Time to tighten web application security against automated DDoS and credential stuffing attacks by bad user agents.

In mid-November, cybersecurity researchers put up a test web application, and in just a few days, detected millions of attacks coming from thousands of distinct IP addresses.

Cybercriminals constantly scan the internet for any vulnerabilities they can exploit. Once they deem a website suitable, they can launch bots to run Distributed Denial of Service (DDoS) attacks and even make fraudulent purchases online.

Known as ‘bad bot’ personas, such malicious automated software can be identified by its patterns of behavior. However, it can be mistaken for the harmless bots (user agents) that crawl sites for search-ranking purposes, and bad bots often spoof such ‘good’ bots to evade detection by security software. The researchers used the following methods to sniff them out:

  1. Injecting honeytraps such as hidden URLs and JavaScript (JS) challenges. Bots follow links and respond to JS challenges quite differently from the way humans do.
  2. Using rDNS (reverse DNS lookup) to verify that a bot really comes from the source it claims.
  3. Checking whether the client is trying to access URLs used by common application-fingerprinting attacks.
  4. If these methods do not catch a bot, the researchers perform further analysis with machine learning.
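The first three checks above can be applied to ordinary access logs. The script below is an added example, not the researchers' tooling: it runs over constructed log lines and flags clients that request a hidden honeytrap path, probe typical fingerprinting URLs, or present a good-bot User-Agent whose reverse DNS does not resolve into the operator's domain. The honeytrap prefix, the fingerprint path list, the rDNS suffix table and the mock PTR answers are all assumptions made for the example.

```python
import re
from collections import defaultdict

# Constructed sample access-log entries: client IP, request line, User-Agent.
SAMPLE_LOG = """\
203.0.113.5 "GET /products HTTP/1.1" "Mozilla/5.0 (compatible; Googlebot/2.1)"
203.0.113.5 "GET /__hidden_trap__/offer HTTP/1.1" "Mozilla/5.0 (compatible; Googlebot/2.1)"
198.51.100.9 "GET /wp-login.php HTTP/1.1" "python-requests/2.31"
198.51.100.9 "GET /.env HTTP/1.1" "python-requests/2.31"
192.0.2.44 "GET /products HTTP/1.1" "Mozilla/5.0 (compatible; Googlebot/2.1)"
192.0.2.77 "GET /products HTTP/1.1" "Mozilla/5.0 (Windows NT 10.0) Firefox/120.0"
"""

# Assumed honeytrap prefix: linked only from a hidden element, so no human clicks it.
HONEYTRAP_PREFIX = "/__hidden_trap__/"
# Assumed paths requested by common application-fingerprinting scans.
FINGERPRINT_PATHS = {"/wp-login.php", "/.env", "/phpinfo.php", "/.git/config"}
# Good-bot UA token -> rDNS suffix its operator publishes (simplified assumption).
GOOD_BOT_RDNS = {"Googlebot": ".googlebot.com", "bingbot": ".search.msn.com"}
# Constructed reverse-DNS answers standing in for a live PTR lookup (offline).
MOCK_RDNS = {"192.0.2.44": "crawl-192-0-2-44.googlebot.com",
             "203.0.113.5": "vps-5.hosting.example.net"}

LINE_RE = re.compile(r'^(\S+) "\w+ (\S+) [^"]*" "([^"]*)"$')

def claimed_good_bot(user_agent):
    """Return the good-bot name the User-Agent claims to be, or None."""
    return next((b for b in GOOD_BOT_RDNS if b in user_agent), None)

def classify(log_text, rdns_lookup):
    """Map each client IP to the set of bad-bot signals it triggered."""
    signals = defaultdict(set)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ip, path, ua = m.groups()
        if path.startswith(HONEYTRAP_PREFIX):
            signals[ip].add("honeytrap")
        if path in FINGERPRINT_PATHS:
            signals[ip].add("fingerprint-probe")
        bot = claimed_good_bot(ua)
        if bot:
            # rDNS check: a genuine crawler's PTR record sits in its operator's domain.
            # A production check would also forward-resolve the PTR name back to the IP.
            if not rdns_lookup.get(ip, "").endswith(GOOD_BOT_RDNS[bot]):
                signals[ip].add("spoofed-good-bot")
    return dict(signals)
```

Calling `classify(SAMPLE_LOG, MOCK_RDNS)` flags 203.0.113.5 (honeytrap hit plus a Googlebot claim that rDNS contradicts) and 198.51.100.9 (fingerprint probes), while the genuine crawler and the browser client are left alone.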

Holiday season bot fraud

Researchers from Barracuda have sounded the alarm to holiday e-shoppers readying for the festive gift giving. Their latest experiment showed that bad bots do not just wait for the middle of the night to attack: activity peaks in the late morning and does not fall off until closer to evening, local time in the countries where the cybercriminals (also known as ‘bot herders’) operate.

Said the firm’s Engineer Manager, Mark Lukie: “It’s clear that cybercriminals are powering up for the Christmas rush, so with holiday shopping season now in full swing across the region, it’s crucial that e-commerce teams take the appropriate steps to safeguard their applications against bad bots.”  

To protect against these attacks, cyber defenders need to ensure that web application firewalls (WAFs) are properly configured, or use WAF-as-a-Service solutions. Application security solutions with anti-bot protection can detect advanced automated attacks. The firm also recommends turning on credential stuffing protection to prevent account takeover attacks.