I’m analyzing the bot report in my dashboard and have a few questions:
Bot Classification: How does Cloudflare determine the categories “Automated,” “Likely Automated,” “Verified Bot,” and “Likely Human”? What criteria are used?
Actions Taken: Does Cloudflare only analyze bot traffic, or does it also block it automatically? If so, in which specific cases does this occur?
Recommendations: With a high volume of automated traffic, what would be the recommendation to mitigate impacts on the performance and security of my site? Should I consider upgrading to Bot Management?
Many criteria, but for obvious reasons we can’t get into detail about what goes on under the hood.
What we can definitely guarantee is that a bot that is detected as a known good bot is definitely a good bot from this list and not a fake one: https://radar.cloudflare.com/traffic/verified-bots
For this we use multiple methods of verification to guarantee that a known good bot is actually the bot it claims to be and not someone masking as one.
It can block automatically. Go to Configure Super Bot Fight Mode under Security > Bots.
I would start by setting your current bot fight mode settings to challenge likely automated traffic and also enable JS detections on the same page.
Then I would deploy the Cloudflare managed ruleset under Security > WAF > Managed rules.
You can also consider creating rate limiting rules under Security > WAF > Rate limiting rules, to serve as a safety net.