How-to
UA Rotation Detector
Detect bots cycling through many fake user-agent strings to evade detection.
What it detects
Catches bots cycling through many different user-agent strings. A legitimate user population from one ISP presents 3–6 UA families (Chrome, Safari, Firefox, Edge, maybe a mobile browser). 15+ distinct families from a single ASN is the bot-rotation signature.
How it works
Every minute, the detector counts distinct UA families per ASN. The rollup aggregator classifies user agents into broad families (Chrome, Safari, Firefox, Edge, bot, http-client, other) so the detector measures family diversity, not raw UA string diversity.
Default thresholds
| Parameter | Default | Description |
|---|---|---|
| window_minutes | 10 | Evaluation window |
| distinct_ua_threshold | 15 | Minimum distinct UA families to trip |
| min_requests | 5,000 | Volume floor |
Severity
- Warning: distinct UAs exceed threshold
- Critical: distinct UAs exceed 2× the threshold
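The evaluation described above, as an added Python example that is not the detector's own code. It applies the window, family threshold, volume floor and severity rules to constructed rollup rows. Assumptions: the `(minute, asn, ua_family, request_count)` record shape, tripping at 15 or more families with critical strictly above 2× the threshold, the volume floor counted as total requests per ASN in the window, and `fam-NN` labels as constructed placeholders for the aggregator's family output.

```python
from collections import defaultdict

# Defaults from the thresholds table on this page.
WINDOW_MINUTES = 10
DISTINCT_UA_THRESHOLD = 15
MIN_REQUESTS = 5000


def evaluate(rows, now_minute, window=WINDOW_MINUTES,
             threshold=DISTINCT_UA_THRESHOLD, min_requests=MIN_REQUESTS):
    """Return {asn: (severity, distinct_families, requests)} for ASNs that trip.

    rows: (minute, asn, ua_family, request_count) rollup records (assumed shape).
    """
    families, volume = defaultdict(set), defaultdict(int)
    for minute, asn, family, count in rows:
        # Keep only the trailing window that ends at now_minute.
        if now_minute - window < minute <= now_minute:
            families[asn].add(family)
            volume[asn] += count

    findings = {}
    for asn, fams in families.items():
        distinct = len(fams)
        # Assumption: the volume floor and the family threshold must both be met.
        if volume[asn] < min_requests or distinct < threshold:
            continue
        severity = "critical" if distinct > 2 * threshold else "warning"
        findings[asn] = (severity, distinct, volume[asn])
    return findings


def constructed_rows():
    """Constructed sample rollup; ASNs come from the documentation range."""
    def spread(asn, n_families, per_row, minute=5):
        return [(minute, asn, f"fam-{i:02d}", per_row) for i in range(n_families)]

    rows = [(m, 64500, fam, 400) for m in range(1, 11)
            for fam in ("Chrome", "Safari", "Firefox", "Edge")]  # ordinary ISP mix
    rows += spread(64501, 16, 400)            # 16 families, 6,400 requests
    rows += spread(64502, 31, 200)            # 31 families, 6,200 requests
    rows += spread(64503, 20, 100)            # diverse but under the volume floor
    rows += spread(64504, 20, 500, minute=0)  # diverse but outside the window
    return rows


if __name__ == "__main__":
    for asn, finding in sorted(evaluate(constructed_rows(), now_minute=10).items()):
        print(f"AS{asn}: {finding}")
```

Only AS64501 (warning) and AS64502 (critical) are reported at minute 10; the ordinary ISP mix, the low-volume ASN and the stale burst are all suppressed.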
Limitations
The current UA classification is coarse (7 buckets). A sophisticated bot rotating between Chrome 120, Chrome 121, Chrome 122, etc. would have all of its user agents land in the "Chrome" family and would not trip the detector. The v1.5 operation fingerprint detector catches these via behavioural correlation instead.