Carrie

Bot Defense Case Study: Real-World Traffic Comparison with SafeLine WAF

Protecting web applications from malicious bots is one thing; proving it works in production is another. In this case study, we demonstrate how SafeLine WAF defended a real application from bot attacks, showing before-and-after traffic patterns and highlighting actionable insights for developers.


Why Bot Defense Matters

Bots today can:

  • Scrape sensitive data
  • Perform credential stuffing
  • Spam APIs and forms
  • Overload servers, causing downtime

Simple rate limiting or IP blocks are often insufficient, as modern bots rotate IPs, mimic human behavior, and bypass naive filters.


Test Environment

  • Server: 4-core / 8GB RAM VPS
  • Web app: Single-page app + API endpoints
  • WAF: SafeLine Pro, self-hosted
  • Traffic: Internal bot simulation + real attack traffic

SafeLine WAF allows configuration of Bot Protect, custom rules, and challenge pages (JS/CAPTCHA).

# Enable Bot Protect
docker exec -it safeline-cli set-feature bot-protect true

# Check blocked requests
tail -f /data/safeline/logs/nginx/safeline/access.log | grep "bot"

Attack Scenario: Credential Stuffing

Before SafeLine:

  • ~1,200 login requests/min from suspicious IPs
  • Server CPU spiked
  • Legitimate users experienced slow responses

Access log snippet:

POST /api/login HTTP/1.1 200 512 "Dart/3.7"
POST /api/login HTTP/1.1 401 48 "Mozilla/5.0"
POST /api/login HTTP/1.1 401 52 "Dart/3.7"

Pattern: repeated login attempts from the same IPs.
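To turn that pattern into a repeatable check, the following added example (not part of the original post and not SafeLine code) counts login POSTs per client IP per minute and flags clients whose attempts mostly fail. It assumes nginx "combined" log lines, which carry the IP and timestamp the abbreviated snippet above omits; the function names, thresholds and sample lines are constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime

# Assumption: nginx "combined" log format (the page shows only abbreviated lines).
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"[^"]*" "(?P<ua>[^"]*)"$'
)

def flag_login_abuse(lines, path="/api/login", max_per_min=30, min_fail_ratio=0.8):
    """Return {(ip, minute): (attempts, failures)} for noisy, mostly-failing clients.

    Thresholds are illustrative assumptions; tune them against your own baseline.
    """
    buckets = defaultdict(lambda: [0, 0])  # (ip, minute) -> [attempts, failures]
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip malformed or truncated lines instead of crashing
        if m["method"] != "POST" or m["path"].split("?", 1)[0] != path:
            continue
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        key = (m["ip"], ts.strftime("%Y-%m-%d %H:%M"))
        buckets[key][0] += 1
        if m["status"] in ("401", "403"):  # rejected credentials or blocked
            buckets[key][1] += 1
    return {k: (n, f) for k, (n, f) in buckets.items()
            if n > max_per_min and f / n >= min_fail_ratio}

def sample_lines():
    """Constructed log lines (documentation IP ranges), not taken from the page."""
    fmt = '{ip} - - [12/May/2025:10:00:{s:02d} +0000] "{req} HTTP/1.1" {st} 48 "-" "{ua}"'
    noisy = [fmt.format(ip="203.0.113.7", s=i, req="POST /api/login",
                        st=200 if i == 17 else 401, ua="Dart/3.7") for i in range(40)]
    normal = [
        fmt.format(ip="198.51.100.20", s=5, req="POST /api/login", st=401, ua="Mozilla/5.0"),
        fmt.format(ip="198.51.100.20", s=9, req="POST /api/login", st=200, ua="Mozilla/5.0"),
        fmt.format(ip="198.51.100.20", s=11, req="GET /index.html", st=200, ua="Mozilla/5.0"),
        'POST /api/login HTTP/1.1 401 48 "Dart/3.7"',  # abbreviated line: no IP, skipped
    ]
    return noisy + normal

if __name__ == "__main__":
    for (ip, minute), (n, f) in flag_login_abuse(sample_lines()).items():
        print(f"{minute} {ip}: {n} login attempts, {f} failed")
```

A per-IP bucket only catches the same-IP pattern noted above; bots that rotate addresses need a second grouping key, such as the user agent captured by the `ua` group.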


Implementing Bot Defense

  1. Enable Bot Protect and anti-bot challenge (JS/CAPTCHA)
  2. Whitelist legitimate domains
  3. Apply custom rate limits on sensitive endpoints (/api/login)

# Rate-limit example: 5 reqs/sec for /api/login
docker exec -it safeline-cli set-rule /api/login rate-limit 5

After SafeLine Deployment

Blocked bot requests:

POST /api/login HTTP/1.1 403 64 "Dart/3.7"
POST /api/login HTTP/1.1 403 64 "Dart/3.7"

Improvements:

  • Legitimate users unaffected
  • CPU usage normalized
  • Logs provide visibility into attack sources

Traffic comparison:

  • Before WAF: 80% bot traffic during peak attack
  • After WAF: 3% bot traffic

Lessons Learned

  1. Bot patterns are predictable with proper log monitoring
  2. Self-hosted WAF allows granular control per endpoint
  3. JS/CAPTCHA challenges outperform simple IP blocks
  4. Regular log review is crucial for tuning rules

Developer Takeaways

  • SafeLine WAF is effective for bot-heavy apps
  • Real traffic comparison shows measurable impact
  • Easy integration with CI/CD pipelines
  • Logs and dashboards make anomaly detection straightforward

Conclusion

Bot attacks are inevitable, but you can stop them in real time without affecting legitimate users. SafeLine WAF provides visibility, control, and protection against modern threats.

Consider a self-hosted WAF deployment for the critical endpoints of your web apps.


SafeLine Website: https://ly.safepoint.cloud/ShZAy9x
Live Demo: https://demo.waf.chaitin.com:9443/statistics
Discord: https://discord.gg/dy3JT7dkmY
Doc: https://docs.waf.chaitin.com/en/home
GitHub: https://github.com/chaitin/SafeLine