
Taking action on suspicious activity

You can take action to intercept suspicious requests, such as by blocking requests, or by flagging them for special handling within your API proxies. You can take the following actions for IP addresses you see through the Apigee Sense portal.

| Action | Description |
|---|---|
| Allow | Allow requests in the selected category to proceed. |
| Block | Block requests in the selected category. |
| Flag | Flag requests in the selected category so that you can take action on them within API proxy code. |

Identifying requests and clients to take action on

In the Apigee Sense console, you can filter and group suspicious clients by their origin and by the reason they are suspicious. Once you've isolated the group you want, you can take action on the IPs in that group, such as blocking them.

You can filter suspicious clients by the following partitions:

| Partition | Description |
|---|---|
| Single bot reason | The reason a request is suspicious. See more about reasons below. |
| Bot reason group | A set of reasons associated with a single set of one or more IP addresses. For example, analysis might have identified four IP addresses whose requests matched the criteria for three reasons. |
| Country | The country from which the request originated. |
| ISP | The ISP from which the request originated. |
| 255.255.*.*/16 | |
| 255.255.255.*/24 | |

Bot reasons

When analyzing API requests, Apigee Sense uses a set of criteria to identify suspicious requests. If requests from the IP meet those criteria, Apigee Sense associates the IP with one or more corresponding reason categories.

The following table describes possible reasons that requests are identified as suspicious, along with the criteria that define those reasons. In the portal, you can filter clients making suspicious requests by these reasons.

| Bot Reason | Behavior Captured | Configuration Criterion | Configuration Value |
|---|---|---|---|
| Brute Guessor | Larger proportion of response errors during previous 24 hours | Minimum number of calls from IP | 100 |
| | | Number of sessions threshold | 100 |
| | | Number of user agents threshold | 10 |
| Content Quota Exceeder | Additional requests after 403 error due to content quota exceeded | 403 error per hour threshold | 300 |
| Content Robber | Few OAuth sessions with large volume of traffic in a 5-minute window | Minimum number of calls from IP | 1000 |
| | | Percent of total API traffic from IP threshold | 0.5 |
| | | Unique sessions less than threshold | 4 |
| Content Scraper | Large number of URIs called in a 5-minute window | Minimum number of calls from IP | 100 |
| | | Unique basepath less than threshold | 100 |
| | | Unique path suffix less than threshold | 100 |
| | | Percent of total API traffic from IP threshold | 0.5 |
| Distinct OS | Multiple operating system families used in a 5-minute window | Minimum number of calls from IP | 100 |
| | | Percent of total API traffic from IP threshold | 0.5 |
| | | Unique OS family greater than threshold | 3 |
| Distinct User Agent Family | Multiple user agent families used in a 5-minute window | Minimum number of calls from IP | 100 |
| | | Percent of total API traffic from IP threshold | 0.5 |
| | | Unique user agent family greater than threshold | 3 |
| Flooder | High proportion of traffic from IP in a 5-minute window | Minimum number of calls from IP | 100 |
| | | Percent of total API traffic from IP threshold | 5 |
| Guessor | Large number of response errors in a 5-minute window | Minimum number of calls from IP | 100 |
| | | Percent of total API traffic from IP threshold | 0.5 |
| | | Percent of API traffic with errors from IP threshold | 10 |
| Login Attempter - 24 hours | Large number of tries to Login proxy in a 24-hour window | Number of post calls to Login proxy threshold | 50 |
| Login Attempter - 5 Min | Large number of tries to Login proxy in a 5-minute window | Number of post calls to Login proxy threshold | 20 |
| Login Guessor | High volume of traffic to few URIs in 5-minute window | Minimum number of calls from IP | 100 |
| | | Unique basepath greater than threshold | 4 |
| | | Unique path suffix greater than threshold | 4 |
| | | Percent of total API traffic from IP threshold | 0.5 |
| OAuth Collector | High number of OAuth sessions with small number of user agents during previous 24 hours | Minimum number of calls from IP | 100 |
| | | Percent of errors threshold | 90 |
| OAuth Harvestor | High number of OAuth sessions with significant traffic in a 5-minute window | Minimum number of calls from IP | 10 |
| | | Percent of total API traffic from IP threshold | 0.5 |
| | | Unique sessions greater than threshold | 100 |
| Robot Abuser | Larger number of 403 rejection errors in past 24 hours | 403 error per day threshold | 500 |
| Short Session | High number of short OAuth sessions | Minimum number of calls from IP | 10 |
| | | Percent of sessions on length 2 threshold | 0.8 |
| | | Number of sessions of length 2 threshold | 10 |
| | | Percent of total API traffic from IP threshold | 0.5 |
| Static Content Scraper | High proportion of response payload size from IP in a 5-minute window | Minimum number of calls from IP | 10 |
| | | Percent of total API traffic from IP threshold | 0.5 |
| | | Percent of total API response size from IP threshold | 5 |
| | | Minimum number of calls from IP | 10485760 |
| Storm | Few high spikes in traffic in a 5-minute window | Minimum number of calls from IP | 100 |
| | | Percent of total API traffic from IP threshold | 0.5 |
| | | Variance in inter arrival time of calls threshold | 0.1 |
| Tornado | Consistent spikes in traffic in a 5-minute window | Mean in inter arrival time of calls threshold | 0.01 |
| | | Minimum number of calls from IP | 100 |
| | | Percent of total API traffic from IP threshold | 0.5 |
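
The following sketch applies three of the 5-minute-window reasons from the table above (Flooder, Guessor, Distinct User Agent Family) to a constructed window of request records. It is an added example, not Apigee Sense's own code; the record fields (`ip`, `status`, `ua_family`), the function names, and the way the criteria are combined are assumptions.

```python
from collections import defaultdict

# Thresholds copied from the bot reasons table (three 5-minute-window reasons).
RULES = {
    "Flooder": {"min_calls": 100, "traffic_pct": 5},
    "Guessor": {"min_calls": 100, "traffic_pct": 0.5, "error_pct": 10},
    "Distinct User Agent Family": {"min_calls": 100, "traffic_pct": 0.5, "ua_gt": 3},
}

def classify_window(requests):
    """Map each IP in one 5-minute window to the reasons it matches.
    Assumptions (not stated on the page): all criteria of a reason must hold,
    minimum and percent thresholds are inclusive, "greater than" is strict,
    and any status >= 400 counts as a response error.
    """
    total = len(requests)
    per_ip = defaultdict(lambda: {"calls": 0, "errors": 0, "ua": set()})
    for r in requests:
        s = per_ip[r["ip"]]
        s["calls"] += 1
        s["errors"] += r["status"] >= 400
        s["ua"].add(r["ua_family"])
    flagged = {}
    for ip, s in per_ip.items():
        traffic_pct = 100.0 * s["calls"] / total
        error_pct = 100.0 * s["errors"] / s["calls"]
        reasons = []
        for name, c in RULES.items():
            if s["calls"] < c["min_calls"] or traffic_pct < c["traffic_pct"]:
                continue  # too little traffic for this reason to apply
            if error_pct < c.get("error_pct", 0) or len(s["ua"]) <= c.get("ua_gt", 0):
                continue  # reason-specific criterion not met
            reasons.append(name)
        if reasons:
            flagged[ip] = reasons
    return flagged

def sample_window():
    """Constructed traffic using documentation-range IPs, not real clients."""
    reqs = [{"ip": f"198.51.100.{i % 200}", "status": 200, "ua_family": "Chrome"}
            for i in range(4000)]  # 200 quiet clients, 20 calls each
    reqs += [{"ip": "203.0.113.10", "status": 200, "ua_family": "curl"}] * 400
    reqs += [{"ip": "203.0.113.20", "status": 404 if i % 2 else 200,
              "ua_family": "curl"} for i in range(120)]
    reqs += [{"ip": "203.0.113.30", "status": 200,
              "ua_family": ("Chrome", "Firefox", "Safari", "Opera")[i % 4]}
             for i in range(120)]
    return reqs
```

Calling `classify_window(sample_window())` returns one reason for each of the three `203.0.113.x` clients and nothing for the 200 quiet clients, which stay below the minimum call count.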
