
The Secrets to Defeating Malicious Bots

Malicious bots are an increasingly dangerous threat to companies of all sizes, but many businesses don’t even realize they have a serious bot problem.

Bots are deployed to carry out DDoS attacks, steal sensitive data, and damage reputations, said Scott Taylor, director of solutions engineering at Oracle Dyn. But simply blocking all bots isn’t effective, because there are both good bots and bad bots. Managing bot traffic correctly requires a proactive approach and a diverse set of solutions that allow the good bots in while rejecting the bad ones.


Taylor spoke about the topic of bot management at the Data Connectors conference Aug. 23 in New York. In this interview, Taylor talks about some of the different types of bots that businesses need to guard against, and what it takes to launch an effective bot prevention and mitigation strategy.

What are some examples of bad bots businesses need to be concerned about?

One thing to keep in mind is that a bad bot for you might be a good bot for somebody else. An example would be price-scraping or content-scraping bots.

A price-scraping bot can be used by your competitors to examine your website and identify how much you’re charging for product X. The competitor can then use that information to come in at a price point that is about the same or lower. Amazon, Walmart, and others have tons of bots they use to identify competitors’ pricing information.

A content-scraping bot is similar in that it can scrape specific types of information from websites. Think of something like Angie’s List, for example. A competitor could theoretically use a content-scraping bot to pull contact information for contractors listed on Angie’s List, then approach those same contractors and offer them an opportunity to list with them for a lower fee.

What are some other bad bots?

Hackers also use bots to steal information about unsuspecting victims. Malicious hackers want to build a profile of who you are, and they can use bots to pull information about you from different websites.

For example, one site might have my birth date, another has my health insurance information, etc. They can use this information to begin to build your persona. Then, when they want to go for bigger-ticket items, like a person’s 401K, they’ll have plenty of information to help them answer password challenge questions and gain access to valuable assets.

Additionally, there are spammer bots. These are used, for example, to automatically stuff the comments section on websites and blogs with bad reviews of your restaurant or business. That can certainly be detrimental if left unchecked.

What are botnets and why are they becoming a greater threat?

A botnet basically is a command-and-control mechanism that uses different internet-connected devices and different scripts to run commands and potentially to launch attacks. A lot of the DDoS attacks and other malicious internet activity we see comes from botnets. A person or business can own an IoT device that is part of a botnet and not even know it. And hackers don’t even need to buy all of the equipment to create a botnet themselves. They can just go ahead and pay for bots as a service, or botnets as a service, on the dark web.

What are some of the key features that businesses should look for in bot mitigation?

You need to have something set up that’s similar to an art gallery or a casino. They have a very layered approach when it comes to security. You need a bot mitigation solution that also takes a layered approach.

For example, we have access control, IP rate limiting, threat intelligence, and many different bot challenges, from Captcha and JavaScript challenges to human interaction and device fingerprinting. We’ve essentially laid out a whole bunch of tripwires. So, even if a bad bot bypasses our access control, they’re still likely to trigger something else down the line. For example, if a bot figures out a way around our access control, then tries to rapidly create a bunch of requests, our IP rate-limiting capabilities will stop it right there. The beauty of it is that when a bot does fail one of those challenges, we’re going to alert you to it. Then you can use the information we provide to turn around and start coming up with a different strategy as far as countermeasures are concerned.
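The tripwire idea from the last answer, as an added sketch that is not Oracle Dyn's code or configuration: a request that passes access control can still trip IP rate limiting, and every failed layer records an alert. The deny-listed network, the limits, and the sample traffic are constructed values using documentation address ranges.

```python
from collections import defaultdict, deque
from ipaddress import ip_address, ip_network

# Constructed settings for illustration only (assumptions, not product defaults).
DENY_NETS = [ip_network("203.0.113.0/24")]  # layer 1: access control deny list
RATE_LIMIT = 5      # layer 2: max requests per IP ...
WINDOW = 10.0       # ... within this many seconds

class LayeredFilter:
    def __init__(self):
        self.hits = defaultdict(deque)  # ip -> timestamps inside the window
        self.alerts = []                # (timestamp, ip, layer) per tripwire hit

    def _access_control(self, ip, ts):
        return not any(ip_address(ip) in net for net in DENY_NETS)

    def _rate_limit(self, ip, ts):
        q = self.hits[ip]
        while q and ts - q[0] >= WINDOW:   # drop requests older than the window
            q.popleft()
        q.append(ts)                       # rejected requests still count
        return len(q) <= RATE_LIMIT

    def check(self, ip, ts):
        """Return the name of the first layer that rejects, or None if allowed."""
        for name, layer in (("access_control", self._access_control),
                            ("ip_rate_limit", self._rate_limit)):
            if not layer(ip, ts):
                self.alerts.append((ts, ip, name))  # alert the operator
                return name
        return None

def replay(requests):
    """Run (ip, timestamp) pairs through a fresh filter; return verdicts and alerts."""
    f = LayeredFilter()
    return [f.check(ip, ts) for ip, ts in requests], f.alerts

# Constructed traffic: one deny-listed client, one client bursting 7 requests
# in under a second, one slow client, then the bursting client much later.
SAMPLE = ([("203.0.113.7", 0.0)]
          + [("198.51.100.9", 1.0 + i * 0.1) for i in range(7)]
          + [("192.0.2.44", 2.0), ("192.0.2.44", 8.0), ("198.51.100.9", 30.0)])

if __name__ == "__main__":
    verdicts, alerts = replay(SAMPLE)
    for (ip, ts), verdict in zip(SAMPLE, verdicts):
        print(f"{ts:5.1f}s {ip:15} {verdict or 'allowed'}")
    print(f"{len(alerts)} alerts raised")
```

The bursting client is never on the deny list, so only the second layer catches it, and it is allowed again once its earlier requests age out of the window.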



Mark Brunelli

Mark Brunelli is a Content Specialist at Oracle Dyn. He writes about DNS, cloud infrastructure, networking, and edge security. He previously covered data management and IT security for TechTarget and several other online publications.