The Bots Are Coming
Scott Taylor, Director, Solutions Engineering
Safe Harbor Statement
The following is intended to outline our general product direction. It is intended for information purposes only, and may not be incorporated into any contract. It is not a commitment to deliver any material, code, or functionality, and should not be relied upon in making purchasing decisions. The development, release, and timing of any features or functionality described for Oracle's products remains at the sole discretion of Oracle.
Agenda:
1. What are bots?
2. A look at the growing bot threat landscape
3. What to look for in next-generation bot mitigation solutions
4. Case study for bot mitigation
5. Summary
What is a Bot?
Definition
- Bot is an abbreviation for robot, also referred to as web or internet robot
- A bot is a piece of software that automates repetitive tasks
- There are good bots (travel search) and bad bots (DDoS)
- A collection of malicious bots is known as a botnet and is directed by a command and control center (CC)
Not All Bots Are Bad: There Are Good Bots, Too!
Bad bots:
- Imitator: used to assume a false identity. Often used in DDoS attacks
- Scraper: used for unauthorized data extraction (Ex: scrape ticketing information)
- Spammer: polluters that inject spam links into forums, discussions, and comment sections (Ex: try to influence voter opinions during elections)
- And many more: Scanner Bots, Mapper Bots, Stuffer Bots, Click Bots, Spy Bots, Download Bots, etc.
Good bots:
- Crawlers/Spiders: used for authorized data extraction (Pinterest, Alexa)
- Searchers: used to collect authorized information for search engines (Googlebot & Bingbot)
- Fetchers: used to feed content to web applications and mobile devices (Facebook Mobile App, Twitter)
- Monitors: used to monitor website availability and uptime (New Relic bot & Pingdom Bot)
What Can Bad Bots Do?
Create havoc, steal data, take down sites, extort money, cost companies billions
- Scrape sites
- Launch pre-attack scans
- Post comment spam
- Exploit application vulnerabilities
- Execute code injection attacks
- Launch password guessing hacks
- Repetitively make and cancel purchases
- Cause commercial losses
- Impact your customers' experience
- Steal information
- Commit fraud by credential stuffing
- Cause denial of service attacks
- Hold and/or consume inventory
- Cause application and API outages
- Increase bandwidth costs
- Increase CPU costs
Why You Should Care About Bots: The facts speak for themselves.
- 77% of data breaches were targeted by botnet activity (Verizon 2017 Data Breach Investigation Report)
- In 2016, bot traffic surpassed human traffic by 52% (Ponemon Institute Survey 2017)
- 97% of sites were victim to web scraping bots (LiveMint, The Rise of Bad Bots, April 2017)
Attackers Understand How to Build Powerful Botnets
Attackers desire:
- Access to new devices (i.e., bots)
- Access to devices with lots of bandwidth
- Access to devices with fast CPUs
- Easy methods to take over devices
- Ability to maintain command and control (C&C) communications to/from these devices
By 2021 the bot attack vector created by IoT devices will increase by almost 250% (IoT Endpoints 2017, Gartner)
The Botnet Problem Is Growing Significantly
Just search on the news
Attack on dyn.com, Nov 1st, 2018
[Figures: panels labeled Oct 31st, 2018 and Nov 1st, 2018]
Botnet is simulating a real user agent
So What Should You Look For In A Bot Mitigation Solution?
Cloud-Based or On-Premises Bot Mitigation Solutions
Or deploy as a hybrid solution

Cloud-based, pros:
- Globally distributed network: resilient, scalable
- Purpose-built for the cloud to secure servers/applications
- Typically lower cost and faster to implement
- Costs, maintenance, complexity managed by provider
- Malicious traffic never hits infrastructure (cloud or on-prem)
- Often bundled with a WAF, DDoS, API, antimalware, etc.

Cloud-based, cons:
- Dependent on cloud provider for new challenges or rules
- May not be as customizable as on-premises
- Focused on protecting layer 7 web application servers

On-premises (appliance), pros:
- Highly customizable
- Suited for applications with explicit policy needs
- Often bundled with other security solutions such as firewall, IDS/IPS, SIEM
- Totally under your control
- Mature technology

On-premises (appliance), cons:
- Requires security expertise managing security appliances
- Higher associated costs (hardware refresh cycles)
- Lack of tuning results in false positives
- Managing rules across regions is complicated
- Costs, maintenance, complexity managed by the company
Next-Generation Bot Management: What To Look For
- Good Bot Whitelisting: provides the ability to recognize and remember good bots and allow them access
- Captcha Challenge: a challenge intended to differentiate between computers and humans
- IP Rate Limiting/Bot Traffic Shaping: detect and delay traffic created by suspicious bots, and prioritize authorized traffic
- JavaScript Challenge: a type of web challenge sent to distinguish an attacker from a legitimate client
- Human Interaction Challenge: identifies normal usage patterns based on legitimate user/visitor behavior
- Device Fingerprinting: the ability to collect unique information about a client or device for identification (prevents too many requests coming from similar users)
Multinational Rental Agency
Challenge: They need to allow good bots to harvest data from application web servers, but limit good bot bandwidth to allow human traffic.
Solution (two-fold):
- Use various challenges and blacklisting to block bad bots
- Use rate limiting on the good bots to control the bandwidth they are able to consume
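An added example, not from the original slides or any vendor product, of the two-fold approach above: a client whose user agent claims to be a good bot is verified with forward-confirmed reverse DNS, and a verified good bot is then held to its own token-bucket budget. The rate values, the constructed DNS tables and the names BotGate, TokenBucket, claimed_bot and fcrdns_ok are assumptions for illustration.

```python
# Assumed policy values for illustration; not taken from the slides.
GOOD_BOT_DOMAINS = {"Googlebot": (".googlebot.com", ".google.com")}
BUDGETS = {"good_bot": (2.0, 5), "default": (10.0, 20)}  # (tokens/sec, burst)

class TokenBucket:
    def __init__(self, rate, burst, now):
        self.rate, self.burst, self.tokens, self.last = rate, burst, float(burst), now

    def take(self, now):
        """Refill for the elapsed time, then spend one token if one is left."""
        self.tokens = min(self.burst, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens < 1.0:
            return False
        self.tokens -= 1.0
        return True

def claimed_bot(user_agent):
    """Name of the allowlisted bot a User-Agent claims to be, or None."""
    ua = user_agent.lower()
    return next((n for n in GOOD_BOT_DOMAINS if n.lower() in ua), None)

def fcrdns_ok(ip, suffixes, reverse_dns, forward_dns):
    """Forward-confirmed reverse DNS: PTR name in the operator's domain, and it maps back."""
    host = reverse_dns(ip)
    return bool(host) and host.endswith(suffixes) and ip in forward_dns(host)

class BotGate:
    def __init__(self, reverse_dns, forward_dns):
        self.rdns, self.fdns, self.buckets = reverse_dns, forward_dns, {}

    def decide(self, ip, user_agent, now):
        bot = claimed_bot(user_agent)
        if bot and not fcrdns_ok(ip, GOOD_BOT_DOMAINS[bot], self.rdns, self.fdns):
            return "challenge"  # good-bot user agent from an unverified address
        kind = "good_bot" if bot else "default"
        bucket = self.buckets.setdefault((kind, ip), TokenBucket(*BUDGETS[kind], now))
        return "allow" if bucket.take(now) else "delay"  # delay = traffic shaping

# Constructed DNS data on documentation (TEST-NET) addresses; runs offline.
PTR = {"192.0.2.10": "crawl-10.googlebot.com",
       "198.51.100.5": "fake.googlebot.com",   # PTR chosen by the address owner
       "203.0.113.7": "host7.example.net"}
A = {"crawl-10.googlebot.com": ["192.0.2.10"]}  # no A record for the fake name

if __name__ == "__main__":
    gate = BotGate(PTR.get, lambda host: A.get(host, []))
    ua = "Mozilla/5.0 (compatible; Googlebot/2.1)"
    print([gate.decide("192.0.2.10", ua, now=0.0) for _ in range(6)])
```

The resolvers are passed in so that a deployment can substitute real PTR and A lookups; the forward lookup matters because the owner of an address controls its PTR record but not the bot operator's zone.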
Major Low-Cost Airline
Challenge: Automated systems (bots) were creating reservations for popular routes, reserving seats and holding the reservation before payment, keeping legitimate customers from booking tickets.
Solution: Deployed Oracle Dyn Bot Management to see originating IP addresses and user application interaction that would clearly indicate a bot making a reservation vs. a human. Eliminated costly bot problem within hours of implementation.
Where To Start:
- Stay up to date on the latest security news
- Have a plan to protect your site and your data privacy
- Talk to bot management vendors
Summary:
1. There are good bots and bad bots, you cannot just block them all
2. Next-generation bot mitigation, purpose-built for today's digital business
3. The botnet problem is growing exponentially
4. Next-generation bot mitigation solutions, more than just CAPTCHA
5. Have a plan