Before you start

You must enable Bot Detection and configure a CAPTCHA provider.
Auth0’s Bot Detection monitoring is an early warning system for detecting botnets and automated attacks against your tenant. The guidance below helps you identify bots attempting to log in to your tenant and decide how to respond.

Find log events of interest

When considering a response, first sift through the log events generated during the potential attack. For deeper analysis, enable log streaming and send the events to the external SIEM or analytics tool of your choice. The following log event types are relevant when investigating an uptick in bot activity.
Log Event Type   Description
pla              Pre-login assessment, generated before login whenever Bot Detection evaluates a request, even if Bot Detection is only in monitoring mode and is not using CAPTCHAs to challenge suspected bots.
fu               Failed login due to an invalid username, which can indicate username enumeration or account takeover attempts.
fp               Failed login due to an invalid password, which can indicate a credential stuffing attack.
pwd_leak         Login attempt with a leaked (breached) password, which can indicate a credential stuffing attack.
limit_wc         IP block for more than 10 failed login attempts against a single account, which indicates the IP address likely belongs to a bot.
limit_sul        User block for more than 20 login attempts per minute from the same IP address, which indicates likely bot activity.
limit_mu         IP block for more than 100 failed login attempts or more than 50 signup attempts from the same IP address, which indicates likely bot activity.
fcoa             Failed cross-origin authentication, which can indicate automated account takeover attempts.
scoa             Successful cross-origin authentication; when successes for many different users originate from a small number of IP addresses, this can indicate automated account takeover.
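The following script is an added example, not Auth0's own code, of the triage step above run over a log stream: it counts the event types in the table and flags source IP addresses that accumulate failed logins across many usernames, that have already triggered an Attack Protection IP block, or that produce successful cross-origin logins for several distinct users. It assumes events arrive as one JSON object per line carrying the standard Auth0 log fields type, ip, user_name and date; the sample events and the flagging thresholds are constructed for illustration.

```python
"""Triage Auth0 log-stream events for bot activity (added example)."""
import json
from collections import Counter, defaultdict

# Event types from the table above and what each one signals.
BOT_EVENT_TYPES = {
    "pla": "pre-login assessment (Bot Detection evaluated the request)",
    "fu": "failed login: invalid username (enumeration)",
    "fp": "failed login: invalid password (credential stuffing)",
    "pwd_leak": "login attempt with a leaked password",
    "limit_wc": "IP blocked: >10 failed logins to one account",
    "limit_sul": "user blocked: >20 login attempts/min from one IP",
    "limit_mu": "IP blocked: >100 failed logins or >50 signups",
    "fcoa": "failed cross-origin authentication",
    "scoa": "successful cross-origin authentication",
}
FAILURE_TYPES = {"fu", "fp", "pwd_leak", "fcoa"}

# Constructed sample events in the shape a log stream delivers (one JSON
# object per line). IPs are documentation ranges, not real addresses.
SAMPLE_LOG_LINES = """
{"date":"2024-05-01T10:00:01Z","type":"pla","ip":"203.0.113.7"}
{"date":"2024-05-01T10:00:02Z","type":"fu","ip":"203.0.113.7","user_name":"alice@example.com"}
{"date":"2024-05-01T10:00:03Z","type":"fu","ip":"203.0.113.7","user_name":"bob@example.com"}
{"date":"2024-05-01T10:00:04Z","type":"fp","ip":"203.0.113.7","user_name":"carol@example.com"}
{"date":"2024-05-01T10:00:05Z","type":"fp","ip":"203.0.113.7","user_name":"dave@example.com"}
{"date":"2024-05-01T10:00:06Z","type":"pwd_leak","ip":"203.0.113.7","user_name":"erin@example.com"}
{"date":"2024-05-01T10:00:07Z","type":"limit_mu","ip":"203.0.113.7"}
{"date":"2024-05-01T10:01:00Z","type":"pla","ip":"192.0.2.5"}
{"date":"2024-05-01T10:01:01Z","type":"fp","ip":"192.0.2.5","user_name":"frank@example.com"}
{"date":"2024-05-01T10:01:05Z","type":"s","ip":"192.0.2.5","user_name":"frank@example.com"}
{"date":"2024-05-01T10:02:00Z","type":"scoa","ip":"198.51.100.9","user_name":"gina@example.com"}
{"date":"2024-05-01T10:02:01Z","type":"scoa","ip":"198.51.100.9","user_name":"hal@example.com"}
{"date":"2024-05-01T10:02:02Z","type":"scoa","ip":"198.51.100.9","user_name":"ivy@example.com"}
"""


def parse_log_lines(text):
    """Parse newline-delimited JSON log events, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def triage(events, failure_threshold=5, scoa_user_threshold=3):
    """Count relevant event types and flag source IPs that look automated.

    An IP is flagged when it accumulates failure_threshold or more failed
    logins (fu/fp/pwd_leak/fcoa), when it has already triggered an IP-level
    block (limit_wc/limit_mu), or when successful cross-origin logins for
    scoa_user_threshold or more distinct users originate from it.
    Thresholds are illustrative assumptions, not Auth0 defaults.
    """
    by_type = Counter()
    failures = Counter()             # ip -> failed login attempts
    usernames = defaultdict(set)     # ip -> distinct usernames tried
    scoa_users = defaultdict(set)    # ip -> users with successful cross-origin auth
    blocked = set()                  # ips Auth0 has already blocked

    for event in events:
        etype = event.get("type")
        if etype not in BOT_EVENT_TYPES:
            continue  # other tenant log types are outside this triage
        by_type[etype] += 1
        ip = event.get("ip", "unknown")
        user = event.get("user_name")
        if etype in FAILURE_TYPES:
            failures[ip] += 1
            if user:
                usernames[ip].add(user)
        elif etype == "scoa" and user:
            scoa_users[ip].add(user)
        elif etype in ("limit_wc", "limit_mu"):
            blocked.add(ip)

    suspicious = {}
    for ip in set(failures) | set(scoa_users) | blocked:
        reasons = []
        if failures[ip] >= failure_threshold:
            reasons.append(
                f"{failures[ip]} failed logins across {len(usernames[ip])} usernames")
        if ip in blocked:
            reasons.append("already hit an Attack Protection IP block")
        if len(scoa_users[ip]) >= scoa_user_threshold:
            reasons.append(
                f"successful cross-origin auth for {len(scoa_users[ip])} distinct users")
        if reasons:
            suspicious[ip] = reasons
    return {"by_type": dict(by_type), "suspicious_ips": suspicious}


if __name__ == "__main__":
    print(json.dumps(triage(parse_log_lines(SAMPLE_LOG_LINES)), indent=2))
```

The distinct-username count is what separates credential stuffing from a legitimate user mistyping a password: one IP failing against many usernames in seconds is the pattern to block, while one IP failing a few times against a single account is usually a person. Feed the flagged IPs into the blocking measures described under Mitigation strategies rather than acting on raw failure counts alone.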

Attack response

While setting the Bot Detection level to High immediately mitigates the attack, a comprehensive strategy balances your business’s risk tolerance and technical capabilities against the experience your users will have when they sign in. When responding, consider two main factors:
  • User friction: evaluate the impact of mitigation measures (e.g. CAPTCHA frequency) on user experience.
  • Technical capacity: assess your ability to implement IP blocking, WAF rules, and enforcement.
Auth0 recommends a layered security approach that combines multiple mitigation techniques for optimal protection.

Mitigation strategies

For optimal protection from attacks, consider the following strategies:
  • Activate CAPTCHA for one or more flows and increase CAPTCHA frequency as needed, but remember that CAPTCHA is a deterrent, not a complete solution.
  • If attackers bypass your current CAPTCHA, change your CAPTCHA provider, for example by migrating to Auth0’s Auth Challenge or another supported provider.
  • If you suspect a signup fraud campaign, temporarily prevent new user signups to your application from public, unauthenticated endpoints.
  • Update your web application firewall rules with an edge provider, or use tenant access control lists, to block abusive IP addresses, autonomous system numbers, geographic locations, TLS client fingerprints, or HTTP header elements such as user-agent strings; consider placing a reverse proxy in front of your login flow.
  • Tighten Brute Force Protection and Suspicious IP Throttling thresholds to lower the number of attempts allowed before a block and so mitigate brute-force attacks. For more information about brute force attacks, read the Brute Force playbook.
  • Disable unused endpoints by modifying your Cross-Origin Authentication settings so that cross-origin login cannot be abused if your application does not need it. If you suspect breached password attacks, read the Breached Password playbook.
  • Enforce step-up MFA for accounts that show risk signals, up to and including requiring MFA for every potentially compromised account.
  • Migrate to stronger MFA factors by replacing SMS and voice-based MFA with OTP authenticator apps or WebAuthn; this also mitigates SMS pumping and toll fraud attacks.