Citrix Application Delivery Management service

Bot violation details

Note

You can also view the traffic pattern analytics, even if no violations are observed. For more information, see Behavior checks with no violations.

Excessive Client Connections

When a client tries to access the web application, the client request is processed by the Citrix ADC appliance instead of connecting to the server directly. Web traffic includes bots, and bots can perform various actions at a faster rate than a human.

Using the Excessive Client Connections indicator, you can analyze scenarios in which an application receives an unusually high number of client connections through bots.

Under Event Details, you can view:

  • The affected application. You can also select the application from the list if two or more applications are affected by violations.

  • The sensitivity level, which you can change to low, medium, or high. The Edit Sensitivity option enables you to view and edit the existing behavior check profile or to create a new profile. For more information, see Configure behavior check profiles.

  • The graph indicating all violations

  • The violation occurrence time

  • The detection message for the violation, indicating the total IP addresses transacting the application

  • The accepted IP addresses range that the application can receive

Account Takeover

Note

Ensure you enable the advanced security analytics and web transaction options. For more information, see Setting up.

Some malicious bots can steal user credentials and perform various kinds of cyberattacks. These malicious bots are known as bad bots. It is essential to identify bad bots and protect your appliance from any form of advanced security attacks.

Prerequisite

You must configure the Account Takeover settings in Citrix ADM.

  1. Navigate to Analytics > Settings > Security Violations.

  2. Click the setting icon available next to the time duration list.

  3. On the Account Takeover tab, click Add.

  4. On the Add Application page, specify the following parameters:

    1. Application - Select the virtual server from the list.

    2. Method - Select the HTTP method type from the list. The available options are GET, PUSH, POST, and UPDATE.

    3. Login URL and Success response code - Specify the URL of the web application and specify the HTTP status code (for example, 200) for which you want Citrix ADM to report the account takeover violation from bad bots.

    4. Click Add.

After you configure the settings, you can use the Account Takeover indicator to analyze whether bad bots attempted to take over your account by sending multiple requests along with credentials.

Under Event Details, you can view:

  • The affected application. You can also select the application from the list if two or more applications are affected by violations.

  • The graph indicating all violations

  • The violation occurrence time

  • The detection message for the violation, indicating total unusual failed login activity, successful logins, and failed logins

  • The bad bot IP address. Click to view details such as time, IP address, total successful logins, total failed logins, and total requests made from that IP address.
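
The per-IP counts listed above (total requests, successful logins, failed logins) can be reproduced from access-log lines using the configured method, login URL, and success response code. The following is an added example, not Citrix ADM code; the log format, the sample lines, and the `min_failed` and `max_success_ratio` thresholds are assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass

# Assumed settings mirroring the Add Application parameters (constructed values).
LOGIN_METHOD, LOGIN_URL, SUCCESS_CODE = "POST", "/login", 200

# Constructed log, one request per line: "<time> <client IP> <method> <URL> <status>".
SAMPLE_LOG = (
    "".join(f"2024-01-01T10:00:0{i} 203.0.113.7 POST /login 401\n" for i in range(1, 7))
    + "2024-01-01T10:00:07 203.0.113.7 POST /login?next=/home 200\n"
    + "2024-01-01T10:00:08 198.51.100.20 POST /login 200\n"
    + "2024-01-01T10:00:09 198.51.100.20 GET /home 200\n"
    + "truncated line\n"
)

@dataclass
class IpStats:
    first_seen: str = ""
    total_requests: int = 0
    successful_logins: int = 0
    failed_logins: int = 0

def tally_logins(log_text):
    """Count total requests and login outcomes per client IP."""
    stats = defaultdict(IpStats)
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 5 or not parts[4].isdigit():
            continue  # skip malformed lines instead of miscounting them
        ts, ip, method, url, status = parts
        entry = stats[ip]
        entry.first_seen = entry.first_seen or ts
        entry.total_requests += 1
        # Compare the path only, so a query string does not hide a login request.
        if method == LOGIN_METHOD and url.split("?", 1)[0] == LOGIN_URL:
            if int(status) == SUCCESS_CODE:
                entry.successful_logins += 1
            else:
                entry.failed_logins += 1
    return dict(stats)

def suspicious_ips(stats, min_failed=5, max_success_ratio=0.2):
    """Flag IPs with many failed logins and few successes (assumed thresholds)."""
    flagged = []
    for ip, s in stats.items():
        attempts = s.successful_logins + s.failed_logins
        if (attempts and s.failed_logins >= min_failed
                and s.successful_logins / attempts <= max_success_ratio):
            flagged.append(ip)
    return sorted(flagged)
```

A single success after a run of failures from the same IP, as in the constructed sample, is the case worth reviewing first, because it can mean one of the tried credentials worked.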

Unusually High Upload Volume

Web traffic also includes data that is uploaded. For example, if your average upload volume per day is 500 MB and you upload 2 GB of data, this can be considered an unusually high upload volume. Bots can also upload data more quickly than humans.

Using the Unusually High Upload Volume indicator, you can analyze abnormal volumes of data uploaded to the application through bots.

Under Event Details, you can view:

  • The affected application. You can also select the application from the list if two or more applications are affected by violations.

  • The graph indicating all violations

  • The violation occurrence time

  • The detection message for the violation, indicating the total upload data volume processed

  • The accepted range of upload data to the application

Unusually High Download Volume

As with high upload volume, bots can also download data more quickly than humans.

Using the Unusually High Download Volume indicator, you can analyze abnormal volumes of data downloaded from the application through bots.

Under Event Details, you can view:

  • The affected application. You can also select the application from the list if two or more applications are affected by violations.

  • The graph indicating all violations

  • The violation occurrence time

  • The detection message for the violation, indicating the total download data volume processed

  • The accepted range of download data from the application

Unusually High Request Rate

You can control the incoming and outgoing traffic from or to an application. A bot attack can produce an unusually high request rate. For example, if you configure an application to allow 100 requests/minute and you observe 350 requests, it might indicate a bot attack.

Using the Unusually High Request Rate indicator, you can analyze the unusual request rate received by the application.

Under Event Details, you can view:

  • The affected application. You can also select the application from the list if two or more applications are affected by violations.

  • The graph indicating all violations

  • The violation occurrence time

  • The detection message for the violation, indicating the total requests received and the percentage of requests received in excess of the expected requests

  • The accepted range of the expected request rate for the application

Website scanners

A web crawler, spider, or search engine bot can download and index content from the internet. The purpose of these bots is to index website content across the internet and make those websites appear in search engine results. Web crawler bots start with a certain set of known sources and follow hyperlinks from one page to another, then from that page to more pages, and so on. Good bots follow the rules and index only the pages that are required to be displayed in search engines. Bad bots try to access all possible content from a website and profile the website, which can later be used for targeting the site for various purposes.

Using the Website Scanners indicator, you can analyze whether a client session (good bot or bad bot) is trying to scan or crawl the entire website.

Under Event Details, you can view:

  • The affected application. You can also select the application from the list if two or more applications are affected by this violation.

  • The sensitivity level, which you can change to low, medium, or high. The Edit Sensitivity option enables you to view and edit the existing behavior check profile or to create a new profile. For more information, see Configure behavior check profiles.

  • The graph indicating the potential scan details.

  • The detection message, indicating the potential scanner sessions detected. Click the number under View potential scanner sessions to view client details.
