Imperva Cyber Community

Hi,

Let's say we have two people behind the same public IP address. Both users access the same application.

• The first user uses automation, which triggers the web scraping condition and gets blocked according to the ABP policy.
• The second user uses a regular browser and interacts with the application normally.

After some time, the second user is also flagged for web scraping.
Even after rebooting the ISP router, the same issue occurs.

The question is: Is this behavior normal?
And does the detection have a relationship with the IP reputation based on the previous behavior of that public IP address?

Hello Driss, 

Thank you for your post.

The ABP managed conditions "Web Scraping Low/Medium/High Confidence" are based on behavioral models called Apollo models, which trigger if signs of scraping are detected, such as high volume requests to the same URL, or from the same IP.  They do not take Cloud WAF's IP reputation into account.

In cases where multiple users share the same IP (e.g., corporate NATs, VPNs or proxies), the likelihood of the models being triggered increases. In this case, these conditions might cause false positives and would need to be reviewed. The SAS team can assist you in reviewing the traffic and provide recommendations on whether these models should be Active, depending on the specific use case.