
Advanced Bot Protection 5-11-2023

The document provides an overview of how Advanced Bot Protection works, including how it analyzes HTTP requests, communicates with the CloudWAF, challenges clients, and fingerprints browsers to determine if traffic is from a bot or human. It also discusses how legitimate users are still allowed through the identification process.

Uploaded by

Alexis Barreto

Understanding How Advanced Bot Protection Handles Traffic


A simplified explanation of how Advanced Bot Protection works is presented here.

The basic architecture of a web application and its connection to the outside world is presented below.

Your web application on the right is connected to the outside world via the Imperva CloudWAF.

Traffic flows from the client machines via the CloudWAF. CloudWAF forwards HTTP requests from the client to the web
application, and forwards the returning traffic from the web application back to the client.

Now the Advanced Bot Protection service is enabled for you.

The Advanced Bot Protection service communicates only with CloudWAF. CloudWAF receives an HTTP request
from the client, and the Advanced Bot Protection service then inspects the request header in order to
determine the source of the request: human or bot. The Advanced Bot Protection service analyzes the request header
and, based on the result of that analysis, sends an instruction back to CloudWAF. It is CloudWAF that carries out the
instruction regarding the HTTP request. If instructed to block the request, it is CloudWAF that blocks the request. If
instructed to serve a captcha page to the client, it is CloudWAF that serves the captcha page, and so on.

The full process is summarized in the images below.

1. The client sends an HTTP request to the web application.
2. The Advanced Bot Protection service inspects the request header.
3. The Advanced Bot Protection service analyzes the request, comparing its data to Conditions in your Policy, and
sends its instruction to CloudWAF.
4. CloudWAF acts on the instruction from the Advanced Bot Protection service, allowing the request through, or
blocking it, or taking some other action.
5. CloudWAF additionally sends the web application's HTML page to the client, with its embedded JavaScript tag.

6. The script on the client sends a challenge request.
7. CloudWAF sends that request on to the Advanced Bot Protection service.
8. The Advanced Bot Protection service responds by sending the JavaScript to the client.

9. The client's browser executes the JavaScript, which interrogates the client's machine and browser,
fingerprints it, and sends the fingerprint to the Advanced Bot Protection service.
10. The Advanced Bot Protection service analyzes the fingerprint, comparing its richer data to the Conditions in
your Policy, and sends a token to the client via CloudWAF.
11. CloudWAF acts on the instruction from the Advanced Bot Protection service, allowing the request through, or
blocking it, or taking some other action.
12. The client then stores the token as a cookie.

Notes:

◦ If a bad bot does not support JavaScript (and some do not), it will be unable to run the initial
script, and that inability is recognized by Advanced Bot Protection.

Sometimes, legitimate users appear like bots that do not support JavaScript. For example, if a user
has a very slow connection, or is using a browser extension to block most JavaScript files, that
user's traffic will appear like that of a bot that does not support JavaScript. In these cases, the
Identify Directive redirects the user to an identification page. A bot is stopped right there. A
legitimate user's browser processes the JavaScript as above and is allowed through. Should a user
run a browser extension that blocks the JavaScript file, they will eventually see a message on the
Identify page informing them of such. Most users that run these browser extensions recognize what
they are doing and then allow the JavaScript to continue browsing your site.

◦ If a bad bot does support JavaScript, Advanced Bot Protection's browser automation
detection detects and flags that bot.
◦ The fingerprinting in step 9 and any requests after step 12 above can be understood with the
following analogy. A young person entering a club with an age limit has to show ID. Security
checks the person's ID and allows entry based on age. But the security guard also marks the
young person's arm with an indelible ink stamp. The stamp is like a request with a cookie.

Now a malicious user can tamper with the browser payload returned by the challenge response.
This is like a young person forging their ID card. This is mitigated by Advanced Bot Protection's bad
challenge postback Condition.

A malicious user can also tamper with the cookie. This is like a young person faking the stamp. This
is mitigated by Advanced Bot Protection's invalid token Condition.

Genuine user traffic does not match either of the above two Conditions, so your Policies should
block access when either of them is matched.
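
The ink-stamp half of the analogy above, sketched as an added example (not Imperva's code or token format): an HMAC-signed token is issued after fingerprint analysis, and the cookie on each later request is mapped to a directive. The key, token layout, lifetime, condition names and the choice to re-challenge an expired token are assumptions made for illustration.

```python
import base64, hashlib, hmac, json

SECRET = b"constructed-demo-key"   # assumption: known only to the bot-protection service
TOKEN_TTL = 3600                   # assumption: token lifetime in seconds

def _sign(body: bytes) -> bytes:
    return hmac.new(SECRET, body, hashlib.sha256).hexdigest().encode()

def issue_token(fingerprint: dict, now: int) -> str:
    """Step 10: after analyzing the fingerprint, issue a token bound to it."""
    fp = hashlib.sha256(json.dumps(fingerprint, sort_keys=True).encode()).hexdigest()
    body = json.dumps({"fp": fp, "exp": now + TOKEN_TTL}).encode()
    return base64.urlsafe_b64encode(body).decode() + "." + _sign(body).decode()

def token_condition(cookie, now: int) -> str:
    """Classify the cookie on a later request: valid, no_token or invalid_token."""
    if not cookie:
        return "no_token"
    try:
        b64, sig = cookie.rsplit(".", 1)
        body = base64.urlsafe_b64decode(b64.encode())
        if not hmac.compare_digest(_sign(body), sig.encode()):
            return "invalid_token"          # the faked stamp
        claims = json.loads(body)
    except ValueError:                      # malformed cookie or bad base64
        return "invalid_token"
    # Assumption: an expired token is re-challenged rather than blocked.
    return "valid" if claims["exp"] >= now else "no_token"

def directive(cookie, now: int) -> str:
    """Policy: genuine traffic never presents an invalid token, so block it."""
    return {"valid": "allow", "no_token": "identify",
            "invalid_token": "block"}[token_condition(cookie, now)]

if __name__ == "__main__":
    # Constructed sample fingerprint and timestamps.
    tok = issue_token({"ua": "ExampleBrowser/1.0", "screen": "1920x1080"}, now=1000)
    forged = base64.urlsafe_b64encode(b'{"fp": "x", "exp": 9999999999}').decode() \
        + "." + tok.rsplit(".", 1)[1]
    for label, c in [("genuine", tok), ("none", None), ("forged", forged)]:
        print(label, "->", directive(c, now=1500))
```

The challenge postback check is not modeled here; only the token side of the analogy is.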

Note: If you want to use Imperva Advanced Bot Protection, but you do not want it integrated with
Imperva CloudWAF, you can use a different Integration known as a Connector, instead of
CloudWAF. Currently, Advanced Bot Protection can be integrated with the following Connectors:

• Cloudflare
• F5
• Lambda@Edge on AWS Cloudfront
• Nginx
• Fastly
