The days when you could be certain there was a human presence on the other end of a cyberattack are behind us. Bot-generated attacks targeting web infrastructure have lately grown more prevalent and more sophisticated. The attack vectors and risk profiles are expanding as well.
In short, bots are getting better at ruining your day, and they’re becoming much more difficult to detect and mitigate. Is there anything you can do? How can you guard your assets from attackers that employ these tools against you?
What Bad Bots Do
By far, the most common type of bot in operation today is the comment spammer – you’re no doubt familiar with them if you’ve spent even a marginal amount of time online. These bots are only the tip of the iceberg, however – as with human hackers, different bots have different objectives. One bot may be designed to execute an SQL injection, while another might be made to brute-force a password in an effort to break into a site, and a third might try to clickjack and defraud a site’s visitors.
Similarly, bot-generated attacks also take many different forms – some are static, while others are dynamic over time. An especially complex bot may utilize both types of attack. It may, for example, start off with a static HTTP or HTTPS DDoS flood, which is used to mask something more fluid and insidious: tampering with a site’s content delivery network so dynamic requests are forwarded to a different origin.
Now, it’s worth mentioning that for most of you, this information is likely already known. Bots aren’t exactly new or revolutionary, after all. Advanced bots are, though – and they’re becoming more common by the day.
Advanced Bots: No Easy Feat To Detect
Script-based bots are easy to detect and block. The trouble is that cyber-criminals are aware of this, which has led to the development of more advanced models. Based on headless browser technology such as PhantomJS, these bots evade detection through a variety of methods:
- Passing challenges: CAPTCHA remains one of the best means of detecting bots – which is why some hackers have developed pattern recognition algorithms, while others simply rely upon third-party, low-cost human labor.
- Serving dynamic IP addresses: By maintaining a low rate of activity per IP, bots can evade IP-based detection systems.
Tools of the Trade
What can you do to address these bots, then? How can you take them down if CAPTCHA, IP-based detection, and abnormal behavior recognition all fall short? It’s actually simpler than you’d think.
There now exist technologies capable of capturing distinctive device fingerprints, identifying browsers or automated web client tools through information such as operating system specification, TCP/IP configuration, browser-based activities, and underlying hardware attributes. By correlating these data points, it’s possible to more easily ferret out advanced bots; a bot’s device fingerprint does not change, even if its IP address does.
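To make the contrast between IP-based and fingerprint-based detection concrete, here is an added example (not code from this article or from any vendor product) that runs both checks over the same constructed request log. The attribute names, sample values and thresholds are assumptions chosen for illustration.

```python
import hashlib
from collections import defaultdict

# Constructed sample requests: (source IP, client attributes). The attribute
# names are assumptions standing in for OS, TCP/IP, browser and hardware signals.
BOT = {"os": "Linux x86_64", "tcp_window": 29200, "ttl": 64,
       "canvas": "a91f", "screen": "1024x768", "webgl": "SwiftShader"}
USER_A = {"os": "Windows 10", "tcp_window": 64240, "ttl": 128,
          "canvas": "77c2", "screen": "1920x1080", "webgl": "NVIDIA"}
USER_B = {"os": "macOS 14", "tcp_window": 65535, "ttl": 64,
          "canvas": "0be4", "screen": "2560x1600", "webgl": "Apple M2"}

REQUESTS = (
    [(f"203.0.113.{i}", BOT) for i in range(1, 41) for _ in range(3)]  # 40 IPs x 3
    + [("198.51.100.7", USER_A)] * 12
    + [("198.51.100.9", USER_B)] * 8
)

def fingerprint(attrs):
    """Stable hash over sorted attributes; the source IP is deliberately excluded."""
    canon = "|".join(f"{k}={attrs[k]}" for k in sorted(attrs))
    return hashlib.sha256(canon.encode()).hexdigest()[:16]

def flag_by_ip(requests, max_per_ip):
    """Classic per-IP rate check: flag any IP above the request budget."""
    counts = defaultdict(int)
    for ip, _ in requests:
        counts[ip] += 1
    return {ip for ip, n in counts.items() if n > max_per_ip}

def flag_by_fingerprint(requests, max_per_fp, max_ips):
    """Flag fingerprints that exceed a request budget while spread over many IPs."""
    counts, ips = defaultdict(int), defaultdict(set)
    for ip, attrs in requests:
        fp = fingerprint(attrs)
        counts[fp] += 1
        ips[fp].add(ip)
    return {fp: (counts[fp], len(ips[fp])) for fp in counts
            if counts[fp] > max_per_fp and len(ips[fp]) > max_ips}

if __name__ == "__main__":
    print("per-IP flags:", flag_by_ip(REQUESTS, max_per_ip=20))
    print("per-fingerprint flags:", flag_by_fingerprint(REQUESTS, 50, 5))
```

The per-IP check flags nothing because each address stays under its budget, while the fingerprint check surfaces a single client identity responsible for 120 requests across 40 addresses.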
It’s worth mentioning at this point that you need to be mindful of where an advanced bot can do the most damage. It’s important that you assess threats, and deploy fingerprinting technology where it makes the most sense – such as a point of risk in an application, or as a global implementation across domain resources. And it’s also important that your fingerprinting solution be able to differentiate the “good” bots (such as Googlebot) from the “bad.”
Moving forward, bots will inevitably grow more advanced – but so will the technologies designed to detect and mitigate them. It’s important that you stay abreast of the developments and evolutions present in both camps. Ignore them, and you might find yourself the target of a nasty attack sooner than you might expect.
Bots aren’t the only thing your enterprise needs to deal with. To learn more about the modern threat landscape, download the Radware Global Application & Network Security Report.