Imperva Cyber Community

 View Only

Five Bot Threats and Mitigation Strategies Explained

By Brooks Cunningham posted 03-26-2020 15:40

Discover how Imperva’s holistic approach to bot defense detects and mitigates malicious bot behavior.

The larger an enterprise’s web presence is, the greater a surface area it provides to cyberattackers. Today’s hackers use highly automated systems to probe for vulnerabilities, carry out cyberattacks, and scrape data from public-facing web pages.

Enterprises are leading the overall growth of web application and user interconnectivity. The enterprise networking market is growing at a rate of 30.8% per year. At the same time, Gartner expects 5.8 billion enterprise and automotive IoT endpoints will be in use by the end of this year.

This growth coincides with the rapid diversification and increasing sophistication of malicious bots. Automated systems are becoming alarmingly common parts of the hacker’s toolkit, putting pressure on organizations to step up their bot mitigation tactics.

Most Common Bot Threats and Mitigation Strategies

Mitigating bots requires a fundamentally different strategy than many other security disciplines. Since bots impersonate legitimate users, much of what makes a mitigation strategy effective relies on the ability to categorize bots by threat level, functionality, and mitigation potential.

One of the most important things to remember about bots is that they are necessarily connected to a human user. Our partners at Distil have seen cyberattackers configure bots on-the-fly in order to adapt to perceived security weaknesses – even trying to activate bots around the weekly office schedule, hoping to slide an attack in while employees are clocking out for the weekend.

Five of the most common bots that Imperva defends its customers against include:

Vulnerability Scanning Bots

Hackers need to pinpoint vulnerabilities in order to compromise business systems. In many cases, that means setting up a selection of automated users to interact with systems in a wide variety of ways and then reporting the system’s behavior back to the hacker. This is called vulnerability scanning.

A cybercriminal can set dozens, hundreds, or billions of bots to probe for weaknesses in a target’s security infrastructure. ShellShock is one such example. It exploits a bug in the Unix Bash shell, which many Internet-facing services and web servers use to process requests.

Imperva continually updates its blacklist of vulnerability scanning bots, using a combination of device fingerprinting, machine learning, and behavioral analysis to identify bots and monitor or block them.

Botnets Serving Distributed Denial of Service Attacks 

Distributed denial of service attacks send an overwhelming amount of traffic to a particular application, forcing it to shut down for legitimate users. 

By default, Imperva’s DDoS mitigation rules come into effect when an application receives more than 1000 requests per second, but users can change this number from 10 to 5000 requests per second in Advanced DDoS Settings. This is useful for preparing for large marketing campaigns or peak usage periods.

Once DDoS mitigation is in effect, Imperva can challenge incoming traffic and filter out users that cannot complete the challenges. Some examples include:

  • Cookie Support. Imperva challenges suspicious users to support cookies in the way legitimate users would. This process filters out bots that cannot support cookies without impacting the user experience for legitimate users.
  • Javascript Support. Imperva challenges suspicious bots to support Javascript. Again, this process happens in the background, without impacting the user experience.
  • CAPTCHA. Imperva may ask suspicious users to complete a CAPTCHA that requires human interaction in order to pass. This test does impact the user experience, since the user has to complete the CAPTCHA to utilize the web application, but Imperva’s bot mitigation solution specifically targets suspicious traffic. Legitimized users will not have to solve a CAPTCHA.

Credential Cracking Bots

Some bots try to identify valid login credentials by constantly trying new combinations of usernames and passwords to authenticate a process or application. These can be dangerous if the cybercriminal behind them has access to any username or password data, especially since compromised passwords are responsible for 81% of data breaches.

One of the best ways to counter credential cracking bots is through custom rules that isolate and target bad bot activity while minimizing the impact of false positives. Web application owners can set rules that prevent bots from accessing a certain registration form, limit the rate of requests to a website, or restrict access based on user IP address. Traffic routing and redirection can also mitigate brute force attacks on exposed registration forms and logins.

Spam Bots

Any questionable or unsolicited automated traffic that fails to generate value can be defined as spam. Spam bots might add information to public content or advertise content to legitimate users. Whatever the case is, nobody likes it when a spam bot wastes their time.

Even though spam bots do not represent a severe threat on their own, it is not often clear whether any particular bot is indeed only a spam bot. It might also be probing for vulnerabilities or performing other unwanted behaviors. Filtering out spam content is one of Imperva’s default functionalities.

Web Scrapers

Some bots collect information for use elsewhere. This can take a variety of forms and serve a variety of purposes. For instance, an e-commerce vendor might target industry competitors to scrape their prices and offer the same products for sale at a $0.01 discount compared to the lowest price – just enough to get first-rank placement in an e-commerce search engine.

Imperva’s anti-scraper solutions include customized rules and CAPTCHA verifications. These ensure that legitimate users are not affected, while automated users are filtered out.

What About Security Certificates?

Many Imperva and Distil customers come to us asking how certificates help to address malicious bot behavior. Security certificates are part of public key infrastructure (PKI), which describes the creation and management of digital security certificates issued by certificate authorities.

As an infrastructural technology, PKI plays a role ensuring that the bot mitigation strategies above actually work as described. It remains one of the fundamental cornerstones of effective web security. 

Imperva and Distil are capable of providing users with certificates to establish HTTPS traffic. We also allow users to use their own certificates. Customers who provide their own certificates have to handle certificate generation, renewal, and management.

Related Community Blogs: 
Advanced Bot Mitigation: How Imperva Protects Websites, Mobile Apps, and APIs