Tripadvisor’s TheFork Blocks Scraping on Its Site & App
No more web scraping.
No more account takeover attempts.
100% of infrastructure available for legitimate traffic.
TheFork, a Tripadvisor company, is the leading online restaurant booking platform in Europe, Australia and Latin America, with a network of more than 60,000 restaurants worldwide and more than 21 million visits per month. The platform operates under different brands in France, Switzerland, Spain, Italy, Belgium, Portugal, Brazil, Sweden, Australia, Denmark and the Netherlands, as well as in Latin America.
Through the TheFork website and application, as well as through Tripadvisor, users can easily select a restaurant based on preference criteria, consult user reviews, check availability in real time, and instantly book online.
As for restaurants, TheFork provides them with a software solution, TheFork Manager, that allows restaurant owners to optimize reservation management, streamline operations, and ultimately improve service and revenue.
We are the European reference platform for restaurants and for individuals looking for a restaurant. Therefore, it is essential that our resources are available only for our users and not for malicious activities.
Damien Gilloz, Linux and DevOps System Engineer, TheFork
The Problem: Unwanted resource use.
TheFork’s website offers its users two types of content: public content (restaurant opening hours, menus, etc.) and value-added content such as user reviews and table availability at each listed restaurant. It was first and foremost this high value-added content that was targeted by scraper bots: bots that steal online data either for competitive purposes or for resale.
TheFork also experienced credential stuffing attempts. “Although they never managed to get through our security barriers, we regularly noticed that hackers came to our site to test email addresses and see if they were associated with existing accounts. If they had managed to enter, it would have allowed them to complement their databases and then resell them with consolidated data,” says Damien Gilloz, Linux and DevOps System Engineer at TheFork.
The combination of these two sources of malicious traffic led to unpredictable traffic peaks, which could culminate in service interruptions for the site and the mobile application. The unwanted and sometimes malicious requests overloaded TheFork’s servers, driving up hosting and maintenance costs.
“We have natural traffic peaks at certain times of the year, such as Valentine’s Day, that can lead to additional hosting costs,” says Damien Gilloz. “Our teams know how to anticipate, manage and cushion these peaks. But when it comes to scraper bots or impersonators, we were paying for traffic that had no added value and was utterly useless for our customers.”
At the time, before the DataDome solution was implemented, the IT teams were manually blocking unwanted IP addresses, a long and tedious process that required constant traffic monitoring.
The Solution: DataDome identifies & filters all automated traffic on first request.
The DataDome solution was deployed when Damien Gilloz joined the company. “The team at TheFork was aware that they had a traffic problem, but they didn’t necessarily know that it was related to bots. In parallel with my arrival, one of our partners recommended DataDome. As it happens, I was already familiar with the solution, so all we had to do was agree on the conditions,” he explains.
The DataDome installation phase was entirely managed by TheFork’s internal teams, whose highly skilled system engineers are well versed in the architecture of their applications.
The DataDome solution was very quick and easy to install. The DataDome on-boarding team were very reactive and always ready to answer our questions, but for the most part we were able to manage it internally.
Damien Gilloz, Linux and DevOps System Engineer
Today, the TheFork teams primarily use the Custom Rules function, which allows them to create rules that are specific to their traffic.
“We decided to block all bots identified as ‘bad bots’ by default. This first filter allows us to guarantee quality traffic. Next, we worked with all our partners to ensure that they use a specific user agent, allowing us to allow-list them and guarantee them full access to the site. These Custom Rules are quick to implement, but require preparatory work with our partners to make sure they are using the right user agent.”
Today, the IT team is in charge of the operational management of the solution. TheFork has also chosen to grant access to the DataDome dashboard for its Tech Partners and Analytics team. They can consult the dashboard data and alert IT teams in real time when a new partnership is signed, or in the case of Analytics teams, get better insights into the site’s traffic.
The Results: 100% of resources available for legitimate traffic.
After several months of use, the results are unequivocal: credential stuffing attempts are blocked in real time by DataDome’s artificial intelligence, with no intervention from the technical teams. Scraping has been eliminated, and TheFork’s server resources are 100% available for legitimate site traffic.
“Our visitor numbers are constantly growing, so it’s difficult to indicate precise figures. However, thanks to the installation of DataDome, we have noticed that we no longer have peak bandwidth consumption at times which are inconsistent with human usage patterns. We are certain that we are focusing 100% of our efforts on our users, whether they are consumers or professionals,” concludes Damien Gilloz.