
Bot & Scanner Blocking

Overview

A vast number of automated scanning tools and bots continuously probe web-accessible services for vulnerabilities. These tools - used by both legitimate security researchers and malicious actors - systematically test for common vulnerabilities such as SQL injection, cross-site scripting, directory traversal, default credentials, known CVEs in specific software versions, and more. When a service is exposed through Horizon, it becomes reachable from the public internet (subject to the configured access policy) and is inevitably discovered and probed by these automated scanners.

The bot and scanner blocking feature provides a toggle-based mechanism to automatically detect and block requests from known vulnerability scanning tools, preventing them from reaching the backend service. This feature operates by analyzing the User-Agent HTTP header included with each client request and comparing it against a database of signatures associated with well-known scanning tools.

Blocked Tools and Signatures

When bot and scanner blocking is enabled, Horizon detects and blocks requests from a range of well-known vulnerability scanning and reconnaissance tools. These include sqlmap, one of the most widely used automated SQL injection detection and exploitation tools; Nikto, an open-source web server and web application vulnerability scanner that tests for thousands of known issues; Nmap, the industry-standard network discovery and security auditing tool that includes extensive service detection and vulnerability scanning capabilities; WPScan, a WordPress-specific vulnerability scanner that probes for known plugin, theme, and core vulnerabilities; and numerous other common reconnaissance, enumeration, and exploitation tools that identify themselves through their User-Agent strings. The list of blocked signatures is curated to target tools that are overwhelmingly used for probing and attacking, rather than legitimate application access.

How to Enable

To enable bot and scanner blocking on a circuit, open the circuit's settings panel and navigate to the Bot & Scanner Blocking section. Toggle the Block Bots & Scanners switch to the On position. The setting takes effect immediately - subsequent requests from recognized scanning tools are blocked at the proxy and logged with the block reason included in the request logs. To disable the feature, toggle the switch back to Off.

Behavior

When a request is identified as originating from a known scanner, it is blocked at the Horizon proxy before it reaches the backend service. The blocked request appears in the request logs as a blocked action, with a reason indicating scanner detection, providing full visibility into scanning attempts targeting the circuit. Legitimate browser traffic (Chrome, Firefox, Safari, Edge, etc.), standard API clients, mobile applications, and other normal HTTP consumers are not affected by this feature - it specifically targets the User-Agent signatures of known scanning and exploitation tools.

This detection method relies on the User-Agent header being honestly reported. Sophisticated attackers can spoof their User-Agent string to impersonate a legitimate browser, bypassing this detection. Accordingly, bot and scanner blocking should be considered one layer in a defense-in-depth strategy, working alongside IP filtering, country blocking, and access policies.
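The User-Agent matching described above can be sketched as follows. This is an added example, not Horizon's own code: the signature list, the reason strings, the handling of a missing header, and the sample header values are all assumptions made for illustration.

```python
import re
from collections import Counter

# Hypothetical signature list built from the tools this page names; the
# product's actual signature database is not shown on this page.
SIGNATURES = {
    "sqlmap": re.compile(r"sqlmap", re.I),
    "nikto": re.compile(r"nikto", re.I),
    "nmap": re.compile(r"nmap", re.I),
    "wpscan": re.compile(r"wpscan", re.I),
}

def classify_user_agent(user_agent):
    """Return (action, reason) for one request's User-Agent header value."""
    if not user_agent or not user_agent.strip():
        # Assumption: a missing header matches no signature, so the decision
        # is left to the other layers (access policy, IP filtering).
        return ("allow", "no-user-agent")
    # Search the whole value: several scanners embed their name inside a
    # "Mozilla/..." string, so a prefix check alone would miss them.
    for tool, pattern in SIGNATURES.items():
        if pattern.search(user_agent):
            return ("block", f"scanner:{tool}")
    return ("allow", "no-signature-match")

def summarize(user_agents):
    """Count decisions by reason across a batch of header values."""
    return Counter(classify_user_agent(ua)[1] for ua in user_agents)

# Constructed sample header values (not taken from real request logs).
SAMPLE = [
    "sqlmap/1.7.2#stable (https://sqlmap.org)",
    "Mozilla/5.00 (Nikto/2.1.6) (Evasions:None) (Test:000001)",
    "Mozilla/5.0 (compatible; Nmap Scripting Engine; https://nmap.org/book/nse.html)",
    "WPScan v3.8.22 (https://wpscan.com/wordpress-security-scanner)",
    "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
    "(KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36",
    "",
]

if __name__ == "__main__":
    for ua in SAMPLE:
        print(classify_user_agent(ua), repr(ua[:48]))
    print(dict(summarize(SAMPLE)))
```

Any value that presents a browser string falls through to `no-signature-match` regardless of the client that sent it, which is why the page treats this check as one layer alongside IP filtering, country blocking, and access policies.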

TIP

Enable bot and scanner blocking on every circuit that is accessible from the internet, including those with restricted access policies. This feature adds a valuable layer of protection against automated reconnaissance with zero impact on legitimate users. Blocked requests appear in the request logs, providing visibility into scanning activity targeting the associated services.