This document summarizes key findings from Distil Networks' 2017 Bad Bot Report. Some of the main points include:
- Bad bots accounted for 19.9% of web traffic in 2016 and target sites with login pages, payment processors, web forms, and pricing information.
- Larger sites have a bigger bad bot problem, with bad bot traffic increasing 36.43% year-over-year on large sites.
- The US originates more bad bot traffic than all other countries combined, and data centers are responsible for two-thirds of bad bot traffic.
- Bad bots lie about their identities and increasingly claim to be mobile browsers. Protecting login pages and blocking old browsers/user agents can help mitigate
Distil Networks 2017 Bad Bot Report: 6 High Risk Lessons for Website Defenders
1. IT & DATA MANAGEMENT RESEARCH,
INDUSTRY ANALYSIS & CONSULTING
David Monahan
Research Director, Enterprise Management Associates
Twitter: @SecurityMonahan
Distil Networks 2017 Bad Bot Report:
6 High Risk Lessons
for Website Defenders
Rami Essaid
CEO, Distil Networks
Twitter: @ramiessaid
4.
David Monahan
Research Director of Security and Risk Management
Enterprise Management Associates
dmonahan@emausa.com
@SecurityMonahan
Bad Bot Report:
Six Risky Lessons
for Website Defenders
5. Bot (a.k.a. “Internet Bot,” “Internet Robot,” or “Web Robot”)
Automated systems that use various programs to perform relatively simple, repetitive tasks on behalf of their owners
17. 2017 Bad Bot Report Methodology
Study based on anonymized data
Hundreds of billions of bot requests
Thousands of domains
Plus 17 global data centers
23. Size Matters: The Bigger the Site, the Bigger the Bad Bot Problem
The largest sites are the most attractive to bad bots
Bad bot traffic on large sites up 36.43% YOY
Small and tiny sites have more bots than humans
*Websites grouped by Alexa rank
24. More Bad Bots Than Good on Large and Medium Sites
Small and tiny sites have more good bots than bad bots
37.5% more bad bots than good on large sites
25. Uncle Sam’s Bot Army
More bad bots come from the US than the rest of the world...combined
The US originates 5 times more bad bot traffic than the Netherlands (2nd place)
26. Countries with the Highest “Bad Bot GDP” (bad bots per internet user)
Dominica has 3,348 bad bots per internet user
Seychelles ranked third; it is also the alleged home of the owner of the BitTorrent site The Pirate Bay
The US is only 5th on the bad bot GDP list, with 446 bad bots per internet user
27. Bad Bots Lie About Their Identity
75.9% of bad bots claim they are Chrome, Internet Explorer, Firefox, or Safari
38.61% of bad bots claim they are Chrome
More bad bots claim to be Safari Mobile than Safari OSX for the first time
8% of bad bots claim to be good bots like search engine crawlers
28. More Bad Bots Claim to Be Mobile
The number of bad bots claiming to be mobile browsers jumped 42.78% in 2016
29. Mobile: The Undefended Frontier
9.4% of bad bot traffic originates from mobile ISPs
T-Mobile and AT&T Wireless are the top US-based mobile ISPs for bad bot traffic
China Mobile is third on the list
30. Data Centers Are the Biggest Threat
Two out of three bad bots come from a data center
Amazon AWS is responsible for four times as much bad bot traffic as the second-place hosting provider (OVH SAS)
37. Account Based Fraud
OWASP AUTOMATED THREATS:
CARDING, CARD CRACKING, CASHING OUT
Account exploitation bot sophistication
38. Account Takeover Attacks: Why?
Financial fraud
Targets are accounts at financial or e-commerce services that store users’ banking details. The attackers perform unauthorized withdrawals from bank accounts or fraudulent transactions using the credit/debit cards on file. This includes virtual currency such as bitcoin, in-game currency, and rewards programs. This is all worth real money.
Spam
Spam can appear in any service feature that accepts user-generated content, including discussion forums, direct messages, and reviews/ratings, degrading platform integrity and brand reputation.
Phishing
Attackers can assume a compromised user’s identity and launch phishing attacks on others in that user’s social circle to steal their credentials, personal information, or sensitive data.
40. Application Denial of Service
OWASP AUTOMATED THREAT: DENIAL OF SERVICE
Denial of service bot sophistication
41. What’s the Difference Between Application Denial of Service and DDoS?
Application Denial of Service
Attacks the application directly, with well-formed requests that are expensive for the application to serve
Hard to spot because the request volume looks normal at the firewall and may never register on the load balancer; the web server is exhausted from the inside
DDoS
Attacks the network and ISP infrastructure in front of your application with raw volume
Easier to spot because it floods upstream infrastructure to the point where packets never arrive at the web server
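The low-and-slow attack this slide contrasts with DDoS becomes visible when requests are weighted by what they cost the server rather than counted as bytes. The detector below is an added example written for this page, not Distil's code: it assumes Apache/nginx combined log format, and the endpoint cost weights and the sample log lines are constructed for the illustration.

```python
"""Detect an application-layer DoS in web access logs.

The attack this slide contrasts with DDoS is a few clients repeatedly calling
expensive endpoints (search, login, report generation) at a request rate far
too low to trip a volumetric alarm at the firewall or load balancer. Weighting
each request by what it costs the server, per client, makes the pattern visible.
Example code added to this page, not Distil's; costs and log lines are assumed.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Relative server-side cost of serving each endpoint. Assumed weights for the
# example; derive real ones from your own response-time measurements.
ENDPOINT_COST = {"/search": 50, "/login": 20, "/api/report": 200}
DEFAULT_COST = 1

# Combined-log-format line: ip - - [ts] "METHOD path proto" status bytes
LOG_RE = re.compile(
    r'^(?P<ip>\S+) - - \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" '
    r"(?P<status>\d{3}) (?P<bytes>\d+)"
)


def parse_line(line):
    """Parse one access-log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ip": m.group("ip"),
        "ts": datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z"),
        "path": m.group("path").split("?", 1)[0],  # cost is per endpoint, not per query
        "bytes": int(m.group("bytes")),
    }


def weighted_load(lines, window_seconds=60, budget=1000):
    """Return (suspects, total_bytes_per_second).

    suspects maps client IP -> peak cost-weighted request volume within any
    sliding window of window_seconds, for clients whose peak exceeds budget.
    total_bytes_per_second is aggregate throughput over the sample: the figure
    a bandwidth-based alarm would be watching.
    """
    events = sorted((e for e in map(parse_line, lines) if e), key=lambda e: e["ts"])
    if not events:
        return {}, 0.0
    per_ip = defaultdict(list)
    for e in events:
        per_ip[e["ip"]].append(e)

    suspects = {}
    for ip, evs in per_ip.items():
        window, cost = [], 0
        for e in evs:
            window.append(e)
            cost += ENDPOINT_COST.get(e["path"], DEFAULT_COST)
            # Slide the window: evict requests older than window_seconds.
            while (e["ts"] - window[0]["ts"]).total_seconds() > window_seconds:
                cost -= ENDPOINT_COST.get(window.pop(0)["path"], DEFAULT_COST)
            if cost > budget:
                suspects[ip] = max(cost, suspects.get(ip, 0))

    span = (events[-1]["ts"] - events[0]["ts"]).total_seconds() or 1.0
    return suspects, sum(e["bytes"] for e in events) / span


def log_stamp(t):
    """Format a naive UTC datetime the way the combined log format writes it."""
    return t.strftime("%d/%b/%Y:%H:%M:%S") + " +0000"


def sample_log():
    """Constructed log lines (not real traffic): one client calling the report
    endpoint once a second for 30 s, and two humans browsing normally."""
    base = datetime(2017, 3, 1, 12, 0, 0)
    lines = [
        f'203.0.113.5 - - [{log_stamp(base + timedelta(seconds=i))}] '
        f'"GET /api/report?range=all HTTP/1.1" 200 512'
        for i in range(30)
    ]
    humans = ("198.51.100.7", "198.51.100.8")
    pages = (("/index.html", 2048), ("/search?q=shoes", 4096), ("/product/42", 3000))
    for i, ip in enumerate(humans):
        for path, size in pages:
            ts = log_stamp(base + timedelta(seconds=5 * i + 1))
            lines.append(f'{ip} - - [{ts}] "GET {path} HTTP/1.1" 200 {size}')
    return lines


if __name__ == "__main__":
    suspects, bps = weighted_load(sample_log())
    print("suspects:", suspects)  # {'203.0.113.5': 6000}
    print(f"aggregate throughput: {bps:.0f} bytes/s")
```

On the constructed sample the report-hammering client scores 6000 against a budget of 1000 while aggregate throughput stays around 1 KB/s, which is the slide's point: nothing upstream of the web server sees an anomaly, so the detection has to live in the application's own request stream.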
42. All Your Web Analytics Are Wrong
OWASP AUTOMATED THREAT: SKEWING
Sophistication level of bots that skew analytics
43. Skewed Conversion Tracking
“The number of conversions was greatly deflated because of bad bot traffic. Now that we’re filtering bad bot traffic out, we’re able to see what the real data is and make decisions based on real visitors.”
Marty Boos, CIO, StubHub
45. Geofence Your Website from Offending Countries
*Measuring customer block requests by geographical region
China and Russia accounted for 79.9% of country-specific block requests
Dominica, Netherlands, and Seychelles all generate more than a thousand bad bots per internet user
46. Only Allow Browsers on Your Site
25% of bad bots are simple scripts run from the command line (tools such as curl or wget, or a scripting language’s HTTP library)
If you block clients that don’t present themselves as a browser, you stop these simple bad bots before they reach your site
Anything that spoofs a browser User-Agent passes this filter, so treat it as a cheap first pass rather than the defence
47. Block Old User Agents and Browsers
9.45% of bad bots claim to be browser versions that are 5 years old or older
Blocking old browsers and user agents stops the bad bots that report them, at little cost: almost no real users still run a five-year-old browser
The top 10 Oldest Self-Reported Browsers by Bad Bots, 2016 (chart)
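Slides 46 and 47 both come down to triaging the self-reported User-Agent header: drop command-line clients, drop browser versions nobody real still runs. The classifier below is an added example for this page, not Distil's code; the CLI signature list, the version cut-offs and the sample headers are assumptions constructed for the illustration. Because the header is self-reported, it removes only bots that do not spoof it.

```python
"""Triage User-Agent strings as slides 46 and 47 suggest: flag command-line
clients and browser versions too old for a real user to be running.

The header is self-reported, so this catches only bots that do not bother to
lie. Treat it as a cheap first filter in front of behavioural analysis.
Example code added to this page, not Distil's; lists and cut-offs are assumed.
"""
import re
from collections import Counter

# Substrings that identify scripted HTTP clients. Assumed list for this
# example; extend it from your own logs.
CLI_SIGNATURES = (
    "curl/", "wget/", "python-requests/", "python-urllib", "go-http-client/",
    "libwww-perl", "java/", "scrapy/", "okhttp/", "httpclient",
)

# Oldest major version still accepted per browser family. Assumed cut-offs that
# roughly follow the deck's "five years or older is suspect" rule as of 2017.
MIN_MAJOR = {"edge": 12, "chrome": 40, "firefox": 38, "safari": 8, "msie": 11}


def browser_of(ua):
    """Return (family, major_version) from a UA string, or (None, None)."""
    u = ua.lower()
    # Order matters: Edge UAs also contain "chrome", Chrome UAs also contain "safari".
    m = re.search(r"edge?/(\d+)", u)
    if m:
        return "edge", int(m.group(1))
    m = re.search(r"(?:chrome|crios)/(\d+)", u)
    if m:
        return "chrome", int(m.group(1))
    m = re.search(r"firefox/(\d+)", u)
    if m:
        return "firefox", int(m.group(1))
    m = re.search(r"version/(\d+)[.\d]* .*safari/", u)
    if m:
        return "safari", int(m.group(1))
    m = re.search(r"msie (\d+)", u)
    if m:
        return "msie", int(m.group(1))
    if "trident/7.0" in u and "rv:11" in u:  # IE 11 dropped the MSIE token
        return "msie", 11
    return None, None


def classify_ua(ua):
    """Classify one User-Agent header.

    'empty'   missing header
    'cli'     command-line or library HTTP client (slide 46)
    'stale'   browser version below the cut-off (slide 47)
    'unknown' not recognised as a mainstream browser
    'browser' claims to be a current browser (a claim, not a proof)
    """
    if not ua or not ua.strip():
        return "empty"
    u = ua.lower()
    if any(sig in u for sig in CLI_SIGNATURES):
        return "cli"
    family, major = browser_of(ua)
    if family is None:
        return "unknown"
    return "stale" if major < MIN_MAJOR[family] else "browser"


def summarize(uas):
    """Count classifications across a batch of UA strings (e.g. one log file)."""
    return Counter(classify_ua(ua) for ua in uas)


# Constructed sample headers for the demonstration, not taken from real logs.
SAMPLE_UAS = [
    "curl/7.54.0",
    "python-requests/2.18.4",
    "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/58.0.3029.110 Safari/537.36",
    "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/536.5 (KHTML, like Gecko) Chrome/20.0.1132.57 Safari/536.5",
    "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)",
    "Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko",
    "Mozilla/5.0 (iPhone; CPU iPhone OS 10_3 like Mac OS X) AppleWebKit/603.1.30 (KHTML, like Gecko) Version/10.0 Mobile/14E277 Safari/602.1",
    "",
]

if __name__ == "__main__":
    for ua in SAMPLE_UAS:
        print(f"{classify_ua(ua):8} {ua[:60]}")
    print(summarize(SAMPLE_UAS))  # Counter({'browser': 3, 'cli': 2, 'stale': 2, 'empty': 1})
```

Run at the edge, 'cli', 'stale' and 'empty' are the cheap blocks the two slides recommend; 'browser' only means the client said so, and the 75.9% figure on slide 27 is the reason it must feed into fingerprinting and behavioural checks rather than end the decision.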
48. Mobile is a Growing Bad Bot Attack Vector
Rate-limit mobile traffic
Consider carefully before IP blocking within mobile ranges: carrier NAT puts many real users behind each address, so a block hits all of them
Instead, generate tokens in a secure way to identify clients and rate-limit them per token
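The "generate tokens to identify and rate-limit users" advice on this slide, as an added example that is not Distil's implementation: a server-signed client token with a per-token sliding-window limiter, so throttling one bot does not hit the other users sharing its carrier NAT address. The token format, HMAC-SHA256 signing and the limits are assumptions for the illustration.

```python
"""Rate-limit by an issued client token rather than by source IP.

Carrier-grade NAT puts thousands of mobile users behind a single address, so an
IP-based block or limit punishes all of them for one bot. Handing each client a
server-signed token and budgeting per token confines the penalty to the client
that earned it. Example code added to this page; the token format and limits
are assumptions, not Distil's implementation.
"""
import hashlib
import hmac
import secrets
import time
from collections import defaultdict, deque

# Per-deployment secret; keep it off the client and rotate it on a schedule.
SERVER_KEY = secrets.token_bytes(32)


def issue_token(client_id, key=SERVER_KEY):
    """Mint `client_id.tag` where tag = HMAC-SHA256(key, client_id).

    The tag stops a bot from minting its own identities to reset its quota; it
    can only obtain tokens through whatever issuance path you gate (first page
    load behind a JavaScript challenge, login, etc.). A production token would
    also carry an expiry and be bound to the session.
    """
    tag = hmac.new(key, client_id.encode(), hashlib.sha256).hexdigest()
    return f"{client_id}.{tag}"


def verify_token(token, key=SERVER_KEY):
    """Return the client_id if the token's tag is valid, else None."""
    if not isinstance(token, str) or "." not in token:
        return None
    client_id, tag = token.rsplit(".", 1)
    expected = hmac.new(key, client_id.encode(), hashlib.sha256).hexdigest()
    # Constant-time comparison: a timing leak here would let a bot forge tags.
    return client_id if hmac.compare_digest(tag, expected) else None


class TokenRateLimiter:
    """Sliding-window limiter keyed on the verified client_id, never on the IP."""

    def __init__(self, limit, window_seconds, clock=time.monotonic):
        self.limit = limit
        self.window = window_seconds
        self.clock = clock  # injectable so the window can be tested deterministically
        self.hits = defaultdict(deque)

    def allow(self, token):
        client_id = verify_token(token)
        if client_id is None:
            return False  # forged or missing token; in production, fall back to a stricter IP limit
        now = self.clock()
        q = self.hits[client_id]
        while q and now - q[0] > self.window:
            q.popleft()  # forget requests that have left the window
        if len(q) >= self.limit:
            return False
        q.append(now)
        return True


def demo():
    """Two users behind one carrier IP: only the abusive one is throttled."""
    clock = [0.0]
    limiter = TokenRateLimiter(limit=5, window_seconds=60, clock=lambda: clock[0])
    alice = issue_token(secrets.token_hex(8))
    bob = issue_token(secrets.token_hex(8))
    alice_burst = [limiter.allow(alice) for _ in range(7)]  # 5 allowed, then denied
    bob_ok = limiter.allow(bob)                              # unaffected by Alice's burst
    forged_ok = limiter.allow(alice.rsplit(".", 1)[0] + "." + "0" * 64)  # bad tag
    clock[0] = 61.0                                          # Alice's window expires
    alice_later = limiter.allow(alice)
    return {"alice_burst": alice_burst, "bob": bob_ok, "forged": forged_ok, "alice_later": alice_later}


if __name__ == "__main__":
    print(demo())
```

The issuance path is the weak point: a bot that can fetch unlimited fresh tokens resets its quota at will, so gate issuance behind something a script cannot cheaply repeat (a login or a JavaScript challenge) and give tokens an expiry. Requests with a missing or forged token land in the refusal branch of `allow()`; in production those would typically be routed to a stricter IP-based fallback rather than refused outright.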
49. Don’t Ignore the Problem
Having a login, data, pricing information, payment processing, and/or forms means you have bad bots
Take action, don’t just ignore the problem
Don’t do it yourself, because you’ll be stuck in an endless cycle of IP whack-a-mole
Understand the problem: read the OWASP handbook on automated threats
50. What to Look for in a Bot Mitigation Solution
Blocks all automated threats, including scraping, account takeover, spamming, and payment processor fraud
Uses high-definition digital fingerprints to identify bad bots, not just IPs
Enables geofencing of offending nations and ISP fencing of offending ISPs
Detects scripts, headless browsers, and browser automation that imitates legitimate users
Applies behavioral analysis using machine learning
Protects APIs
53. Questions / Comments?
info@distilnetworks.com
Or call us on 1.866.423.0606
www.distilnetworks.com
Thank You for Participating!
To learn more about Distil Networks, visit us at: http://www.distilnetworks.com
Or contact us at: 415-423-0831