🧠 Xerxes — Bot Traffic Reality Controller

Version: 0.1.1-dev (Locked Build)
Platform: PHP + Apache (Shared Hosting Compatible)

Portable · Shared Hosting Safe · Apache First · PHP Control Layer

This document explains what Xerxes is, what it does, how it works, how to install and test it, and where it is meant to evolve next.

What Xerxes Is

Xerxes is a traffic control system for bots and automated agents.

It does not simply block bots. Instead, it detects bot-like behavior, classifies incoming requests, decides how each request should be handled, and controls what the requester is allowed to see.

Xerxes is not a firewall.
It is a system that determines what each visitor is allowed to perceive.

Core Concept

Traditional systems follow this pattern:

Bot → Block

Xerxes follows this pattern:

Bot → Observe → Classify → Decide → Respond

Blocking is easy. Controlling perception is powerful.

Perception Control Layer

Xerxes is designed not just to block, but to control what automated systems experience.

Request → Classified → Routed → Controlled Response

This transforms Xerxes from a defensive system into an active intelligence layer.

System Architecture

Internet → WAF → Xerxes → Response

WAF / Hosting Firewall

Blocks obvious abuse, rate limits floods, and protects server resources.

Xerxes

Analyzes requests, classifies user agents, logs activity, and determines behavior.

Apache / .htaccess

Executes rules quickly and efficiently before PHP has to do heavy work.

Key Features in v0.1.1-dev

Dashboard Preview (Next Evolution)

This represents the upcoming visual intelligence layer. The current build prepares the data pipeline.

Average Threat Score

3.2 (Simulated)

Top Signals

  • Missing Accept Header
  • High Request Frequency
  • Known Bot UA Pattern

Traffic Composition

  • Human: 62%
  • Suspicious: 21%
  • Automated: 17%

Directory Structure

/xerxes/
│
├── index.php              → Control panel (login protected)
├── detect.php             → Live detection endpoint
├── payload_router.php     → Payload handling (future expansion)
│
├── /includes/
│   ├── db.php
│   ├── analytics.php
│
├── /data/
│   ├── xerxes.sqlite
│   ├── parse_state.json
│
├── /payloads/
│   ├── botpot.json
│   ├── empty-feed.xml
│   ├── null.html
│
├── config.php             → Core configuration (sensitive)

Installation

  1. Upload the /xerxes/ directory into your site root, such as /public_html/xerxes/.
  2. Add one simple Xerxes-safe block to the top of the main site .htaccess.
  3. Set proper file permissions.
  4. Access the control panel and change the default token.

Main .htaccess Block

RewriteEngine On

# Xerxes safe zone
RewriteCond %{REQUEST_URI} ^/xerxes/ [NC]
RewriteRule ^ - [L]

Permissions

# Run from the site root (for example /public_html/)
chmod 755 xerxes/
chmod 644 xerxes/*.php
chmod 755 xerxes/data/

Access

http://yourdomain.com/xerxes/

Authentication

The control panel uses a token stored in config.php. This token must be changed before the system is exposed publicly.

'auth' => [
    'token' => 'change-me-now-xerxes-dev-token',
    'session_key' => 'xerxes_auth',
],
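
A token check for the configuration above, as an added example rather than Xerxes's own code. It assumes the panel compares a submitted token against the 'token' value; the function names and the DEFAULT_TOKEN constant are hypothetical.

```php
<?php
// Added example: function names are assumptions; the config keys are the ones shown above.
const DEFAULT_TOKEN = 'change-me-now-xerxes-dev-token';

function xerxes_token_ok(array $config, string $supplied): bool
{
    $expected = (string) ($config['auth']['token'] ?? '');
    // Refuse every login while the token is empty or still the shipped placeholder.
    if ($expected === '' || $expected === DEFAULT_TOKEN) {
        return false;
    }
    // hash_equals() compares in constant time, so timing does not reveal matching prefixes.
    return hash_equals($expected, $supplied);
}

function xerxes_login(array $config, string $supplied): bool
{
    if (!xerxes_token_ok($config, $supplied)) {
        return false;
    }
    // Issue a fresh session id on login so a pre-set id cannot be reused (session fixation).
    if (session_status() === PHP_SESSION_ACTIVE) {
        session_regenerate_id(true);
    }
    $_SESSION[$config['auth']['session_key']] = true;
    return true;
}

// Constructed configuration for the demonstration.
$config = ['auth' => ['token' => DEFAULT_TOKEN, 'session_key' => 'xerxes_auth']];

// Case 1: placeholder token still configured, correct value submitted.
var_dump(xerxes_login($config, DEFAULT_TOKEN));

// Case 2: token replaced with 256 bits from the CSPRNG, wrong value submitted.
$config['auth']['token'] = bin2hex(random_bytes(32));
var_dump(xerxes_login($config, 'guess'));

// Case 3: replaced token, correct value submitted.
var_dump(xerxes_login($config, $config['auth']['token']));
```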

Security Notes

Protect sensitive files. Even if PHP is configured correctly, deny direct access explicitly.

<FilesMatch "^(config\.php|.*\.sqlite)$">
    Require all denied
</FilesMatch>

Testing

Basic Detection Test

curl -A "Mozilla/5.0" http://yourdomain.com/xerxes/detect.php

Bot Simulation

curl -A "Googlebot/2.1 (+http://www.google.com/bot.html)" http://yourdomain.com/xerxes/detect.php

Safe Load Test

for i in {1..50}; do
  curl -s -A "TestBot$i" http://yourdomain.com/xerxes/detect.php &
  ((i % 10 == 0)) && wait
done
wait

Use browser-like UAs when testing through environments with aggressive WAF rules. Curl with its default UA may be blocked before Xerxes ever sees the request.

Known Behavior

WAF Interaction

The WAF may block default curl and obvious bot-like traffic before Xerxes runs. This is expected in hardened environments.

Rate Limiting

Xerxes includes its own internal micro-throttling for traffic that is allowed through.

Current Bot Experience

At the moment, bots that reach /xerxes/ generally see the login wall unless routed elsewhere intentionally.

Current Limitations

Configuration

Core runtime values are stored in config.php.

'runtime' => [
    'enabled' => true,
    'log_live_hits' => true,
    'rate_limit' => true,
    'rate_window' => 1,
    'rate_hits' => 5,
    'force_full_detection' => false,
    'debug' => false,
]

These settings allow live request logging, basic internal rate limiting, and future expansion into deeper behavior analysis.
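
One way a limiter driven by rate_window and rate_hits could work, as an added example that is not Xerxes's own code. It assumes rate_window is in seconds and rate_hits is the maximum number of hits per client per window; the table, the function name and the client key are hypothetical, and the upsert needs SQLite 3.24 or newer.

```php
<?php
// Added example: table name, function name and client key are assumptions, not Xerxes code.

/**
 * Fixed-window limiter: at most $rateHits requests per client per $rateWindow seconds.
 * Returns true when the request is within the limit.
 */
function xerxes_allow(PDO $db, string $client, int $now, int $rateWindow = 1, int $rateHits = 5): bool
{
    $window = intdiv($now, $rateWindow) * $rateWindow;   // start of the current window

    $db->beginTransaction();
    // Upsert the counter for (client, window); values are bound, never concatenated.
    $db->prepare(
        'INSERT INTO rate_hits (client, window_start, hits) VALUES (:c, :w, 1)
         ON CONFLICT(client, window_start) DO UPDATE SET hits = hits + 1'
    )->execute([':c' => $client, ':w' => $window]);

    $stmt = $db->prepare('SELECT hits FROM rate_hits WHERE client = :c AND window_start = :w');
    $stmt->execute([':c' => $client, ':w' => $window]);
    $hits = (int) $stmt->fetchColumn();

    // Drop expired windows so the table stays small on shared hosting.
    $db->prepare('DELETE FROM rate_hits WHERE window_start < :w')->execute([':w' => $window]);
    $db->commit();

    return $hits <= $rateHits;
}

// In-memory database for the demonstration; a deployment would open a file under data/.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE rate_hits (client TEXT, window_start INTEGER, hits INTEGER,
           PRIMARY KEY (client, window_start))');

// Constructed traffic: 7 hits in the same second, then 1 hit in the next second.
$client = '203.0.113.7';   // documentation address (RFC 5737)
for ($i = 1; $i <= 7; $i++) {
    printf("t=1000 hit %d: %s\n", $i, xerxes_allow($db, $client, 1000) ? 'allow' : 'throttle');
}
printf("t=1001 hit 1: %s\n", xerxes_allow($db, $client, 1001) ? 'allow' : 'throttle');
```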

Behavior Scoring Engine

Xerxes now introduces a scoring system that evaluates each request based on behavioral indicators instead of relying solely on static signatures.

Score Range:
0   → Likely Human
1–3 → Suspicious
4–6 → Automated / Scripted
7+  → Aggressive / Bot / Scanner

Signals Considered

  • User-Agent anomalies
  • Request frequency
  • Header consistency
  • Known bot signatures
  • Behavioral repetition
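
A scoring pass over three of these signals, mapped onto the score range above, as an added example that is not Xerxes's own code. The weights, the UA pattern and the function name are assumptions; the signal names reuse the dashboard's "Top Signals" where they apply.

```php
<?php
// Added example: weights, pattern and function name are assumptions, not Xerxes code.
const BOT_UA_PATTERN = '/(bot|crawl|spider|curl|wget|python-requests|scrapy)/i';

/**
 * Score one request. $headers maps lower-cased header names to values;
 * $hitsInWindow is this client's hit count in the current rate window.
 */
function xerxes_score(array $headers, int $hitsInWindow, int $rateHits = 5): array
{
    $signals = [];
    $ua = trim($headers['user-agent'] ?? '');
    // The UA is self-reported, so a signature match is evidence, not proof of identity.
    if ($ua === '') {
        $signals['Empty User-Agent'] = 3;
    } elseif (preg_match(BOT_UA_PATTERN, $ua)) {
        $signals['Known Bot UA Pattern'] = 4;
    }
    if (!isset($headers['accept'])) {
        $signals['Missing Accept Header'] = 2;
    }
    // Header consistency: a UA claiming to be a browser normally sends Accept-Language.
    if (stripos($ua, 'Mozilla/') === 0 && !isset($headers['accept-language'])) {
        $signals['Browser UA without Accept-Language'] = 1;
    }
    if ($hitsInWindow > $rateHits) {
        $signals['High Request Frequency'] = 3;
    }

    // Map the total onto the score bands listed above.
    $score = array_sum($signals);
    if ($score === 0)    { $label = 'Likely Human'; }
    elseif ($score <= 3) { $label = 'Suspicious'; }
    elseif ($score <= 6) { $label = 'Automated / Scripted'; }
    else                 { $label = 'Aggressive / Bot / Scanner'; }

    return ['score' => $score, 'label' => $label, 'signals' => array_keys($signals)];
}

// Constructed sample requests: [headers, hits in the current window].
$samples = [
    'browser' => [['user-agent' => 'Mozilla/5.0 (X11; Linux x86_64)', 'accept' => 'text/html', 'accept-language' => 'en-US'], 1],
    'script'  => [['user-agent' => 'Mozilla/5.0'], 1],
    'crawler' => [['user-agent' => 'Googlebot/2.1 (+http://www.google.com/bot.html)'], 12],
];
foreach ($samples as $name => [$headers, $hits]) {
    $r = xerxes_score($headers, $hits);
    printf("%-8s score=%d %-27s %s\n", $name, $r['score'], $r['label'], implode(', ', $r['signals']));
}
```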

Purpose

  • Reduce false positives
  • Enable adaptive responses
  • Prepare for deception routing
  • Provide future automation hooks

Design Philosophy

Principle | Meaning
Separation of Responsibility | WAF blocks obvious threats, Xerxes makes intelligent decisions, Apache executes efficiently.
Portability | No external services, no WordPress dependency, and minimal installation requirements.
Control Over Blocking | Xerxes is meant to decide what bots see, not merely keep them out.

Recommended Workflow

  1. Install Xerxes in /xerxes/.
  2. Add the minimal main .htaccess block.
  3. Test with a browser-like UA and with controlled bot UAs.
  4. Observe behavior before adding complexity.
  5. Expand rules gradually.
  6. Keep the main .htaccess clean and avoid scattered edits.

Future Evolution

Phase 2 — Intelligence Layer

Behavioral scoring, request frequency analysis, fingerprinting, and header anomaly detection.

Phase 3 — Perception Control

Dynamic payload assignment, bot-specific responses, fake APIs, and shaped realities.

Phase 4 — Adaptive System

Memory of interactions, staged deception, evolving responses, and long-term tracking.

Phase 5 — Analytics Dashboard

Live visualizations, traffic breakdowns, trend analysis, and operator intelligence.

Phase 6 — Autonomous Decision Engine

Self-adjusting rules, pattern learning, and tuned automated responses.

Final State of This Locked Build

Xerxes is not designed to stop bots.
It is designed to let them in,
study them,
and decide what version of reality they experience.

Change Log (Evolution Tracking)

v0.1.3-dev (Deception Layer Expansion)

  • Introduced multi-format payload deception system (JSON, XML, HTML)
  • Replaced null/empty responses with structured crawl labyrinths
  • Implemented recursive link architectures to increase crawler workload
  • Designed infinite traversal paths via pagination, node graphs, and query loops
  • Aligned payloads with realistic formats (Atom XML, structured HTML, API-style JSON)
  • Shifted strategy from passive null responses to active crawler engagement
  • Improved perception control layer effectiveness without requiring PHP routing
  • Established static payload reliability independent of runtime execution

v0.1.2-dev

  • Behavior scoring engine introduced
  • Improved detection classification flow
  • Dashboard groundwork prepared
  • Enhanced request analysis structure

v0.1.1-dev (Locked)

  • Stable detection pipeline
  • Rate limiting baseline
  • Portable SQLite structure
  • Initial payload routing foundation