Challenges of Stopping Bot-Based API Attacks

PUBLISHED ON October 5, 2022
LAST UPDATED Oct 05, 2022

Bots are increasingly making life more difficult for security teams. Attacks against APIs and web apps almost always now involve bots or botnets, and attackers are using them in crafty and clever ways. For security teams, one IP address behaving suspiciously is an easy block; a flood of IP addresses behaving suspiciously is clear nefarious activity as well. But with a botnet army of IP addresses that each look like a unique user, attackers are creating attacks that are not so obvious and much more challenging.  

Here are a few bot tactics we at ThreatX are observing that are causing security headaches. 

Low and Slow Bot Attacks

“Low and slow” attacks are one of the biggest challenges in stopping botnets. With more traditional bot attacks, whether a DDoS or credential stuffing attack, the attackers just release the floodgate, and the security team suddenly sees a huge increase of IPs trying to reach their servers and either DDoSing or trying to get login credentials. It’s relatively easy to spot this anomalous activity and block it.  

But nowadays, we’re seeing a lot more low and slow attacks, where the attackers use a wide range of distributed IPs. Each of these IP addresses is only executing one request, and doing so slowly — maybe once a minute, or maybe even once every five minutes. These look like legitimate requests, but they’re enumerating through accounts in order to steal credentials. 

Some of the attacks that we see on a regular basis leverage mobile applications with an API backend. Attackers capture the request from the mobile application to the origin server, then they just replay that, but very slowly across millions of nodes. And it becomes really challenging to detect which requests are good, and which ones are bad. Is this somebody failing to log in legitimately using the mobile application, or is this actually one of the nodes enumerating through some captured credentials from Pastebin? 

Bots Avoiding Geoblocking 

When using a botnet made up of thousands of distributed IPs, attackers can also end run many traditional security controls. For instance, for organizations only doing business in certain areas or regions, geo-blocking has been a standard security control – you simply block any IP address coming from a location where you are not doing business. However, today, attackers using botnets made up of thousands of IP addresses can work around geoblocking. When they realize that certain countries, continents, or regions are getting blocked, they simply swap out those IPs and move to IPs where the requests are getting through. 

It often feels to us like an arms race. The attackers are doing what we’re doing, watching as some nodes get bad or blocked responses, and some end up as valid requests. Once the attackers see what’s getting through, they’ll shift their resources. At the same time, we’re watching them shift resources and trying to anticipate, identify, and block them.  

Bots as Gray Noise 

Finally, bots are making life more difficult for security teams by acting as gray noise while the attackers go after the real target. Attackers now frequently use botnets to trigger a flurry of alerts that security has to follow up on. While security is distracted with the noise, the attackers are free to carry out the real attack pattern behind the scenes. 

For instance, while your SOC team is trying to mitigate a massive DDoS attack, you might miss the one or two requests hitting an already-known endpoint that an attacker discovered during a recon phase. It’s often these attacks carried out while security is distracted that are the ones causing data breaches.  

Bot mitigation is an important part of the API security mix; learn more in our recent webcast Malicious Bots in Modern Threats


About the Author

Neil Weitzel

Neil is the Manager of the ThreatX Security Operations Center and is located in Boston, MA. He has 15 years of experience working in various roles, from user support to leading security programs. Neil has profound experience in security architecture and cybersecurity best practices, which helps him provide valuable insight to security teams. Before ThreatX, Neil worked with organizations such as Cognizant as an Application Security Architect, Cigital (now Synopsys) as their Practice Director of Vulnerability Assessments, and EIQ Networks (now Cygilant) as their Director of Security Research. Neil also served as a Cybersecurity Instructor and delivered numerous Security and Defensive Programming courses to various clients such as NASA and PayPal. He is an active member of the security community and has delivered lectures at DEF CON, OWASP and local security meetups. Neil also acts as an adjunct lecturer on Software Engineering at his alma mater, Indiana University.