API Abuse Prevention Setup ¶

This article describes how to enable and configure the API Abuse Prevention module to detect and mitigate malicious bots and to avoid blocking legitimate activities.

Enabling¶

The API Abuse Prevention module in the disabled state is delivered with all forms of the Wallarm node 4.2 and above including the CDN node.

To enable API Abuse Prevention:

Make sure that your traffic is filtered by the Wallarm node 4.2 or later.
Make sure your subscription plan includes API Abuse Prevention. To change the subscription plan, please send a request to sales@wallarm.com.
In Wallarm Console → API Abuse Prevention, create or enable at least one API Abuse profile.

Access to API Abuse Prevention settings

Only administrators of your company Wallarm account can access the API Abuse Prevention section. Contact your administrator if you do not have this access.

Creating profiles¶

API abuse profiles are used to configure how Wallarm's API Abuse Prevention detects and mitigates malicious bots. Each profile defines which applications should be protected from what type of bots, what should be the level of tolerance to that bots and what should be the reaction to their activities.

To create an API abuse profile:

In Wallarm Console → API Abuse Prevention, click Create profile.
Select applications to protect.
Select tolerance level.
If necessary, in the Protect from section, limit the types of bots to protect from.
Select the appropriate reaction to malicious bots.
If reaction is to add to deny- or graylist, set the time during which the IP will be in the list. Default value is Add for a day.
Set name and optionally description.

Once the API abuse profile is configured, the module will start the traffic analysis and blocking supported automated threats.

Exceptions for source IPs¶

To mark some IPs as associated with legitimate bots or crawlers to avoid blocking them by API Abuse Prevention, use the Exception list.

You add IP address or range to the exception list and specify target application: this causes that any requests from these addresses to the target application will not lead to marking these addresses as malicious bots and they will not be added to deny- or graylist by API Abuse Prevention.

There are two ways of adding IP addresses to the exception list:

From the API Abuse Prevention section → Exception list tab via Add exception. Here, besides IPs and subnets, you can add locations and source types that should be ignored by API Abuse Prevention.
From the Attacks section: use api_abuse search key or select API Abuse from the Type filter, then expand the required event and click Add to exception list.

When the IP address is added to the exception list, the address is automatically removed from deny- or graylist, but only if it was added there by API Abuse Prevention itself (has a Bot reason).

Blocking other attack types from IP

If an IP from the exception list produces other attack types, like brute force or input validation attacks and others, Wallarm blocks such requests.

By default, the IP is added to the exception list forever. You can change this and set time when the address should be removed from the exception list. You can also remove address from exceptions immediately at any moment.

The Exception list tab provides the historical data - you can view items that were presented in the list within the selected period of time in past.

Exceptions for target URLs and specific requests¶

In addition to marking good bots' IPs via exception list, you can disable bot protection both for URLs that the requests target and for the particular request types, for example, for the requests containing specific headers.

To do that, Wallarm provides the Set API Abuse Prevention mode rule (supported by nodes version 4.8 and above).

Creating and applying the rule

To disable bot protection for specific URL or request type:

Proceed to Wallarm Console → Rules → Add rule.
In If request is, describe the requests and/or URLs to apply the rule to.

To specify the URL, if you use the API Discovery module and have your endpoints discovered, you can also quickly create the rule for the endpoint using its menu.
In Then, choose Set API Abuse Prevention mode and set:
- Default - for the described scope (specific URL or request), the protection from bots will work in a usual way defined by common API Abuse Prevention profiles.
- Do not check for bot activity - for the described URL and/or request type, the check for bot activity will not be performed.
Optionally, in the comment, specify the reason of creating the rule for this URL/request type.

Note that you can temporarily disable the exception for the URL and/or request type without deleting the rule: to do that, select the Default mode. You can go back to Do not check for bot activity at any moment later.

Rule examples

Marking legitimate bot by its request headers

Suppose your application is integrated with the Klaviyo marketing automation tool having multiple IPs that send requests. So we set not to check for automated (bot) activities in GET requests from the Klaviyo/1.0 user agent for specific URIs:

Disabling protection from bots for testing endpoint

Let's say you have the endpoint that belongs to your application. The application should be protected from bot activities but the testing endpoint should be an exception. Also, you have your API inventory discovered the API Discovery module.

In this case it is easier to create rule from the API Discovery list of endpoints. Go there, find your endpoint and initiate rule creation from its page:

Disabling and deleting profiles¶

Disabled profiles are the ones that the API Abuse Prevention module does not use during traffic analysis but that are still displayed in the profile list. You can re-enable disabled profiles at any moment. If there are no enabled profiles, the module does not block malicious bots.

Deleted profiles are the ones that cannot be restored and that the API Abuse Prevention module does not use during traffic analysis.

You can find Disable and Delete options in the profile menu.