AWS WAF Bot Control rule group
VendorName: AWS, Name: AWSManagedRulesBotControlRuleSet
The Bot Control managed rule group provides rules to block and manage requests from bots. Bots can consume excess resources, skew business metrics, cause downtime, and perform malicious activities. This rule group is part of the intelligent threat mitigation protections in AWS WAF. For information, see AWS WAF intelligent threat mitigation.
You are charged additional fees when you use this managed rule group. For more information, see AWS WAF Pricing
To keep your costs down and to be sure you're managing your bot traffic as you want, use this rule group in accordance with the guidance at Best practices for intelligent threat mitigation and AWS WAF Bot Control.
The Bot Control rule group doesn't provide versioning or SNS update notifications.
Protection levels
The Bot Control managed rule group provides two levels of protection that you can choose from:
-
Common – Detects a variety of self-identifying bots, such as web scraping frameworks, search engines, and automated browsers. Bot Control protections at this level identify common bots using traditional bot detection techniques, such as static request data analysis. The rules label traffic from these bots and block the ones that they cannot verify.
-
Targeted – Includes the common-level protections and adds detection for advanced bots that do not self identify. Targeted protections use advanced detection techniques such as browser interrogation, fingerprinting, and behavior heuristics to identify bad bot traffic. The protections target these bots using a combination of rate limiting and CAPTCHA and background browser challenges. The rules that provide targeted protection have names that begin with
TGT_.
Token labels
This rule group uses AWS WAF token management to inspect and label web requests according to the status of their AWS WAF tokens. AWS WAF uses tokens for client session tracking and verification.
AWS WAF applies one of the following labels when it inspects a web request's token and challenge timestamp. AWS WAF doesn't add labeling about the status of the CAPTCHA timestamp.
-
awswaf:managed:token:accepted– The request token is present and has an unexpired challenge timestamp. -
awswaf:managed:token:rejected– The request token is present but is either corrupt or has an expired challenge timestamp. -
awswaf:managed:token:absent– The request doesn't have a token.
For more information, see AWS WAF web request tokens.
Bot Control labels
The Bot Control managed rule group generates labels with the namespace prefix
awswaf:managed:aws:bot-control: followed by the custom
namespace. The rule group might add more than one label to a request.
Each label reflects the Bot Control rule findings:
-
awswaf:managed:aws:bot-control:bot:category:– The category of bot, as defined by AWS WAF, for example,<category>bot:category:search_engineandbot:category:content_fetcher. -
awswaf:managed:aws:bot-control:bot:name:– The bot name, if one is available, for example, the custom namespaces<name>bot:name:slurp,bot:name:googlebot, andbot:name:pocket_parser. -
awswaf:managed:aws:bot-control:bot:verified– Used to indicate a verified bot. This is used for common desirable bots, and can be useful when combined with category labels likebot:category:search_engineor name labels likebot:name:googlebot.Note Bot Control uses the IP address from the web request origin. You can’t configure it to use the AWS WAF forwarded IP configuration, to inspect a different IP address source. If you have verified bots that route through a proxy or load balancer, you can add a rule that runs before the Bot Control rule group to help with this. Configure your new rule to use the forwarded IP address and explicitly allow the requests from the verified bots. For information about using forwarded IP addresses, see Forwarded IP address.
-
awswaf:managed:aws:bot-control:signal:– Used for attributes of the request that are indicative of bots that are not more commonly used or verified.<signal-details> -
awswaf:managed:aws:bot-control:targeted:– Used by the Bot Control targeted protections.<additional-details>
You can retrieve the labels through the API by calling DescribeManagedRuleGroup.
The labels are listed in the AvailableLabels property in the response.
The Bot Control managed rule group applies labels to a set of verifiable bots that are commonly
allowed. The rule group doesn't block these verified bots and doesn't apply
any signal: labels. If you want, you can block them, or a
subset of them by writing a custom rule that uses the labels applied by the
Bot Control managed rule group. For more information about this and examples, see
AWS WAF Bot Control.
Rule listing
The following table lists the Bot Control rules.
| Rule name | Description |
|---|---|
CategoryAdvertising |
Inspects for bots that are used for advertising purposes. Rule action, applied only to unverified bots: Block Label:
For verified bots, the rule group takes no action, but it adds
the rule labeling plus the label
|
CategoryArchiver |
Inspects for bots that are used for archiving purposes. Rule action, applied only to unverified bots: Block Label:
For verified bots, the rule group takes no action, but it adds
the rule labeling plus the label
|
CategoryContentFetcher |
Inspects for bots that are fetching content on behalf of a user. Rule action, applied only to unverified bots: Block Label:
For verified bots, the rule group takes no action, but it adds
the rule labeling plus the label
|
CategoryEmailClient |
Inspects for email clients. Rule action, applied only to unverified bots: Block Label:
For verified bots, the rule group takes no action, but it adds
the rule labeling plus the label
|
CategoryHttpLibrary |
Inspects for HTTP libraries that are used by bots. Rule action, applied only to unverified bots: Block Label:
For verified bots, the rule group takes no action, but it adds
the rule labeling plus the label
|
CategoryLinkChecker |
Inspects for bots that check for broken links. Rule action, applied only to unverified bots: Block Label:
For verified bots, the rule group takes no action, but it adds
the rule labeling plus the label
|
CategoryMiscellaneous |
Inspects for miscellaneous bots. Rule action, applied only to unverified bots: Block Label:
For verified bots, the rule group takes no action, but it adds
the rule labeling plus the label
|
CategoryMonitoring |
Inspects for bots that are used for monitoring purposes. Rule action, applied only to unverified bots: Block Label:
For verified bots, the rule group takes no action, but it adds
the rule labeling plus the label
|
CategoryScrapingFramework |
Inspects for web scraping frameworks. Rule action, applied only to unverified bots: Block Label: For verified bots, the rule group takes no action, but it adds
the rule labeling plus the label
|
CategorySearchEngine |
Inspects for search engine bots. Rule action, applied only to unverified bots: Block Label:
For verified bots, the rule group takes no action, but it adds
the rule labeling plus the label
|
CategorySecurity |
Inspects for security-related bots. Rule action, applied only to unverified bots: Block Label:
For verified bots, the rule group takes no action, but it adds
the rule labeling plus the label
|
CategorySeo |
Inspects for bots that are used for search engine optimization. Rule action, applied only to unverified bots: Block Label:
For verified bots, the rule group takes no action, but it adds
the rule labeling plus the label
|
CategorySocialMedia |
Inspects for bots that are used by social media platforms to provide content summaries. Rule action, applied only to unverified bots: Block Label:
For verified bots, the rule group takes no action, but it adds
the rule labeling plus the label
|
SignalAutomatedBrowser |
Inspects for indications of an automated web browser. Rule action: Block |
SignalKnownBotDataCenter |
Inspects for data centers that are typically used by bots. Rule action: Block |
SignalNonBrowserUserAgent |
Inspects for user agent strings that don't seem to be from a web browser. Rule action: Block |
TGT_VolumetricIpTokenAbsent |
Inspects for 5 or more requests from a client that don't include a valid challenge token. For information about tokens, see AWS WAF web request tokens. The threshold that this rule applies can vary slightly due to latency. Rule action, applied only to clients that are not verified bots: Challenge Label:
For verified bots, the rule group takes no action, but it adds
the rule labeling plus the label
This rule is different from the token labeling:
|
TGT_VolumetricSession |
Inspects for an abnormally high number of requests from a client session. The evaluation is based on a comparison to standard volumetric baselines that AWS WAF maintains using historic traffic patterns. This inspection only applies when the web request has a token. Tokens are added to requests by the application integration SDKs and by the rule actions CAPTCHA and Challenge. For more information, see AWS WAF web request tokens. Rule action, applied only to clients that are not verified bots: CAPTCHA Label:
The rule group applies the following labels to medium
volume and lower volume requests that are above a
minimum threshold. For these levels, the rule takes no
action, regardless of whether the client is verified:
For verified bots, the rule group takes no action, but it adds
the rule labeling plus the label
|
TGT_SignalAutomatedBrowser |
Inspects for browser automation frameworks. This inspection only applies when the web request has a token. Tokens are added to requests by the application integration SDKs and by the rule actions CAPTCHA and Challenge. For more information, see AWS WAF web request tokens. Rule action, applied only to clients that are not verified bots: CAPTCHA Label:
For verified bots, the rule group takes no action, but it adds
the rule labeling plus the label
|
TGT_SignalBrowserInconsistency |
Inspects for inconsistent browser interrogation data. This inspection only applies when the web request has a token. Tokens are added to requests by the application integration SDKs and by the rule actions CAPTCHA and Challenge. For more information, see AWS WAF web request tokens. Rule action, applied only to clients that are not verified bots: CAPTCHA Label: For verified bots, the rule group takes no action, but it adds
the rule labeling plus the label
|
