Bot Defense

This guide provides instructions on how to quickly protect an application page from automated traffic (bad bots) using Bot Defense with the iApp Connector. The instructions explain the steps and input fields that are required to configure a basic test system. For more complex iApp Connector configurations, see the iApp Connector documentation.

overview
Figure: Steps to Deploy Bot Defense

Note: If you host your application pages on a content delivery network (CDN), see https://docs.cloud.f5.com/docs/how-to/advanced-security/bot-defense#connectors for configuration instructions for supported CDNs.

Plan Your Bot Defense Deployment

Complete the following tasks to plan your Bot Defense deployment.

Step 1: Meet the prerequisites.

To enable and configure Bot Defense, you must have the following accounts and permissions:

  • A valid XC Console account. For information, see Create a Distributed Cloud Console Account.
  • An Organization plan. To see plan information, from the XC Console Home page, click Billing.
  • To manage protected applications, you must have a ves-io-developer-role or higher in system and application namespaces.
  • To access the Bot Defense Monitor page, you must have a ves-io-monitor-role or higher.

Step 2: Choose an application page to protect.

Make the following decisions to help you protect your first application page.

  • Decide what application page you want to protect with Bot Defense. For your initial system testing, F5 recommends that you protect a web-based entry page, such as a login page that users typically reach when they first visit your website. You must know the host name and path for the application page you choose.
  • Decide which HTTP methods you want to monitor. You can monitor requests for GET, POST and PUT methods.

Next Steps

Enable Bot Defense in the XC Console. For information, see Enable Bot Defense.

Enable Bot Defense

To use Bot Defense, you must first enable it in the XC Console.

To enable XC Bot Defense:

  1. On the XC Console Home page, click Billing.
  2. Click Manage > Billing Plan and scroll to the Organization Plan.
  3. Under the Organization Plan, click Bot Defense. If Bot Defense is not already enabled, the Bot Defense landing page appears.

    Note: If Bot Defense is already enabled, the Bot Defense Monitor page appears.

  4. From the Bot Defense landing page, click Request Service.

Next Steps

Use an iApp template to configure Bot Defense. For information, see Configure Bot Defense.

Configure Bot Defense

To configure Bot Defense, complete the following tasks:

  1. Create a protected application in the XC Console and then download the latest version of the iApp Connector template.
  2. Import the iApp template into BIG-IP.
  3. Complete required initial configuration of the iApp template.
  4. Complete configuration of the iApp template.

Step 1: Create a protected application and download the iApp Connector template

  1. Log on to the XC Console. From the Dashboard page, select Bot Defense.
  2. Verify that you are in the correct namespace. For information about namespaces, see https://flatrender.tora.reviews/docs/ves-concepts/core-concepts#namespaces.
  3. Select Add Application.
    add application
    Figure: Add Application
  4. Add a Name and Description for the protected application.
  5. Select the region: US, EU, Asia.
  6. From the Connector Type drop-down list, select F5 BIG-IP iApp.
  7. Select Save and Exit.
  8. From the Action column in the list of protected applications, click the Action Menu next to the application you just added and click Download Template. Save the template in a location you can access later.
    download
    Figure: Download iApp Template

Step 2: Upload the iApp Template to BIG-IP

The following procedure explains how to import the iApp Connector Template into BIG-IP and create a new application.

  1. Log on to the BIG-IP instance where you want to add your application.
  2. In BIG-IP, click iApps > Templates > Import.
    iapp import
    Figure: Import iApp Template
  3. Click Choose File and navigate to the location where you saved the template you downloaded above.
  4. Select the template you want to import and click Open.
  5. Click Upload and then click OK to confirm.

Step 3: Perform the Required Initial Configuration of a New Application

When you use the Bot Defense iApp template to create a new application in BIG-IP, you must perform the following required initial configuration steps before you configure any additional settings.

  1. In BIG-IP, click iApps > Application Services > Applications and then click Create.

  2. Enter a Name for the new application. The name cannot contain any spaces or special characters.

  3. From the Template drop down, select f5.ibd.cs.

  4. In the One-Time Install/Upgrade Setup section, select No, I will click the FINISHED button now and then review the information in the Important section.

    Important: Do not make any other configuration changes before you click Finished. You can make only configuration changes after you click Finished.

    finished
    Figure: Finished drop-down menu
  5. Scroll to the bottom of the page and click Finished.

    finished button
    Figure: Finished button

Step 4: Configure the iApp Template

  1. In the BIG-IP that hosts your new application, click iApps > Application Services > Applications.

  2. From the list of applications, click the name of your new application.

  3. Click Reconfigure.

    reconfigure
    Figure: Reconfigure

  4. In the JavaScript Injection Configuration section, enter the path or URL where clients can access the F5 Client JavaScript tags to insert in your application.

    Enter a simple path that starts with / or a complete URL, such as https://example.com/customer1.js.

    Note: By default, Bot Defense automatically injects JavaScript tags in all pages.

    javascript injection configuration
    Figure: JavaScript Injection Configuration
  5. In the F5 XC Bot Defense Protected Endpoints Configuration section, specify an application page from your web application to protect.

    a. The Mitigation Handler field is informational only. Do not make changes to this field.

    b. In the Host field, enter the host domain of your web application. For example, enter identity.<your domain>.com.

    c. In the Path field, enter the path to the page you want to protect. For example, enter /login/.

    d. Choose the HTTP Methods that you want to monitor for this web application. Select Yes for at least one of the following methods:

    • ANY: Select Yes to protect the path with any type of method. Select No to limit protection to only certain methods.
    • GET (XHR): Select Yes to protect the path when it has a GET (XHR) method.
    • POST: Select Yes to protect the path when it has a POST method.
    • PUT: Select Yes to protect the path when it has a PUT method.

    Important: For best performance, F5 recommends that you monitor specific HTTP methods and that you set the ANY option to No.

    e. In the Action drop-down menu, select Continue. This setting allows requests to continue to the origin. You can select Block or Redirect mitigation actions after you confirm that Bot Defense is properly configured.

    endpoint config
    Figure: Endpoint Configuration

  6. In the Application Virtual Servers section, select the application virtual servers that you want to assign to your iApp. Your iApp does not run if it is not assigned to at least one virtual server.

    You must know the following about selecting a virtual server:

    • The virtual server you select must have an HTTP profile attached to it.

    • The virtual server you select must have a default pool attached to it.

    • F5 recommends that each protected server have a Client SSL profile and SNAT profile, but these are not required.

    Note: You create virtual servers in BIG-IP. For information, see your BIG-IP documentation.

    iapp virtual server
    Figure: Application Virtual Server Configuration

    Note: Do not add the same virtual server to more than one iApp application.

  7. To save your configuration, click Finished.

Next Steps

When you finish configuring Bot Defense, test your deployment to make sure it is working as intended. For information, see Test your Bot Defense deployment.

Test your Bot Defense deployment

Perform the following tasks to help ensure that Bot Defense is properly configured and evaluating traffic correctly.

  • Open the application page you chose to protect. Use the developer tools in your browser or view the page source to inspect the page and confirm that Bot Defense has inserted the Bot Defense JavaScript tags with the query string parameters, ?matcher, ?cache, ?async.
    js injection
    Figure: JavaScript Injection
  • Review the Bot Defense dashboard to see the types of traffic identified by Bot Defense. From the Bot Defense Home page, click Overview > Monitor.
    • In the Protected Apps Overview widget, check that your protected application is listed and that the amount of traffic seems appropriate.

    • In the Traffic Overview widget, check that the level of human, good bot, malicious bot and other activity seems appropriate.

      widgets
      Figure: JavaScript Injection
    • Check if the traffic marked as malicious has a diurnal pattern which increases during the day and drops at night. This might indicate human traffic.

    • Look at the distribution of IP addresses and the countries they are from. Decide if this distribution looks like it comes from your normal user base.

    • Look at the User Agent field and decide if there are suspicious user agents present. You can also use this technique to identify wanted automation (good bots), such as test tools or SEO bots.

Next Steps

When you are ready to block or redirect automated traffic, see Configure Mitigation Actions

Configure Mitigation Actions

When you are sure that Bot Defense is configured properly, you can optionally configure mitigation actions so that automated traffic is either blocked or redirected.

  1. In the BIG-IP that hosts your application, click iApps > Application Services > Applications.
  2. From the list of applications, click the application you want to configure.
  3. Select the Reconfigure tab.
  4. In the section, F5 XC Bot Defense Protected Endpoints Configuration, from the Action drop-down menu, select one of the following options:
    • Redirect. The Bot is sent to a different page. You provide the URL where the Bot is redirected in the Define Mitigation Actions section.
    • Block. The Bot is presented with a message that it has been blocked. You provide the Response Code and Body of the response message in the Define Mitigation Actions section.
  5. When you finish making configuration changes, double-check your configuration settings and click Finished.

Next Steps

Now that you have protected a single webpage, checked to make sure the system is functioning properly and configured mitigations for the page, try adding additional protected endpoints.

For additional information about more advanced configuration steps, see the iApp Connector documentation.