API Abuse Prevention ¶
The API Abuse Prevention module of the Wallarm platform delivers detection and mitigation of bots performing API abuse like credential stuffing, fake account creation, content scraping and other malicious actions targeted at your APIs.
Automated threats blocked by API Abuse Prevention¶
The API Abuse Prevention module detects the following bot types by default:
During the API abuse profile setup, you can configure the API Abuse Prevention module to protect from all types of bots or limit protection only for specific threats.
How API Abuse Prevention works?¶
The API Abuse Prevention module uses the complex bot detection model that involves ML-based methods as well as statistical and mathematical anomaly search methods and cases of direct abuse. The module self-learns the normal traffic profile and identifies dramatically different behavior as anomalies.
API Abuse Prevention uses multiple detectors to identify the malicious bots. The module provides statistics on what detectors were involved in marking the ones.
The following detectors may be involved:
Request interval analyzing the time intervals between consecutive requests to find lacks the randomness which is the sign of bot behavior.
Request uniqueness analyzing the number of unique endpoints visited during a session. If a client consistently visits a low percentage of unique endpoints, such as 10% or less, it is likely that it is a bot rather than a human user.
Request rate analyzing the number of requests made in a specific time interval. If an API client consistently makes a high percentage of requests over a certain threshold, it is likely that it is a bot rather than a human user.
Bad user-agent analyzing the
User-Agentheaders included in requests. This detector checks for specific signatures, including those belonging to crawlers, scrapers, and security checkers.
Outdated browser analyzing the browser and platform used in requests. If a client is using an outdated or unsupported browser or platform, it is likely that it is a bot rather than a human user.
Suspicious behavior score analyzing usual and unusual business logic API requests taken during a session.
Business logic score analyzing usage of the critical or sensitive API endpoints within the context of your application behavior.
Wide scope analyzing breadth of IP activity to behaviorally identify crawler-like bots.
As a result of detectors' work, every detected bot obtain confidence percentage: how sure we are that this is a bot. In each bot type, detectors have different relative importance / number of votes. Thus, the confidence percentage is the votes gained out of all possible votes in this bot type (provided by detectors that worked).
If one or several detectors point to bot attack signs, the module denylists or graylists the source of the anomaly traffic for 1 hour. Wallarm counts bot IPs that were deny- and graylisted within 30 days and displays how many percents these amounts increased or decreased compared to the previous 30 day period.
The solution deeply observes traffic anomalies before attributing them as malicious bot actions and blocking their origins. Since metric collection and analysis take some time, the module does not block malicious bots in real-time once the first malicious request originated but significantly reduces abnormal activity on average.
Activating API Abuse Prevention¶
The API Abuse Prevention module in the disabled state is delivered with all forms of the Wallarm node 4.2 and above including the CDN node.
To activate API Abuse Prevention:
Make sure that your traffic is filtered by the Wallarm node 4.2 or later.
In Wallarm Console → API Abuse Prevention, create or enable at least one API Abuse profile.
Access to API Abuse Prevention settings
Only administrators of your company Wallarm account can access the API Abuse Prevention section. Contact your administrator if you do not have this access.
You can configure how strictly the signs of a malicious bot are monitored and thus control the number of false positive detections. This is set with the Tolerance parameter within API Abuse profiles.
There are three available levels:
Low tolerance to bots means LESS bots access your applications, but this may block some legitimate requests due to false positives.
Normal tolerance uses optimal rules to avoid many false positives and prevent most malicious bot requests from reaching APIs.
High tolerance to bots means MORE bots access your applications, but then no legitimate requests will be dropped.
Reaction to malicious bots¶
You can configure API Abuse Prevention to react to malicious bots in one of the following ways:
Add to denylist: Wallarm will denylist bots' IPs for the selected time (default value is
Add for a day- 24 hours) and block all traffic these IPs produce.
Add to graylist: Wallarm will graylist bots' IPs for the selected time (default value is
Add for a day- 24 hours) and block only requests originating from these IPs and containing the signs of the following attacks:
Only monitor: Wallarm will display the detected bot activity in the Events section but will add the bot's IP neither to deny- nor to graylist.
From such events details, you can quickly block the bot with the Add source IP to denylist button. The IP is added to the denylist forever, but in the IP Lists section you can delete it or change the time of staying in the list.
Exploring malicious bots and their attacks¶
You can explore the bots' activity in the Wallarm Console UI as follows:
Explore malicious bots in the IP lists section
View API abuse performed by bots in the Events section
An exception list is a list of IP addresses, subnets, locations and source types that are known to be associated with legitimate bots or crawlers, and are therefore exempt from being blocked or restricted by the API Abuse Prevention module.
You can add IP addresses to the exception list in advance or if they have already been mistakenly flagged as being associated with malicious bot activity. Learn how to work with exception list →