
Web Application Firewall:Bot management (new)

Last Updated:Nov 21, 2025

Enable Bot Management if your business is affected by automation tools such as scripts or emulators. These tools can cause website data scraping, business fraud, dictionary attacks, spam registration, malicious scalping, promotion abuse, and abuse of text message APIs. Bot Management helps you create targeted bot mitigation policies based on traffic analysis data. This protects your core data assets, mitigates risks in marketing campaigns, and reduces server bandwidth costs and load.

A new version of Bot Management is being rolled out. This topic describes the new version. For information about the previous version, see Bot management (Previous version). You can identify the version in the WAF console by checking the style of Protection Configuration > Bot Management in the navigation pane on the left:

  • Previous version of Bot Management: [screenshot of the navigation pane]

  • New version of Bot Management: [screenshot of the navigation pane]

Function Introduction

Bot Management provides the following features to help you quickly detect bot traffic, defend against scraping threats, and prevent your business data from being scraped.

  • Traffic Analytics: You can view risk data for your APIs in the traffic analysis section without enabling Bot Management. This data includes traffic trends and information about high-risk clients, which helps you quickly identify and locate potentially vulnerable APIs. After you purchase the official version of Bot Management, you can view more detailed data. This helps O&M engineers detect unusual traffic and configure more fine-grained mitigation policies. For more information, see View Bot Management traffic analysis.

  • Web Protection/App Protection: Provides fine-grained protection for web and app scenarios. You can use the default mitigation policy of the Bot Management module to protect your services. For the best protection, continuously analyze rule hits and adjust the corresponding protection actions. For more information, see Use Bot Management to protect web services and Use Bot Management to protect app services.

  • Advanced Custom Rules: You can create custom access control rules, frequency control rules, and rule categorizations to defend against requests that match specific criteria. Advanced custom rules support a wider range of match conditions, such as Client ID, JA3/JA4 fingerprints, and information collected by the web or app software development kit (SDK). These rules also support conditional deduplication for statistics. For more information, see Advanced custom rules.

Prerequisites

  • Web services are added to WAF on the Onboarding page. For more information, see Website configuration overview.

  • To create a scenario-based mitigation template for app protection, you must integrate the SDK into the target app. For more information, see SDK integration guide.

Enable Bot Management

  1. Log on to the WAF 3.0 console. In the top navigation bar, select the resource group and region of the WAF instance. You can select Chinese Mainland or Outside Chinese Mainland.

  2. In the left-side navigation pane, choose Protection Configuration > Bot Management.

  3. Enable Bot Management.

    • Request a free trial

      On the Web Protection, App Protection, or Advanced Custom Rules page, click Apply for 7-day Free PoC. In the 7-day Free Trial dialog box, click OK.

      Important
      • You can request a free trial of Bot Management for WAF Pro, Enterprise, and Ultimate editions.

      • Each UID is eligible for one 7-day free proof of concept (POC). After 7 days, your bot policy configurations are automatically deleted. If you want to retain the data from the trial period and continue using Bot Management, purchase the official version before the trial ends.

    • Purchase the official version of Bot Management

      1. On the Web Protection, App Protection, or Advanced Custom Rules page, click Purchase Now.

      2. On the Purchase Now panel, select Bot Management - Web Application Protection or Bot Management - App Protection, and complete the payment.

Bot Management sequence diagrams

JavaScript Challenge sequence diagram

  1. The client initiates a request that hits a rule that has the JavaScript Challenge action.

  2. WAF returns an HTML page that contains the JavaScript Challenge generation algorithm.

  3. The browser loads the JavaScript Challenge HTML page, generates encrypted parameters, adds them to a cookie, and resends the request.

  4. WAF receives the resent request and verifies the parameters:

    • If the parameters are correct, the request is considered to be from a normal user. The request is forwarded to the origin server, and the actual response is returned.

    • If the client does not include the cookie inserted by the JavaScript Challenge or the cookie value is incorrect, the request is considered to be from a script. WAF returns the JavaScript Challenge page again.

Dynamic token sequence diagram

  1. The client initiates a request that hits a rule that has the dynamic token action.

  2. WAF returns an HTML page with a dynamic token to the client.

  3. The browser loads the dynamic token HTML page, generates encrypted parameters, adds them to the request URL, and resends the request.

  4. WAF receives the resent request and verifies the parameters:

    • If the parameters are correct, the request is considered to be from a normal user. The request is forwarded to the origin server, and the actual response is returned.

    • If the client does not include the parameters or the parameters are incorrect, the request is considered to be from a script. WAF returns the dynamic token page again.