[Bots] Scraping detections #25744
Open: patriciasantaana wants to merge 6 commits into production from patricia19212-scraping-detections
+182 −84
82 changes: 82 additions & 0 deletions
...cs/bots/additional-configurations/detection-ids/account-takeover-detections.mdx
@@ -0,0 +1,82 @@ | ||
--- | ||
pcx_content_type: concept | ||
title: Account takeover detections | ||
sidebar: | ||
order: 3 | ||
--- | ||
|
||
import { Render, Tabs, TabItem, Steps, DashButton } from "~/components" | ||
|
||
Using the detection IDs below, you can detect and mitigate account takeover attacks. You can monitor the number of login requests for a given software and network combination, as well as the percentage of login errors. When it reaches a suspicious level, you can prevent these attacks by using [custom rules](/waf/custom-rules/), [rate limiting rules](/waf/rate-limiting-rules/), and [Workers](/workers/). | ||
|
||
| <div style="width:100px">Detection ID</div> | Description | | ||
| ------------------------------------------- | ---------------------------------------- | | ||
| `201326592` | Observes all login failures to the zone. | | ||
| `201326593` | Observes all login traffic to the zone. | | ||
| `201326598` | Sets a dynamic threshold based on the normal traffic that is unique to the zone.<br /><br /> When the ID matches a login failure, Bot Management sets the [bot score](/bots/concepts/bot-score/) to 29 and uses [anomaly detection](/bots/concepts/bot-detection-engines/#anomaly-detection-enterprise) as its score source. | | ||
|
||
## Challenges for account takeover detections | ||
|
||
Cloudflare's [Managed Challenge](/cloudflare-challenges/challenge-types/challenge-pages/#managed-challenge-recommended) can limit brute-force attacks on your login endpoints. | ||
|
||
To access account takeover detections: | ||
|
||
<Tabs syncKey="dashNewNav"> | ||
<TabItem label="Old dashboard"> | ||
<Steps> | ||
1. Log in to the [Cloudflare dashboard](https://dash.cloudflare.com/), and select your account and domain. | ||
2. Go to **Security** > **WAF**. | ||
3. Under **Custom rules**, select **Create rule**. | ||
4. Fill out the form using **Bot Detection IDs** along with other necessary information. | ||
5. Select **Save as draft** to return to it later, or **Deploy** to deploy the rule. | ||
</Steps> | ||
</TabItem> | ||
<TabItem label="New dashboard" icon="rocket"> | ||
<Steps> | ||
1. In the Cloudflare dashboard, go to the **Security rules** page. | ||
|
||
<DashButton url="/?to=/:account/:zone/security/security-rules" /> | ||
2. Select **Create rule** and choose **Custom rule**. | ||
3. Fill out the form using **Bot Detection IDs** along with other necessary information. | ||
4. Select **Save as draft** to return to it later, or **Deploy** to deploy the rule. | ||
|
||
</Steps> | ||
</TabItem> | ||
</Tabs> | ||
|
||
```js title="Rule example" | ||
|
||
(any(cf.bot_management.detection_ids[*] eq 201326593)) | ||
``` | ||
|
||
## Limit logins with account takeover detections | ||
|
||
Rate limiting rules can limit the number of logins from a particular IP, JA4 fingerprint, or country. | ||
|
||
To use rate limiting rules with account takeover detections: | ||
|
||
<Tabs syncKey="dashNewNav"> | ||
<TabItem label="Old dashboard"> | ||
<Steps> | ||
1. Log in to the [Cloudflare dashboard](https://dash.cloudflare.com/), and select your account and domain. | ||
2. Go to **Security** > **WAF**. | ||
3. Under **Rate limiting rules**, select **Create rule**. | ||
4. Fill out the form using the **Custom expression builder** and `cf.bot_management_detection_ids` along with other necessary information. | ||
5. Select **Save as draft** to return to it later, or **Deploy** to deploy the rule. | ||
|
||
</Steps> | ||
</TabItem> | ||
<TabItem label="New dashboard" icon="rocket"> | ||
<Steps> | ||
1. In the Cloudflare dashboard, go to the **Security rules** page. | ||
|
||
<DashButton url="/?to=/:account/:zone/security/security-rules" /> | ||
2. Select **Create rule** and choose **Rate limiting rule**. | ||
3. Fill out the form using the **Custom expression builder** and `cf.bot_management_detection_ids` along with other necessary information. | ||
4. Select **Save as draft** to return to it later, or **Deploy** to deploy the rule. | ||
|
||
</Steps> | ||
</TabItem> | ||
</Tabs> | ||
|
||
:::tip[Enhanced with leaked credential detections] | ||
The rule can be enhanced with Leaked Credential Checks. Refer to the [WAF documentation](/waf/detections/leaked-credentials/) for more information on how to include leaked credentials and account takeover detections in a rate limiting rule. | ||
|
||
::: |
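Review bot: the rate limiting steps in both dashboard tabs, `4. Fill out the form using the **Custom expression builder** and \`cf.bot_management_detection_ids\``, spell the field with an underscore, while the rule example in this same file uses `cf.bot_management.detection_ids[*]`; only one of these can be the name the expression builder accepts, so the steps should use the same dotted form as the example. Worth a sentence next to the rule example as well: `201326593` is documented as matching all login traffic, so a custom rule that challenges or blocks on that ID alone applies to every login, legitimate ones included; an example built on `201326598` (the dynamic threshold) or a pointer to the rate limiting section would illustrate the intended use better. Smaller points: `sidebar: order: 3` collides with the same `order: 3` in scraping-detections.mdx in this PR, leaving the sidebar order between the two pages undefined, and `Render` in the import line is never used in the file.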
15 changes: 15 additions & 0 deletions
...ent/docs/bots/additional-configurations/detection-ids/additional-detections.mdx
@@ -0,0 +1,15 @@ | ||
--- | ||
pcx_content_type: concept | ||
title: Additional detections | ||
sidebar: | ||
order: 4 | ||
--- | ||
|
||
Cloudflare bot detection includes additional signals to catch different kinds of automated traffic. | ||
|
||
Bot management customers automatically benefit from the residential proxy detection improvement below, which lowers the [bot score](/bots/concepts/bot-score/) for matched requests. Using the detection ID in [custom rules](/waf/custom-rules/) provides even more visibility and control over mitigating residential proxy traffic. | ||
|
||
|
||
| <div style="width:100px">Detection ID</div> | Description | | ||
| ------------------------------------------ | ---------------------------------------- | | ||
| `50331651` | Observes traffic from residential proxy networks and similar commercial proxies. <br /><br />When the ID matches a request, Bot Management sets the bot score to 29 and uses [anomaly detection](/bots/concepts/bot-detection-engines/#anomaly-detection-enterprise) as its score source. | |
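Review bot: the intro sentence `Bot management customers automatically benefit from the residential proxy detection improvement below, which lowers the [bot score]` and the table row `Bot Management sets the bot score to 29` describe the effect differently: "lowers" is relative, "sets ... to 29" is absolute and would raise a request that already scored below 29. State the behavior once, in the same words as the table row, and drop "improvement", which reads as release-note language rather than a description of what the detection matches. Minor: "Bot management" versus "Bot Management" within the same file, and the double blank line before the table.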
85 changes: 85 additions & 0 deletions
...ntent/docs/bots/additional-configurations/detection-ids/scraping-detections.mdx
@@ -0,0 +1,85 @@ | ||
--- | ||
pcx_content_type: concept | ||
title: Scraping detections | ||
sidebar: | ||
order: 3 | ||
--- | ||
|
||
import { Render, Tabs, TabItem, Steps, DashButton } from "~/components" | ||
|
||
Scraping behavioral detection IDs allow you to better protect your website from volumetric scraping attacks by identifying anomalous behavior. The detection IDs below are specifically designed to catch suspicious scraping activity at the zone-level. | ||
|
||
|
||
| <div style="width:100px">Detection ID</div> | Description | | ||
| ------------------------------------------- | --------------------------------------------------------------------------------------------------- | | ||
| `50331648` | Observes patterns of requests sent to your zone, dynamically analyzing behavior by ASN. | | ||
| `50331649` | Observes patterns of requests sent to your zone, dynamically analyzing behavior by JA4 fingerprint. | | ||
|
||
## Challenges for scraping detections | ||
|
||
Cloudflare's [Managed Challenge](/cloudflare-challenges/challenge-types/challenge-pages/#managed-challenge-recommended) can limit scraping attacks on your website. | ||
|
||
To access scraping detections: | ||
|
||
<Tabs syncKey="dashNewNav"> | ||
<TabItem label="Old dashboard"> | ||
<Steps> | ||
1. Log in to the [Cloudflare dashboard](https://dash.cloudflare.com/), and select your account and domain. | ||
2. Go to **Security** > **WAF**. | ||
3. Under **Custom rules**, select **Create rule**. | ||
4. Fill out the form using **Bot Detection IDs** along with other necessary information. | ||
5. Select **Save as draft** to return to it later, or **Deploy** to deploy the rule. | ||
|
||
</Steps> | ||
</TabItem> | ||
<TabItem label="New dashboard" icon="rocket"> | ||
<Steps> | ||
1. In the Cloudflare dashboard, go to the **Security rules** page. | ||
|
||
<DashButton url="/?to=/:account/:zone/security/security-rules" /> | ||
2. Select **Create rule** and choose **Custom rule**. | ||
3. Fill out the form using **Bot Detection IDs** along with other necessary information. | ||
4. Select **Save as draft** to return to it later, or **Deploy** to deploy the rule. | ||
|
||
</Steps> | ||
</TabItem> | ||
</Tabs> | ||
|
||
```js title="Rule example" | ||
|
||
(any(cf.bot_management.detection_ids[*] eq 50331649)) | ||
``` | ||
|
||
:::tip[Best practice] | ||
If you are choosing to challenge as your rule action, check for any API calls on which you do not want to issue a challenge. To exclude requests to such paths, edit the [WAF custom rule](/waf/custom-rules/) to exclude the relevant paths. | ||
::: | ||
|
||
## Limit scraping requests with scraping detections | ||
|
||
Rate limiting rules can limit the number of requests from a particular ASN or JA4 Fingerprint so long as it continues to exhibit suspicious behavior. | ||
|
||
To use rate limiting rules with scraping detections: | ||
|
||
<Tabs syncKey="dashNewNav"> | ||
<TabItem label="Old dashboard"> | ||
<Steps> | ||
1. Log in to the [Cloudflare dashboard](https://dash.cloudflare.com/), and select your account and domain. | ||
2. Go to **Security** > **WAF**. | ||
3. Under **Rate limiting rules**, select **Create rule**. | ||
4. Fill out the form using the **Custom expression builder** and `cf.bot_management_detection_ids` along with other necessary information. | ||
5. Select **Save as draft** to return to it later, or **Deploy** to deploy the rule. | ||
|
||
</Steps> | ||
</TabItem> | ||
<TabItem label="New dashboard" icon="rocket"> | ||
<Steps> | ||
1. In the Cloudflare dashboard, go to the **Security rules** page. | ||
|
||
<DashButton url="/?to=/:account/:zone/security/security-rules" /> | ||
2. Select **Create rule** and choose **Rate limiting rule**. | ||
3. Fill out the form using the **Custom expression builder** and `cf.bot_management_detection_ids` along with other necessary information. | ||
4. Select **Save as draft** to return to it later, or **Deploy** to deploy the rule. | ||
|
||
</Steps> | ||
</TabItem> | ||
</Tabs> | ||
|
||
:::note | ||
Detection IDs `50331648` and `50331649` are dynamically recalculated, meaning a single fingerprint would not be permanently rate limited unless it continues to remain suspicious at all times. Rate limiting on these detection IDs allows for more lenient controls, as opposed to immediately challenging or blocking. | ||
|
||
::: |
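Review bot: `sidebar: order: 3` duplicates the `order: 3` given to account-takeover-detections.mdx in this same PR, so the relative position of the two pages is left to the framework's tie-breaking; give each detection-IDs page a distinct order. As in the account takeover file, the rate limiting steps reference `cf.bot_management_detection_ids` while the rule example uses `cf.bot_management.detection_ids[*]`; align the steps with the rule example. In the closing note, `unless it continues to remain suspicious at all times` is hard to act on: since the IDs are described as "dynamically recalculated", either state the window over which a fingerprint must stay suspicious, if that is documented, or drop "at all times". Also `JA4 Fingerprint` in the rate limiting intro versus `JA4 fingerprint` in the table, and the unused `Render` import.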