AWS for Industries

Kasada beats bots at their own game: How to identify and eliminate bot attacks

Bots. The internet is crawling with them, literally. Bots, short for robots, are software programs that can impersonate human interactions. While bots can be used for helpful activities (think about how chatbots have changed the way we interact with product support) they can have a much more sinister side.

Bots are relentless, and they pose a growing challenge for online companies. As these automated entities evolve in sophistication, detecting their presence (and assessing any damage they’ve caused) becomes paramount. Here, we shed light on the crucial indicators that can help Amazon Web Services (AWS) customers identify bots that are getting through your existing fences. We’ll show you how to defend your website, and business, from their harm.

How do I know if my site is at risk?

First of all, if you have a website and you aren’t taking proactive steps to keep it secure, it’s at risk. As soon as your IP hits the Internet, all bets are off. It will be scanned, open ports catalogued, and attempts to exploit what’s found will commence almost immediately. To make matters worse, the more popular your site is, the more bot attention it will get.

There are a few steps you can take to assess whether bots are affecting your website. If you find any hint of bot activity, we think we have something that can help. So, let’s dive in. Here are the top five ways you can uncover bot traffic.

1. Easy to find traffic indicators

So, what does a garden-variety bot look like? Are there telltale signs of a bot’s activities that you can cull from logs or other active monitoring you may have for your website? It turns out that there are four fairly obvious patterns you can look for now:

1. Day-Night Traffic Cycles: Genuine human traffic typically exhibits distinctive day-night cycles, reflecting periods of activity and rest. Bots, on the other hand, operate around the clock, leading to a smooth, unbroken traffic pattern.

2. Unrelated Traffic Bursts: Peaks in traffic directed at specific endpoints, not aligned with marketing initiatives like app notifications or email campaigns, can be indicative of bot-driven activities.

3. Cost Surges: Unforeseen spikes in infrastructure costs (unnatural scaling in the middle of the night or during times when activity is typically low) or in two-factor authentication (2FA) SMS expenses (often referred to as “toll fraud” or “SMS pumping”) may suggest bot interference.

4. Probing of Unique Directories: Unusual scans targeting directories hosting anti-bot service identifiers, like those in some popular bot managers, could imply attempts to identify the protective measures in use.
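
The day-night check from item 1 can be run per endpoint over access-log timestamps. The sketch below is an added example, not code from Kasada or AWS; the 0.6 threshold, the endpoint names and the sample day are constructed assumptions, and timestamps are assumed to be in your audience's local time.

```python
from collections import defaultdict
from datetime import datetime

FLAT_THRESHOLD = 0.6  # assumed cut-off, tune against your own baseline

def hourly_profile(events):
    """Map endpoint -> 24 request counts, one per hour of day."""
    profile = defaultdict(lambda: [0] * 24)
    for timestamp, path in events:
        profile[path][datetime.fromisoformat(timestamp).hour] += 1
    return profile

def flatness(counts):
    """Trough-to-peak ratio: near 0 for a day-night cycle, near 1 for flat traffic."""
    peak = max(counts)
    return min(counts) / peak if peak else 0.0

def flat_endpoints(events, threshold=FLAT_THRESHOLD):
    """Endpoints whose quietest hour still carries >= threshold of the busiest hour."""
    profiles = hourly_profile(events)
    return sorted(path for path, counts in profiles.items() if flatness(counts) >= threshold)

def constructed_sample():
    """One constructed day: /products follows a human rhythm, /login is hit evenly."""
    events = []
    for hour in range(24):
        humans = 2 if hour < 6 else 20 if 9 <= hour < 22 else 8
        events += [(f"2024-01-01T{hour:02d}:05:00", "/products")] * humans
        events += [(f"2024-01-01T{hour:02d}:35:00", "/login")] * 15
    return events

if __name__ == "__main__":
    sample = constructed_sample()
    for path, counts in hourly_profile(sample).items():
        print(f"{path:10s} flatness={flatness(counts):.2f}")
    print("flat around the clock:", flat_endpoints(sample))
```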

2. Tougher to find: hidden traffic indicators

Once you’ve identified the easy indicators, there are a couple that are a bit tougher to determine. Scratching just beneath the surface, you may find these two more-hidden traffic indicators:

1. Increased Security Notifications: A sudden surge in security alerts beyond historical norms signifies potential malicious activities warranting investigation.

2. Unfavorable HTTP Status Ratios: All websites encounter client errors (HTTP 4XX) and successful (2XX) status codes on login endpoints. However, an excessive rise in the error ratio, for example, more than 10 percent higher than normal, hints at unauthorized access attempts.
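
One way to watch the login status ratio from item 2, as an added example that is not Kasada's or AWS's code. It assumes common/combined log format, a `/login` path, a baseline error share you have measured yourself, and reads "10 percent higher than normal" as a relative rise; the log lines are constructed.

```python
import re
from collections import defaultdict

# Fields needed from a common/combined log line: day, hour, request path, status.
LINE = re.compile(
    r'\[(?P<day>[^:]+):(?P<hour>\d{2}):[^\]]+\] '
    r'"\S+ (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)

def login_tally(lines, path="/login"):
    """Return {(day, hour): [client_errors, successes]} for one endpoint."""
    tally = defaultdict(lambda: [0, 0])
    for line in lines:
        m = LINE.search(line)
        if not m or m["path"].split("?")[0] != path:
            continue  # unparseable line or a different endpoint
        if m["status"][0] == "4":
            tally[(m["day"], m["hour"])][0] += 1
        elif m["status"][0] == "2":
            tally[(m["day"], m["hour"])][1] += 1
    return dict(tally)

def flag_hours(lines, baseline_share, rise=0.10, min_requests=10):
    """Hours whose 4XX share is more than `rise` (relative) above the baseline."""
    flagged = []
    for key, (errors, ok) in login_tally(lines).items():
        total = errors + ok
        if total >= min_requests and errors / total > baseline_share * (1 + rise):
            flagged.append((key, round(errors / total, 2)))
    return sorted(flagged)

def sample_line(hour, status, path="/login"):
    """Build one constructed log line (documentation IP range, made-up sizes)."""
    return (f'198.51.100.7 - - [01/Jan/2024:{hour:02d}:15:00 +0000] '
            f'"POST {path} HTTP/1.1" {status} 512')

# Constructed sample: a normal hour (20% errors) and a night-time hour (90% errors).
SAMPLE = ([sample_line(10, 200)] * 8 + [sample_line(10, 401)] * 2
          + [sample_line(3, 200)] + [sample_line(3, 401)] * 9
          + [sample_line(3, 404, "/products")])  # other endpoints are ignored

if __name__ == "__main__":
    print(flag_hours(SAMPLE, baseline_share=0.20))
```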

3. Digging deeper with generic traffic indicators

The last group of traffic indicators is somewhat generic in classification. While many bots are engineered to randomize some behaviors, others are less sophisticated and can be detected. Look out for these four:

1. Deviant Request Sequences: Requests that defy the expected user flow, such as direct login requests without preceding page loads, may expose automated actions.

2. Anomalous IP Concentrations: A small number of IP addresses generating a disproportionately large volume of overall traffic is indicative of bot involvement.

3. Inappropriate Endpoint Access: Access requests targeting non-public endpoints, like unreleased product purchase links, signal potential security breaches.

4. Unnatural Regular Request Patterns: User sessions exhibiting overly regular request intervals may betray automated behavior.
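
Three of these indicators (request sequence, IP concentration, and regular intervals) can be checked over the same parsed request records. This is an added example, not code from Kasada or AWS; the thresholds, the use of client IP as a stand-in for a session, and the sample records are all constructed assumptions.

```python
from collections import Counter, defaultdict
from statistics import mean, pstdev

# Each request: (epoch_seconds, client_ip, method, path). The client IP stands in
# for a session here, which is an assumption; use a session ID if you log one.

def top_talkers(reqs, share=0.5):
    """IPs that alone account for at least `share` of all requests."""
    hits = Counter(ip for _, ip, _, _ in reqs)
    return sorted(ip for ip, n in hits.items() if n / len(reqs) >= share)

def login_without_page_load(reqs, page="/login"):
    """IPs that POST to the login endpoint before ever fetching the login page."""
    loaded, flagged = set(), set()
    for _, ip, method, path in sorted(reqs):
        if path != page:
            continue
        if method == "GET":
            loaded.add(ip)
        elif method == "POST" and ip not in loaded:
            flagged.add(ip)
    return sorted(flagged)

def metronomic(reqs, max_cv=0.1, min_requests=5):
    """IPs whose gaps between requests barely vary (coefficient of variation <= max_cv)."""
    times = defaultdict(list)
    for ts, ip, _, _ in reqs:
        times[ip].append(ts)
    flagged = []
    for ip, stamps in times.items():
        if len(stamps) < max(min_requests, 2):
            continue
        stamps.sort()
        gaps = [b - a for a, b in zip(stamps, stamps[1:])]
        if mean(gaps) > 0 and pstdev(gaps) / mean(gaps) <= max_cv:
            flagged.append(ip)
    return sorted(flagged)

# Constructed sample: one scripted client and one person browsing.
SAMPLE = [(t, "203.0.113.9", "POST", "/login") for t in range(0, 100, 10)] + [
    (3, "198.51.100.4", "GET", "/login"), (21, "198.51.100.4", "POST", "/login"),
    (40, "198.51.100.4", "GET", "/account"), (95, "198.51.100.4", "GET", "/orders"),
    (97, "198.51.100.4", "GET", "/orders/17"),
]

if __name__ == "__main__":
    for check in (top_talkers, login_without_page_load, metronomic):
        print(f"{check.__name__}: {check(SAMPLE)}")
```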

4. Signals from user accounts

Fake user account creation and usage can attempt to hide anomalous activity, but if you have sophisticated monitoring capabilities, these signals surface quickly:

1. Burst Account Creation: Uncharacteristic bursts of account creation followed by normalized activity can signal fraudulent account generation.

2. Surge in Unrecognized Email Domains: A sudden increase in the use of previously unseen email domains may indicate the involvement of automated account creation.

5. Ecommerce-specific red flags

The final way to determine bot traffic centers around atypical activity found on ecommerce sites. There are at least three behaviors you should monitor:

1. Unusual Geographic Activity: An uptick in purchases or traffic from uncharacteristic regions is a red flag for bot-driven transactions.

2. Repetitive Shipping Information: A high frequency of requests targeting the same or similar delivery addresses might indicate fraudulent activities.

3. Financial Fraud Warning Signs: An increased occurrence of banking, point of sale (POS) fraud, or chargebacks suggests potential bot-generated fraudulent transactions.

If you didn’t turn up any bot activity, you’re fortunate. However, that’s today. What about tomorrow? Now that you’re armed with what to look for when bots come knocking at your website’s door, what can you do about it? It’s not enough to monitor. You’ve got to defend yourself.

Kasada on AWS

Kasada is an AWS Retail Competency Partner at the forefront of cybersecurity, countering automated bot attacks and online fraud across web, mobile, and API channels, while remaining invisible to legitimate users.

Kasada knows that recognizing the multi-dimensional indicators of bot presence is vital to maintaining the integrity and security of your platforms. But it’s only the start. Coupling vigilance with proactive defenses, Kasada helps companies identify and counteract bot-driven activities more effectively, ensuring a secure and frictionless online experience for brands and their customers.

The unfortunate truth is that many retailers may not realize the magnitude of their bot problems until they engage with Kasada. It’s common for a customer’s existing bot mitigation solution to understate, if not completely miss, the degree to which bots are attacking their platform(s).

How Kasada helped an online retailer

Kasada was approached by an ecommerce retailer over concerns that their website may be experiencing a high number of false negatives from their existing bot solution. Kasada got right to work. In the chart below, Kasada targeted and charted the origin of 200 and 400 status code responses. The chart confirmed the retailer’s suspicion that the level of false negatives was high. The bots were attacking the customer login in order to gain application access to commit fraud. In the chart you can see that, before the fifth of September, the prior solution allowed bots to attack the customer login.

Effect of Kasada on ecommerce retailer false-negatives for 200 and 400 level status codes on customer login

The graph shows a dramatic drop in activity. On the fifth of September, when Kasada was switched on, bot activity took a nosedive. However, the bots didn’t give up that easily. The bots reacted to the change in three stages:

1. The bot automation was blocked, and requests plummeted temporarily.

2. Then, the bots got smart. They retooled and launched a new attack from tens of thousands of new IPs, ASOs, and countries.

3. Finally, the bots pivoted away from this login target starting on the ninth of September.

Kasada mitigated the bots’ automated attacks, immediately adapting to the new behavior pattern. In the end, Kasada safeguarded the retailer from a potential breach of customer personal data. But that’s not the only effect Kasada had.

Cost savings using Kasada

For retailers like the one just described, using Kasada can amount to significant cost savings because the tech stack doesn’t waste time (and resources) attempting to service fake user traffic.

Sometimes, those tech stack savings can significantly offset the cost of Kasada’s service. Savings can come in many forms. Here are a few examples:

  • Content Delivery Network (CDN) Billing: Bots drive cost for volume-based services like CDNs.
  • Third-Party Logging: If you’re using a third party, such as Splunk or Datadog, additional logging can add up.
  • Payments: Authorization declines, chargebacks, and fraud cost time and money.
  • SMS-Based Services: Costs for superfluous texts can add up.
  • Volume-Priced Services or Tools: Because bots create transactions, those costs can quickly add up.
  • Capacity: Additional compute or storage that bots chew up amounts to wasted resources and lost revenue.

This just scratches the surface. Don’t forget about savings on the labor required to chase down fraud and other issues created by bot traffic.

How Kasada Works

So how does Kasada work? How is it different from the other bot mitigation solutions out there?

First-generation bot mitigation solutions are typically slow to respond, easy to evade, and many rely on CAPTCHA (Completely Automated Public Turing test to tell Computers and Humans Apart) to differentiate between human and non-human interaction.

Kasada is fundamentally different from first-generation bot mitigation solutions. Since Kasada employs a layered defense platform, it quickly adapts as adversaries change approach and it’s invisible to humans.

Following is a diagram of how Kasada Bot Defense can fit into your existing environment. Kasada sits in between your content delivery network (CDN), like Amazon CloudFront, and your server. Visitor traffic traverses the CDN, enters the Kasada Bot Defense (where Kasada defends against automated threats and fraud), and if allowed, passes seamlessly through to your server.

Kasada Defense Cloud

Here’s what one of Kasada’s customers had to say about implementing Kasada:

“Kasada was implemented in just minutes, and immediately neutralized our flow of attacks. I’m still amazed by how simple and immediately efficient the solution was. We also really liked the interaction with the Kasada team. They were enthusiastic, highly knowledgeable, and very easy to do business with.” – Regan MacDonald, Group IT Manager at True Alliance

Conclusion

Ultimately, Kasada Bot Defense offers retailers a comprehensive, proactive, and invisible defense against the risk posed by bots. By leveraging innovative technologies and an adaptable approach, Kasada empowers retailers and ecommerce to focus on growth and profitability while leaving the bot worries to the experts.

Don’t just monitor; defend with Kasada Bot Defense and ensure a secure and seamless online experience. Learn more at kasada.io and receive a no-charge threat assessment to uncover whether bots are a risk to your organization.

Kasada Bot Defense is also available on the AWS Marketplace.

Check out more AWS Partners or contact an AWS Representative to know how we can help accelerate your business.

AWS Partner Spotlight

Kasada provides website, API, and mobile app protection for enterprises that’s quick to evolve, difficult to evade, and invisible to customers. The Kasada technology and team defend some of the largest brands in the world from automated threats and bot attacks without impacting the end-user experience.

Cody Shive

Cody Shive is the Global Partner Solutions Architect for Grocery, Drug, and Convenience at AWS, where he works with both cloud and physical store retail partners. Cody has 20+ years in Retail as an independent consultant, a technical lead for IBM/Toshiba Global Commerce Solutions, and as a Retail Transformation architect for NCR. Cody specializes in deep data analytics and keeps himself involved in self-service solutions such as Self-Checkout and Dash Cart technologies. He is passionate about grocery, stemming from his very first job at Albertsons in Florida. Cody is a graduate from the University of North Florida with a degree in Computer and Information Sciences and minor in Business Management.

Chris Deever

Chris Deever is a cyber security specialist at Kasada with an impressive track record spanning 20+ years in the IT industry. Currently, Chris delivers robust defense strategies against bot attacks aligned to the unique requirements of each customer at Kasada. Prior to Kasada, Chris held the esteemed position of Senior Presales Engineer II/ELITE at Akamai. During his 11 years at Travelocity, Chris was instrumental in managing senior analytics teams and global production operations. Chris holds a bachelor’s in management information systems from The University of Texas.