メインコンテンツへスキップ

Before you start

You must enable Bot Detection and configure a CAPTCHA provider.
Auth0’s Bot Detection monitoring feature is an early warning system for botnet detection and attacks. Below is guidance for identifying bots trying to log into your tenant.

Find log events of interest

When considering a response, first sift through the log messages from the potential attack. For advanced analysis, enable log streaming and connect it to the external tool of your choice. The following log event types are relevant when investigating an uptick in bot activity.

Attack response

While setting the level to High immediately mitigates the attack, a comprehensive strategy balances your business’s risk tolerance and technical capabilities with the experience your users will have when they sign in. When responding, consider two main factors:
  • User friction: evaluate the impact of mitigation measures (e.g. CAPTCHA frequency) on user experience.
  • Technical capacity: assess your ability to implement IP blocking, WAF rules, and enforcement.
Auth0 recommends a layered security approach that combines multiple mitigation techniques for optimal protection.

Mitigation strategies

For optimal protection from attacks, consider the following strategies:
  • Activate CAPTCHA for one or more flows and increase CAPTCHA frequency as needed, but remember that CAPTCHA is a deterrent, not a solution.
  • Change your CAPTCHA provider if attackers bypass your current CAPTCHA or consider migrating to Auth0’s Auth Challenge or another supported provider.
  • If you suspect a signup fraud campaign, temporarily prevent new user signups to your application from public, unauthenticated endpoints.
  • Change your web application firewall rules with an edge provider or use tenant access control lists to block abusive IPs, autonomous system numbers, geographic locations, TLS clients, or HTTP header elements like user-agent strings, and consider employing a reverse proxy.
  • Tighten Brute Force and Suspicious IP thresholds to reduce allowed connection limits and mitigate brute-force attacks. For more information about brute force attacks, read the Brute Force playbook.
  • Disable unused endpoints by modifying your Cross-Origin Authentication settings. If you suspect breached password attacks, read the Breached Password playbook.
  • Enforce step-up MFA for compromised accounts, up to and including requiring MFA for potentially compromised accounts.
  • Migrate to stronger MFA options to mitigate SMS pumping or toll fraud attacks by replacing SMS or voice-based MFA with OTP or Webauthn.