How to Keep Bots Away From Your Website
Growing Threat of Bots
From speakers to TVs, fridges to cars, more and more devices are built with internet connectivity. The growing prevalence of such IoT (Internet-of-Things) devices has made our lives easier. Yet, many IoT devices lack security measures, making them easy targets for hackers.
What does IoT security have to do with bots? Often, hackers are not interested in stealing data from these devices; instead, they hijack them and use them as bots. A botnet is formed when hackers gain control of a number of computers and smart devices.
A botnet is a powerful weapon that can be used for exploiting application vulnerabilities, credential stuffing, and launching DDoS (distributed denial-of-service) attacks.
Due to this increased connectivity, hackers today are able to create botnets that are larger than ever. In the 1990s, a typical DDoS attack contained a little more than a hundred requests per second, while attacks today involve more than 7,000 requests per second.
Types of Bots
Today, it is believed that more than half of all website traffic is bot traffic. Nevertheless, not all bots are malicious. Many are benign and are used for driving website traffic (e.g. Googlebot) or for website analytics.
Many other bots, however, are malicious and come from compromised hosts. Some of them are used by firms to track the activities and pricing information of competitors in order to gain a competitive advantage. These bots do not harm a website’s functionality, but they can interfere with website analytics and generate click fraud.
More destructive botnets are used for credential stuffing and DDoS attacks, severely disrupting the normal functions of a website by flooding the web applications, and could sometimes bring down the website altogether.
Measures to Keep Bad Bots Away From Your Website
1. Watch for signs of bad bots
More often than not, website managers won’t even notice that their website is targeted by bad bots. It is important to watch for the following signs of abnormalities.
A sudden spike in pageviews. If a sudden spike in pageviews occurs for no particular reason, these views are likely from malicious bots clicking through the website.
A sudden spike in bounce rate. When a high number of clicks enter a particular web page and leave the website before clicking on anything, it is likely that the page is targeted by bots.
A sudden change in session duration. If an increased duration of stay on the website is observed, it is possible that bots are crawling the website at a slow pace. Similarly, if extremely low session duration is observed, it could be because bots are clicking through the website.
A sudden spike in traffic from a specific location. If an increased number of clicks come from an unexpected location, botnets from that location are likely deployed to target the website.
2. Filter bot traffic from Google Analytics
If accurate website analytics is the only concern, Google Analytics can be configured to exclude all hits from known bots, and additional IP addresses can be added to its exclusion list. However, this measure only identifies a portion of the known bots. Moreover, configuring Google Analytics only keeps the analytics accurate; it does not stop the bots from clicking through the website.
3. Add a CAPTCHA to web forms
CAPTCHAs can be put in place on the login pages and web forms to prevent credential stuffing and fake requests. Most CAPTCHAs would ask the user to perform a simple task such as identifying a number or object from an image, which would filter out most bots. However, CAPTCHAs are not as effective when it comes to advanced and sophisticated bots. Another downside is that they result in an extra layer of inconvenience for website users.
4. Block hosting providers and proxy services
Even though advanced threat actors can hijack residential IP addresses, many attackers tend to use common hosting services. Hence, filtering traffic from certain data centers can effectively mitigate the risk of bots.
5. Monitor failed login attempts
When botnets are deployed for credential stuffing attacks, an increased number of failed login attempts will be observed. This is why it is important to monitor suspicious login attempts and set up automated alerts for them. To effectively prevent credential stuffing, it is recommended to adopt a multi-factor authentication (MFA) framework that combines a mix of security questions, one-time passwords, and even biometric authentication. To learn more about how to stop credential stuffing attacks, read here: 5 Effective Ways to Prevent Credential Stuffing.
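The signals from section 1 (request spikes, bounces, abnormally short sessions) and the failed-login alerting from section 5 can both be derived from an ordinary web server access log. The following Python script is an added example, not code from the original post or from Penta Security: it parses a small constructed log in combined log format, flags per-source anomalies, computes the overall bounce rate, and raises an alert when one source produces many 401 responses to POST /login within a sliding one-minute window. The IP addresses, timestamps, log layout, login path and all thresholds are assumptions chosen for the demo; the geographic signal from section 1 is not covered because it needs an IP-to-location database.

```python
"""Added example (not from the original post): scan a constructed access log
for bot signals (per-source spikes, bounces, short sessions) and for bursts of
failed logins. Log format, thresholds and addresses are demo assumptions."""
import re
from collections import defaultdict
from datetime import datetime

# Combined log format, e.g.:
# 203.0.113.7 - - [10/Oct/2023:13:55:36 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Constructed sample: one human visitor, one fast crawler, one bounce,
# and one source hammering the login form (6 failures, then a success).
SAMPLE_LOG = """\
198.51.100.20 - - [10/Oct/2023:13:55:00 +0000] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.20 - - [10/Oct/2023:13:56:10 +0000] "GET /pricing HTTP/1.1" 200 3100 "-" "Mozilla/5.0"
198.51.100.20 - - [10/Oct/2023:13:58:30 +0000] "GET /contact HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2023:13:55:00 +0000] "GET /index.html HTTP/1.1" 200 5120 "-" "python-requests/2.31"
203.0.113.7 - - [10/Oct/2023:13:55:00 +0000] "GET /pricing HTTP/1.1" 200 3100 "-" "python-requests/2.31"
203.0.113.7 - - [10/Oct/2023:13:55:01 +0000] "GET /contact HTTP/1.1" 200 2048 "-" "python-requests/2.31"
203.0.113.7 - - [10/Oct/2023:13:55:01 +0000] "GET /about HTTP/1.1" 200 1800 "-" "python-requests/2.31"
203.0.113.7 - - [10/Oct/2023:13:55:02 +0000] "GET /blog HTTP/1.1" 200 7000 "-" "python-requests/2.31"
203.0.113.7 - - [10/Oct/2023:13:55:02 +0000] "GET /careers HTTP/1.1" 200 1500 "-" "python-requests/2.31"
203.0.113.99 - - [10/Oct/2023:13:57:00 +0000] "GET /pricing HTTP/1.1" 200 3100 "-" "Mozilla/5.0"
192.0.2.55 - - [10/Oct/2023:14:00:00 +0000] "POST /login HTTP/1.1" 401 120 "-" "Mozilla/5.0"
192.0.2.55 - - [10/Oct/2023:14:00:08 +0000] "POST /login HTTP/1.1" 401 120 "-" "Mozilla/5.0"
192.0.2.55 - - [10/Oct/2023:14:00:15 +0000] "POST /login HTTP/1.1" 401 120 "-" "Mozilla/5.0"
192.0.2.55 - - [10/Oct/2023:14:00:22 +0000] "POST /login HTTP/1.1" 401 120 "-" "Mozilla/5.0"
192.0.2.55 - - [10/Oct/2023:14:00:31 +0000] "POST /login HTTP/1.1" 401 120 "-" "Mozilla/5.0"
192.0.2.55 - - [10/Oct/2023:14:00:40 +0000] "POST /login HTTP/1.1" 401 120 "-" "Mozilla/5.0"
192.0.2.55 - - [10/Oct/2023:14:00:52 +0000] "POST /login HTTP/1.1" 200 880 "-" "Mozilla/5.0"
"""


def parse_log(text):
    """Parse combined-format lines into dicts; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        e = m.groupdict()
        e["ts"] = datetime.strptime(e["ts"], TS_FMT)
        e["status"] = int(e["status"])
        events.append(e)
    return events


def sessions_by_ip(events):
    """Crude session model: all hits from one IP form one session, sorted by time."""
    by_ip = defaultdict(list)
    for e in events:
        by_ip[e["ip"]].append(e)
    for evs in by_ip.values():
        evs.sort(key=lambda e: e["ts"])
    return by_ip


def detect_traffic_anomalies(events, max_rps=2.0, min_session_secs=5):
    """Per-IP findings: 'bounce' (single hit), 'spike' (rate above max_rps),
    'short_session' (several hits inside less than min_session_secs)."""
    findings = {}
    for ip, evs in sessions_by_ip(events).items():
        reasons = []
        if len(evs) == 1:
            reasons.append("bounce")
        else:
            duration = (evs[-1]["ts"] - evs[0]["ts"]).total_seconds()
            rate = len(evs) / max(duration, 1.0)  # guard: all hits in one second
            if rate > max_rps:
                reasons.append(f"spike:{rate:.1f}rps")
            if duration < min_session_secs:
                reasons.append(f"short_session:{duration:.0f}s")
        if reasons:
            findings[ip] = reasons
    return findings


def bounce_rate(events):
    """Share of sessions that consist of exactly one request."""
    sessions = sessions_by_ip(events)
    if not sessions:
        return 0.0
    bounces = sum(1 for evs in sessions.values() if len(evs) == 1)
    return round(bounces / len(sessions), 2)


def detect_failed_logins(events, path="/login", threshold=5, window_secs=60):
    """Alert when one IP gets >= threshold 401s on POST <path> within window_secs
    (sliding window). Returns {ip: peak_failures_in_window}."""
    fails = defaultdict(list)
    for e in events:
        if e["method"] == "POST" and e["path"] == path and e["status"] == 401:
            fails[e["ip"]].append(e["ts"])
    alerts = {}
    for ip, times in fails.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            while (times[end] - times[start]).total_seconds() > window_secs:
                start += 1
            count = end - start + 1
            if count >= threshold:
                alerts[ip] = max(alerts.get(ip, 0), count)
    return alerts


def scan(text):
    events = parse_log(text)
    return {
        "anomalies": detect_traffic_anomalies(events),
        "bounce_rate": bounce_rate(events),
        "failed_logins": detect_failed_logins(events),
    }


if __name__ == "__main__":
    for key, value in scan(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

On the constructed sample the crawler at 203.0.113.7 is flagged for both a request spike and a two-second session, 203.0.113.99 counts as a bounce, the human visitor produces no finding, and 192.0.2.55 triggers the failed-login alert with six failures inside the window. The per-IP session model is deliberately simple; behind NAT or a CDN, the same logic should key on a session cookie or on the client address forwarded by the proxy rather than on the socket peer.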
Penta Security’s ISign+ is a single sign-on MFA solution that protects business accounts from fraudulent access, allowing for an integrated login process for all internal system accounts.
6. Invest in a bot mitigation solution
Bots might not seem like an imminent threat, but their underlying effects can be extremely harmful for an organization in the long-run, leading to a waste of IT and marketing resources, loss of customers, and even data breaches. There are many solutions available in the market to prevent bad bots from exploiting web application vulnerabilities, credential stuffing, and launching DDoS attacks. It is crucial to choose a product that effectively prevents all these threats.
Penta Security’s WAPPLES is an advanced web application firewall (WAF) equipped with a logical rule-based detection system that protects vulnerable web applications from bad bots. Through an automated DDoS tool, WAPPLES is also capable of mitigating the risk of credential stuffing, brute force attacks, and DDoS attacks.
Check out Penta Security’s product lines:
Web Application Firewall: WAPPLES
Database Encryption: D’Amo
Identity and Access Management: ISign+
Car, Energy, Factory, City Solutions: Penta IoT Security