Citrix Application Delivery Management service

Bot

A bot is a software program that automatically performs certain actions over and over at a much faster rate than a human. Over 35 percent of your web traffic comprises bots and 80 percent of organizations suffer from bot attacks. Bots can interact with a webpage, submit forms, click links, scan text, or download content. They can even access videos, post comments, and tweet on social media platforms. Some bots, known as chatbots, can hold basic conversations with human users.

Bots that perform a needful or helpful service, such as customer service bots, chatbots, and search engine crawlers, are known as good bots. Malicious bots, which can scrape or download content from a website, steal user credentials, spread spam content, and perform various other kinds of cyberattacks, are known as bad bots. It is essential to identify bad bots and protect your appliance from advanced security attacks. You can achieve this using a bot management system.

For more information on Bot, see Bot Management.

Configure Bot detection techniques in Citrix ADC

In Citrix ADC, you can configure bot detection techniques to detect incoming bot traffic. You can configure the following bot detection techniques on a Citrix ADC instance:

  • Allow List. This rule has a list of URLs and policy expressions used to evaluate whether a specific set of good bots can access your web resource.

  • Block List. This rule has a list of URLs and policy expressions used to evaluate whether a specific set of bad bots can access your website.

  • IP reputation. This rule detects whether the incoming bot traffic comes from a malicious IP address.

  • Device fingerprinting. This rule checks the incoming bot traffic for a device fingerprint ID in the request header and for the browser attributes of the client.

  • Rate limiting. This rule rate limits multiple requests coming from the same client.

  • Signatures. This rule detects and blocks bots based on signature detection. It also helps prevent unauthorized website scraping, brute-force login attempts, and bots that probe for vulnerabilities.

  • Bot traps. This rule detects bots accessing the script that is enabled on the webpage.

  • TPS. This rule classifies incoming traffic as bot traffic if the maximum number of requests and the percentage increase in requests exceed the configured thresholds within the configured time interval.
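The TPS rule above, sketched as an added example (not Citrix code): the function buckets constructed request timestamps into fixed intervals and flags an interval only when both the request count and the percentage increase over the previous interval exceed their thresholds. The function name, its parameters, and the both-conditions reading are assumptions taken from the wording of the bullet.

```python
from collections import Counter


def tps_violations(timestamps, interval_s, max_requests, pct_increase):
    """Return [(interval_start, count, growth_pct)] for intervals flagged as bot traffic.

    Assumed semantics (from the bullet's wording, not Citrix's implementation):
    flag an interval when its request count exceeds max_requests AND the count
    grew by more than pct_increase percent compared with the previous interval.
    """
    buckets = Counter(int(ts // interval_s) for ts in timestamps)
    flagged = []
    for bucket in sorted(buckets):
        count = buckets[bucket]
        previous = buckets.get(bucket - 1, 0)
        # No traffic in the previous interval: treat growth as unbounded.
        growth = float("inf") if previous == 0 else (count - previous) * 100.0 / previous
        if count > max_requests and growth > pct_increase:
            flagged.append((bucket * interval_s, count, growth))
    return flagged


# Constructed sample: request arrival times (seconds) seen by one virtual server.
SAMPLE = (
    [i * 2.0 for i in range(5)]             # 0-10 s: 5 requests
    + [10 + i * 1.5 for i in range(6)]      # 10-20 s: 6 requests, normal growth
    + [20 + i * 0.25 for i in range(40)]    # 20-30 s: 40 requests, sudden burst
    + [30 + i * 0.25 for i in range(40)]    # 30-40 s: 40 requests, sustained load
)

if __name__ == "__main__":
    for start, count, growth in tps_violations(SAMPLE, 10, 20, 100):
        print(f"interval starting at {start}s: {count} requests, +{growth:.0f}%")
```

In the constructed sample the burst starting at 20 s is flagged, while the equally heavy interval that follows is not, because its growth is zero. A growth-based rule therefore needs a fixed limit alongside it, such as rate limiting.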

For more information on configuring Bot management, see Configure Bot management.

Configure bot security violations in Citrix ADM

After you configure bot management in Citrix ADC, you must enable Bot Security Violations on virtual servers to view insights in Citrix ADM.

To enable Bot Security Violations:

  1. Navigate to Infrastructure > Instances > Citrix ADC and select the instance type. For example, VPX.

  2. Select the instance and from the Select Action list, select Configure Analytics.

  3. Select the virtual server and click Enable Analytics.

  4. On the Enable Analytics window:

    1. Select Bot Security Violations

    2. Under Advanced Option, select Logstream.

    3. Click OK.

After enabling Bot Security Violations, navigate to Analytics > Security > Security Violations. Under Bot, select the application and view details. For more details, see Application overview.

View events history

You can view bot signature updates in the Events History when:

  • New bot signatures are added in Citrix ADC instances.

  • Existing bot signatures are updated in Citrix ADC instances.

You can select the time duration on the bot insight page to view the events history.

Events history

The following diagram shows how bot signatures are retrieved from the AWS cloud and updated on Citrix ADC, and how the signature update summary is made available for viewing on Citrix ADM.

Events scheduler

  1. The bot signature auto update scheduler retrieves the mapping file from the AWS URI.

  2. Compares the latest signatures in the mapping file with the existing signatures on the ADC appliance.

  3. Downloads the new signatures from AWS and verifies the signature integrity.

  4. Updates the existing bot signatures with the new signatures in the bot signature file.

  5. Generates an SNMP alert and sends the signature update summary to Citrix ADM.
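The five scheduler steps above, modelled as an added example (not Citrix code): signatures newer than the installed ones are downloaded, checked for integrity, and only then applied, and a tampered download is rejected without touching the installed signature. The mapping-file layout, the SHA-256 digest check, the signature names and the `fetch` callback are all assumptions, because the page does not describe the file format or the integrity mechanism.

```python
import hashlib
import hmac


def plan_update(mapping, installed):
    """Steps 1-2: names whose mapping-file version is newer than the installed one."""
    return sorted(
        name for name, meta in mapping.items()
        if meta["version"] > installed.get(name, {}).get("version", 0)
    )


def apply_update(mapping, installed, fetch):
    """Steps 3-5: download, verify integrity, replace, and return the update summary."""
    summary = {"updated": [], "rejected": []}
    for name in plan_update(mapping, installed):
        blob = fetch(name)  # hypothetical download callback: name -> bytes
        digest = hashlib.sha256(blob).hexdigest()
        # Assumed integrity check: SHA-256 digest published in the mapping file.
        if not hmac.compare_digest(digest, mapping[name]["sha256"]):
            summary["rejected"].append(name)  # existing signature stays in place
            continue
        installed[name] = {"version": mapping[name]["version"], "data": blob}
        summary["updated"].append(name)
    return summary


# Constructed sample data (not real Citrix signatures or file formats).
GOOD_BODY = b"constructed signature body v2"
MAPPING = {
    "sig-crawler": {"version": 1, "sha256": hashlib.sha256(b"v1").hexdigest()},
    "sig-scraper": {"version": 2, "sha256": hashlib.sha256(GOOD_BODY).hexdigest()},
    "sig-prober": {"version": 3, "sha256": hashlib.sha256(b"expected body").hexdigest()},
}
INSTALLED = {
    "sig-crawler": {"version": 1, "data": b"v1"},
    "sig-scraper": {"version": 1, "data": b"old"},
}
DOWNLOADS = {"sig-scraper": GOOD_BODY, "sig-prober": b"tampered body"}

if __name__ == "__main__":
    print(apply_update(MAPPING, dict(INSTALLED), DOWNLOADS.__getitem__))
```

A digest taken from the mapping file protects the download only if the mapping file itself is authenticated, for example by a verified TLS connection to its source or a detached signature.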

You can also use the search text box and the time duration list to view bot details as per your requirement. When you click the search box, it gives you the following list of search suggestions.

  • Instance-IP – Citrix ADC instance IP address

  • Client-IP – Client IP address

  • Bot-Type – Bot type such as Good or Bad

  • Severity – Severity of the bot attack

  • Action-Taken – Action taken after the bot attack such as Drop, No action, Redirect

  • Bot-Category – Category of the bot attack such as block list, allow list, fingerprint, and so on. Based on a category, you can associate a bot action to it

  • Bot-Detection – Bot detection types (block list, allow list, and so on) that you have configured on the Citrix ADC instance

  • Location – Region/country where the bot attack has occurred

  • Request-URL – URL that has the possible bot attacks

You can also use operators in your search queries to narrow the focus of your search. For example, if you want to view all bad bots:

  1. Click the search box and select Bot-Type

  2. Click the search box again and select the operator =

  3. Click the search box again and select Bad

  4. Click Search to display the results
