Citrix Application Delivery Management service

Bot violation details

Note

You can also view the traffic pattern analytics, even if no violations are observed. For more information, see Behavior checks with no violations.

Excessive Client Connections

When a client tries to access the web application, the client request is processed by the Citrix ADC appliance instead of connecting to the server directly. In some scenarios, attackers use automated bots to gain access to the application or to make it unresponsive by opening an unusually large number of connections.

Using the Excessive Client Connections indicator, you can analyze scenarios in which an application receives an unusually high number of client connections from bots.

Under Event Details, you can view:

  • The affected application. You can also select the application from the list if two or more applications are affected with violations.

  • The sensitivity level and change it to low, medium, or high. The Edit Sensitivity option enables you to view and edit the existing behavior check profile or to create a new profile. For more information, see Configure behavior check profiles.

  • The graph indicating all violations

  • The violation occurrence time

  • The detection message for the violation, indicating the total number of IP addresses transacting with the application

  • The accepted range of client IP addresses that the application can receive

Account Takeover

Note

Ensure you enable the advanced security analytics. For more information, see Setting up.

Some malicious bots can steal user credentials and perform various kinds of cyberattacks. These malicious bots are known as bad bots. It is essential to identify bad bots and protect your appliance from any form of advanced security attacks.

Prerequisite

You must configure the Account Takeover settings in Citrix ADM.

  1. Navigate to Analytics > Security > Security Violations.

  2. Click the setting icon available next to the time duration list.

  3. On the Account Takeover tab, click Add.

  4. On the Add Application page, specify the following parameters:

    1. Application - Select the virtual server from the list.

    2. Method - Select the HTTP method type from the list. The available options are GET, PUSH, POST, and UPDATE.

    3. Login URL and Success response code - Specify the URL of the web application and specify the HTTP status code (for example, 200) for which you want Citrix ADM to report the account takeover violation from bad bots.

    4. Click Add.

After you configure the settings, you can use the Account Takeover indicator to analyze whether bad bots have attempted to take over your account by sending multiple requests with credentials.

Under Event Details, you can view:

  • The affected application. You can also select the application from the list if two or more applications are affected with violations.

  • The graph indicating all violations

  • The violation occurrence time

  • The detection message for the violation, indicating total unusual failed login activity, successful logins, and failed logins

  • The bad bot IP address. Click to view details such as time, IP address, total successful logins, total failed logins, and total requests made from that IP address.

Account Takeover for Citrix Gateway

Many users have access to Citrix Gateway for remote access through VPN and for accessing Citrix Virtual Apps and Desktops. The Citrix Gateway logon page for these users is accessible over the internet, which makes it an easy target for account takeover. Some malicious bots can steal user credentials and perform various kinds of cyberattacks such as credential stuffing and password spraying.

  • Credential stuffing – A cyberattack in which credentials obtained from a data breach at one service are used to gain access to another service.

  • Password spraying – A cyberattack in which the attacker or bot tries to gain unauthorized access to a service by guessing credentials repeatedly within a short period of time.

These malicious bots are known as bad bots. In Citrix ADM, you can analyze such unusual logon activities for Citrix Gateway. Using the Account Takeover for Citrix Gateway indicator, as an administrator, you can analyze whether bad bots have attempted to take over a Citrix Gateway account by sending multiple requests with credentials.

Under Event Details, you can view:

  • The affected application. You can also select the application from the list if two or more applications are affected with violations.

  • The graph indicating details such as total requests, successful logins, and failed logins.

  • The violation occurrence time

  • The detection message for the violation, indicating total unusual failed login activity, successful logins, and failed logins

  • The bad bot IP address. Click to view details such as time, client IP address, total successful logins, total failed logins, and total requests made from that IP address.
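
The per-client login accounting behind the Account Takeover and Account Takeover for Citrix Gateway indicators, as an added example in Python (not Citrix code): it applies the configured Method, Login URL, and Success response code to constructed log lines and produces the successful-login, failed-login, and total-request counts per client IP that Event Details shows. The log format, the threshold, and all values are assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass, field
# Account Takeover settings from the Add Application page (assumed values).
LOGIN_URL = "/auth/login"
METHOD = "POST"
SUCCESS_CODE = 200

@dataclass
class ClientStats:
    total_requests: int = 0
    successful_logins: int = 0
    failed_logins: int = 0
    usernames: set = field(default_factory=set)  # distinct accounts tried

def parse_line(line):
    """Constructed log format: '<time> <client_ip> <method> <url> <status> <user>',
    with '-' as the user for requests that are not login attempts."""
    ts, ip, method, url, status, user = line.split()
    return ts, ip, method, url, int(status), user

def summarise(lines, login_url=LOGIN_URL, method=METHOD, success_code=SUCCESS_CODE):
    """Per-client totals as shown under Event Details. A request counts as a
    login attempt only if it matches the configured method and URL; the
    configured success response code decides whether it succeeded."""
    stats = defaultdict(ClientStats)
    for line in lines:
        _, ip, m, url, status, user = parse_line(line)
        s = stats[ip]
        s.total_requests += 1
        if m == method and url == login_url:
            s.usernames.add(user)
            if status == success_code:
                s.successful_logins += 1
            else:
                s.failed_logins += 1
    return dict(stats)

def suspected_bad_bots(stats, max_failed=5):
    """Clients whose failed logins exceed an assumed threshold (ADM derives its
    own from the behaviour check profile). A high count of distinct usernames
    from one client is the password-spraying pattern described above."""
    return sorted(ip for ip, s in stats.items() if s.failed_logins > max_failed)

# Constructed sample: one ordinary user and one client spraying many accounts.
SAMPLE_LOG = [
    "10:00:01 198.51.100.7 GET /index.html 200 -",
    "10:00:02 198.51.100.7 POST /auth/login 401 alice",
    "10:00:09 198.51.100.7 POST /auth/login 200 alice",
] + [f"10:00:{10 + i:02d} 203.0.113.9 POST /auth/login 401 user{i}" for i in range(12)]
```

Running `suspected_bad_bots(summarise(SAMPLE_LOG))` flags only 203.0.113.9; `len(stats[ip].usernames)` then shows how many accounts that client tried.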

Unusually High Upload Volume

Web traffic includes data that is uploaded to the application. For example, if your average upload volume per day is 500 MB and you observe 2 GB of uploaded data, that can be considered an unusually high upload volume. Bots can also upload data faster than humans.

Using the Unusually High Upload Volume indicator, you can analyze abnormal scenarios of upload data to the application through bots.

Under Event Details, you can view:

  • The affected application. You can also select the application from the list if two or more applications are affected with violations.

  • The graph indicating all violations

  • The violation occurrence time

  • The detection message for the violation, indicating the total upload data volume processed

  • The accepted range of upload data to the application

Unusually High Download Volume

Similar to high upload volume, bots can also download data faster than humans.

Using the Unusually High Download Volume indicator, you can analyze abnormal scenarios of download data from the application through bots.

Under Event Details, you can view:

  • The affected application. You can also select the application from the list if two or more applications are affected with violations.

  • The graph indicating all violations

  • The violation occurrence time

  • The detection message for the violation, indicating the total download data volume processed

  • The accepted range of download data from the application

Unusually High Request Rate

You can control the incoming and outgoing traffic from or to an application. A bot attack can generate an unusually high request rate. For example, if you configure an application to allow 100 requests/minute and you observe 350 requests, that might indicate a bot attack.

Using the Unusually High Request Rate indicator, you can analyze the unusual request rate received by the application.

Under Event Details, you can view:

  • The affected application. You can also select the application from the list if two or more applications are affected with violations.

  • The graph indicating all violations

  • The violation occurrence time

  • The detection message for the violation, indicating the total requests received and the percentage by which the received requests exceed the expected requests

  • The accepted range of the expected request rate for the application

Website scanners

A web crawler, spider, or search engine bot downloads and indexes content from the internet. The purpose of these bots is to index website content across the internet so that those websites appear in search engine results. Web crawler bots start with a set of known sources, follow hyperlinks from one page to another and on to further pages, and so on. Good bots follow the rules and index only the pages that are meant to be displayed in search engines. Bad bots try to access all possible content from a website and profile it, which can later be used to target the site for various purposes.

Prerequisite

You must configure the Website scanners settings in Citrix ADM.

  1. Navigate to Analytics > Security > Security Violations.

  2. Click the setting icon available next to the time duration list.

  3. On the Website Scanning and Scraping tab, click Add.

  4. On the Add Website Scanning and Scraping Configuration page:

    1. Session Tracking Method - Select the tracking method as Client IP, Citrix Web Application Firewall, Backend Application, or URL.

      Note

      If you select Backend Application, ensure that you select the Enable Cookie Header option when you enable advanced security analytics.

    2. Application - Select the application from the list.

  5. Click Add.

After you configure the settings, you can use the Website Scanners indicator to analyze whether a client session (good bot or bad bot) is trying to scan or crawl the entire website.

Under Event Details, you can view:

  • The affected application. You can also select the application from the list if two or more applications are affected with this violation.

  • The sensitivity level and change it to low, medium, or high. The Edit Sensitivity option enables you to view and edit the existing behavior check profile or to create a new profile. For more information, see Configure behavior check profiles.

  • The graph indicating the potential scan details.

  • The detection message, indicating the potential scanner sessions detected. Click the number under View potential scanner sessions to view client details.

Content Scrapers

Content scraping is the process of using bots to extract business-critical information from a targeted source. These bad bots can scrape content such as images, text, and HTML code from thousands of pages within a short time. The impact of content scraping can include plagiarized content, loss of SEO ranking, copyright issues, and so on.

In Citrix ADM, as an administrator, you can analyze whether a bad bot is trying to scrape the website content. You must configure the following prerequisite to view details in Citrix ADM.

Prerequisite

You must configure the Content Scraping settings in Citrix ADM.

  1. Navigate to Analytics > Security > Security Violations.

  2. Click the setting icon available next to the time duration list.

  3. On the Website Scanning and Scraping tab, click Add.

  4. On the Add Website Scanning and Scraping Configuration page:

    1. Session Tracking Method - Select the tracking method as Client IP, Citrix Web Application Firewall, Backend Application, or URL.

      Note

      If you select Backend Application, ensure that you select the Enable Cookie Header option when you enable advanced security analytics.

    2. Application - Select the application from the list.

  5. Click Add.

After you configure the settings, you can use the Content Scrapers indicator to analyze whether a client session (good bot or bad bot) is trying to scrape the content.

Under Event Details, you can view:

  • The affected application. You can also select the application from the list if two or more applications are affected with this violation.

  • The graph indicating the potential scraping details.

  • The detection message, indicating the potential scraper sessions detected. Click the number under View potential scraper sessions to view client details.

API Abuse

API authentication is the process of verifying the identity of the user who is accessing server resources. API authentication can be through:

  • API key

  • JWT token

  • Certificate

Bad bots can steal or misuse these authentication credentials and perform various kinds of cyberattacks such as credential stuffing and password spraying. In Citrix ADM, you can analyze such unusual logon activities for APIs.

Using the API Abuse indicator, as an administrator, you can analyze whether bad bots have attempted to take over the target resource by using the API authentication.

Under Event Details, you can view:

  • The affected application. You can also select the application from the list if two or more applications are affected with violations.

  • The graph indicating details such as total requests, successful logins, failed logins, and API abuse violations.

  • The violation occurrence time

  • The detection message for the violation, indicating the API authentication successful and failure attempts.

  • The bad bot details. Click to view details such as time, client IP address, total successful logins, total failed logins, and total requests made from that IP address.

Keystroke and mouse dynamics based bot detection

Over 35 percent of web traffic comprises bots, and these bots can perform various tasks at a faster rate than humans. In some scenarios, bots are also involved in tasks that require input from a keyboard and mouse.

For example, only a human is expected to type a password to access a secured resource. Bots can be involved in attacks such as account takeover by automatically supplying credentials and trying multiple combinations faster than humans. Apart from violations (Account Takeover, Excessive Client Connections, and so on), Citrix ADM also enables you to detect and get insights on bots based on keystroke and mouse dynamics.

Prerequisites

  • Enable bot insight.

  • Configure the following in Citrix ADC instance:

     add/set bot profile <name> -KMDetection ( ON | OFF )

     bind bot profile <name> -KMDetectionExpr -name <string> -expression <expression> -enabled ( ON | OFF ) -comment <string>

     add/set bot profile <name> -KMJavaScriptName <string>

     set bot profile <profile_name> -KMEventsPostBodyLimit 8192K
    
  • Add bot policy and bind bot policy to a virtual server.

  • Ensure that the Keystroke and Mouse Dynamic based bot detection option is selected in the behavior check profile. For more information, see Configure Behavior Check Profile.

After you configure the prerequisites, the Keystroke and Mouse dynamic based bot detection indicator in Citrix ADM enables you to view the bots detected through their keystroke and mouse dynamics.

Under Event Details, you can view:

  • The affected application. You can also select the application from the list if two or more applications are affected with this violation.

  • The graph indicating the potential bot details.

  • The detection message, indicating the potential bot sessions detected. Click the number under View potential bot sessions to view details, including the bot type and bot category. For more information, see Bot detection.
