Forum Discussion

dbaimakov's avatar
dbaimakov
Icon for Altocumulus rankAltocumulus
Jul 04, 2023

BoT Defense Profile, Signature Enforcement

Recently, I implemented a BoT Defense/logging profile in transparent mode, expecting the profile to "learn" from the traffic generated by bots. During the initial "learning mode period," I hoped the profile to perform the following tasks:

  • Check for mouse movement and keystrokes to detect human-like behavior.
  • Track requests that deviate from the expected sequence or fail to request objects in a manner consistent with human browsing patterns.
  • Utilize JavaScript to fingerprint browser characteristics and assign an internal score to evaluate if a browser meets the expected features. (I see that blocking for this setting would be a must, however)

Due to the presence of numerous performance testing and stress testing tools that use outdated browsers, we are unable to enable Browser Verification. Will it affect the bullet points above?

When I created the profile, I noticed that it came preloaded with 950 attack signatures specifically to bots. However, after a month of continuous traffic, I observed that there were no signatures ready to be enforced, and there were no signatures waiting for traffic samples.  Could browser verification settings set to none also be the reason for no signature learning, for we have disabled that feature completely.  

I believe this could be because bot signatures are generally static and not as diverse as the advanced (OWASP/MITRE) threats covered by Security Learning and Blocking Settings for polices in F5 and that the actual mitigation comes from Bot Mitigation Settings (Trusted Bot, Untrusted Bot, Suspicious Browser, Malicious Bot, Rate Limiting)

My question is: If I enable CAPTCHA for malicious bots, will the signatures from F5 950 intellectual property be utilized? Is it possible that true learning for these settings only starts when actual blocking is enabled?  Or will it be utilized based as soon as Bot Mitigation Settings are set to block or challenge at least known signatures?

  • Thank you everyone for your input, the issue seems to have resolved itself, the signagures must not have been staged long enough I suppose.