Hostile Bot Detection / LWCSI
For detecting hostile bots, Link11 WAAP uses a multi-layered mechanism, collectively known as "bot challenges". Its results are shown to admins in the "challenges" metric in L11WAAP's analytics; for a discussion of how challenges impact traffic statistics, see here and here.
Bot challenges mitigate threats based on the requestor's identity and environment. When L11WAAP receives the first request from a previously unknown traffic source (below described as the "user"), this is the typical process that is followed.
L11WAAP challenges the user's browsing environment. L11WAAP uses a variety of proprietary, multi-faceted techniques to verify that this requestor is a human using a browser, instead of a bot using a headless browser or emulator. (For more detailed information, see Environmental detection and browser verification.)
If the challenge is not passed, the request is suspected to be a bot, and another challenge is issued. This process continues until a challenge is passed, or a threshold is reached (e.g., via a Dynamic Rule) to ban the requestor.
If the challenge is passed, the browser's session is authenticated, and the browser receives cookies from L11WAAP.
The browser then automatically resubmits the original request, but this time, the cookies are included. The user is granted access to the requested URL, resources, etc.
Subsequent requests will also include the cookies, and thus, they are not challenged.
This process happens quickly (in a few milliseconds), and is invisible to the user.
Much of the challenge process is based on a variety of methods, collectively known as Link11 WAAP Client Side Inspection (LWCSI). It detects bots via a multi-layered approach, described on the following pages:
Lastly, in addition to the LWCSI mechanisms described above, L11WAAP also includes Interactive Challenges.
Last updated
Was this helpful?