Bad bots, whatcha gonna do?

Application security tips and best practices for defending against bot-based security threats

Nathan Bradbury, Senior Manager, Systems Engineering at Barracuda MSP

Automated bot traffic has grown tremendously over the past several years and now makes up the majority of web traffic (human web traffic is just 36 percent of Internet activity). Many of these bots are deployed by search engines and other sites to monitor or gather information. However, a growing number of them are “bad bots” deployed to scrape data from applications, launch account takeover (ATO) or distributed denial of service (DDoS) attacks, and carry out other malicious activities.

Preventing, detecting and identifying bot attacks is critical for MSPs that provide security technology and services to their clients. A new Barracuda ebook, The New ABCs of Application Security, provides an in-depth overview of critical security vulnerabilities and solutions, including a lengthy section on bot-based attacks.

Automated Bot Traffic is on the Rise

Barracuda researchers, as noted in the ebook, found that automated traffic accounts for two-thirds of all Internet traffic. An alarming 39 percent of web traffic can be attributed to these “bad bots.” Barracuda survey data also indicates that bot attacks were involved in 44 percent of successful security breaches that exploited application vulnerabilities. These bot attacks are highly sophisticated and difficult to detect and prevent.

Further, according to the ebook: “Today, bots are highly sophisticated and can be almost human in their behavior to bypass most defenses. The standard defenses employed to block them, primarily Google reCAPTCHA, are in no way a problem for them. In fact, the image-based CAPTCHAs are easier to solve for bots than they are for humans. There’s an entire ecosystem built around bots—from the people who build these intelligent bots to services that provide ‘high-reputation’ Google accounts to bypass the CAPTCHA, to services that offer residential IP addresses to bypass IP reputation blocks, to escrow services that prevent bot purchasers from being scammed. With an increasing number of people turning to bots to make a quick buck, like the PlayStation 5 scalping in December 2020, bots are becoming mainstream and a big problem.”

With bot-based attacks being so prolific and highly successful, they are becoming a serious challenge for MSPs who are trying to protect client applications, networks, and data. Bot attacks are often used to help camouflage other attacks that require resource-intensive responses. 

Companies may be threatened by bots that spoof browsers and apps, ad fraud and other malicious bot varieties. If multiple attacks are used at once, the chances of success go up exponentially. According to the ebook, multi-vector and “slow bot” attacks likely contributed to the most successful breaches over the past 12 months.

Three Common Bot Attacks to Watch For

Barracuda survey data from various sectors found that there are three types of bot attacks that have proven to be particularly pernicious and difficult to detect. They include:

DDoS, bots pretending to be specific software, and bots pretending to be a particular browser. According to Barracuda, bots pretending to be specific software or browsers are among the top five challenges across a range of vertical sectors but are of particular concern for the financial services industry.

Bot spam. Respondents in the construction/property sector (and the public sector) were most worried about bot spam hitting real estate listings and online discussions of public policy.

Low and slow bots. These bot attacks involve account takeover schemes, DDoS, price scraping, scalping and other fraud. 

Technology that Can Fight Bots

Regardless of which types of bot attacks are most pressing among their client base, MSPs need solutions that can better detect and then shut down these attacks. According to survey respondents, users are most interested in security solutions that include fraud prevention, spam detection and bot identification.

Among the critical features favored by users:

  • Bot fraud prevention
  • Bot spam detection
  • Bot identification
  • Account takeover detection
  • Web and price scraping protection
  • Client fingerprinting
  • Brute force detection
  • Crowd-sourced bot detection
  • Machine learning-based bot detection

With bot activity increasing, MSPs will need every tool they can access to help their clients stop these attacks. For example, Barracuda Advanced Bot Detection and other solutions leverage machine learning, crowd-sourcing, advanced fingerprinting, analytics and other technologies to detect and block these attacks.

You can learn more about the new Barracuda eBook here.

Nathan Bradbury is Senior Manager of Systems Engineering for Barracuda MSP, a provider of security and data protection solutions for managed services providers.