Why Humans Alone Can’t Stop Today’s Bots
Bot management is a never-ending game of cat and mouse
Traditionally, botnets were used to launch Layer 3 and Layer 4 DDoS attacks. They would exploit vulnerabilities on connected servers and other machines to multiply the effects of their attacks and bring networks to their knees.
Today, bots are more sophisticated—and more malicious. They’re going after applications and data, and they’re using machine learning to avoid detection. To protect against these new threats, the bot management industry is adopting much more sophisticated techniques, such as artificial intelligence.
The Evolution of Bot Management
First- and second-generation bot management products came about to protect mostly against Layer 7 DDoS attacks—those that target the application layer—by reducing or blocking dumb bot traffic to websites and applications. The tactics these products used included:
- IP rate limiting, which prevents too many requests coming from the same IP address.
- CAPTCHA puzzles that must be solved before access to the website is granted.
- JavaScript challenges, which verify that a request is legitimately coming from a web browser with a JavaScript engine.
More recently, however, we’ve been seeing bots launching more targeted Layer 7 attacks that replicate human behavior. These bots hide inside legitimate website traffic and they’re designed to disrupt or steal information from web servers.
These are not fast and furious like DDoS attacks. They are what we call “low and slow” attacks, which rely on maybe a few hundred requests rather than a few hundred thousand. These attacks typically do not need a lot of resources; a single host is often enough. And in some cases, hackers use a wide range of host IPs, which makes these attacks even more difficult to detect and mitigate.
First- and second-generation bot management technologies won’t protect against these types of attacks. There’s not enough traffic for IP rate limiting to be effective. And these bots usually fully simulate a web browser, so the JavaScript challenge won’t work, either.
In response, the current third-generation bot management products on the market incorporate several behavior-based analytics that attempt to determine whether a bot or a human is taking a particular action. Effective bot management challenges start to look at the intent and behavior of a user going to a website or application, rather than the pure volume of traffic.
Rise of the Machines
Many third-generation bot management products have only been on the market for months, but the bots are already getting ahead of them again. There are now some bots that can fully mimic human interactions and pass behavior-based challenges, because they use artificial intelligence (AI) techniques to gain in-depth knowledge about human behavior. These bots may have extremely malicious intent, such as stealing information or making fraudulent purchases.
The best way to eliminate these bots is to take a page out of the hackers’ playbook and use similar machine learning techniques—bot versus bot, machine versus machine. Only machines are sophisticated enough and have the processing power required to group website requests by their behavioral patterns and identify which patterns belong to humans and which belong to bots. Sometimes these bots’ patterns are so complex and intricate that the hackers who created them don’t even realize they exist. Bot management technologies that use AI and machine learning, however, can help identify patterns in malicious activity.
These technologies are now in use by some enterprises and organizations in which web application security and data protection are of critical importance. It’s very clear that the entire bot management industry will be going in this direction, because the hackers are going in this direction as well.
Bots will surely evolve again as adoption of these new techniques grow, and the industry will have to respond. It’s a never-ending game of cat and mouse.
