Citrix recently released the new version 13 firmware for the ADC. One of the most intriguing new features in this release is the Bot Management capability. A bot can be a device or a piece of software that can execute commands, reply to messages, or perform routine tasks. As we know, bots can be used for good or evil. Google and other search engine crawlers are examples of good bots. There can also be chat room bots. But malicious bots are on the rise. Spam bots can scrape your website for email addresses to add to spam lists. Some bots scrape your entire site in an effort to duplicate it for malicious use. DoS bots can send automated requests to make the web site unresponsive. Botnets consist of many bots working together, usually under the control of one hacker. With this new feature, Citrix is adding a security capability so the ADC can recognize what is a good or bad bot and take some action against the bad.
You can find the new feature under the Security tab in the menu of the GUI.
You can enable the feature by right-clicking the item and choosing Enable Feature. To enable it from the command line, enter
enable ns feature Bot
The next step is to clone the existing default signature file. Currently, the ADC does not support auto update functionality. We all hope this will change in the near future.
You can clone the signature by selecting Signatures under Bot Management in the menu
Then select the default signatures and select “Clone”
Then, you can give the signatures some useful name and select “Create”
I could not find an equivalent CLI command for cloning. The other option you have for signature files is to import them. Under the Signatures menu, select “Import” and you can import the signature from a URL, a file, or text.
You can import the Bot Management Signature files from the command line using this syntax
import bot signature [<src>] <name> [-comment <string>] [-overwrite]
An example would be
import bot signature http://www.example.com/signature.json signaturefile -comment commentsforbot -overwrite
Once you have signatures, the next step is to add a bot profile. Under Bot Management you will find Profiles. Select “Add”. Give the profile a name and select your signature file. Optionally, you can designate an Error URL and add comments. Select Create when finished.
You can also use the command line to create the profile by using the “add bot profile” command similar to this
add bot profile <name> [-signature <string>] [-errorURL <string>] [-comment <string>]
An example command could be
add bot profile profile1 -signature signaturefile -errorURL www.badbot.com -comment commentsforBot
Then we must add a Bot Policy. Select Policies under the Bot Management menu. Select Bot Policies and select “Add”. Give the policy a name. The expression can narrow down where it is applied, or you can use the “true” argument as well. Select a Bot Profile, an undefined action, and if desired, a Log Action. I created my own Log Action.
The command line format would be
add bot policy <name> -rule <expression> -profileName <string> [-undefAction <string>] [-comment <string>] [-logAction <string>]
An example would look like this
add bot policy pol1 -rule "HTTP.REQ.HEADER(\"header\").CONTAINS(\"custom\")" -profileName profile1 -undefAction drop -comment commentforbotpolicy -logAction log1
Then you need to bind the policy for it to take effect. Global binding would be preferable as it would protect all web sites protected by the Citrix ADC. From the Bot Policies menu, select the policy and click “Policy Manager”
From there you can select the Bind Point like “Override Global”
From the CLI this can be accomplished using
bind bot global -policyName <string> -priority <positive_integer> [-gotoPriorityExpression <expression>] [-type ( REQ_OVERRIDE | REQ_DEFAULT )] [-invoke (-labelType ( vserver | policylabel ) -labelName <string>)]
An example command would be
bind bot global -policyName pol1 -priority 100 -gotoPriorityExpression NEXT -type REQ_OVERRIDE
The Bot Signature Settings can be modified by editing the Bot Management Profile. The Signature Settings menu can then be found on the right side.
From the CLI you would follow this syntax
set bot settings [-defaultProfile <string>] [-javaScriptName <string>] [-sessionTimeout <positive_integer>] [-sessionCookieName <string>] [-dfpRequestLimit <positive_integer>]
An example command for this would be
set bot settings -defaultProfile profile1 -javaScriptName json.js -sessionTimeout 1000 -sessionCookieName session
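The steps above depend on each other: the profile names a signature, the policy names a profile, and the global binding names a policy. The following pre-flight check for a batch of these commands is an added example, not Citrix code or part of the original article; it assumes every object the batch refers to is created in the same batch, and it also flags typographic dashes picked up when commands are copied from a web page.

```python
import re
import shlex
from itertools import takewhile

# Commands and flags are the ones shown in the article; nothing else is assumed.
DEFINES = {"import bot signature": "signature",
           "add bot profile": "profile",
           "add bot policy": "policy"}
REQUIRES = {"add bot profile": ("-signature", "signature"),
            "add bot policy": ("-profileName", "profile"),
            "bind bot global": ("-policyName", "policy"),
            "set bot settings": ("-defaultProfile", "profile")}
BAD_DASH = re.compile("[\u2012\u2013\u2014\u2212]")  # figure, en, em dash, minus sign


def lint(batch):
    """Return (line_no, message) problems for a batch of bot management commands."""
    problems = []
    defined = {"signature": set(), "profile": set(), "policy": set()}
    for no, raw in enumerate(batch.splitlines(), 1):
        if BAD_DASH.search(raw):
            problems.append((no, "typographic dash, the CLI expects ASCII '-'"))
        tokens = shlex.split(BAD_DASH.sub("-", raw))  # keep checking the repaired line
        cmd = " ".join(tokens[:3]).lower()
        args = tokens[3:]
        flags = [a.lower() for a in args]
        if cmd in REQUIRES:
            flag, kind = REQUIRES[cmd]
            if flag.lower() in flags[:-1]:  # the flag must be followed by a value
                ref = args[flags.index(flag.lower()) + 1]
                if ref not in defined[kind]:
                    problems.append((no, f"{kind} '{ref}' is used before it is created"))
        if cmd in DEFINES:
            # Positional arguments end at the first flag; the object name is the last one.
            positional = list(takewhile(lambda a: not a.startswith("-"), args))
            if positional:
                defined[DEFINES[cmd]].add(positional[-1])
    return problems


# Constructed sample adapted from the article's commands: policy added too early, one en dash.
SAMPLE = """\
enable ns feature Bot
add bot policy pol1 -rule "HTTP.REQ.HEADER(\\"header\\").CONTAINS(\\"custom\\")" -profileName profile1 -undefAction drop
import bot signature http://www.example.com/signature.json signaturefile -overwrite
add bot profile profile1 \u2013signature signaturefile
bind bot global -policyName pol1 -priority 100 -type REQ_OVERRIDE
"""
print(*lint(SAMPLE), sep="\n")
```

Objects that already exist on the appliance are unknown to this check and would be reported as missing.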
Full documentation of this can be found in the Citrix Docs. My example CLI commands were shamelessly copied from here. You can find the firmware download here.
Nice article, however, one point is missing: how do you test it and make sure it does the job?
Using the curl command line, it does not block anything included in the bad bots.