Bad bots make up 30% of internet traffic and they’re after APIs
In June 2022, hackers launched an attack against Australia’s largest Chinese-language platform, Media Today. The attackers made over 20 million attempts to reset user passwords in the platform’s registration system. However, these attackers weren’t humans but bots – complex, automated programs that swarm around the internet carrying out instructions.
If you’re a benign bot, you could be harvesting data for search engines. If you’re a bad bot, you’re more likely to be targeting digital systems, web applications and application programming interfaces (APIs), intent on data theft, fraud, denial of service, and more. At speeds and volumes that human attackers couldn’t match.
Our latest data shows that in the first six months of 2023, bots accounted for just under half (48%) of all internet traffic – with bad bots making up the majority of this, 30% overall.
Bad bot attacks are evolving to become more sophisticated. They are getting better at mimicking human behaviour and bypassing traditional security controls. And, having done so, they are being used for more advanced attacks against organisations.
This includes vulnerability scanning to find and exploit bugs, as well as brute force and credential stuffing/password spraying attacks to compromise and take over email accounts – particularly those they can reach through vulnerable APIs. The bots come armed with millions of potential permutations of usernames and passwords and will bombard targets relentlessly, as can be seen from the Media Today incident.
APIs are a growing target for bot attacks because they are relatively under-protected and used extensively for automated processes and communications. Further, the growing use of APIs has made it easier for bots to access and manipulate data at scale.
The attackers target applications that use APIs to access email accounts. For example, a marketing mailshot application that sends and tracks bulk- or personalised- emails to potential or existing customers.
APIs are designed to connect and share data with other applications – and it can be easy to underestimate just how exposed that data is. The combination of under-secured application interfaces, weak authentication and access policies, exposure to the outside world and a lack of bot-specific security measures – such as limiting the volume and speed of inbound traffic - leaves these APIs and the data they hold immensely vulnerable to a breach.
Beating the bad bots
Organisations can become overwhelmed by the sheer number of solutions that appear to be required to stop bots in their tracks. The good news is that many security vendors are developing consolidated solutions known as Web Application and API Protection (WAAP) and Web Application Firewall (WAF) services that provide a robust defence against bad bots, in whatever guise they come knocking and whatever their target.
A web application firewall (WAF) with designated anti-bot protection monitors and filters the incoming and outgoing traffic between a web application and the internet. A WAF can protect APIs from bot attacks in several ways:
- IP reputation: A WAF can block or log requests from known malicious IP addresses that are associated with botnets, the proxies that bots use to launch attacks, or anonymous routing networks.
- Rate limiting: A WAF can limit the number of requests that a program or client can make to an API within a certain time. This can prevent bots from overwhelming the target API with excessive requests or performing a brute-force attack against it.
- Signature detection: A WAF can detect and block requests that match predefined patterns of malicious behaviour, such as SQL injection or cross-site scripting. This can stop bots from being able to exploit any bugs in the API or inject malicious code.
- Behavioural analysis: A WAF can analyse the behaviour of a program and identify anomalies or deviations from expected ‘normal’ patterns, such as request frequency, size, headers, parameters, or cookies. This can help the firewall to distinguish between human and bot traffic and detect any bots trying to mimic human behaviour.
Alongside this, it is important to reinforce the security fundamentals: implementing strong passwords and multi-factor authentication, keeping your software up to date, conducting regular security audits and security awareness training.
Bots are getting cleverer, and as a result, more advanced attacks, such as account takeover and attacks against APIs, are increasing.
It is important to have multiple layers of detection and defence in place because the threat landscape evolves quickly. For example, faced with rate limits, attackers might decide to launch attacks with low-and-slow bot traffic. Or they might opt for MFA-bombing, also known as MFA fatigue, to bypass multi-factor authentication barriers. A resilient, defence-in-depth security solution means that attacks can be blocked at different points and in different places long before they have the chance to do serious damage.
For further details of evolving application threats and the latest in integrated application protection, take a look at our information pages.