Bot Detection Playbook
Before you start
You must enable Bot Detection and configure a CAPTCHA provider.
Auth0's Bot Detection monitoring feature is an early warning system for botnet detection and attacks. Below is guidance for identifying bots trying to log into your tenant.
Find log events of interest
When considering a response, first sift through the log messages from the potential attack. For advanced analysis, enable log streaming and connect it to the external tool of your choice.
The following log event types are relevant when investigating an uptick in bot activity.
Log Event Type | Description
---|---
pla | Generated before login to monitor bot detection, even if bot detection is only in monitoring mode and is not using CAPTCHAs to identify bots.
fu | Failed user login events due to an invalid username, which can indicate attempted username enumeration or account takeover.
fp | Failed user login events due to an invalid password, which can indicate attempted credential stuffing.
pwd_leak | Attempted login events with a leaked password, which can indicate attempted credential stuffing.
limit_wc | IP block events for >10 failed login attempts to a single account, which indicate the IP address is likely to belong to a bot.
limit_sul | User block events for >20 login attempts per minute from the same IP address, which indicate likely bot activity.
limit_mu | IP block events for >100 failed login attempts or >50 signup attempts from the same IP address, which indicate likely bot activity.
fcoa | Failed cross-origin authentication events, which indicate attackers using automation to perform account takeovers.
scoa | Successful cross-origin authentication events, which indicate attackers using automation to perform account takeovers when the events originate from a small number of IP addresses across multiple users.
Attack response
While setting the Bot Detection level to High immediately mitigates the attack, a comprehensive strategy balances your business's risk tolerance and technical capabilities with the experience your users will have when they sign in. When responding, consider two main factors:
User friction: evaluate the impact of mitigation measures (e.g. CAPTCHA frequency) on user experience.
Technical capacity: assess your ability to implement IP blocking, WAF rules, and MFA enforcement.
Auth0 recommends a layered security approach that combines multiple mitigation techniques for optimal protection.
Mitigation strategies
For optimal protection from attacks, consider the following strategies:
Activate CAPTCHA for one or more flows and increase CAPTCHA frequency as needed, but remember that CAPTCHA is a deterrent, not a solution.
Change your CAPTCHA provider if attackers bypass your current CAPTCHA or consider migrating to Auth0's Auth Challenge or another supported provider.
If you suspect a signup fraud campaign, temporarily prevent new user signups to your application from public, unauthenticated endpoints.
Change your web application firewall rules with an edge provider or use tenant access control lists to block abusive IPs, autonomous system numbers, geographic locations, TLS clients, or HTTP header elements like user-agent strings, and consider employing a reverse proxy.
Tighten Brute Force and Suspicious IP thresholds to reduce allowed connection limits and mitigate brute-force attacks. For more information about brute force attacks, read the Brute Force playbook.
Disable unused endpoints by modifying your Cross-Origin Authentication settings. If you suspect breached password attacks, read the Breached Password playbook.
Enforce step-up MFA for compromised accounts, up to and including requiring MFA for potentially compromised accounts.
Migrate to stronger MFA options to mitigate SMS pumping or toll fraud attacks by replacing SMS or voice-based MFA with OTP or WebAuthn.