Bot Attacks Are Bypassing Your WAF
2023 was the year of AI going mainstream—for humans with ChatGPT, and for bad bots and fraudsters. But there’s no need to worry if you have a WAF in place, right? Unfortunately, not quite. As bots continue to increase in numbers and sophistication (including their ability to mimic human behavior using AI), rules-based security tools like WAFs are antiquated and ineffective against most types of bot attacks.
A WAF, or web application firewall, is a security tool designed to detect and filter malicious traffic using a set of binary rules. Although yesterday’s bots and known threats may be bound by the rules designated in your WAF, attackers now have easy access to sophisticated bots that can shape-shift to slither past static rules-based security tools. For e-commerce sites and other online businesses, protection against dynamically evolving bots requires constant vigilance and instantly scalable security.
Read on to understand why and how WAFs are no longer a match for bots, including:
- How WAFs Work
- How Bots Have Outgrown WAFs
- Why WAFs Are No Match for Advanced Bots
- 5 Attacks That Leverage Advanced Bots
- How You Can Detect Advanced Bad Bots
- Protection Measures You Can Take Against Advanced Bot Attacks
How WAFs Work
Designed to protect web applications from attacks trying to exploit common software vulnerabilities, WAFs analyze incoming traffic (both GET and POST-based HTTP requests) and apply a set of predefined rules (or “policies”) to filter out suspicious traffic with familiar attack signatures.
WAFs are often deployed through a reverse proxy or load balancer and can be cloud-based, host-based, or network-based. They are typically IP-centric.
WAFs can be useful for blocking known threats and attacks from user agents classified as undesirable. Common attacks (like the ones in the OWASP Top 10) mitigated by WAFs include:
- Cross-Site Scripting (XSS): Attackers inject and execute malicious scripts in another user’s browser.
- Structured Query Language (SQL) Injection: Attackers access and potentially change sensitive data located in SQL databases.
- Web Session Hijacking: Attackers hijack a session ID (normally stored within a cookie or URL) and masquerade as an authorized user.
The WAF did a pretty good job of identifying bots, but it has to analyze traffic while it’s happening before it can block anything. It takes a few minutes for it to kick in, so we were still having this situation where multiple times per week, we’d be down for 5 minutes.
Will Brown, President of eTool Developers
How Bots Have Outgrown WAFs
Bots have been improving in their ability to sneak past your WAF in more ways than one, thanks to increases in both the quality (ability to appear human/pass security checks) and quantity (availability of bots as a service and distribution of proxies) of resources used by attackers. Before digging into the sophisticated quality of today’s malicious bots, let’s first address the increasing quantity of bad bots and automated attacks.
The numbers say it all:
- More than 47% of online traffic today is made up of bots. This surge in automated traffic has significantly contributed to the rise in bot fraud, affecting sectors from e-commerce to financial services.
- Roughly 40% of bots target mobile apps. (Bots still target all endpoints.)
- Between 2019 and 2021, account takeover (ATO) attacks (which are most often executed using bots) increased 307%!
- The global bot services market is projected to grow from $1.6 billion in 2022 to $6.7 billion by 2027, at a compound annual growth rate (CAGR) of 33.2%.
Bots as a service (BaaS) are making high-quality, sophisticated bots easier and cheaper by the second for fraudsters to access.
What makes the bots more sophisticated?
Bot developers are making bots more advanced by the second with techniques that include:
- Human-Like Behavior: Mimicking mouse movements, typing speed, etc.
- Distributed Attacks: Bots leverage proxies to access millions of IP addresses.
- High-Quality IPs: Residential proxies help keep bots anonymous and unblocked.
- Forged Fingerprints & CAPTCHAs: Bots use headless browsers and tools like Puppeteer Extra Stealth and CAPTCHA farms to bypass security.
- AI-Based Upgrades: AI tools give bot developers easy ways to increase the sophistication of bad bots, leading to attacks that are larger, faster, and harder to mitigate.
Unfortunately, the list doesn’t end here. New techniques are developed to enhance bots every day, and cybercriminals are always eager to implement them for personal gain.
We had been under attack for months … causing performance issues and outages, and driving up our infrastructure costs. We were also spending a lot of time trying to block it with our WAF, only to find that the attackers changed tactics or that we were blocking legitimate traffic.
Mathew Samuel, VP of Technology at Ladders, Inc.
During Ladders, Inc.’s free trial period with DataDome, they were able to stop an ongoing bot attack with the AWS WAF after spotting the threat in their DataDome dashboard. Even though our free trial runs in monitoring mode—not blocking or interacting with traffic, but analyzing and classifying all incoming requests—Ladders saw proof of DataDome’s advanced detection engine in action.
Even if we had all the necessary engineers, we’d never get a global perspective on what bad actors are up to. DataDome can see what’s happening elsewhere and proactively apply the right measures to us.
Why WAFs Are No Match for Advanced Bots
WAFs analyze incoming GET and POST-based HTTP requests and apply predefined rules to filter out suspicious traffic with familiar attack signatures. But many bots do not carry attack signatures or target software vulnerabilities.
Also, WAFs are IP-centric in a world where botnets, IoT deployments, and IPv6 allow malicious bot operators to easily rotate through hundreds, thousands, or even millions of different IPs to work around WAF filters.
Therefore, a WAF is ineffective against various types of attacks using advanced bots. And there is no way to scale security operations to handle these distributed bot attacks with new rules set manually.
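The rules-based filtering described under How WAFs Work, and the two blind spots named above (requests that carry no attack signature, and bot traffic rotated across many source IPs), as an added Python illustration that is not part of the original article and is not DataDome's or any WAF vendor's code. The signature patterns, the user-agent denylist, the limit of 20 requests per IP, and every request in the batch are constructed assumptions.

```python
"""Toy rules-based WAF for illustration (added example; not DataDome's or any
vendor's code). It models the mechanisms the article attributes to WAFs:
static attack signatures matched against request content, a user-agent
denylist, and an IP-centric rate limit. All requests are constructed data."""
import re
from collections import Counter, defaultdict
from urllib.parse import parse_qs, unquote

# Hypothetical signature set covering the classic payload shapes named above.
SIGNATURES = {
    "sqli": re.compile(r"(?i)(\bunion\b.+\bselect\b|'\s*or\s+'?\d+'?\s*=\s*'?\d+)"),
    "xss": re.compile(r"(?i)(<script\b|javascript:|\bonerror\s*=)"),
    "path_traversal": re.compile(r"(\.\./){2,}"),
}
# Tools whose default user agent an operator might classify as undesirable.
BAD_AGENT_PREFIXES = ("python-requests/", "curl/")
IP_RATE_LIMIT = 20  # max allowed requests per source IP in the batch (arbitrary)


def inspect(request):
    """Static checks only: returns (verdict, reason) for one request."""
    if request.get("ua", "").startswith(BAD_AGENT_PREFIXES):
        return "block", "user-agent"
    fields = [unquote(request.get("path", ""))]
    for raw in (request.get("query", ""), request.get("body", "")):
        for values in parse_qs(raw, keep_blank_values=True).values():
            fields.extend(values)  # parse_qs already percent-decodes
    for name, pattern in SIGNATURES.items():
        if any(pattern.search(f) for f in fields):
            return "block", f"signature:{name}"
    return "allow", "no signature"


def run_waf(requests):
    """Apply signatures, then the per-IP limit, over a batch of requests."""
    seen = defaultdict(int)
    results = []
    for r in requests:
        verdict, reason = inspect(r)
        if verdict == "allow":
            seen[r["ip"]] += 1
            if seen[r["ip"]] > IP_RATE_LIMIT:
                verdict, reason = "block", "ip rate limit"
        results.append((verdict, reason))
    return results


def summarize(results):
    """Count verdict reasons, e.g. {'no signature': 70, 'ip rate limit': 10, ...}."""
    return Counter(reason for _, reason in results)


def login(ip, i, ua="Mozilla/5.0 (constructed)"):
    """A well-formed login POST: nothing in it resembles an attack signature."""
    return {"ip": ip, "method": "POST", "path": "/login", "query": "",
            "body": f"user=user{i}&pass=secret{i}", "ua": ua}


def sample_traffic():
    """Constructed batch: two payload requests, one scripted client, a burst of
    well-formed logins from one IP, then the same burst spread over 50 IPs."""
    batch = [
        {"ip": "203.0.113.7", "method": "GET", "path": "/search",
         "query": "q=%27+OR+%271%27%3D%271", "body": "", "ua": "Mozilla/5.0 (constructed)"},
        {"ip": "203.0.113.8", "method": "GET", "path": "/",
         "query": "name=%3Cscript%3Ealert(1)%3C%2Fscript%3E", "body": "",
         "ua": "Mozilla/5.0 (constructed)"},
        login("203.0.113.9", 0, ua="python-requests/2.31"),
    ]
    batch += [login("203.0.113.10", i) for i in range(30)]       # single-IP burst
    batch += [login(f"198.51.100.{i}", i) for i in range(50)]     # distributed
    return batch


if __name__ == "__main__":
    for reason, n in summarize(run_waf(sample_traffic())).items():
        print(f"{n:3d}  {reason}")
```

Running it prints the tally: the two payload requests and the scripted client are stopped by static rules, the 30-request burst from a single address loses its last 10 requests to the rate limit, and the 50 equally well-formed logins spread over 50 addresses all pass as "no signature". That is the gap the article describes: a valid login POST matches no signature, and an IP-centric counter never sees a second request from the same source.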
5 Attacks That Leverage Advanced Bots
Below are just some of the many attack types known to be associated with advanced bots.
- Ad Fraud/Click Fraud: Bots falsify the number of times an online advertisement is clicked on or displayed.
- Account Takeover (ATO): Bots help criminals gain access to a person’s online account (through attacks like credential stuffing).
- Credential Cracking: Bots use brute force, testing vast numbers of different values for usernames and passwords, in an attempt to guess usable login credentials.
- Credential Stuffing: Bots attempt to access user accounts using stolen or leaked username and password pairs.
- Scraping: Bots collect data from your website, often for malicious purposes like content reselling and price undercutting.
How You Can Detect Advanced Bad Bots
Bot detection is the first step in preventing the most severe security threats in today’s online world. And when it comes to cybersecurity and malicious bot activity—seconds matter.
How quickly you can identify bad bot traffic determines how effectively you can defend against fraud, ATO, DDoS, and any other type of attack. Besides having an efficient bot and online fraud protection solution, below are some measures you can take to detect advanced bad bot activity on your websites, apps, and APIs.
Bot Traffic Red Flags to Look for
These indicators signal that something bad is happening on your site:
- Abnormally High Pageviews: Certain bot attacks try to overwhelm your servers. Whether it’s a DDoS attack or a large number of scrapers, you will see a sudden, inexplicable pageview spike in your analytics software.
- Abnormally High Bounce Rate: Once a malicious bot either achieves its goal or realizes it cannot achieve its goal, it will leave immediately. With bots operating in milliseconds instead of seconds, you might see an abnormally high, fast bounce rate.
- Abnormal Session Durations: Sessions in the range of milliseconds are suspicious, and the same goes for abnormally long sessions. Humans tend to stay for at least a few seconds, but don’t often stay on one page for more than a few minutes. Keep an eye out for session duration outliers in your analytics software.
- Spikes in Traffic From Unknown Locations: Requests coming from countries that don’t make sense for your business are often bot requests. For example, if your business doesn’t operate in Vietnam, but you suddenly receive an influx of requests from Vietnam, there’s a good chance it’s a bot attack.
- Junk Conversions: Are you receiving contact form submissions that make no sense? Do certain users constantly place items in their shopping carts without buying them? Does your free newsletter suddenly have a large number of bouncebacks? All these are junk conversions that indicate bot behavior.
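The traffic red flags above (pageview spike, millisecond-scale sessions, fast bounces, and traffic from an unexpected country) turned into checks over analytics session records, as an added Python example that is not part of the original article. The session records, the one-minute window, the expected-country set and every threshold are constructed assumptions; junk-conversion detection depends on your own form and checkout data and is not modelled here.

```python
"""Bot-traffic red-flag checks over constructed analytics sessions (added example,
not part of the article). Thresholds are illustrative assumptions, not measured
values; tune them against your own baseline."""
from collections import Counter
from statistics import median

MIN_HUMAN_SESSION_S = 2.0        # shorter than this is millisecond-scale traffic
MAX_HUMAN_SESSION_S = 30 * 60    # longer than this on one visit is also odd
SPIKE_FACTOR = 5.0               # latest window vs. median of earlier windows
FAST_BOUNCE_ALERT = 0.5          # share of single-page, sub-2s sessions
GEO_SHARE_ALERT = 0.3            # share of traffic from a country you don't serve
EXPECTED_COUNTRIES = {"US", "CA", "GB"}  # assumed markets for the sample site
WINDOW_S = 60


def window_of(session):
    return int(session["start"] // WINDOW_S)


def split_latest(sessions):
    """Partition sessions into (history, latest window, window index)."""
    current = max(window_of(s) for s in sessions)
    latest = [s for s in sessions if window_of(s) == current]
    history = [s for s in sessions if window_of(s) != current]
    return history, latest, current


def pageview_spike(history, latest):
    """Compare pageviews in the latest window with the median of earlier windows."""
    per_window = Counter()
    for s in history:
        per_window[window_of(s)] += s["pageviews"]
    if not per_window:
        return None
    baseline = median(per_window.values())
    current = sum(s["pageviews"] for s in latest)
    if current > SPIKE_FACTOR * max(baseline, 1):
        return {"pageviews": current, "baseline": baseline}
    return None


def duration(s):
    return s["end"] - s["start"]


def duration_outliers(sessions):
    """Session ids outside the human range (too short or too long)."""
    return [s["id"] for s in sessions
            if not MIN_HUMAN_SESSION_S <= duration(s) <= MAX_HUMAN_SESSION_S]


def fast_bounce_rate(sessions):
    """Share of sessions that view one page and leave within MIN_HUMAN_SESSION_S."""
    bounces = sum(1 for s in sessions
                  if s["pageviews"] == 1 and duration(s) < MIN_HUMAN_SESSION_S)
    return bounces / len(sessions) if sessions else 0.0


def unexpected_geo(sessions):
    """Countries outside EXPECTED_COUNTRIES that exceed GEO_SHARE_ALERT of traffic."""
    counts = Counter(s["country"] for s in sessions)
    total = len(sessions)
    return {c: n / total for c, n in counts.items()
            if c not in EXPECTED_COUNTRIES and n / total >= GEO_SHARE_ALERT}


def red_flags(sessions):
    """Evaluate the traffic red flags for the latest one-minute window."""
    history, latest, current = split_latest(sessions)
    return {
        "window": current,
        "pageview_spike": pageview_spike(history, latest),
        "duration_outliers": len(duration_outliers(latest)),
        "fast_bounce_rate": fast_bounce_rate(latest),
        "unexpected_geo": unexpected_geo(latest),
    }


def sample_sessions():
    """Constructed data: five minutes of ordinary visits, then one minute in which
    40 automated sessions from one unexpected country arrive at 0.5 s intervals."""
    sessions = []
    for minute in range(5):
        for k in range(4):
            start = minute * 60 + k * 10
            sessions.append({"id": f"h{minute}{k}", "start": start, "end": start + 45.0,
                             "pageviews": 3, "country": "US" if k % 2 else "CA"})
    for k in range(40):
        start = 300 + k * 0.5
        sessions.append({"id": f"b{k}", "start": start, "end": start + 0.2,
                         "pageviews": 1 if k % 2 == 0 else 5, "country": "VN"})
    return sessions


if __name__ == "__main__":
    print(red_flags(sample_sessions()))
```

On the sample data the latest minute carries 120 pageviews against a baseline of 12, all 40 sessions are shorter than two seconds, half of them are single-page bounces, and every one comes from a country outside the expected set. Any one of these alone can have an innocent cause; several firing in the same window is the pattern worth investigating.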
In an ideal world, you (or more likely, your bot management solution) would always see and stop bot traffic on your site before fraud occurs. However, if your platform deals with online payments of any kind, you should understand which red flags indicate payment fraud, and keep your eyes peeled.
Online Payment Fraud Red Flags to Look for
For e-commerce enterprises especially, here are some of the most common signs of online payment fraud to look for:
- Multiple Orders From Multiple Credit Cards: When an account (or different accounts with similar signatures, like the same IP address) makes multiple purchases with multiple credit cards, it’s a clear red flag for fraud, especially card testing fraud.
- Data Inconsistencies: Look for any inconsistencies, such as a mismatched city and zip code. One example could be if a shopper with a Singaporean IP address makes a purchase on a credit card with a US billing address.
- Unusual Purchasing Behaviors: If the credit card owner has shopped your site before, you can check their purchase history for suspicious activity. For example, if the account suddenly makes an order far larger than what the customer typically spends.
- Unusual Location: For return customers, you can check for activity from different or unusual locations. If the customer typically purchases from an IP address in Japan, but suddenly makes a purchase from an IP address in Angola, it’s possible they are simply on vacation, but better safe than sorry.
- Multiple Orders From Unusual Locations: If you’ve never received any order from Indonesia, but suddenly you receive 10+ orders from Indonesia, it’s worth looking into further.
- Multiple Shipping Addresses: When a shopper requests to ship goods to an address other than the card’s billing address, you should be reasonably suspicious. For example, if a buyer makes multiple purchases using one credit card and billing address, but ships the products to multiple different addresses.
- Declined Transactions: While legitimate shoppers may occasionally forget their PIN or use up a card’s limit, if an account makes more than five attempts without getting the credit card credentials right (number, expiry date, name, CVV), you should be suspicious.
- Fast, Back-to-Back Transactions: While multiple purchases back to back from a single customer may be possible, it could also be a fraudster card testing on your site.
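The payment-fraud red flags above expressed as checks over order records, as an added Python example that is not part of the original article and is not any vendor's fraud logic. The order records, the purchase history, and all thresholds except the article's "more than five attempts" rule are constructed assumptions.

```python
"""Payment-fraud red-flag checks over constructed order records (added example,
not part of the article and not any vendor's logic). Thresholds are
illustrative assumptions; the 'more than five' decline rule follows the text."""
from collections import Counter, defaultdict
from statistics import median

MAX_CARDS_PER_ACCOUNT = 2     # distinct cards before an account looks like card testing
MAX_DECLINES = 5              # the article's "more than five attempts"
MAX_SHIP_ADDRESSES = 2        # distinct ship-to addresses per card + billing address
BURST_WINDOW_S = 60           # back-to-back transactions window
BURST_COUNT = 3               # attempts inside that window worth flagging
AMOUNT_SPIKE_FACTOR = 5.0     # order value vs. the customer's median past order


def cards_per_account(orders):
    """Accounts paying with more distinct cards than MAX_CARDS_PER_ACCOUNT."""
    cards = defaultdict(set)
    for o in orders:
        cards[o["account"]].add(o["card"])
    return {a: len(c) for a, c in cards.items() if len(c) > MAX_CARDS_PER_ACCOUNT}


def geo_mismatches(orders):
    """Orders whose IP geolocation disagrees with the card's billing country."""
    return [o["id"] for o in orders if o["ip_country"] != o["billing_country"]]


def decline_streaks(orders):
    """Accounts with more than MAX_DECLINES declined attempts."""
    declines = Counter(o["account"] for o in orders if o["status"] == "declined")
    return {a: n for a, n in declines.items() if n > MAX_DECLINES}


def shipping_fanout(orders):
    """One card and billing address shipping approved orders to many addresses."""
    ships = defaultdict(set)
    for o in orders:
        if o["status"] == "approved":
            ships[(o["card"], o["billing_country"])].add(o["ship_to"])
    return {k: len(v) for k, v in ships.items() if len(v) > MAX_SHIP_ADDRESSES}


def rapid_bursts(orders):
    """Largest number of attempts any account made inside BURST_WINDOW_S."""
    by_account = defaultdict(list)
    for o in orders:
        by_account[o["account"]].append(o["ts"])
    flagged = {}
    for account, ts in by_account.items():
        ts.sort()
        best, j = 0, 0
        for i in range(len(ts)):            # sliding window over sorted timestamps
            while ts[i] - ts[j] > BURST_WINDOW_S:
                j += 1
            best = max(best, i - j + 1)
        if best >= BURST_COUNT:
            flagged[account] = best
    return flagged


def amount_spikes(orders, history):
    """Orders far above what a returning customer usually spends."""
    return [o["id"] for o in orders
            if history.get(o["account"])
            and o["amount"] > AMOUNT_SPIKE_FACTOR * median(history[o["account"]])]


def fraud_red_flags(orders, history):
    return {
        "cards_per_account": cards_per_account(orders),
        "geo_mismatches": geo_mismatches(orders),
        "decline_streaks": decline_streaks(orders),
        "shipping_fanout": shipping_fanout(orders),
        "rapid_bursts": rapid_bursts(orders),
        "amount_spikes": amount_spikes(orders, history),
    }


def order(i, account, card, ip_c, bill_c, ship_to, amount, ts, status):
    return {"id": f"o{i}", "account": account, "card": card, "ip_country": ip_c,
            "billing_country": bill_c, "ship_to": ship_to, "amount": amount,
            "ts": ts, "status": status}


SAMPLE_HISTORY = {"acct-regular": [40.0, 55.0, 48.0]}   # past order values, constructed


def sample_orders():
    """Constructed batch: a returning customer with one oversized order, an account
    cycling seven cards with six declines in a minute from a mismatched
    location, and one card shipping approved orders to three addresses."""
    orders = [
        order(1, "acct-regular", "card-A", "JP", "JP", "Tokyo-1", 52.0, 1000, "approved"),
        order(2, "acct-regular", "card-A", "JP", "JP", "Tokyo-1", 600.0, 5000, "approved"),
    ]
    for k in range(7):
        status = "approved" if k == 6 else "declined"
        orders.append(order(10 + k, "acct-tester", f"card-T{k}", "SG", "US",
                            "Drop-1", 9.99, 2000 + 10 * k, status))
    for k, addr in enumerate(["Addr-1", "Addr-2", "Addr-3"]):
        orders.append(order(20 + k, "acct-mule", "card-M", "US", "US", addr,
                            120.0, 9000 + 500 * k, "approved"))
    return orders


if __name__ == "__main__":
    for flag, hits in fraud_red_flags(sample_orders(), SAMPLE_HISTORY).items():
        print(f"{flag:18s} {hits}")
```

Each check is deliberately independent so that a review queue can show which flags fired together: in the sample the card-cycling account trips four of them at once (many cards, six declines, seven attempts inside a minute, and a billing country that disagrees with its IP), while the returning customer's oversized order trips only the amount check, which on its own is the "possibly on vacation" case the article says to treat with caution rather than an automatic block.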
Protection Measures You Can Take Against Advanced Bot Attacks
Audit Your Platform Security Regularly
Cybercrime happens when fraudsters, attackers, and bots find flaws in your system before you do. Identifying your vulnerabilities before attackers know about them will keep you one step ahead.
Security audits can be rather complex, but here are some important elements you should assess regularly:
- Updates: Make sure everything is up to date at all times. Ideally, everyone should install updates as soon as they are available, especially if it’s a security fix.
- SSL Certificate (HTTPS): If you haven’t implemented HTTPS, you should right away, and regularly check that your SSL certificate is valid and renewed before it expires.
- End-to-End Encryption: Ensure all data transmissions and communications between your business and your customers feature end-to-end encryption.
- Maintain Compliance: If your site or app processes payments (e.g. e-commerce), make sure it stays PCI-DSS compliant.
- Regular Backups: Make sure your data is backed up regularly.
- Regular Scanning: Scan your website regularly for malware with appropriate antivirus/anti-malware solutions.
- Monitor Malicious Activity: Track the activities of malicious bots and block them right away to prevent account takeover attempts and other bot-related threats.
Implement an Adequate Fraud Detection Solution
To really protect your website, mobile app, and/or APIs from sophisticated bot attacks and online fraud, you should implement a robust fraud detection solution that will identify red flags on autopilot and block suspicious activity, effectively preventing the damage from happening.
For example, DataDome’s advanced bot and fraud detection software rapidly identifies unusual visitor behavior on your platform that shows any sign of automated and/or malicious activity. DataDome automatically blocks the source before attacks unfold to effectively prevent fraud without negatively impacting the customer experience.
DataDome’s bot detection engine leverages artificial intelligence (AI) and machine learning (ML) to analyze billions of daily events (5 trillion signals per day) and continuously update the protection across all customers, so the solution can effectively detect and prevent brand new bot and fraud tactics in real time.
The Most Effective Bot, Fraud, & Threat Protection
Bot detection and identification are very complex tasks. WAFs provide solid protection against known attack vectors you’ve already created rules for. But bots aren’t sticking to the same attack styles—they’re evolving. Effective bot management requires a much more granular analysis than a WAF can provide to detect bots based on their respective behavior and intentions. Bot requests can now be massively distributed, and bot developers are increasingly savvy and continuously evolving, deliberately designing their bots to bypass standard WAFs. Even WAFs with basic bot protection added cannot keep up against the increasing sophistication of bots.
The solution? With real-time event tracking and behavioral detection, DataDome protects your websites, APIs, and mobile apps from the most sophisticated bots. It is the only bot and online fraud protection solution delivered as a service.
Compatible with any web infrastructure, DataDome mostly works on autopilot. The AI-powered bot detection engine identifies, classifies, and blocks all automated threats in real time. You’ll receive a notification whenever your site is under attack, but you don’t have to do anything.
Our expert threat researchers and data scientists proactively monitor and mitigate your automated traffic to ensure optimal security and performance at all times. The SOC team is available to investigate any suspicious activity, or analyze mitigated attacks, 24/7.
Ready to finally put an end to bots bypassing your WAF? Start your free trial or contact us to request a demo.