=None but may be missing Secure and/or Partitioned if { [string match "*SameSite=None*" $cookie] } { if { !([string match "*Secure*" $cookie]) } { append cookie "; Secure" } append cookie "; Partitioned" set modified 1 # Case 2: No SameSite attribute at all — add full attribute chain } else { append cookie "; SameSite=None; Secure; Partitioned" set modified 1 } if { $static::cookie_debug } { log local0.debug "CHIPS_IRULE: Patched cookie: $cookie" } } lappend new_cookies $cookie } # Only rewrite headers if we actually changed something if { $modified } { # Remove all existing Set-Cookie headers HTTP::header remove "Set-Cookie" # Re-insert all cookies (modified + unmodified) foreach c $new_cookies { HTTP::header insert "Set-Cookie" $c } } }
NimbostratusThank you for your answers,
Using the iRule that update the cookie with "SameSite=None; Secure; Partitioned" didn't help solving most of our false positives issues.
However, enabling it slightly changes how browsers handle the third party cookies in Incognito mode. This means the protected websites are now usable in Incognito mode.
We managed to isolate the false positives to specific cases :
- Browser Verification Timed out :
- Happened on a website that has a malformed HTML page : From what I understand, because of the malformed HTML, the challenge wasn't correctly injected and was never solved by the browser, causing this anomaly.
- Also happened after a specific series of action : A new browser tab was opened by mistake after clicking on a link. Because it was opened by mistake, the tab was immediately closed (before the injected challenge had the time to be solved). Later browsing to the site was blocked.
One possible workaround would be to show a CAPTCHA challenge instead of blocking the user entirely.
- Resource request without browser verification cookie
- This happens more frequently, we probably can just disable that specific check, or add the list of static file to the whitelist as Jeff_Granieri suggested.
- Session Opening
- This was reported by someone else and wasn't reproduced during our testing.
If it happens again, we probably can slightly raise the detection threshold.
- This was reported by someone else and wasn't reproduced during our testing.
- High number of HTML transactions since verification challenge:
- This only happens on a specific website/domain.
This website uses various iframes embedding the website into itself, and also has an API endpoint where the returned Content-Type header is "text/html" even if the returned data isn't HTML.
For this specific site we could create a microservice, with challenge-free browser verification.
- This only happens on a specific website/domain.
- Device ID Deletion
- We raised the detection value slightly and it didn't cause any issue since.
As you said, carlbidwell268 , we'll need to tweak this over time, but at least we know have a mostly working profile.
Thank you both for your help
