Bot Mitigation

IO River's bot mitigation feature provides intelligent protection against automated bot traffic, ensuring that only legitimate human users can access your content and APIs. This security mechanism is configured once, and is integrated seamlessly into your CDN providers.

Overview

Bot mitigation can:

  • Protect access to specific web pages (requires no change to your application)
  • Protect access to specific page actions / API requests (requires integration with your frontend code)

When a request matches the configured rule parameters, the CDN will validate that the client is not a bot before allowing access to the requested resource. This challenge-response mechanism happens transparently at the edge, protecting your origin servers and intellectual property from bot traffic, while minimizing impact on legitimate users.

Protecting an entire page is simple and requires no integration with your application, but it has one downside: whenever the page is loaded for the first time during the user's session, the interaction is checked for bot activity. Conversely, protecting a page action requires more integration. For example, if the page is displaying the shopping cart, you might want to protect just the press of the Buy button rather than the entire page.

The default behavior is non-interactive: after validating that the user is not a bot, which takes a short time, the request is usually forwarded to the origin automatically. You can change this behavior per rule, from fully interactive (users are always required to answer a challenge) to non-interactive (users are given a second chance to prove they are human). The default challenge behavior is a good balance between keeping user activity uninterrupted and still not blocking legitimate users.

Bot mitigation can be applied in:

  • Custom Rules: Apply bot detection to specific traffic patterns or endpoints
  • Rate Limiting Rules: Combine bot validation with rate limiting for enhanced protection

Protecting Entire Pages

How It Works

When bot mitigation is enabled for a web page:

  • The WAF engine evaluates incoming requests against your configured rule parameters (e.g. URL path is /login.html) for a rule whose action is CHALLENGE
  • Requests matching the criteria trigger a bot validation challenge
  • Typically, this validation takes a short time and does not require client interaction
  • If the validation result is lower than a pre-configured threshold, the WAF engine presents the client with an interactive puzzle
  • The client must successfully complete the validation to prove it's a legitimate browser
  • Once validated, either silently or through an interactive puzzle, the request is allowed to proceed
  • Failed validation attempts are blocked at the edge

This approach provides robust protection against various types of automated threats, including scrapers, credential stuffing attacks, and DDoS attempts, while maintaining a smooth experience for real users.

If you need added protection, you can set the rule action to INTERACTIVE-CHALLENGE which always presents the client with an interactive puzzle.

Configuring Bot Mitigation

Create a custom rule or a rate limiting rule:

  • Go to the SECURITY > WAF page and select the Custom Rules tab, or go to the SECURITY > RATE LIMITING page
  • Click CREATE to open the Create Custom rule dialog
  • Define the parameters that trigger the rule
  • Select CHALLENGE or INTERACTIVE-CHALLENGE as the action

Monitoring Bot Mitigation

Activity of the bot challenge can be seen in the Security Analytics page:

  • The Challenge Invoked value indicates how many page requests caused a bot mitigation challenge to take place
  • Add a filter on the Action to show challenge invocations over time (you can do that from the Action top-table)

Protecting Page Actions / API requests

How it Works

To protect a specific page action, you will need to:

  • Integrate the IO River bot-mitigation JavaScript code into your frontend page code
  • Add headers that identify the action you want to protect (e.g. the Buy action) and a key that identifies your service (as an added precaution)
  • Create a custom rule or rate limit that activates the bot-mitigation challenge when the relevant API request is called

Adding Bot-mitigation Code to your Frontend Page

Add the following code to your page HTML head:

<script src="https://challenge.ioriver.io/challenge/v0/api.js?webSiteKey=:webKey:"></script>

Alternatively, add the following code (or similar) to your application:

// Load the IO River bot-mitigation script; it exposes window.iorbot once loaded
const script = document.createElement("script");
script.src = "https://challenge.ioriver.io/challenge/v0/api.js?webSiteKey=:webKey:";
document.head.prepend(script);

Replace :webKey: with the Key ID for your service, which you can find in the IO River console at the SECURITY > BOT MANAGEMENT page.

Add a call to iorbot.execute to create a token with the bot score, and then add two headers to your API request:

  • The token as X-IOR-ACTION-TOKEN header
  • The action name as X-IOR-ACTION header

For example, if your code activates your API like this:

let resp = await fetch('/api/...', { method: 'POST' });
...

Replace it with:

// Obtain a token carrying the bot score for this action, then send it
// with the action name so the custom rule can evaluate the request
let token = await window.iorbot.execute(':action:');
let resp = await fetch('/api/...', {
  method: 'POST',
  headers: {
    'X-IOR-ACTION-TOKEN': token,
    'X-IOR-ACTION': ':action:'
  }
});
...
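The snippet above shows the two headers for a single call. The following helper is an added example, not IO River's own code, that wraps the same steps so every protected call attaches the headers consistently and copes with the api.js script not having finished loading when the user clicks. It assumes the script from the previous section is on the page and exposes window.iorbot.execute(action); the helper names (withActionHeaders, waitForBot, protectedFetch), the "buy" action name and the /api/buy/ path are made up for this example.

```javascript
// Added example (not IO River's own code). Assumes the IO River api.js script
// has been added to the page and exposes window.iorbot.execute(action).
// withActionHeaders, waitForBot, protectedFetch, the "buy" action and the
// /api/buy/ path are hypothetical names chosen for this example.

// Merge the bot-token headers into a fetch() init object. Kept synchronous
// and free of browser APIs so it can be tested outside a browser. Assumes
// init.headers is a plain object (not a Headers instance).
function withActionHeaders(action, token, init = {}) {
  if (typeof token !== "string" || token.length === 0) {
    // A request without a token would simply be blocked by the custom rule;
    // fail early so the UI can report the problem instead.
    throw new Error(`no action token available for action "${action}"`);
  }
  return {
    ...init,
    headers: {
      ...(init.headers || {}),
      "X-IOR-ACTION-TOKEN": token,
      "X-IOR-ACTION": action,
    },
  };
}

// api.js is loaded asynchronously, so window.iorbot may not exist yet when
// the user clicks. Poll for it briefly rather than calling undefined.execute
// and losing the click.
function waitForBot(getBot, timeoutMs = 5000, intervalMs = 50) {
  return new Promise((resolve, reject) => {
    const deadline = Date.now() + timeoutMs;
    const poll = () => {
      const bot = getBot();
      if (bot && typeof bot.execute === "function") {
        resolve(bot);
      } else if (Date.now() >= deadline) {
        reject(new Error("bot-mitigation script did not load in time"));
      } else {
        setTimeout(poll, intervalMs);
      }
    };
    poll();
  });
}

// fetch() replacement for protected actions. deps lets tests inject a fake
// bot object and fetch; in the browser the defaults pick up the globals.
async function protectedFetch(action, url, init = {}, deps = {}) {
  const getBot = deps.getBot || (() => globalThis.iorbot);
  const fetchFn = deps.fetchFn || globalThis.fetch;
  const bot = await waitForBot(getBot, deps.timeoutMs);
  const token = await bot.execute(action); // token carries the bot score
  return fetchFn(url, withActionHeaders(action, token, init));
}

// Browser usage, e.g. inside the Buy button's click handler:
//   const resp = await protectedFetch("buy", "/api/buy/", {
//     method: "POST",
//     headers: { "Content-Type": "application/json" },
//     body: JSON.stringify(cart),
//   });
```

The action string passed to protectedFetch must match the :action: name configured in the custom rule, and the URL must fall under the path condition of that rule; otherwise the token is issued but the rule never evaluates it.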

Creating a Custom Rule

Create a custom rule or a rate limiting rule:

  • Go to the SECURITY > WAF page and select the Custom Rules tab, or go to the SECURITY > RATE LIMITING page
  • Click CREATE to open the Create Custom rule dialog
    • Define the conditions under which to apply the bot mitigation
      • Conditions that identify the action, probably based on the URL Path, e.g. URL Path begins with /api/buy/
      • And a condition on the minimum bot score, probably Action Token Score greater than 0.5, providing the :action: name as you defined in your code
    • Select the action BLOCK

Monitoring Bot Mitigation

Activity of the bot challenge can be seen in the Security Analytics page:

  • Add a filter on the Action to show challenge invocations over time (you can do that from the Action top-table)