topic Re: Imperva seeing Dynatrace synthetics as a bad bot in Synthetic Monitoring

Imperva seeing Dynatrace synthetics as a bad bot

bogoja_jovanosk — Mon, 06 Mar 2023 08:46:58 GMT

Our firm is utilizing a security tool called Imperva to protect the website against bad bots and DDoS attacks, but it is scanning our synthetics as bad bots. Has anyone come across this issue and if so what are some solutions that can be proposed?

The security team and Imperva are reluctant to white list the IP ranges of the synthetic ActiveGates.

Also, does anyone know if browser click paths have certain request attributes that Dynatrace adds when executing that we can add to the Imperva exception list?

Re: Imperva seeing Dynatrace synthetics as a bad bot

AntonioSousa — Sun, 05 Mar 2023 09:40:06 GMT

@bogoja_jovanosk,

I have had this issue with another solution that is not Imperva. There are two main reasons why Imperva might be signalling this, in my opinion:

Dynatrace synthetic monitors run from cloud IPs [AWS,Azure, ...]. It is normal for security solutions to signal this, as there are not normally real users accessing from those IPs. Given that these are Dynatrace servers, you can white-list them without any problem. The list of IPs is available in the list of synthetic agents, so you can define a precise list.
The user-agent that Dynatrace uses is not a known user-agent for browsers. You have two ways around this: configure Imperva to signal that an user agent that starts with "DynatraceSynthetic/" is good, as explained in https://www.dynatrace.com/support/help/platform-modules/digital-experience/synthetic-monitoring/http-monitors/configure-http-monitors ; or configure your synthetics to use a known browser User-agent. This is for HTTP monitors, as I believe for browser monitors the Chrome signature is used...

Re: Imperva seeing Dynatrace synthetics as a bad bot

HannahM — Mon, 06 Mar 2023 11:51:39 GMT

Most tools use the User Agent string to define if it's a bot or not.

For Browser Monitors, we add RuxitSynthetic/1.0 to the User Agent string and for HTTP Monitors we add DynatraceSynthetic/{version}, so I would just add a rule for DynatraceSynthetic/ as the version will change every time you update your ActiveGates or we update the Public location versions

Re: Imperva seeing Dynatrace synthetics as a bad bot

bogoja_jovanosk — Thu, 29 Jun 2023 18:30:14 GMT

Hi Antonio,

Thanks for the reply. This issue is coming up again from Imperva.

So to first reply to your points:

Our security team is reluctant to white list IP addresses as there can be a way to go around Dynatrace servers (spoofing) to attack Prudential network.
This is seen as a security risk/entry point of attack as well as someone can create a DDoS attack by spoofing the user agent to bypass the bot protection firewall.

Does Dynatrace work with security vendors like Imperva to make synthetics be seen as a good bot? I see that they have other vendors that can be selected to seen as a good bot like logicmonitor, pingdom, but Dynatrace is not one. I would think Dynatrace as one of the leading industry observability platforms would be part of the Imperva Bot Protection "good bot" category.