Hey BotPress Community:
I’m trying to detect and block random bots on the internet that may send messages to my bot, creating a never-ending loop of messages going back and forth in a ping-pong fashion. I’m also trying to mitigate against denial-of-service type activity where an infiltrator might want to send a large number of messages to my bot in a vicious attack. Are there any best practices to defend bot platforms against such attacks? Is there any solution in Botpress already? I’d appreciate you sharing some thoughts and past experiences about this subject.
Hey BotPress Community:
For my use case I authenticate users early on by sending them an OTP to type back into the chat. This way I can log who I’m talking to. SMS would probably work better than email for this if you’re detecting a bot.
A hidden Captcha could also work, but I’ve not implemented one of these in Botpress yet. Or you could send typical Captcha-like images in chat and ask a user to answer to prove they are human. Validate against a variable. If you build all this out in a separate app you can simply do an API call skill.
- get picture
- post in-chat answer
- if success => continue
- if fail => retry / end chat
There are limits you can set on taking wrong turns. The welcome bot example includes an example of how you can increment a variable. So you can evaluate how fast messages are sent & choices are made, and also how many contexts a chat goes into. You’d have to decide what is natural.
I’m also looking into validating existing customers for certain things. So you can’t go there unless you sign up for a user account (separate system, but we do an API call). A bot using a fake account can do that, but each requirement makes it more difficult. So your adversary would have to target you specifically. And you can detect fake accounts with things like FraudlabsPro or Maxmind.
If you can log IP addresses in Node to the console you can also block revisits from known bots that you’ve blocked in chat before. Then you just block them in the firewall next visit. This is something you’d do on a hosting level once you’ve logged the IP address. This saves you on costs with services like Maxmind.
Denial of service is handled on a hosting level, preferably before a request hits your webserver. Handling this in Botpress is not very efficient. Saying no to someone also takes considerable energy, even if you stop them at the door.
Hope this gives you some ideas.
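The reply above suggests counting how fast messages arrive and how often a chat repeats itself. The following is an added example written for this page (it is not Botpress code and not the reply author's code) that turns that idea into a small in-process guard: a sliding-window rate limit per user, plus detection of the ping-pong pattern the question describes, where the same message keeps arriving verbatim. It assumes the caller (for instance a Botpress incoming-message hook, which is not shown) supplies a user id, the message text and the client IP, and discards the event whenever `check()` returns `allow: false`. The thresholds, user ids and IP addresses are constructed for illustration.

```javascript
// Added example (not Botpress code): per-user rate limiting plus
// "ping-pong" loop detection for incoming chat messages. The hook wiring
// (where userId, text and ip come from, and how a dropped event is
// discarded) is assumed to be done by the caller.

const DEFAULTS = {
  windowMs: 10_000,     // sliding window length
  maxPerWindow: 8,      // messages per user allowed inside one window
  repeatLimit: 3,       // identical messages in a row => suspected loop
  blockMs: 5 * 60_000,  // how long a flagged user stays blocked
};

class AbuseGuard {
  constructor(opts = {}) {
    this.opts = { ...DEFAULTS, ...opts };
    this.users = new Map();      // userId -> per-user state
    this.blockedIps = new Set(); // flagged IPs; feed these to a host-level firewall
  }

  // Decide whether one incoming message should be processed.
  // Returns { allow: true } or { allow: false, reason }.
  check(userId, text, ip, now = Date.now()) {
    if (ip && this.blockedIps.has(ip)) {
      return { allow: false, reason: 'blocked-ip' };
    }
    let s = this.users.get(userId);
    if (!s) {
      s = { times: [], last: null, repeats: 0, blockedUntil: 0 };
      this.users.set(userId, s);
    }
    if (now < s.blockedUntil) {
      return { allow: false, reason: 'blocked-user' };
    }

    // 1. Sliding-window rate limit: keep only timestamps inside the window.
    s.times.push(now);
    while (s.times.length && s.times[0] <= now - this.opts.windowMs) {
      s.times.shift();
    }
    if (s.times.length > this.opts.maxPerWindow) {
      return this.block(s, ip, now, 'rate-limit');
    }

    // 2. Loop detection: the same message (trimmed, lower-cased) arriving
    //    repeatLimit times in a row is what a bot-to-bot ping-pong looks
    //    like; a human rarely repeats the exact same line that often.
    const norm = String(text ?? '').trim().toLowerCase();
    if (norm === s.last) {
      s.repeats += 1;
    } else {
      s.last = norm;
      s.repeats = 1;
    }
    if (s.repeats >= this.opts.repeatLimit) {
      return this.block(s, ip, now, 'loop');
    }
    return { allow: true };
  }

  // Block the user for blockMs and remember the IP for firewall-level blocking.
  block(s, ip, now, reason) {
    s.blockedUntil = now + this.opts.blockMs;
    s.times = [];
    s.repeats = 0;
    if (ip) this.blockedIps.add(ip);
    return { allow: false, reason };
  }
}

// Demonstration on constructed traffic: a human sending two distinct
// messages, a bot repeating the same greeting, then a new user id from
// the bot's (now flagged) IP address.
function demo() {
  const g = new AbuseGuard({ repeatLimit: 3 });
  const t0 = 1_700_000_000_000;
  const results = [
    g.check('human', 'hi', '203.0.113.5', t0),
    g.check('human', 'opening hours?', '203.0.113.5', t0 + 4_000),
    g.check('bot', 'Hello!', '198.51.100.7', t0),
    g.check('bot', 'hello! ', '198.51.100.7', t0 + 1_000),
    g.check('bot', 'HELLO!', '198.51.100.7', t0 + 2_000),
    g.check('other', 'hi', '198.51.100.7', t0 + 3_000),
  ];
  return results.map((r) => r.reason ?? 'ok');
}

console.log(demo()); // [ 'ok', 'ok', 'ok', 'ok', 'loop', 'blocked-ip' ]
```

Two practical notes on the design. The state lives in a per-process `Map`, so it resets on restart and is not shared between instances; `blockedIps` is the list worth exporting to the host-level firewall the reply recommends, since that is where a real flood should be stopped. The repeat check can misfire on legitimate one-word answers such as "yes" or "ok", so keep `repeatLimit` above the number of times your own flow asks the same question, or reset the counter when the bot changes prompt.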