Client Reputation


Malicious bots usually initiate requests through proxy pools, botnets, or specific devices. EdgeOne's client reputation analysis uses Tencent's nearly 20 years of network security experience and big data intelligence accumulation to determine the real-time state of IP, adopt scoring mechanisms, quantify risk values, and precisely identify access from malicious dynamic IPs. It accurately identifies high-risk clients, updates the latest threat intelligence every 24 hours, and provides threat confidence reports for different IP addresses. According to the different types of attack clients, it provides 5 risk classifications and confidence levels. You can help control multiple categories (network attack sources, exploited network proxy devices, vulnerability scanning tools, brute force cracking behaviors, etc.) of high-risk client access by customizing the protection strategy for each threat confidence level, reducing business risks and effectively intercepting such malicious behaviors.

Example Scenario

In the Web security analysis module, you observe that under the site api.example.com, the login interface /api/login has high-frequency access, and there are a large number of failed access requests in a short period of time. However, due to the large number of access IPs, mainly from broadband operator networks, a single IP request is only 1-2 times. Judging from the access features, it is suspected that dial-up IPs are used for brute force cracking login attempts. To strengthen the security policy, we suggest intercepting higher confidence network proxy clients and setting medium confidence clients to observe.


1. Log in to the EdgeOne console and click Site List in the left sidebar. In the site list, click the target site to enter the site details page.
2. In the site details page, click Security Protection > Bot Management to enter the Bot Management details page.
3. In the client reputation analysis card, click Set to enter the configuration page.
4. Client reputation is divided into network attacks, network proxies, scanners, account takeover attacks, and malicious bots. You can customize the corresponding action for different types of clients based on the client reputation credibility level.
In the current scenario, dial-up IPs are typical network proxy type clients. When observing that the site receives a high frequency of dispersed IP access, you can intercept higher confidence network proxy clients and set medium confidence clients to observe.

5. Click OK to complete the configuration.

Related References

Risk Classification

Client reputation analysis is based on real-time threat intelligence libraries and can effectively identify clients with the following 5 types of malicious behavior history:
Network attack: Clients with recent attack behavior (such as DDoS, high-frequency malicious requests, site attacks, etc.). For example, attacks initiated by the Mirai botnet can be classified into this category.
Network proxy: Clients that have recently opened suspicious proxy ports and have been used as network proxies, including dial-up IP proxy pools and IoT proxy networks used to initiate malicious requests.
Scanner: Clients with recent scanner behavior targeting known vulnerabilities. For example, vulnerability scanning tools for Web applications.
Account takeover attack: Clients with recent malicious login cracking and account takeover attack behavior. For example, attackers who use brute force to crack user login credentials.
Malicious bot: Clients with recent malicious bot, hotlinking, and brute force cracking behaviors. For example, illegal bots that collect website content.

Credibility Level

For each category of client reputation rules, each credibility level corresponds to a client address list. The credibility level reflects the frequency and consistency of the client address's recent malicious behavior in that category:
Higher credibility: The client address has recently engaged in stable, high-frequency malicious behavior in that category. It is recommended to intercept such clients.
Medium credibility: The client address has recently engaged in significant frequency malicious behavior in that category. It is recommended to configure such clients for JavaScript challenge or observation.
General credibility: The client address has recently engaged in stable malicious behavior in that category. It is recommended to manage such clients.