ESA provides Smart Mode on all plans and Professional Mode on the Enterprise plan to process bot traffic.
Requests blocked by Bots rules are not subject to billing or quota consumption.
Enable Smart Mode
Smart Mode is for entry-level users to manage automated traffic and crawlers. It is available on all plans, but features may vary by plan. Smart Mode sorts traffic into three types. You only need to set actions for each type of bot.
Set up global policies
In the ESA console, choose Websites and click the name of the website you want to manage.
In the left-side navigation pane, choose .
On the Bots page, select Smart Mode, and click Configure for the following items:
Definite Bots are requests from hundreds of known malicious crawlers listed in the Alibaba Cloud intelligence database. The recommended action is Block or Slider CAPTCHA.
Likely Bots have lower risk compared to Definite Bots, and may contain malicious crawlers and other automated traffic. The recommended action is Monitor. Use Slider CAPTCHA if the website traffic is high.
Verified Bots are requests from search engine crawlers that help with your website's search engine optimization (SEO). The recommended action is Allow. Block them if you do not want search engines to access your website.
Enable bot detection for static resource requests
If you are on an Enterprise plan, you can configure protection for static resources against malicious bots.
This feature may block legitimate bots that fetch static resources, such as those used by email clients. Review your current infrastructure before enabling it.
Enable JavaScript detection
If you are on an Enterprise plan, you can use lightweight and invisible JavaScript detection to collect browser fingerprints and improve bot detection without impacting user experience.
Set up Professional Mode
In Professional Mode, you can create protection rule sets for specific website requests and set different active times for each rule. Professional Mode also protects mobile applications and allows you to apply rule sets across domains within your account. Follow these steps to configure bot rule sets:
In the ESA console, choose Websites and click the name of the website you want to manage.
In the left-side navigation pane, choose .
On the Bots page, select Professional Mode, and click Create Ruleset.
Enter the Rule Set Name, select Service Type as Browsers, and select SDK Integration as Automatic Integration (Recommended).
Based on the request characteristics you want to filter, configure rule expressions in If requests match....
For example, to apply bot mitigation to requests from the Chinese mainland, use the expression (ip.geoip.country in {"CN"}). For more information, see Available rule matching fields for Bots.
Select the actions:
For search engine bots:
Trusted bot management: Allow trusted search engine bots directly.
Fake crawler blocking: Block all search engine bots. You can combine this with trusted bot management to allow only selected search engine bots.
For known bot libraries:
Bot intelligence library: This Alibaba Cloud library contains IP addresses of malicious bots. Enable Slider CAPTCHA to filter these bots.
IDC blacklist: If your visitors' clients are not from public clouds or data centers, you can block requests from data centers in Data Center Blacklist.
For requests needing identification:
Bot characteristic detection: Identifies non-browser bots by comparing their behavior to typical browser activity.
Bot behavior detection: ESA uses machine learning to analyze traffic, create protection rules, and generate blacklists. Set measures according to your actual blocking needs.
Custom throttling: To limit how often bots can access your website, control the request rate from the same IP or session. Apply protection actions to requests that exceed your set threshold.
In the Effective Time section, click Edit on the right side of the corresponding rule, set the effective time, and click OK.
Click OK to save your settings.
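Added example, not part of the ESA documentation or ESA's own code: a sliding-window replay that shows how the Custom throttling choice between counting per IP and counting per session changes which clients exceed a threshold. The traffic sample, the function names, and the threshold and window values are constructed assumptions, not ESA settings.

```python
from collections import defaultdict, deque

def build_sample():
    """Constructed traffic as (epoch_second, client_ip, session_id) tuples."""
    # One scripted client: single IP and session, 1 request/second for 12 s.
    reqs = [(t, "198.51.100.7", "bot-1") for t in range(12)]
    # Three people behind one NAT address, each with their own session,
    # each sending one request every 3 seconds.
    for offset, session in enumerate(("user-a", "user-b", "user-c")):
        reqs += [(t + offset, "203.0.113.20", session) for t in range(0, 12, 3)]
    return reqs

def throttle_hits(requests, key="ip", threshold=5, window=10):
    """Count, per client key, the requests that exceed the threshold.

    A request exceeds it when more than `threshold` requests with the same
    key (itself included) fall inside the trailing `window` seconds.
    `threshold` and `window` are hypothetical values, not ESA defaults.
    """
    field = {"ip": 1, "session": 2}[key]
    recent = defaultdict(deque)   # key -> timestamps still inside the window
    exceeded = defaultdict(int)   # key -> requests an action would apply to
    for request in sorted(requests):
        ts, client = request[0], request[field]
        stamps = recent[client]
        stamps.append(ts)
        while stamps[0] <= ts - window:
            stamps.popleft()
        if len(stamps) > threshold:
            exceeded[client] += 1
    return dict(exceeded)

if __name__ == "__main__":
    sample = build_sample()
    print("keyed by IP:     ", throttle_hits(sample, key="ip"))
    print("keyed by session:", throttle_hits(sample, key="session"))
```

Keyed by IP, the shared NAT address is counted exactly like the scripted client; keyed by session, only the scripted client exceeds the threshold.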