This topic discusses Incapsula's mitigation capabilities for automated threats.
Automated threats are characterized by unwanted, automated actions that have a detrimental effect on a web application, often through the misuse of legitimate functionality, rather than by attempting to exploit unmitigated vulnerabilities. These threats are further discussed here: https://www.owasp.org/index.php/OWASP_Automated_Threats_to_Web_Applications .
Automated threats are often carried out by the malicious use of bots. A bot is generally defined as an application that performs an automated task, typically a simple, repetitive task performed at a much higher rate than people performing these tasks manually could achieve.
Bots can be categorized as follows:
- Good bots are used for productive purposes, such as for gathering data for search engines (googlebot), for commercial purposes (finding you the best deal), or for chatbots (customer service).
- Bad bots are used for malicious purposes, such as to automate attacks such as denial-of-service attacks, to buy up seats for shows or concerts, or to sabotage gaming sites.
Who are you?
To mitigate automated threats, we first ask the question, "Who are you?". Incapsula's bot protection solution is based on identifying the threat according to our system of client classification.
Incapsula’s unique classification technology can tell whether your website visitors are humans or bots. Our client database holds an extensive list of botclassifications and can identify the specific type of bot visiting your website.
Based on the classification, we can categorize the bot as good, bad, or unidentified. Unidentified bots are ones for which we don't have a classification and are not listed in our client database. By default, we treat an unidentified bot as suspicious because it is an unknown, but it may be harmless. For the list of the clients and client type categories that Incapsula addresses, see Client Classification.
Once we have categorized the bot, we are ready to decide whether to challenge suspicious visitors and verify their authenticity, alert you of suspicious activity, or block requests that pose a threat to your website.
As a customer, you can easily configure bot mitigation options in the Management Console:
- define an access control policy
- customize the list of good/bad bots
- define exceptions
- block specific sources (countries, URLs, IPs)
For more details, see Web Protection - Security Settings.
What are you trying to do?
Incapsula also provides protection against automated threats that are characterized not by the tool used but by intent or actions, such as service abuse.
To mitigate these threats, we ask the question, "What are you trying to do?".
For example, requests from a browser can be legitimate or malicious. Consider a brute force attack, in which a large number of consecutive "guesses" are generated in order to obtain some desired data, such as login credentials. So even if we determine that the client/source of the request is seemingly legitimate, the goal of the action is not. To protect against such an account takeover attack, in which there is an attempt to gain unauthorized access to and control of an account, you can create customized rules (IncapRules) for your web applications.
|Threat||What does it do?||Incapsula mitigation|
|Vulnerability scanning||Inspects applications looking for weaknesses and possible vulnerabilities to exploit.||
Block bad bots (enabled by default).
For example ShellShock vulnerability scanner or Qualys scanner.
|Distributed denial of service (DDoS) attacks||Target an application in order to make it unavailable to legitimate users or purposes.||
Stop DDoS attacks (enabled by default)
Identify valid login credentials by trying different values for usernames and/or passwords, such as brute force attacks used against authentication processes of an application.
Configure custom rules:
Malicious, questionable, undesirable, or unsolicited information added to public or private content, databases, or user messages.
|Scraping||Collect application content and/or other data for use elsewhere.||
Configure custom rules: