Detecting and mitigating highly distributed sophisticated bot attacks


The bot attack landscape has seen a significant uptick in the scale, complexity and sophistication of attack vectors. One of the more common trends we now see is a surge in what are commonly referred to as "large-scale distributed bot attacks". These attacks target applications across verticals such as e-commerce, financial services and travel booking, with the underlying goal of orchestrating account takeover, denial of inventory, scraping and the other attacks that bad bots are typically deployed for.

What are distributed bot attacks?

By distributed bot attacks we mean attacks in which the bad bots rotate their source identity rapidly in order to go undetected. Distributed bot attacks can be classified into two major types:

  1. Fixed IP, with the bots rotating identifiers such as the User-Agent, other HTTP header values, cookies etc.
  2. Rotating IPs

Distributed bot attacks are more prevalent now than ever before because attackers can rely on services that offer cheap and easy access to a multitude of IP addresses, and in most cases to a huge swathe of residential IPs as well. The evolution of automation tooling has dramatically increased the scale and sophistication of these attacks: attackers can deploy advanced, automated botnet systems to run them while evading detection for as long as they can.

Let us now drill down into each of the above two scenarios in more detail.

The first case, a fixed IP with rotation of identifiers such as the User-Agent, other HTTP header values, cookies etc., is the easier one to automate, and attackers can generate such attacks with simple scripts. With access to scraping services and frameworks, attackers rotate the identity and simulate human-like behaviour by spoofing different user agents, header values, device fingerprints etc. Although this too is challenging to detect, because the IP remains fixed while the other identifiers rotate, the behavioural anomaly engine in Radware Bot Manager is able to detect such rotators accurately.

The second case, rotating IPs, is much more challenging. Because attackers have access to a multitude of IPs, including residential proxies, the number of hits coming from any single IP may not look anomalous; it is only when the traffic from the whole swathe of IPs is considered together that the attack becomes debilitating for the targeted applications. By constantly rotating IP addresses, attackers evade IP-based rate limiting. A traditional bot protection solution that works on IP reputation alone may also fail to mitigate such attacks, because the reputation of these IPs may well be good: they belong to residential proxies.
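As an added illustration of the two scenarios above (written for this post; it is not Radware's code or detection logic), the following Python runs three simple checks over constructed sample events. It assumes a 60-second fixed window, a per-IP limit of 10 requests per window and a threshold of 5 distinct User-Agent strings per IP per window; those numbers, the IP addresses and the paths are all illustrative choices. The point it makes is that a fixed-IP rotator stays under the per-IP limit but is exposed by counting identifiers per IP, while the rotating-IP attack is invisible to both per-IP checks and shows up only in the aggregate per-window view.

```python
from collections import defaultdict

WINDOW = 60  # seconds; requests are bucketed into fixed windows of ts // WINDOW

def constructed_events():
    """Constructed sample traffic, not real logs: (timestamp_s, src_ip, user_agent, path).
    Scenario 1: one IP sends 8 login requests, each with a different User-Agent.
    Scenario 2: 50 residential-proxy IPs each send 2 login requests in the same minute."""
    events = []
    for i in range(8):
        events.append((i * 5, "203.0.113.10", "UA-%02d" % i, "/login"))
    for i in range(50):
        ip = "198.51.100.%d" % (i + 1)
        ua = "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"
        events.append((i, ip, ua, "/login"))
        events.append((i + 1, ip, ua, "/login"))
    return events

def per_ip_rate_limit(events, limit=10):
    """Classic per-IP rate limiting: IPs exceeding `limit` requests in any window."""
    counts = defaultdict(int)
    for ts, ip, _ua, _path in events:
        counts[(ip, ts // WINDOW)] += 1
    return sorted({ip for (ip, _), n in counts.items() if n > limit})

def identifier_rotators(events, max_distinct=5):
    """Scenario 1 detector: IPs presenting more than `max_distinct` User-Agent
    strings within one window. A genuine browser session keeps a single UA."""
    seen = defaultdict(set)
    for ts, ip, ua, _path in events:
        seen[(ip, ts // WINDOW)].add(ua)
    return sorted({ip for (ip, _), uas in seen.items() if len(uas) > max_distinct})

def aggregate_per_window(events):
    """What the per-IP view hides: total requests and distinct IPs per window."""
    total, ips = defaultdict(int), defaultdict(set)
    for ts, ip, _ua, _path in events:
        total[ts // WINDOW] += 1
        ips[ts // WINDOW].add(ip)
    return {w: (total[w], len(ips[w])) for w in total}

if __name__ == "__main__":
    ev = constructed_events()
    print("over per-IP limit:", per_ip_rate_limit(ev))        # [] : neither scenario trips it
    print("UA rotators:", identifier_rotators(ev))             # ['203.0.113.10']
    print("per-window (requests, unique IPs):", aggregate_per_window(ev))  # {0: (108, 51)}
```

With the constructed data, 108 login requests from 51 distinct IPs arrive in one minute while no single IP exceeds 8 requests, which is exactly the shape that makes per-IP rate limiting and per-IP reputation insufficient on their own.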

How does Radware Bot Manager mitigate these distributed bot attacks?

It is clearly apparent that relying on a single technique to block such sophisticated bot attacks will not suffice; a holistic approach to detecting and mitigating them is needed. The Radware Bot Manager detection engine therefore deals with them in several different ways. Some of the key techniques are listed below:

Behaviour-based analysis: Rather than relying on IP reputation alone, the Radware Bot Manager engine analyses user behaviour patterns, such as the URLs traversed, the cookies sent, and mouse-movement and click-pattern data, to identify anomalous behaviour.

Anomaly detection based on machine learning: Multiple features are extracted from each session, combined into a feature vector and fed to a machine-learning algorithm that flags anomalies automatically. This is a unique and strong detection capability of the Radware Bot Manager engine.

Protecting against identity spoofing: As seen earlier, one of the ways bots try to bypass bot detection is to rotate their identity and thus camouflage themselves. The key is to prevent such identity spoofing, and this is where the unique, secure identity used by the Radware Bot Manager engine comes into play. This identity is tamper-proof and cannot be spoofed: any attempt to do so is identified by the detection engine, and only the source carrying that identity is blocked. This lets the engine be highly accurate without having to rely on IP-based signatures to mitigate bot attacks.

Identifying traffic anomalies automatically: One of the key differentiators of the Radware Bot Manager detection engine is its ability to detect traffic anomalies automatically, either on the entire site or on specific URLs. The engine learns the baseline for normal traffic over a given time interval, and the moment there is a significant deviation from that automatically calculated baseline, the module can generate an alert. In a highly distributed attack from many IPs, the baselining algorithm finds a significant anomaly compared to baseline in both the number of unique IPs seen and the overall traffic reaching the site, which together indicate a distributed attack.

The outcome is to then automatically derive the signature pattern that isolates the bot behaviour alone; an automated signature is created from it to mitigate such attacks.
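The following Python is an added example of the baselining and signature steps described in the two paragraphs above; it is not Radware Bot Manager's own algorithm. It learns a per-minute baseline (mean and standard deviation of total requests and of unique IPs) from constructed quiet traffic, flags an interval only when both counts exceed the baseline by a z-score threshold, and then derives an illustrative signature: the request path whose share of traffic grew most relative to the baseline. The z-score threshold of 3, the share-ratio threshold of 3, the path-based signature and all sample data are assumptions made for the example.

```python
import statistics
from collections import Counter

def constructed_normal_interval(seed):
    """Constructed quiet minute (not real data): 40-44 visitors browsing,
    two page views each and a trickle of logins."""
    reqs = []
    for k in range(40 + seed % 5):
        ip = "192.0.2.%d" % (k + 1)
        reqs.append((ip, "/product"))
        reqs.append((ip, "/search"))
        if k % 10 == 0:
            reqs.append((ip, "/login"))
    return reqs

def constructed_attack_interval():
    """Constructed attack minute: normal browsing plus 100 proxy IPs that each
    send only 2 login requests, far below any sane per-IP rate limit."""
    reqs = constructed_normal_interval(3)
    for k in range(100):
        ip = "198.51.100.%d" % (k + 1)
        reqs.extend([(ip, "/login"), (ip, "/login")])
    return reqs

def summarize(requests):
    """Per-interval features: total requests, distinct source IPs, per-path counts."""
    return {
        "total": len(requests),
        "unique_ips": len({ip for ip, _ in requests}),
        "paths": Counter(path for _, path in requests),
    }

def learn_baseline(intervals):
    """Mean and population stdev of each count feature over the learning
    intervals, plus each path's share of all baseline traffic."""
    feats = [summarize(r) for r in intervals]
    base = {}
    for key in ("total", "unique_ips"):
        vals = [f[key] for f in feats]
        base[key] = (statistics.mean(vals), statistics.pstdev(vals) or 1.0)
    path_tot = Counter()
    for f in feats:
        path_tot.update(f["paths"])
    n = sum(path_tot.values())
    base["path_share"] = {p: c / n for p, c in path_tot.items()}
    return base

def score_interval(requests, baseline, z_threshold=3.0):
    """Return (flagged, z_scores). Flag only when BOTH total requests and
    unique IPs deviate from baseline: a spike in requests alone may be one
    noisy client, a spike in both is the distributed-attack shape."""
    f = summarize(requests)
    z = {k: (f[k] - baseline[k][0]) / baseline[k][1] for k in ("total", "unique_ips")}
    return all(v > z_threshold for v in z.values()), z

def derive_signature(requests, baseline, min_ratio=3.0):
    """Illustrative signature: the path whose share of this interval's traffic
    grew most relative to baseline, or None if nothing grew by min_ratio.
    A path never seen in the baseline gets a tiny default share, so it ranks high."""
    f = summarize(requests)
    best, best_ratio = None, 0.0
    for path, count in f["paths"].items():
        share = count / f["total"]
        ratio = share / baseline["path_share"].get(path, 1.0 / (f["total"] + 1))
        if ratio > best_ratio:
            best, best_ratio = path, ratio
    return best if best_ratio >= min_ratio else None

if __name__ == "__main__":
    base = learn_baseline([constructed_normal_interval(s) for s in range(30)])
    attack = constructed_attack_interval()
    flagged, z = score_interval(attack, base)
    print("flagged:", flagged, {k: round(v, 1) for k, v in z.items()})  # True, both z > 50
    print("signature path:", derive_signature(attack, base))             # /login
```

In the constructed attack minute every proxy IP sends two requests, so a per-IP view stays quiet, but the interval carries more than three times the baseline request count and more than three times the baseline number of unique IPs, and nearly all of the excess lands on one path. That combination is what a baseline-driven engine can turn into a targeted signature without blocking by IP.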

What next?

With the long-standing expertise Radware Bot Manager has in protecting against a wide range of automated threats across many customers and verticals, the product can effectively mitigate distributed bot attacks through the comprehensive, multi-layered approach listed above. But as the scale, complexity and sophistication of these attacks continue to grow, the product continues to evolve and to come up with new and unique ways to identify rotators.

More to come on this; keep watching this space.


Karthik Raju

Karthik Raju drives the product management efforts for Radware Bot Manager. He has over 20 years of high-tech industry experience, including product management roles at multinational companies such as Hewlett Packard, Cisco and Dell EMC. Karthik combines business and technical expertise with a deep understanding of customer challenges, which has helped him successfully drive product management across several organizations.
