Additional Information on Enhanced HTTP (Layer 7) Mitigation

Enhanced mitigation is an additional filtering stage which takes place after signature (common attacks), semantic (invalid traffic) and rate limiting (high frequency) attack filtering. These filters are designed to recognise non-human traffic in a dynamic and flexible manner. Because the filters are generated dynamically, they are able to recognise complex attacks and attacks that have never been seen before.

Unfortunately, due to the dynamic nature of these filters, they may suffer from a false detection rate of up to 5% (worst case). As such, we recommend either enabling them as needed for additional protection or configuring activation to occur only when traffic significantly exceeds normal requests per second rates.

Activation Methods

Activation refers to when the Enhanced filters will be used. If they are not used, the traffic will not be filtered by this layer.

Never Activate (Passive Only)

No traffic will be filtered by these filters.

High Load Activation

Filters will be activated when the global traffic rate to the "port" (site) being configured exceeds the defined threshold. This threshold is defined in terms of requests per second, excluding any attackers currently banned. We recommend setting this to 2-3 times your normal peak request rate, but still less than your maximum capacity.

Always Activate

Filters will always be active and checking for bot users.

Detection Methods

Detection will be performed using a combination of 17 modules for detecting anomalous behavior, including 2 machine learning modules.

Verification Method

Once a detection occurs, the user will be requested to verify their humanity. Bots will fail these tests and be banned for repeat failures.

Automated Verification

Attempt to perform verification via an automated method. If the user has an older browser, a browser without JavaScript support, an older computer, or is browsing on a mobile device, manual verification will be performed instead.

Manual Verification (CAPTCHA)

Require the user to complete a CAPTCHA to access the site. This need only be performed once per user.

API Mode

API mode is a mode of mitigation operation specifically for program-to-program communication, e.g. an Application Program Interface (API). In this mode the sensitivity of mitigation is reduced, and mitigation modules not suitable for API-only web services are disabled. As mitigation sensitivity and severity are reduced in this mode, you should ensure that you have rate limiting suitably configured on our end and that your API service is appropriately optimized.

In the event a mitigation action is taken against a client in API mode, and that client has requested a JSON response (via the HTTP Accept header), the mitigation system will respond with the following response.

> GET / HTTP/1.1
> Host: [...]
> User-Agent: curl/7.47.0
> Accept: application/json

< HTTP/1.1 403 Forbidden
< [...]
{"error":"Mitigation Rejection","_schema_revision":1,"_source":"x4b-sense"}
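
An added example (not X4B's own code): one way an API client or monitoring job can tell this mitigation rejection apart from the API's own 403 responses, using only the three fields shown in the sample above. The function names, category labels and sample responses are constructed for illustration.

```python
import json
from collections import Counter

MITIGATION_ERROR = "Mitigation Rejection"  # "error" value in the sample response
MITIGATION_SOURCE = "x4b-sense"            # "_source" value in the sample response
KNOWN_SCHEMA_REVISION = 1                  # "_schema_revision" in the sample response


def classify_response(status, body):
    """Classify an HTTP response seen by an API client.

    "not-rejected"       status is not 403
    "mitigation"         403 whose JSON body matches the documented rejection
    "mitigation-unknown" error/_source match, but the schema revision differs
    "application-403"    any other 403, e.g. the API's own authorization failure
    """
    if status != 403:
        return "not-rejected"
    try:
        doc = json.loads(body)
    except (ValueError, TypeError):
        return "application-403"  # non-JSON, empty or missing body
    if not isinstance(doc, dict):
        return "application-403"
    if doc.get("error") != MITIGATION_ERROR or doc.get("_source") != MITIGATION_SOURCE:
        return "application-403"
    if doc.get("_schema_revision") != KNOWN_SCHEMA_REVISION:
        return "mitigation-unknown"  # parse defensively; the format may have changed
    return "mitigation"


def summarize(responses):
    """Count categories over (status, body) pairs, e.g. from a client's request log."""
    return Counter(classify_response(status, body) for status, body in responses)


# Constructed sample responses (status, body) for illustration only.
SAMPLES = [
    (200, '{"result":"ok"}'),
    (403, '{"error":"Mitigation Rejection","_schema_revision":1,"_source":"x4b-sense"}'),
    (403, '{"error":"Invalid API key"}'),
    (403, "<html>Forbidden</html>"),
]

if __name__ == "__main__":
    for category, count in summarize(SAMPLES).items():
        print(f"{category}: {count}")
```

Counting the "mitigation" category for known-good clients gives a direct measure of how often legitimate API traffic is being rejected, which is the signal to use when tuning activation thresholds.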

The Process

A high-level overview of the process; it does not include all possible mitigation stages.

Layer 7 Mitigation Process