Enhancing Security Using AWS WAF Bot Control with OLX
Learn how OLX, a global leader in online classified ads, prevents malicious bot events using AWS WAF Bot Control.
Results
250,000 bot requests rejected during an event
2-week implementation across 13 classifieds platforms
About OLX
OLX is a fast-growing tech-enabled marketplace that is powered by trust, loved by customers, and present in nine countries in Europe, Asia, and Africa. It helps millions make key life decisions, like finding a home, job, car, or needed secondhand goods.
OLX, a global leader in online classifieds that serves millions of people around the world each month, wanted to enhance its hosted customer identity and access management (hCIAM) solution to prevent bot events while maintaining a good user experience. OLX’s hCIAM serves 11 million customers monthly across 13 classifieds platforms in Europe and Asia. The solution is regularly targeted by malicious actors who try to flood systems with bots—disrupting business and preventing customers from logging in.
OLX was already using Amazon Web Services (AWS) across its business and for its hCIAM solution and chose to continue using AWS to enhance security in a cost-effective and scalable way. Using AWS WAF Bot Control to establish visibility and control over common and pervasive bot traffic, OLX successfully mitigates malicious bot events while reducing infrastructure costs.
Opportunity | Using AWS WAF Bot Control to Improve Security Posture for OLX
OLX operates multiple online classifieds platforms in nine European, African, and Asian countries. It helps millions of people each month make important life decisions, like finding a home, job, car, or secondhand goods. The company’s hCIAM validates registration and login for users across multiple markets. As a single service, it must be protected against malicious actions such as distributed denial of service (DDoS), mass account registration, and bot events.
OLX now runs its hCIAM using Amazon Cognito, which is used to implement a secure, frictionless CIAM solution that scales. OLX started addressing bad actors using a third-party vendor, before moving to an in-house solution. However, the company quickly realized that the matter required more attention due to the volume of attacks on the platforms. Malicious actors could prevent legitimate users from registering or logging in by performing various actions using random emails or phone numbers, leading to brand damage and an increase in costs. OLX’s goal was to implement a cost-effective, automated solution to prevent bot traffic while maintaining a good user experience with minimal friction. Additionally, the company wanted a solution that would maintain performance at scale.
OLX was already using AWS WAF—a service that organizations use to protect web applications—internally across other services and parts of the OLX network. When OLX was considering solutions to enhance its hCIAM security, it was a big draw that AWS WAF was already implemented. “Validation happens almost invisibly to us in terms of performance and cost,” says Tomasz Gramza, principal software engineer at OLX. The company then chose AWS WAF Bot Control for its features and implementation.
Solution | Enhancing Security and Reducing Infrastructure Costs Using AWS
Before implementing the new solution, OLX assessed its impact on application performance. Initially, some browsers incorrectly blocked the AWS WAF Bot Control software development kit (SDK) as an advertisement. OLX worked together with the AWS WAF team to implement domain masking for the SDK using capabilities in Amazon CloudFront, which securely delivers content with low latency and high transfer speeds. The initial implementation took 2 weeks, and the new hCIAM solution went live in March 2024. Then, OLX fine-tuned some of the rules for AWS WAF so that legitimate users would not be prevented from logging in or registering accounts.
Working alongside the AWS team, the company managed to solve implementation issues. “We were quite early adopters of AWS WAF for intelligent threat mitigation,” says Tomasz Gramza. “The responsiveness of the AWS team was exceptional.”
While testing its security solution in audit mode, OLX experienced two bot attack events. On the first occurrence, the company was able to put AWS WAF Bot Control into block mode and successfully mitigated the attack, saving thousands of dollars on potential short-messaging-service costs from mass account registrations. On a regular day, OLX processes 2 million requests and rejects around 13,000. On the second occurrence, and still while collecting data, the company processed 2.1 million requests and rejected 250,000 false requests. By blocking traffic, OLX frees up its infrastructure for legitimate user requests and saves costs because bots are no longer using up its infrastructure.
OLX’s hCIAM is OAuth 2.0 and OIDC compliant. The web software-as-a-service solution powers its classifieds platforms. Architecturally, the backend service works alongside Amazon Cognito. Requests are largely served by AWS Lambda, a compute service that runs code without servers or clusters. The frontend service is a Next.js single-page application, which encapsulates all login and registration capabilities. The frontend service runs on top of AWS Fargate, which provides serverless compute for containers, and on Amazon Elastic Container Service (Amazon ECS), a fully managed container orchestration service that helps OLX more efficiently deploy, manage, and scale containerized applications. The company also protects its domain using AWS WAF and benefits from the AWS shared responsibility model. On top of those services, OLX uses AWS Shield—which maximizes application availability and responsiveness with managed DDoS protection.
In particular, AWS Shield Advanced provides additional detection and mitigation against large and sophisticated DDoS attacks, near real-time visibility into attacks, and integration with AWS WAF. “For our security team, AWS Shield Advanced is quite important to defend our systems from different types of malicious acts,” says Tomasz Gramza. Using the automated security solution, the OLX team only needs to inspect traffic and tweak security rules. Thus, the team has more peace of mind and more time to work on other business priorities, such as user features.
OLX successfully strengthened its intelligent threat mitigation capabilities using AWS Shield Advanced features, which operate seamlessly for its users, even during malicious bot activity. “Our solution works in the background, unlike the CAPTCHA puzzles that force users to interact before logging in or registering an account,” says Aquilino Viveiros, staff software engineer at OLX. “It’s non-intrusive, so the user isn’t affected.”
Outcome | Continuing to Improve Security Using AWS WAF
As OLX fine-tunes its security solution, it will continue to seek ways to innovate on AWS. The company’s next steps for AWS WAF include looking into support for transport layer security and protecting more endpoints using intelligent threat mitigation. “Going forward, as AWS WAF continues to evolve, we will continue finding ways to make it harder for bots and malicious actors to succeed,” says Aquilino Viveiros.