# cfml-general
p
What do people recommend for automated scripted browser/bot defenses these days at the WAF level? On some of our sites we've been getting a lot of people mass submitting forms using customized versions of Chrome that stay compliant with CSRF protections. The Azure WAF we're using is configured to block bots using Microsoft's bot firewall rules and to throttle traffic, but it seems to let the majority through. The traffic has been a mix of 'regular' computers from residential IP blocks, some VPN IPs and some server farms. Invisible reCaptcha doesn't seem to be triggered much, which isn't surprising since the tools they are using are built to handle it automatically. Our clients don't want reCaptcha solving forced on everyone coming to the sites.
p
Cloudflare Turnstile can be embedded into any website without sending traffic through Cloudflare and works without showing visitors a CAPTCHA.
It's pretty slick and more of a “smart” agent that only displays the verify if it suspects something; otherwise, under the hood, it will hide it.
b
We use Cloudflare. Among other things, you can block AI bots if you want. Using them as a proxy is like having an invisible shield.
p
Thanks! Someone else in our field was using Imperva, but definitely will check out Cloudflare Turnstile.
I guess the one thing I left out is that some of this traffic has been extreme enough that our hosting provider thought we were under DDoS attack at first. But if this stops them early enough, then I guess that would slow them down before ramping up too much.
p
Yeah, would need to consider just putting it directly behind Cloudflare in general; it will slow down a LOT of the DDoS stuff.
Just make sure you transition that while considering all DNS needs that may get affected, like mail services may choke, etc.
Cloudflare allows you to leave some records just non-proxied, like your MX records for example.
p
Thankfully it didn't appear to be intentional - just the people didn't bother to throttle their bot farm when submitting the forms.
It's been a pain because it really lights up the database since we need to capture the data (among other things), and it pushes the limit of simultaneous connections to the database server from ColdFusion. It'd be a lot easier if it was serving just static content.
p
Sounds like you are under a more severe level of attack if your form(s) are being overloaded to that level that the DB server is choking… Cloudflare could be a savior to a lot of that.
p
It was a crazy amount of traffic compared to what we normally get, the database was fine - more just that CF has connection limits. We beefed up the servers and we've been able to handle the traffic load, but we want to discourage them from continuing...
p
No real need to spend more unless it is valid traffic needs, otherwise block it away! Cloudflare is great even at the free level plan.
👍 2
p
If Turnstile can help with that it would be great!
p
That may at an easy level, otherwise consider fully proxying your app/site with the free Cloudflare plan
b
Ortus uses Cloudflare.
If you want anything specific to CF, FuseGuard is good, but it does require the requests to reach the CF server to kick in.
q
We use Imperva here. Not super impressed with it, but it does work. Their bot detection is passable at best and they've had some outages in the past. But they do allow dedicated VPNs between their site and our server cluster so that we don't have to expose our servers to the outside at all (unlike Cloudflare).
p
@quetwo Cloudflare doesn't require you to expose your servers to the outside, you can tunnel as well.
p
Thanks for the clarification Patrick, we definitely are trying to figure out what will fit in best with our current infrastructure.
q
Looks like they do have that now. I don't think it was an option when we looked for it a few years back.
p
We set up locked-down proxies to on-prem on a regular basis and use their tunneling approach with a ZTN approach.
p
What happens when Imperva has had an outage? Does the traffic just skip their WAF or does it take down the sites?
q
Takes down the sites
p
Ouch! That's a pretty big issue if it happens on a semi regular basis. (Definitely need to look into that aspect and ask them about it too)
q
I think we've had two outages in the last year. About 3-4 hours each time. One was because an SSL cert wasn't getting updated and the other was something in their infrastructure.
j
I want to jump in and echo that Cloudflare is probably the best solution. You can get their WAF running in an hour if you wanted to do that. At my last position, we used Cloudflare for some domains and Imperva for others. Both did a good job and there were not any outages caused by the WAF that I can recall. The negative experience I had with Imperva was the contract/sales cycle to get it in place. You can completely DIY a Cloudflare setup.
p
Thanks everyone for the responses!
👍 2