Additional Information on Enhanced HTTP (Layer 7) Mitigation

Enhanced mitigation is an additional filtering stage which takes place after signature (common attacks), semantic (invalid traffic) and rate limiting (high frequency) attack filtering. These filters are designed to recognise non-human traffic in a dynamic and flexible manner. Because the filters are generated dynamically, they are able to mitigate complex attacks and attacks that have never been seen before.

Unfortunately, due to the dynamic nature of these filters, they may suffer from a false detection rate of up to 5% (worst case). As such we recommend enabling them only as needed for additional protection, or configuring activation to occur only when traffic significantly exceeds normal requests-per-second rates.

Activation Methods

Activation refers to when the Enhanced filters will be used. If they are not used, the traffic will not be filtered by this layer.

Never Activate (Passive Only)

No traffic will be filtered by these filters.

High Load Activation

Filters will be activated when the global traffic rate to the "port" (site) being configured exceeds the threshold defined. This threshold is defined in terms of requests per second, excluding requests from any attackers currently banned. We recommend setting this to 2-3 times your normal peak request rate, but still less than your maximum capacity.
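The following is an added example (not the provider's code) of how the rate behind this threshold can be computed from an access log: requests are bucketed per second, clients that are already banned are excluded before counting, and the recommended threshold is derived as 2-3 times the normal peak while staying below capacity. The log lines, addresses, the 90% capacity margin and the function names are constructed for this illustration.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed access-log sample (Common Log Format). Addresses and timestamps
# are made up for this example; 198.51.100.7 plays the role of a banned client.
SAMPLE_LOG = """\
203.0.113.10 - - [01/Jan/2024:12:00:00 +0000] "GET / HTTP/1.1" 200 512
203.0.113.11 - - [01/Jan/2024:12:00:00 +0000] "GET /index.html HTTP/1.1" 200 512
198.51.100.7 - - [01/Jan/2024:12:00:00 +0000] "GET / HTTP/1.1" 403 70
198.51.100.7 - - [01/Jan/2024:12:00:00 +0000] "GET / HTTP/1.1" 403 70
198.51.100.7 - - [01/Jan/2024:12:00:00 +0000] "GET / HTTP/1.1" 403 70
203.0.113.12 - - [01/Jan/2024:12:00:01 +0000] "GET /app.js HTTP/1.1" 200 2048
203.0.113.10 - - [01/Jan/2024:12:00:01 +0000] "GET /style.css HTTP/1.1" 200 1024
198.51.100.7 - - [01/Jan/2024:12:00:01 +0000] "GET / HTTP/1.1" 403 70
"""

# Constructed ban list: clients the mitigation layer has already banned.
BANNED_CLIENTS = {"198.51.100.7"}

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3})'
)


def parse_log(text):
    """Yield (epoch_second, client_ip) for every parseable log line."""
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that do not match the expected format
        ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
        yield int(ts.timestamp()), m.group("ip")


def per_second_rates(events, banned):
    """Count requests per one-second bucket, ignoring clients already banned.

    Banned clients are excluded so that an attacker who is already blocked does
    not keep the global rate (and therefore the enhanced filters) elevated.
    """
    buckets = Counter()
    for second, ip in events:
        if ip in banned:
            continue
        buckets[second] += 1
    return buckets


def current_rate(text, banned):
    """Highest per-second request rate seen in the log, excluding banned clients."""
    return max(per_second_rates(parse_log(text), banned).values(), default=0)


def recommended_threshold(normal_peak_rps, capacity_rps, multiplier=2.5):
    """Threshold of 2-3x normal peak, capped below capacity (90% is an assumption)."""
    if not 2.0 <= multiplier <= 3.0:
        raise ValueError("multiplier should follow the 2-3x guidance")
    return min(multiplier * normal_peak_rps, 0.9 * capacity_rps)


def should_activate(text, banned, threshold_rps):
    """True when the unbanned request rate exceeds the configured threshold."""
    return current_rate(text, banned) > threshold_rps


if __name__ == "__main__":
    threshold = recommended_threshold(normal_peak_rps=1.0, capacity_rps=10.0)
    print("rate excluding banned:", current_rate(SAMPLE_LOG, BANNED_CLIENTS))
    print("rate including banned:", current_rate(SAMPLE_LOG, set()))
    print("threshold:", threshold, "activate:", should_activate(SAMPLE_LOG, BANNED_CLIENTS, threshold))
```

In the sample, the banned client alone pushes the rate from 2 to 5 requests per second; excluding it keeps the enhanced filters from staying active after the attacker has already been dealt with by the earlier stages.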

Always Activate

Filters will always be active and checking for bot users.

Detection Methods

If mitigation is not activated by rate, detection will be performed using a combination of 19 modules for detecting anomalous behavior, including 2 machine learning modules.

Paranoia Mode

Paranoia activation is a mode of operation for the Enhanced Mitigation system. When activated, the system will be more sensitive to potential threats and more likely to take action against a client. This mode is recommended for use only if you are willing to accept the following trade-offs and assumptions:

  • Decreased cache hit rate (cookies will be set on certain responses)
  • Increased backend server bandwidth usage (certain responses cannot be served compressed)
  • Your clients' first requests are made to HTML pages, and AJAX/XHR/Fetch/resource requests are not made continuously without page reloads
  • The clients you wish to accept are standard non-headless browsers with full Javascript support, not API clients or bots (for this reason API mode disables Paranoia mode)

We recommend using Paranoia mode only when you are experiencing a significant attack and are willing to accept the trade-offs. A slightly higher false detection rate for older web browsers and for clients with Javascript disabled is to be expected when using Paranoia mode.

Verification Method

Once a detection occurs, the user will be asked to verify that they are human. Bots will fail these tests and be banned for repeated failures.

Automated Verification

Verification is first attempted via an automated method. If the user has an older browser, a browser without Javascript support, an older computer, or is browsing on a mobile device, manual verification will be performed instead.

Manual Verification (CAPTCHA)

Require the user to complete a CAPTCHA to access the site. This only needs to be performed once per user.

API Mode

API mode is a mode of mitigation operation specifically for program-to-program communication, e.g. an Application Programming Interface (API). In this mode the sensitivity of mitigation is reduced and mitigation modules not suitable for API-only web services are disabled. As mitigation sensitivity and severity are reduced in this mode, you should ensure that you have rate limiting suitably configured on our end and that your API service is appropriately optimized.

In the event a mitigation action is taken against a client in API mode and that client has requested a JSON response (via the HTTP Accept header), the mitigation system will respond as follows.

> GET / HTTP/1.1
> Host: [...]
> User-Agent: curl/7.47.0
> Accept: application/json

< HTTP/1.1 403 Forbidden
< [...]
<
{"error":"Mitigation Rejection","_schema_revision":1,"_source":"x4b-sense"}
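An API client integrating against a service behind this mitigation needs to tell the rejection above apart from a 403 issued by the origin application (for example an authorisation failure), so that it can log and alert on the right thing. The example below is added here and is not the provider's code: it keys on the `_source` and `error` fields of the documented body, treats a `_schema_revision` other than 1 as recognised but unknown, and falls back to "origin_forbidden" for any other 403. The alternative response bodies are constructed for the illustration.

```python
import json

# Body exactly as documented for an API-mode mitigation rejection.
MITIGATION_BODY = '{"error":"Mitigation Rejection","_schema_revision":1,"_source":"x4b-sense"}'

# Constructed alternative bodies a client might also receive with a 403.
ORIGIN_FORBIDDEN_BODY = '{"error":"forbidden","reason":"missing scope"}'
HTML_FORBIDDEN_BODY = "<html><body>Forbidden</body></html>"

# Schema revisions this client knows how to interpret (only 1 is documented).
KNOWN_SCHEMA_REVISIONS = {1}


def parse_mitigation_rejection(status, body):
    """Return details if (status, body) is a Layer 7 mitigation rejection, else None.

    Only a 403 with a JSON object whose _source is "x4b-sense" counts; anything
    else (origin 403s, HTML error pages, other status codes) returns None.
    """
    if status != 403:
        return None
    try:
        data = json.loads(body)
    except (TypeError, ValueError):
        return None  # not JSON, so not the documented mitigation body
    if not isinstance(data, dict) or data.get("_source") != "x4b-sense":
        return None
    revision = data.get("_schema_revision")
    return {
        "error": data.get("error"),
        "schema_revision": revision,
        # An unknown revision is still a rejection, but fields may differ.
        "schema_known": revision in KNOWN_SCHEMA_REVISIONS,
    }


def classify_response(status, body):
    """Label a response: 'mitigated', 'origin_forbidden', 'ok' or 'other'."""
    if parse_mitigation_rejection(status, body) is not None:
        return "mitigated"
    if status == 403:
        return "origin_forbidden"
    if 200 <= status < 300:
        return "ok"
    return "other"


if __name__ == "__main__":
    for status, body in [(403, MITIGATION_BODY), (403, ORIGIN_FORBIDDEN_BODY),
                         (403, HTML_FORBIDDEN_BODY), (200, '{"ok":true}')]:
        print(status, classify_response(status, body))
```

Because the JSON body is only returned when the request carried `Accept: application/json`, a client that wants this machine-readable form should send that header on every call rather than relying on a default.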

The Process

A high-level overview of the process; it does not include all possible mitigation stages.

Layer 7 Mitigation Process