Facing a daily barrage of attacks by bad bots, today’s web application defenses are starting to show their age. The challenge is huge. A user session could be a customer looking to buy a product, or a good bot such as a search engine or application monitoring tool. But with bad bots now estimated to make up more than 25% of all Internet traffic, it could also be a content scraper, a denial of inventory bot, or an attempt at account takeover, identity theft or carding fraud.
What counts when defending applications from bots is the ability to tell good from bad and human from machine in real-time. For most sites, the first line of defense remains some version of the web CAPTCHA, backed up with IP address filtering, rate limiting logins, and data center blacklisting. However, while CAPTCHAs provide good security most of the time, they are a long way from being a foolproof defense against today’s sophisticated bot attacks. With the rampant usage of CAPTCHA-solver and CAPTCHA-avoidance tools, bot masters have found efficient ways to circumvent CAPTCHAs altogether while executing attacks.
Another issue is that CAPTCHAs can often lead to a bad user experience, causing customer frustration and churn. The industry badly needs a more secure and robust mechanism, one that not only stops automated attacks but does so without alienating customers with tiresome security checks.
CAPTCHA-less mitigation – Radware’s answer to CAPTCHA-solving bot attacks
The Radware Bot Manager now includes a new set of crypto mitigation algorithms. Inspired by blockchain methodologies, the new algorithms create CPU-intensive, browser-based challenges that gradually increase in difficulty. The advantage? The mitigation is immune to third-party tampering while providing a frictionless, CAPTCHA-free user experience.
Why Crypto mitigation?
The important benefits provided by Radware’s new crypto mitigation algorithms include:
Defense against the ‘grace period’ loophole
Once a CAPTCHA is solved, the user has an immunity period – or ‘grace period’ – until the next CAPTCHA challenge is sent (assuming that the source is still perceived to be suspicious). Since this grace duration is static, bot masters often exploit this period to carry out malicious activities. This security loophole is closed by Radware’s crypto mitigation algorithms.
To bolster application security, Radware’s new approach to mitigation is continuous. It works with near zero grace periods to keep malicious bot machines occupied with crypto challenges and exhaust their resources. This makes it extremely difficult for bot masters to continue an attack.
Automated counterstrikes against sophisticated bots
The crypto mitigation algorithms can also be regarded as a behavior-enforcing mechanism that detects anomalies against a baseline of normative behavior. When an anomaly is detected, the mitigation challenges the bot with CPU-intensive, browser-based challenges that gradually increase in difficulty, forcing the attacker’s CPU to work harder every time it is challenged. This takes a toll on the attackers’ resources and curbs their ability to run further attacks on applications, effectively creating a cyber counterstrike. It also transfers the cost of the attack to the bad actors, which again encourages them to discontinue their attacks.
The new crypto mitigation algorithms add to the Radware Bot Manager’s wide range of mitigation options, including Allow, CAPTCHA Challenge, Block, Feed Fake Data, Throttle, Drop, Session Termination, Redirect Loop, Log Only, or a Custom Response. For multi-layered protection, the new mitigation option can also be used in combination, protecting certain web application sessions while other sessions are protected using alternative solutions.
A better user experience
The need to solve the progressively difficult browser challenges encourages bots to move on to less-protected targets that are easier to attack. For legitimate users, however, the CPU usage is insignificant, because the initial difficulty level of the challenge is low.
Radware’s new crypto mitigation algorithms provide visitors with a better user experience as they are not challenged by CAPTCHAs during their journey. Its CAPTCHA-less flow prevents genuine users from being thrown into CAPTCHA loops, while at the same time stopping sophisticated bots from harming the website or application.
Disruption to automated bot attacks
It is no secret that bad actors scale up their attacks and carry out programmed and automated attacks such as web scraping, account takeover, and credential stuffing. Often, bad actors conduct a preliminary vulnerability scan of the targeted application to find potential weaknesses. However, because the new mitigation takes place at the browser level and is unseen by visitors, it can’t be easily evaded by bad actors who don’t know how they will be challenged. Importantly, this defense can’t be bypassed using human CAPTCHA farms or smart AI-based CAPTCHA solvers.
A new generation of bot defense
The menace of bad bots is nothing new. The challenge is that traditional defenses such as CAPTCHAs are becoming ineffective in dealing with the increasingly sophisticated bots targeting web applications. Bad bots are now sophisticated enough to mimic human behavior, keystrokes, and mouse movements, evading detection. This should be the cue for organizations to transition beyond one-size-fits-all systems. It’s time to deploy dedicated bot management technology that combines new machine learning models with blockchain-inspired challenges, and finally close the security gaps that are letting bad bots in.
Estimate the financial costs that bad bots are costing your business with Radware’s Bad Bot Business Impact Calculator.