SNCF Connect & Tech Reduces Scraping-Related Costs & Carbon Footprint With DataDome
A subsidiary of SNCF Voyageurs (the group that handles passenger railway in France and Europe), SNCF Connect & Tech aims to simplify all passenger journeys with SNCF Connect, an all-in-one travel service app and website. Since COVID-19, DataDome has helped to progressively eliminate scraping on the SNCF Connect website and app. The result? The infrastructure has been resized for human traffic, reducing costs and environmental impact without harming the user experience.
The challenge: Scrapers skew KPIs & drive up infrastructure costs
With 125 million tickets sold on SNCF Connect in the first nine months of 2022 and an average of 3 million visits every day to its website and mobile application, SNCF Connect & Tech is a French e-commerce heavyweight. However, the COVID-19 pandemic put its teams to the test.
“With various travel restrictions related to the crisis, we had unpredictable and very complex traffic flows,” explains Thomas Aligand, Lead Run Manager at SNCF Connect & Tech. “In particular, we had huge spikes in traffic when the government announced new measures, but overall, the French traveled less during this period, and there was much less human traffic on our website.”
Thomas and his team track a multitude of performance indicators to monitor the health of their information system, and in particular “look to book”: the ratio of searches to actual bookings. During the first lockdowns, look to book rose sharply compared to previous years.
“During this period, our ratio was 3 to 4 times higher than normal,” Thomas explains. “This reflected unprecedented behaviors: an enormous volume of searches, but few bookings.”
When the IT department took a closer look, they discovered that a large proportion of requests were not coming from real travelers, but from scraper bots retrieving ticket prices.
“We needed to find a way to block this traffic, which was not only skewing our performance metrics, but also represented an unnecessary burden on our infrastructure,” Thomas points out.
The solution: DataDome eliminates scrapers from the website & mobile application
Already equipped with a WAF, the team began by defining a large number of new rules—to little avail.
“It was a cat-and-mouse game, and we quickly ran into new technical constraints,” Thomas admits. “The more IPs we blocked, the more our attackers generated new IPs to continue to call us. In trying to stop the bleeding, we rather increased it. In the past, we had already tried to implement an in-house industrial solution, but it proved complex to monitor and maintain. We didn’t want to manage this ourselves anymore, and decided to turn to an external partner.”
To quickly find a more sustainable solution, the team members sought advice from their counterparts at other large e-commerce companies. It was during a discussion with a major European retailer that DataDome came up.
“We met with their team, who shared their excellent experience with DataDome,” Thomas says. “Following this exchange, we contacted DataDome to assess whether the solution could meet our needs. I was pleasantly surprised by the ease of implementation using AWS Lambda@Edge—we went from project start to go-live in just two weeks.”
SNCF used the DataDome Lambda@Edge integration to deploy in minutes on Amazon CloudFront. The solution instantly provides real-time bot protection wherever end users are without the need to provision or manage infrastructure. The protection was initially enabled only on the website, and then extended to the mobile app to block all bots.
“We added the DataDome SDK to protect the app as well,” Thomas shares. “The DataDome teams understood how important this hunt for scrapers was for us, and made themselves very available to support us.”
The results: Reduced costs & carbon footprint
The SNCF Connect & Tech teams could soon observe the benefits of DataDome’s solution.
“Since we implemented the DataDome solution, our bad bot traffic has been divided by 3 or 4,” Thomas attests. “When you implement this kind of tool, many attackers lose patience and go elsewhere. By limiting the number of requests, DataDome enables us to run a production environment that’s better sized, hence less expensive (we save about 10% on our infrastructure costs) and more sustainable.”
Another success metric for the project is a safeguarded user experience.
“The protection has no impact on our website performance, nor on the mobile app’s startup time,” he confirms.
In the rare event that real customers are classified as bad bots, they are presented with a CAPTCHA to confirm that they are human.
“We track the rate of CAPTCHAs solved, and it remains extremely low. The CAPTCHA developed by DataDome, which we use, is also proving to be very effective and intuitive, easier for real customers to solve than traditional CAPTCHAs,” says Thomas.
In conclusion, Thomas praises the excellent collaboration with DataDome.
“It’s a great team. Customer support is always available and ready to help us. Before the recent Christmas ticket sales operation, we notified DataDome’s threat research team so that they could be ready to make any necessary adjustments, but it all went very smoothly.”