
Taking action on bots

You can take action on suspected bots, for example by blocking or allowing requests that match a detected bot category.

You can take the following actions for IP addresses you see through the Apigee Sense portal.

| Action | Description |
| --- | --- |
| Allow | Allow requests in the selected category to proceed. |
| Block | Block requests in the selected category. |
| Flag | Flag requests in the selected category so that you can take action on them. |

Identifying bots to take action on

In the Apigee Sense portal, you can filter and group suspected bots by their origin and by the reason they are suspected to be bots. Once you've isolated the group you want, you can take action on the bot IPs in that group, for example by blocking them.

You can filter bots by the following partitions:

| Partition | Description |
| --- | --- |
| Single bot reason | The reason a request is suspected to be a bot. See more about reasons below. |
| Bot reason group | A set of reasons associated with a single set of one or more IP addresses. For example, analysis might have identified four IP addresses whose requests matched the criteria for three bot reasons. |
| Country | The country from which the bot request originated. |
| ISP | The ISP from which the bot request originated. |
| 255.255.*.*/16 | |
| 255.255.255.*/24 | |

Bot reasons

When analyzing API requests for bot activity, Apigee Sense uses a set of criteria to determine whether a request represents a bot. If requests from an IP address meet those criteria, Apigee Sense associates that IP address with one or more corresponding reason categories.

The following table describes possible bot reasons and the criteria that define them. In the portal, you can filter suspected bots by these reasons.

| Bot Reason | Behavior Captured | Configuration Criterion | Configuration Value |
| --- | --- | --- | --- |
| Brute Guessor | Larger proportion of response errors during previous 24 hours | Minimum number of calls from IP | 100 |
| | | Number of sessions threshold | 100 |
| | | Number of user agents threshold | 10 |
| Content Quota Exceeder | Additional requests after 403 error due to content quota exceeded | 403 error per hour threshold | 300 |
| Content Robber | Few OAuth sessions with large volume of traffic in a 5-minute window | Minimum number of calls from IP | 1000 |
| | | Percent of total API traffic from IP threshold | 0.5 |
| | | Unique sessions less than threshold | 4 |
| Content Scraper | Large number of URIs called in a 5-minute window | Minimum number of calls from IP | 100 |
| | | Unique basepath less than threshold | 100 |
| | | Unique path suffix less than threshold | 100 |
| | | Percent of total API traffic from IP threshold | 0.5 |
| Distinct OS | Multiple operating system families used in a 5-minute window | Minimum number of calls from IP | 100 |
| | | Percent of total API traffic from IP threshold | 0.5 |
| | | Unique OS family greater than threshold | 3 |
| Distinct User Agent Family | Multiple user agent families used in a 5-minute window | Minimum number of calls from IP | 100 |
| | | Percent of total API traffic from IP threshold | 0.5 |
| | | Unique user agent family greater than threshold | 3 |
| Flooder | High proportion of traffic from IP in a 5-minute window | Minimum number of calls from IP | 100 |
| | | Percent of total API traffic from IP threshold | 5 |
| Guessor | Large number of response errors in a 5-minute window | Minimum number of calls from IP | 100 |
| | | Percent of total API traffic from IP threshold | 0.5 |
| | | Percent of API traffic with errors from IP threshold | 10 |
| Login Attempter - 24 hours | Large number of tries to Login proxy in a 24-hour window | Number of post calls to Login proxy threshold | 50 |
| Login Attempter - 5 Min | Large number of tries to Login proxy in a 5-minute window | Number of post calls to Login proxy threshold | 20 |
| Login Guessor | High volume of traffic to few URIs in a 5-minute window | Minimum number of calls from IP | 100 |
| | | Unique basepath greater than threshold | 4 |
| | | Unique path suffix greater than threshold | 4 |
| | | Percent of total API traffic from IP threshold | 0.5 |
| OAuth Collector | High number of OAuth sessions with a small number of user agents during previous 24 hours | Minimum number of calls from IP | 100 |
| | | Percent of errors threshold | 90 |
| OAuth Harvestor | High number of OAuth sessions with significant traffic in a 5-minute window | Minimum number of calls from IP | 10 |
| | | Percent of total API traffic from IP threshold | 0.5 |
| | | Unique sessions greater than threshold | 100 |
| Robot Abuser | Larger number of 403 rejection errors in past 24 hours | 403 error per day threshold | 500 |
| Short Session | High number of short OAuth sessions | Minimum number of calls from IP | 10 |
| | | Percent of sessions on length 2 threshold | 0.8 |
| | | Number of sessions of length 2 threshold | 10 |
| | | Percent of total API traffic from IP threshold | 0.5 |
| Static Content Scraper | High proportion of response payload size from IP in a 5-minute window | Minimum number of calls from IP | 10 |
| | | Percent of total API traffic from IP threshold | 0.5 |
| | | Percent of total API response size from IP threshold | 5 |
| | | Minimum number of calls from IP | 10485760 |
| Storm | Few high spikes in traffic in a 5-minute window | Minimum number of calls from IP | 100 |
| | | Percent of total API traffic from IP threshold | 0.5 |
| | | Variance in inter arrival time of calls threshold | 0.1 |
| Tornado | Consistent spikes in traffic in a 5-minute window | Mean in inter arrival time of calls threshold | 0.01 |
| | | Minimum number of calls from IP | 100 |
| | | Percent of total API traffic from IP threshold | 0.5 |
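
To show how criteria like these turn into per-IP classifications, the following added example (not Apigee Sense code) evaluates three of the 5-minute-window reasons from the table over constructed traffic. The record layout, the rule that every criterion of a reason must hold, the choice of `>=` versus `>`, treating any 4xx/5xx status as an error, and reading the error percentage as a share of the IP's own calls are all assumptions of this sketch.

```python
from collections import defaultdict

# Thresholds copied from the bot reasons table. How criteria combine (all must
# hold) and the comparison operators are assumptions of this sketch.
RULES = {
    "Flooder": {"calls": 100, "pct_traffic": 5},
    "Guessor": {"calls": 100, "pct_traffic": 0.5, "pct_errors": 10},
    "Distinct User Agent Family": {"calls": 100, "pct_traffic": 0.5, "ua_families": 3},
}
STRICT = {"ua_families"}  # "greater than threshold" criteria; the others use >=

def bot_reasons(window):
    """Map each IP in one 5-minute window to the bot reasons it matches.

    window: list of (ip, http_status, ua_family) tuples (hypothetical layout).
    """
    per_ip = defaultdict(lambda: {"calls": 0, "errors": 0, "uas": set()})
    for ip, status, ua in window:
        s = per_ip[ip]
        s["calls"] += 1
        s["errors"] += status >= 400  # assumption: any 4xx/5xx counts as an error
        s["uas"].add(ua)

    flagged = {}
    for ip, s in per_ip.items():
        measured = {
            "calls": s["calls"],
            "pct_traffic": 100.0 * s["calls"] / len(window),
            "pct_errors": 100.0 * s["errors"] / s["calls"],
            "ua_families": len(s["uas"]),
        }
        reasons = [
            name for name, rule in RULES.items()
            if all(measured[k] > v if k in STRICT else measured[k] >= v
                   for k, v in rule.items())
        ]
        if reasons:
            flagged[ip] = reasons
    return flagged

def sample_window():
    """Constructed traffic: 913 quiet clients plus three noisy ones (10,000 calls)."""
    w = [(f"10.0.{i // 250}.{i % 250 + 1}", 200, "Chrome")
         for i in range(913) for _ in range(10)]
    w += [("198.51.100.7", 200, "curl")] * 600
    w += [("203.0.113.9", 401 if n < 30 else 200, "Python") for n in range(150)]
    w += [("192.0.2.44", 200, ua) for ua in ("Chrome", "Firefox", "Safari", "Opera")
          for _ in range(30)]
    return w
```

Because several criteria are percentages of total API traffic, the same client can be flagged in a quiet window and missed in a busy one, which is worth checking before choosing Block over Flag for a reason category.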

 
