Bot management

Bot Management defends against automated threats such as data scraping, business fraud, credential stuffing, spam registration, flash-sale scalping by bots, and SMS API abuse. Configure targeted protection policies to prevent data leakage, reduce load on your origin servers, and lower bandwidth costs.

Important

The new version of bot management is being gradually released and is enabled by default for new users. This topic applies only to the new version of bot management.

  • How to identify your version: Log on to the WAF console. In the navigation pane on the left, choose Protection Config > Bot Management. If the Bot Management entry carries a New tag, you are on the new version and this topic applies to you.

  • Previous version: A small number of users still use the previous version. If the Bot Management entry on your interface does not have a New tag, see the Bot management (legacy) document instead.

  • Screenshots of the previous version page and the new version page (images not reproduced here).

Features

Bot Management includes these core features:

  • Traffic Analytics: View risk data for your APIs, including traffic trends and details of at-risk clients, without enabling Bot Management. After you enable the official version, you get detailed data to identify anomalous traffic and to configure granular protection policies.

  • Web Protection/App Protection: Use default Bot Management policies for quick basic protection in web or app scenarios. For optimal results, continuously analyze rule hit patterns and adjust protection actions.

  • Advanced Custom Rules: Create custom access control rules, rate limiting rules, and rule categories to block requests matching specific conditions. Advanced rules support match conditions such as Client ID, JA3/JA4 fingerprints, and web/app SDK data, with conditional deduplication for statistics.
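A JA3 fingerprint condition in an advanced rule matches on a hash derived from the client's TLS ClientHello, not on anything in the HTTP request, so it is worth seeing what goes into that hash before writing a rule around it. The example below is added for this page and is not Alibaba Cloud's implementation: it builds a small ClientHello inline (a constructed sample; the `build_client_hello` helper, the `localhost` server name and the cipher and extension values are assumptions), then computes the JA3 string and MD5 the way the public JA3 definition does, stripping GREASE values from the cipher, extension and group lists.

```python
import hashlib
import struct


def is_grease(value: int) -> bool:
    """GREASE values (0x0a0a, 0x1a1a, ..., 0xfafa) are random padding browsers add;
    JA3 strips them so the fingerprint is stable across connections."""
    return (value & 0x0F0F) == 0x0A0A and (value >> 8) == (value & 0xFF)


def build_client_hello(version: int, ciphers: list[int], extensions: list[tuple[int, bytes]]) -> bytes:
    """Constructed sample only: wrap a ClientHello body in handshake and record headers."""
    body = struct.pack("!H", version) + b"\x00" * 32 + b"\x00"          # version, random, empty session id
    body += struct.pack("!H", 2 * len(ciphers)) + b"".join(struct.pack("!H", c) for c in ciphers)
    body += b"\x01\x00"                                                  # one compression method: null
    ext_bytes = b"".join(struct.pack("!HH", t, len(d)) + d for t, d in extensions)
    body += struct.pack("!H", len(ext_bytes)) + ext_bytes
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body            # type ClientHello + 3-byte length
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def ja3_string(record: bytes) -> str:
    """Parse a TLS record carrying a ClientHello and return the JA3 pre-hash string:
    SSLVersion,Ciphers,Extensions,EllipticCurves,EllipticCurvePointFormats."""
    if record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    hs = record[5:]
    if hs[0] != 0x01:
        raise ValueError("not a ClientHello")
    body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
    pos = 0
    version = struct.unpack_from("!H", body, pos)[0]
    pos += 2 + 32                                                        # skip client random
    pos += 1 + body[pos]                                                 # skip session id
    cs_len = struct.unpack_from("!H", body, pos)[0]
    pos += 2
    ciphers = [struct.unpack_from("!H", body, pos + i)[0] for i in range(0, cs_len, 2)]
    pos += cs_len
    pos += 1 + body[pos]                                                 # skip compression methods
    ext_types, groups, formats = [], [], []
    if pos < len(body):
        end = pos + 2 + struct.unpack_from("!H", body, pos)[0]
        pos += 2
        while pos < end:
            etype, elen = struct.unpack_from("!HH", body, pos)
            pos += 4
            data = body[pos:pos + elen]
            pos += elen
            ext_types.append(etype)
            if etype == 10:                                              # supported_groups
                n = struct.unpack_from("!H", data, 0)[0]
                groups = [struct.unpack_from("!H", data, 2 + i)[0] for i in range(0, n, 2)]
            elif etype == 11:                                            # ec_point_formats
                formats = list(data[1:1 + data[0]])
    strip = lambda xs: [x for x in xs if not is_grease(x)]
    return ",".join([
        str(version),
        "-".join(map(str, strip(ciphers))),
        "-".join(map(str, strip(ext_types))),
        "-".join(map(str, strip(groups))),
        "-".join(map(str, formats)),
    ])


def ja3_hash(record: bytes) -> str:
    return hashlib.md5(ja3_string(record).encode()).hexdigest()


def sample_client_hello() -> bytes:
    """Constructed TLS 1.2 ClientHello with GREASE in the cipher, extension and group lists."""
    groups = b"".join(struct.pack("!H", g) for g in [0x2A2A, 29, 23, 24])
    extensions = [
        (0x1A1A, b""),                                   # GREASE extension
        (0, b"\x00\x0c\x00\x00\x09localhost"),          # server_name (assumed host)
        (10, struct.pack("!H", len(groups)) + groups),   # supported_groups
        (11, b"\x01\x00"),                               # ec_point_formats: uncompressed
        (35, b""),                                       # session_ticket
    ]
    return build_client_hello(0x0303, [0x0A0A, 0x1301, 0x1302, 0xC02B], extensions)


if __name__ == "__main__":
    hello = sample_client_hello()
    print(ja3_string(hello))
    print(ja3_hash(hello))
```

Because the hash covers the order of ciphers and extensions as the client sent them, two fingerprints are only comparable when both sides apply the same normalization (GREASE stripping, field order). Take the value you match on from the fingerprint the WAF itself reports for the client rather than from one computed with a different tool, and expect the value to change when the client's TLS stack is updated.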

Prerequisites

  • You have completed Web service provisioning on the Onboarding page.

  • You have activated a pay-as-you-go WAF 3.0 instance, or a subscription WAF 3.0 instance of the Premium, Enterprise, or Ultimate edition. The Basic edition does not support Bot Management.

Enable Bot Management

  1. Log on to the Web Application Firewall 3.0 console. From the top menu bar, select the resource group and region (Chinese Mainland or Outside Chinese Mainland) for the WAF instance.

  2. In the navigation pane on the left, choose Protection Config > Bot Management.

Request a trial

Premium, Enterprise, and Ultimate edition WAF instances include a 7-day free trial of Bot Management. After the trial expires, all policy configurations are cleared. To retain your configurations, enable the official version before the trial ends.

  1. Go to the Web Protection, App Protection, or Advanced Custom Rules page, and click Request a Free 7-Day POC.

  2. In the 7-day Free Trial dialog box, click OK.

Important
  • Premium, Enterprise, and Ultimate edition instances are eligible for one Bot Management trial per Alibaba Cloud account.

  • The trial lasts 7 days. After expiration, all bot policy configurations are automatically deleted. Enable the official version before the trial ends to retain your configurations.

Enable the official version

Subscription

  1. Go to the Web Protection, App Protection, or Advanced Custom Rules page, and click Purchase Now.

  2. On the Purchase Now panel, enable Bot Management - Web Protection or Bot Management - App Protection, and complete the payment.

Pay-as-you-go

  1. Go to the Web Protection, App Protection, or Advanced Custom Rules page.

  2. In the dialog box that appears, select the objects you want to protect, and then click Enable Now.

    Note

    After you click Enable Now, the system creates protection templates for the selected objects, which incurs additional fees. For pricing details, see Billing details. If you no longer need Bot Management, delete all Bot Management protection templates.

Get started

  1. View bot management traffic analysis: Review traffic analysis data to identify at-risk assets and anomalous traffic sources.

  2. Protect web applications with bot management / Use bot management to protect app services: Configure protection rules by business type: Web Protection for web pages and H5 pages, App Protection for iOS or Android apps.

  3. Configure advanced custom rules: Configure rules based on Client ID, JA3/JA4 fingerprints, and other dimensions for granular bot traffic control.

Protection Sequence Diagrams

These diagrams show how the JavaScript Validation and Token-based Authentication protection modes handle requests.

JavaScript Validation sequence diagram

  1. A client request matches a JS Challenge rule.

  2. WAF returns an HTML page containing the JS challenge algorithm.

  3. The browser loads the JS challenge page, generates encrypted parameters, adds them to the cookie, and resends the request.

  4. WAF verifies the parameters:

    • If correct, WAF forwards the request to the origin server and returns the response.

    • If the cookie is missing or incorrect, WAF treats the request as bot traffic and returns the JS challenge page.

Token-based Authentication sequence diagram

  1. A client request matches a Dynamic Token rule.

  2. WAF returns an HTML page with a dynamic token.

  3. The browser loads the dynamic token HTML page, generates encrypted parameters, adds them to the request URL parameters, and resends the request.

  4. WAF verifies the parameters:

    • If correct, WAF forwards the request to the origin server and returns the response.

    • If the parameters are missing or incorrect, WAF treats the request as bot traffic and returns the dynamic token page.
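Both sequences above are the same challenge-response loop with the parameter carried in a different place (a cookie for JavaScript Validation, a URL parameter for Token-based Authentication). The following simulation of that loop is an added example written for this page, not Alibaba Cloud's algorithm: the page only says the browser "generates encrypted parameters", so the example stands in an HMAC-signed challenge bound to the client plus a small proof-of-work that the page's script would compute. The cookie and parameter names, the binding to the client IP, the 300-second validity window and the proof-of-work difficulty are all assumptions; the requests are constructed inline.

```python
import hashlib
import hmac
import os
import secrets
import time

# Assumptions for the example: a per-edge signing key that never reaches the client,
# hypothetical cookie/parameter names, and a short validity window for a challenge.
EDGE_KEY = os.urandom(32)
CHALLENGE_TTL = 300
POW_PREFIX = "000"            # toy difficulty for the client-side routine (~4096 hashes)
COOKIE_NAME = "bot_chk"       # hypothetical, not the WAF's real cookie name
PARAM_NAME = "bot_tok"        # hypothetical, not the WAF's real parameter name


def _sign(ts: int, nonce: str, client_id: str) -> str:
    return hmac.new(EDGE_KEY, f"{ts}.{nonce}.{client_id}".encode(), hashlib.sha256).hexdigest()


def issue_challenge(client_id: str, now=None) -> str:
    """Step 2: the value the challenge page carries (timestamp, nonce, signature)."""
    ts = int(now if now is not None else time.time())
    nonce = secrets.token_hex(8)
    return f"{ts}.{nonce}.{_sign(ts, nonce, client_id)}"


def solve_challenge(challenge: str) -> str:
    """Step 3, as the page's script would do it: find a counter that satisfies the
    proof-of-work over the nonce, and append it to the challenge."""
    nonce = challenge.split(".")[1]
    counter = 0
    while not hashlib.sha256(f"{nonce}:{counter}".encode()).hexdigest().startswith(POW_PREFIX):
        counter += 1
    return f"{challenge}.{counter}"


def verify_parameter(param, client_id: str, now=None) -> bool:
    """Step 4: accept only a well-formed parameter whose signature matches this client,
    whose challenge is still fresh, and whose proof-of-work is solved."""
    if not param:
        return False
    try:
        ts_s, nonce, sig, counter = param.split(".")
        ts = int(ts_s)
    except ValueError:
        return False
    now = now if now is not None else time.time()
    if not hmac.compare_digest(sig, _sign(ts, nonce, client_id)):
        return False                      # forged, or issued to a different client
    if not 0 <= now - ts <= CHALLENGE_TTL:
        return False                      # expired or timestamp from the future
    return hashlib.sha256(f"{nonce}:{counter}".encode()).hexdigest().startswith(POW_PREFIX)


def waf_handle(request: dict, mode: str, now=None):
    """mode='js': parameter is read from a cookie; mode='token': from the query string.
    Returns ('origin', response) or ('challenge', challenge_value)."""
    client_id = request["client_ip"]
    if mode == "js":
        param = request.get("cookies", {}).get(COOKIE_NAME)
    else:
        param = request.get("query", {}).get(PARAM_NAME)
    if verify_parameter(param, client_id, now):
        return ("origin", f"200 OK from origin for {request['path']}")
    return ("challenge", issue_challenge(client_id, now))


def browser_round_trip(client_ip: str, path: str, mode: str, now=None):
    """Drive the whole exchange: first request, challenge, solve, resend with the parameter."""
    req = {"client_ip": client_ip, "path": path, "cookies": {}, "query": {}}
    where, payload = waf_handle(req, mode, now)
    if where == "origin":
        return where, payload
    solved = solve_challenge(payload)
    if mode == "js":
        req["cookies"][COOKIE_NAME] = solved
    else:
        req["query"][PARAM_NAME] = solved
    return waf_handle(req, mode, now)


if __name__ == "__main__":
    print(browser_round_trip("203.0.113.7", "/api/items", "js"))
    print(browser_round_trip("203.0.113.7", "/api/items", "token"))
```

The check order matters: the signature is compared in constant time before anything else is trusted, the freshness window bounds how long a solved value can be replayed, and binding the signature to the client identity means a value harvested from one client does not pass for another. A client that never runs the page's script never produces the parameter and keeps receiving the challenge, which is the behaviour the two diagrams describe for bot traffic and the reason these modes are meant for browser traffic rather than native apps.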