Bots are increasingly making life more difficult for security teams. Attacks against APIs and web apps almost always now involve bots or botnets, and attackers are using them in crafty and clever ways. For security teams, one IP address behaving suspiciously is an easy block; a flood of IP addresses behaving suspiciously is clear nefarious activity as well. But with a botnet army of IP addresses that each look like a unique user, attackers are creating attacks that are not so obvious and much more challenging.
Here are a few bot tactics we at ThreatX are observing that are causing security headaches.
Low and Slow Bot Attacks
“Low and slow” attacks are one of the biggest challenges in stopping botnets. With more traditional bot attacks, whether a DDoS or credential stuffing attack, the attackers just release the floodgate, and the security team suddenly sees a huge increase of IPs trying to reach their servers and either DDoSing or trying to get login credentials. It’s relatively easy to spot this anomalous activity and block it.
But nowadays, we’re seeing a lot more low and slow attacks, where the attackers use a wide range of distributed IPs. Each of these IP addresses is only executing one request, and doing so slowly — maybe once a minute, or maybe even once every five minutes. These look like legitimate requests, but they’re enumerating through accounts in order to steal credentials.
Some of the attacks that we see on a regular basis leverage mobile applications with an API backend. Attackers capture the request from the mobile application to the origin server, then they just replay that, but very slowly across millions of nodes. And it becomes really challenging to detect which requests are good, and which ones are bad. Is this somebody failing to log in legitimately using the mobile application, or is this actually one of the nodes enumerating through some captured credentials from Pastebin?
Bots Avoiding Geoblocking
When using a botnet made up of thousands of distributed IPs, attackers can also end run many traditional security controls. For instance, for organizations only doing business in certain areas or regions, geo-blocking has been a standard security control – you simply block any IP address coming from a location where you are not doing business. However, today, attackers using botnets made up of thousands of IP addresses can work around geoblocking. When they realize that certain countries, continents, or regions are getting blocked, they simply swap out those IPs and move to IPs where the requests are getting through.
It often feels to us like an arms race. The attackers are doing what we’re doing, watching as some nodes get bad or blocked responses, and some end up as valid requests. Once the attackers see what’s getting through, they’ll shift their resources. At the same time, we’re watching them shift resources and trying to anticipate, identify, and block them.
Bots as Gray Noise
Finally, bots are making life more difficult for security teams by acting as gray noise while the attackers go after the real target. Attackers now frequently use botnets to trigger a flurry of alerts that security has to follow up on. While security is distracted with the noise, the attackers are free to carry out the real attack pattern behind the scenes.
For instance, while your SOC team is trying to mitigate a massive DDoS attack, you might miss the one or two requests hitting an already-known endpoint that an attacker discovered during a recon phase. It’s often these attacks carried out while security is distracted that are the ones causing data breaches.
Bot mitigation is an important part of the API security mix; learn more in our recent webcast Malicious Bots in Modern Threats.