It is becoming a necessity to have a bot mitigation strategy in place to protect websites and applications, but many WAF vendors don’t provide sufficient capabilities.
Cybersecurity professionals agree, and industry statistics show, that there has been a massive rise in malicious bot traffic throughout the internet. Bots have become a large and significant threat, and bot mitigation technologies must be deployed to manage it.
The ability for WAF vendors to manage bot traffic is crucial, because attackers are exponentially increasing the breadth of their campaigns by employing bots to do the work for them. Bots never tire and are more than happy to work 24×7 for whoever controls them. In addition, bot traffic has superseded human traffic on the internet and now accounts for a significant portion of the traffic coming to organization’s websites and applications.
From a purely technical perspective concerning traffic inspection and request handling performed by today’s WAF vendors, it makes little if any sense to apply rules, policies, and signatures to unwanted traffic generated by malicious bots. If the source of the traffic is not human, and traffic is not being generated by known good bots, there is no reason to further inspect this unwanted traffic.
Instead, what must be done is to first challenge all unknown visitors using various techniques. If the visitor fails these challenges, simply block their traffic. In this case, the traffic is dropped and no further traffic inspection or request handling needs to be performed. This will reduce the consumed resources on an organization’s WAF, in addition to their websites and applications located downstream.
Bot management falls under the concept of a good defense-in-depth strategy. First, eliminate what is known bad, then only invoke traffic inspection and request handling to traffic that is from human sources. This will narrow an attacker’s ability to use malicious bots to their advantage when attacking an organization’s websites and applications.
Comprehensive bot management capabilities will become one of the de facto standards by which one measures the completeness of WAF vendors and their web application security offerings. When developing your selection criteria for web application security, fully scrutinize WAF vendors and their ability to manage bot traffic.
Oracle Dyn Web Application Security tightly integrates bot protection with a WAF, plus DDoS, malware, and API protection. A complete set of bot management tools designed to identify benign and malicious bots is included. Few cloud-based WAF vendors on the market can say the same.