Bots Are Big

Did you know that up to 1/3 of website visitors aren’t even human anymore? Bots are taking over the web. They can hack a site, steal sensitive data that was supposed to be secured, and drive up the cost of operating an online business, all before anyone knows they were even there.

A lot of bots do good stuff for the internet, but most of them are automated hacking machines. According to some estimates, bots account for more than 97% of web application attacks and they’re creating serious headaches for online businesses across the spectrum.


nixCraft

nixCraft is one of the largest Unix tutorial blogs, with over 250,000 followers between Twitter and Facebook. It covers Linux tips, hacks, and tutorials and is run by a guy named Vivek Gite.


According to Alexa, his blog has a traffic ranking of 3,703 in the US and a slightly higher ranking internationally. Ranking is calculated using a combination of visitors to the site and page views over the past month.


Subscriber Bots

Vivek discovered that subscriber bots accounted for hundreds of newsletter signups per day. With his site's popularity, this was costing him a great deal of money. 

Subscriber bots, in a way, commit a form of identity theft on the web; they act as if they’re legitimate humans visiting websites, but they do it with malicious intent. In extreme cases, such as a DDoS attack, bots can easily cause a site to crash completely. 


“The bots ended up increasing my bandwidth usage, driving up my email sending costs, and eating up disk space on my server. It was evident that nixCraft’s newsletter service was under attack. WAF from StackPath helped me stop the bots and the fake subscriptions. I’m very happy with it.”

- Vivek Gite

Using StackPath’s suite of WAF Rules, Vivek was able to cripple the bots’ attacks on his site at a very, very early stage in their scheme. He tweeted about how he was driving down bot attacks using StackPath SecureCDN.


Good Bots vs Bad Bots

Not all bots are bad. Google employs bots that crawl around the web scouting out the best information, and many bots help the web run smoothly, improve efficiency or provide deep analysis.

We’re concerned with the bad bots. They outnumber good bots on the web by more than two to one. These bots scan websites for vulnerabilities with the aim of hacking into a site. Once inside, bots can retrieve all sorts of supposedly secured information, from personal data to financial information and corporate secrets.

The bots attacking nixCraft, thank the heavens, weren’t seeking highly confidential corporate secrets. They were taking advantage of a very basic security flaw to make fraudulent gains and meet malicious ends. Here is exactly how nixCraft nixed the bots:

How StackPath WAF Beats the Bots

StackPath’s enterprise-grade WAF (web application firewall), included in every SecureCDN plan, gives users dozens of powerful ways to configure protection against common and more complex bot attacks. Once WAF is enabled, all sites are automatically covered with DDoS protection.

Follow these steps to find out how Vivek used WAF to stop the bots:

  1. Log in to your Dashboard. (If you don’t have an account, get one.)
  2. Click on Sites in the left navigation bar.
  3. Choose a Site and click Manage.
  4. On the Summary page, click on WAF to open the dropdown menu.
  5. Select Rules.
  6. Click + Add New Rule in the upper right hand corner and you're there!  

Now create a Rule to trigger a Captcha challenge on POST requests:

  1. Select a Rule Name. We chose “Captcha on Subscribe.”
  2. Select HTTP Method from the ‘If’ menu.
  3. Select POST from the method menu.
  4. Click the Copy this Condition to a New Line button.
  5. Select URL from the ‘And’ menu.
  6. Enter the URL path used to POST subscriptions. In this case it was “/subscribe”.
  7. Select Captcha as the action.
  8. Click Save.


Bye Bye, Bots

The rule said: if the HTTP method used to subscribe to the newsletter was POST, StackPath WAF would trigger a Captcha challenge. Only a successfully completed Captcha would result in a subscription, validating the submission as coming from a human rather than a bot.
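To make the rule’s logic concrete, here is an added Python model of the rule built in the steps above (example code, not StackPath’s): a request matches only when every condition holds, and a matching POST to /subscribe gets the Captcha action unless the client already carries a solved-challenge cookie. The cookie name and the `Request`/`Rule` structures are assumptions for the example.

```python
from dataclasses import dataclass, field

@dataclass
class Request:
    """Minimal view of an incoming HTTP request (constructed for this example)."""
    method: str
    path: str
    cookies: dict = field(default_factory=dict)

@dataclass
class Rule:
    """One WAF rule: every (field, expected) condition must hold (the 'And' in the dashboard)."""
    name: str
    conditions: list
    action: str  # "Captcha" here; a real WAF offers more actions

    def matches(self, req: Request) -> bool:
        return all(getattr(req, fld) == want for fld, want in self.conditions)

# The rule built in the steps above: HTTP method POST AND URL /subscribe -> Captcha.
RULES = [Rule("Captcha on Subscribe", [("method", "POST"), ("path", "/subscribe")], "Captcha")]

# Assumed name of the cookie a solved challenge would set; not a StackPath identifier.
CHALLENGE_COOKIE = "captcha_passed"

def decide(req: Request, rules=RULES) -> str:
    """First matching rule's action; a Captcha rule lets an already-verified client through."""
    for rule in rules:
        if rule.matches(req):
            if rule.action == "Captcha" and req.cookies.get(CHALLENGE_COOKIE) == "1":
                return "Pass"
            return rule.action
    return "Pass"  # no rule matched: the WAF does not interfere

def summarize(requests) -> dict:
    """Count verdicts over a batch of requests, e.g. one day's subscription traffic."""
    counts = {}
    for req in requests:
        verdict = decide(req)
        counts[verdict] = counts.get(verdict, 0) + 1
    return counts

if __name__ == "__main__":
    # Constructed sample traffic: a reader loading the form, a bot posting blindly,
    # a human who solved the challenge, and an unrelated POST elsewhere on the site.
    sample = [Request("GET", "/subscribe"), Request("POST", "/subscribe"),
              Request("POST", "/subscribe", {CHALLENGE_COOKIE: "1"}),
              Request("POST", "/comment")]
    print(summarize(sample))  # {'Pass': 3, 'Captcha': 1}
```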

WAF also contains behavioral and reputational algorithms that keep even the most sophisticated bots from scraping, learning, or attacking a site’s common points of compromise.

Sign up for a 15-Day Free Trial and see what StackPath can do for you.  


Every Secure Content Delivery Plan includes WAF and DDoS mitigation.
