The Latest Radware News
Product and Solution Information, Press Releases, Announcements

On the surface, bot detection seems simple: You want to accurately detect bad bots with a low rate of false positives (to avoid blocking legitimate human users and good bots) and a low rate of false negatives (to ensure that you’re detecting ALL bad bots). Go below the surface though, and the challenges of detection become much more complex.

There’s a good reason why analyst firm Forrester has cited attack detection as one of the major selection considerations for bot management solutions. The quality of detection determines the quality of the solution. And as attacking bots become ever more sophisticated, detection becomes ever more challenging.

First, Detection

To illustrate these points, consider the example of a bot attack aimed at cracking passwords. A bot management solution could apply several methodologies to detect the attack by:

1. Identifying the average activity rates and abnormal rates of unsuccessful login attempts. Unfortunately, this approach is not sufficiently accurate and, more importantly, does not identify the attack source. Thus, any mitigation will be ineffective or will have a significant customer experience impact.
2. Looking at each source IP address and correlating activity over time to allow detection of active IPs generating unsuccessful login attempts. However, if the attack source is dynamically rotating its IP addresses, this methodology will be blind to the attack.
3. Correlating the activity over time for each source by device fingerprint. But again, if the attack source is dynamically modifying its device fingerprint, the methodology will miss the mark.

A more sophisticated detection will correlate activity over time across IPs, device fingerprints, mobile device attributes and sensors, as well as other attributes, to provide comprehensive analysis for accurate attack source detection.

Then, Mitigation

Here’s an overview of the basic functionality you need to mitigate — or manage — bots:

1. A session is a single context from a single user or client accessing your app. A bot manager must add a cookie in the web environment or a token in the API environment in order to monitor and analyze session context.
2. A bot manager must correlate all the behaviors of all sources across all sessions for the purpose of attack detection. Those behaviors should include volume, nature, frequency of transactions and navigation flow.
3. A bot manager should be able to uniquely identify sources. Consider the simple example of an attacker trying to crack a particular user’s password. Suppose it tries three times to log in with a dictionary password before switching to another IP. In such a scenario, IP-based identification of the attack source is ineffective, and you’re blind to the attack.

To correlate across those multiple attack attempts, you need a device fingerprint to gather IP-agnostic information. Even if the same attack source uses a dictionary of the 1,000 most common passwords and keeps switching IP addresses, you need the ability to identify the behavior and the context over multiple sessions. To do so requires you to embed device fingerprint JavaScript into the secured application or into the application responses. In other words, there is a need to modify the response if JavaScript is not embedded into the application.

Finally, while device fingerprinting is effective in a web environment, a mobile device that may not execute JavaScript requires a different approach. In that case, you need a collection of mobile device sensor data for source identification. By integrating the application with a mobile software development kit (SDK), you can enable access to mobile device sensor data.