What is a Bot and why you should care

© 2019 Akamai | Confidential1
Trust No One City Tour
What is a bot and why you
should care
Xavier Daspre
Sr. Cloud Security Architect - EMEA

AGENDA
• Understanding the bot problem
• Bots families
• Nice business
• Wrap up

What is a bot ?

THE “BOT PROBLEM”
Understanding the bots…
Your site traffic What you think your traffic looks
like
What your traffic actually looks
like

Those who eat

How to scrap digital content
Protect content

Scrap and consume

Transactional Endpoints- Two Classes of Bots
1. Scraping Bots
2. Transactional Bots
Example1 : Price Scraping (Good or Bad)
Example2 : Content Scraping (Good or Bad)
Example3 : Google Web Crawler (Good)

Transactional Endpoints- Two Types
1. Scraping Bots
2. Transactional Bots
Example 1 : Login Attack :: Credential Abuse (Bad)
Example 2 : Fake Account Signup (Bad)
Example 3 : Concert Ticket Grabbers (Bad)

Those who attack

Grow revenue opportunities with fast, personalized
web experiences and manage complexity from peak
demand, mobile devices and data collection.
Sign In
CS
User name
Password

CS
User nameXavie
PasswordLet’s talk credential stuff
Sign InSign In
in
r
g

Sign In
CS
Xavier
Let’s talk credential stuffing

Sign In
CS
Xavier
Let’s talk credential
Sign In
stuffing

Sign In
ABC
User name
Password

ABC
User nameXavier
PasswordLet’s talk credential
Sign InSign In
stuffing

Sign In
AFF
User name
Password

AFF
User nameXavier
Sign InSign In
stuffing

My-Carrier 12:00 PM 21%
Edit
Hello!
Sign in to access your money.
Sign In
User name
Password

Edit
Hello!
Sign in to access your money.
Sign In
User nameXavier
Sign In
stuffing

Xavier D paid Joe Smith
for the lulz
Like Comment $-1,999.00
1m
Xavier D paid AdultFriendFinder
for XoXoXo
1m
Xavier D paid Need Mulaah
for alcohol and drugs
1m
Xavier D paid YouGotPwned
for 10QSucka
1m
Xavier D
@Xavier_D
Member since Yesterday
Account balance: $6,500.00
Edit
$4,501.00$3,501.00$2,001.00$2.00
2m
3m
4m
2m
3m
2m

Xavier D paid YouGotPwned
for 10QSucka
1m
Xavier D paid Need Mulaah
for alcohol and drugs
2m
Xavier D paid AdultFriendFinder
for XoXoXo
3m
Xavier D paid Joe Smith
for the lulz
4m
Xavier D paid YouGotPwned, Need Mulaah,
AdultFriendFinder, and Joe Smith
Like Comment WTF?
$-6,498.00
Xavier D
@Xavier_D
Account balance: $2.00
Edit

Xavier D paid YouGotPwned, Need Mulaah,
AdultFriendFinder, and Joe Smith
Like Comment WTF?
$-6,498.00
Xavier D
@Xavier_D
Account balance: $2.00
Edit
WTF?

Credential Abuse to ATO

Darknet insight : Sales !

Darknet insight : Sell the valued accounts

Money lost to fraud per
compromised account
25%
29%
22%
14%
10%
Less
than
$100
$100
to
$500
$501
to
$1,000
$1,001
to
$5,000
More
than
$5,000
Ponemon—The Cost of Credential Stuffing, Oct 2017
BUSINESS IMPACT
Understanding the cost of credential stuffing
Number of accounts
targeted per attack
19%
35%
28%
11%
7%
1 to
100
101 to
500
501 to
1,000
1,001
to
5,000
More
than
5,000
Number of credential
stuffing attacks per month
0%
41%
38%
12%
9%
None 1 to 5 6 to 10 11 to
20
More
than
21

Industry IPs Participating Login Requests % of Total Requests
Gaming 7,712,894 1,358,045,044 61.30%
Hotels & Resorts 122,026 232,309,946 10.49%
Cards & Payments 477,507 148,304,255 6.69%
Department Stores 326,151 104,748,065 4.73%
Commerce Portal 66,321 60,199,822 2.72%
Banking 349,474 55,356,808 2.50%
Airline 86,346 41,004,594 1.85%
Cosmetics 82,808 38,197,524 1.72%
Consumer Software (B2C) 224,707 28,202,339 1.27%
Social Media 127,396 26,557,605 1.20%
Enterprise Software (B2B) 21,290 25,383,158 1.15%
Consumer Electronics 50,984 25,264,381 1.14%
Apparel & Footwear 66,414 19,692,260 0.89%
Online Travel Agents 102,555 8,935,366 0.40%
Federal 3,403 7,454,257 0.34%
INDUSTRY BREAKDOWN
A 1-week view into Akamai customers

• Majority of IPs performing credential
stuffing make less than 1 request
per minute
• Average is 28 requests per hour
• Maximum request rate observed
from a single IP during the sampled
period - 625,000 requests per hour
(173 login requests per seconds)
Rate Controls are only effective against the rare bots that fall outside typical human request rate thresholds
ATTACK CHARACTERISTICS
What an attack looks like

CONSEQUENCES
Wide-ranging impacts of credential stuffing
5%
17%
41%
43%
50%
63%
67%
Other
Damaged brand equity from news
stories or social media
Lost business due to customers
switching to competitors
Compromised accounts leading to
fraud-related financial losses
Lower customer satisfaction
Cost to remediate compromised
accounts
Application downtime from large
spikes in login traffic

RESPONSIBILITY
Dispersed throughout the organization
5%
2%
3%
3%
9%
13%
16%
20%
21%
28%
3%
40%
Other
Compliance / audit
CEO / COO
Head of legal
Data center / IT…
Web hosting service…
Head of risk…
CISO / CSO
Fraud prevention /…
CIO / CTO
Line of business /…
No one function has…

IP Rate
Limiting
Network
Header
Analysis
Browser
Property
Analysis
BM Premier exploits ”what makes us human”.
Neuro-muscular interaction is much harder for
machine scripts to replicate.
Traditional Methods : Less Effective
against Credential Abuse.
How Akamai approaches the challenge

Conclusion

Achieving desired outcomes
AKAMAI DIFFERENCE
Ability to manage bot traffic on the Akamai
CDN before it reaches your website,
offloading your origin infrastructure
The latest technologies that can detect the
most sophisticated bots today even as they
evolve to avoid detection
Real-time intelligence from visibility into bot
traffic interacting with many of the largest web
presences around the world
Ability to manage wide array of both good and
bad bots and customize response based on
your business and IT goals
Granular visibility / reporting allows you to
analyze your bot traffic and implement your
bot strategy without being a black box
Security experts who can help implement
and tune your bot management strategy and
respond to security events

© 2019 Akamai | Confidential3737 | Akamai Nordics City Tour | © 2019 Akamai | Confidential
Thanks for your attention
Questions ?!

What is a Bot and why you should care

Empfohlen

Empfohlen

Weitere ähnliche Inhalte

Was ist angesagt?

Was ist angesagt? (20)

Ähnlich wie What is a Bot and why you should care

Ähnlich wie What is a Bot and why you should care (20)

Mehr von Elisabeth Bitsch-Christensen

Mehr von Elisabeth Bitsch-Christensen (15)

Kürzlich hochgeladen

Kürzlich hochgeladen (20)

What is a Bot and why you should care