{"id":17846,"date":"2024-06-14T12:13:12","date_gmt":"2024-06-14T16:13:12","guid":{"rendered":"https:\/\/www.thesslstore.com\/blog\/?p=17846"},"modified":"2024-06-28T11:28:07","modified_gmt":"2024-06-28T15:28:07","slug":"researchers-blocked-6-trillion-requests-from-bad-bots-heres-what-they-found","status":"publish","type":"post","link":"https:\/\/www.thesslstore.com\/blog\/researchers-blocked-6-trillion-requests-from-bad-bots-heres-what-they-found\/","title":{"rendered":"Researchers Blocked 6 Trillion Requests From \u2018Bad Bots.\u2019 Here\u2019s What They Found"},"content":{"rendered":"\n<h2 class=\"wp-block-heading\">Nearly half of internet traffic identified by Imperva isn\u2019t human; it\u2019s bots, and most are up to no good. Here\u2019s what they\u2019re doing and how you can identify them and fight back\u2026<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">Let\u2019s start by stating that not all bots are bad. After all, <a href=\"https:\/\/developers.google.com\/search\/docs\/crawling-indexing\/overview-google-crawlers\">Google\u2019s search engine web crawlers<\/a> make indexing your new web pages possible. But when \u201c<a href=\"https:\/\/www.thesslstore.com\/blog\/bad-bots-what-they-are-and-how-to-fight-them\/\">bad bots<\/a>\u201d engage in automated attacks against websites and\/or APIs to steal, damage, and defraud businesses and consumers, then it becomes a huge problem that must be dealt with ASAP.&nbsp;<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Just how big of an issue are these bots? <a href=\"https:\/\/www.imperva.com\/resources\/resource-library\/reports\/2024-bad-bot-report\/\">Imperva\u2019s 2024 Bad Bot Report<\/a> data, which focuses on <a href=\"https:\/\/osi-model.com\/application-layer\/\">OSI Model layer 7<\/a> (i.e., application layer) bad bot activity, shows that nearly half of the internet traffic observed via the company\u2019s global network in 2023 stemmed from automated (i.e., non-human) sources. Bad bots represented nearly one-third of that traffic.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">When we\u2019re talking about nearly 6 trillion blocked bad bot requests in that period alone, it\u2019s easy to see why they\u2019re considered a significant threat. If each bad bot request counted as a separate second, those bad bot requests would add up to more than <a href=\"https:\/\/www.grc.nasa.gov\/www\/k-12\/Numbers\/Math\/Mathematical_Thinking\/how_big_is_a_trillion.htm#:~:text=Six%20trillion%20seconds%20equals%20189%2C276%20years.\">189,000 years<\/a>!<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Knowing this, it\u2019s time to explore the threats bad bots pose to organizations globally and what you can do to stop them.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Let\u2019s hash it out.<span id=\"newline\"><\/span><\/p>\n\n\n\n<h2 class=\"wp-block-heading\">A High-Level View of These Threats: What Imperva\u2019s Data Tells Us<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">Bad bot activity is on the rise and doesn\u2019t appear to be quitting anytime soon. Imperva\u2019s data tells us that total bot activity peaked in 2014, when nearly 60% of all internet traffic was comprised of bots (36.3% good bots, 22.8% bad bots). Now, compare this with the internet activities of us lowly humans \u2014 human-based actions were at an all-time low, accounting for just 40.9% of all internet traffic that year.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Fast forward to 2019, when the combined good\/bad bot activity dipped to just over 37%. But that activity has been growing steadily since then, with bad bots having the upper hand over good ones. In 2023, bad bots (32%) and good bots (17.6%) accounted for nearly half (49.6%) of all internet traffic!<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">But what are these bad bots capable of doing?<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Primary Bad Bot Uses and Actions<\/h3>\n\n\n\n<p class=\"wp-block-paragraph\">In their 2024 Bad Bot Report, Imperva researchers identified bad bot-related activities as the following use cases (first three columns of the table below). We\u2019ve broken these down these 10 use cases into four overarching categories (right column):<\/p>\n\n\n\n<figure class=\"wp-block-table\"><table><tbody><tr><td><strong>Bad Bot Problem<\/strong><\/td><td><strong>Definition<\/strong><\/td><td><strong>Business Impacts<\/strong><\/td><td><strong>Bad Bot Action Categor<\/strong>y<\/td><\/tr><tr><td>Price Scalping<\/td><td>Using bots to track and scrape product or service pricing information<\/td><td>Sales and revenue losses, decreased conversion rates, and brand reputational damages<\/td><td>Competitive Attacks<\/td><\/tr><tr><td>Content Scraping<\/td><td>Using bots to steal content and data from other sites<\/td><td>Loss of original content, SEO ranking drops, decreased site performance, and harm to brand reputation<\/td><td>Competitive Attacks<\/td><\/tr><tr><td>Account Takeover<\/td><td>Using bots to gain access to others\u2019 accounts illegally<\/td><td>Increased support and fraud-related costs, negative publicity and reputational harm, and decreased performance<\/td><td>Account Security Compromises<\/td><\/tr><tr><td>Account Creation<\/td><td>Using bots to automate create fake accounts for misuse and fraudulent activities<\/td><td>Revenue losses, brand and reputational damages, and potentially bad decision-making due to poor data<\/td><td>Account Security Compromises<\/td><\/tr><tr><td>Credit Card Fraud<\/td><td>Using bots to brute force credit card info verification<\/td><td>Regulatory non-compliance, reputational harm, financial losses, increased support requirements, and loss of customer relationships<\/td><td>Financially Focused Attacks<\/td><\/tr><tr><td>Denial-of-Service<\/td><td>Using bots to overload legitimate sites, web apps, and services with traffic<\/td><td>Revenue losses, poor performance, customer relationship losses, and brand and reputational harm<\/td><td>Product or Service Availability Hijacking<\/td><\/tr><tr><td>Gift Card Balance Checking and Abuse<\/td><td>Using bots to get their hands on gift card balances<\/td><td>Fraud-related financial losses, increased support requirements, reputational harm, and potential customer relationship losses<\/td><td>Financially Focused Attacks<\/td><\/tr><tr><td>Denial of Inventory<\/td><td>Using bots to shopping cart \u201csquat\u201d to prevent legitimate purchases<\/td><td>Sales and revenue losses, increased shopping cart abandonment rates, decreased conversions, reputational harm, and potential loss of customer relationships<\/td><td>Product or Service Availability Hijacking<\/td><\/tr><tr><td>Scalping<\/td><td>Using bots to obtain services or goods to the detriment of legitimate customers<\/td><td>Poor user experience, downtime or performance issues, decreased average basket value (ABV), and reputational harm that could impact customer relationships<\/td><td>Product or Service Availability Hijacking<\/td><\/tr><tr><td>Seat Spinning<\/td><td>Using bots to \u201cseat squat\u201d airline tickets to keep legitimate users from buying them<\/td><td>Revenue losses and reputational damage that could impact customer relationships<\/td><td>Product or Service Availability Hijacking<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n<h2 class=\"wp-block-heading\">Bad Bots + ATO = A Never-Ending Concern for Businesses<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">Account takeover (ATO) is one of the attack methods for targeting businesses favored by bad guys. This approach often involves attackers using bots to brute-force or credential-stuff their way into an account using lists of guessed or stolen passwords. Imperva\u2019s data shows that over the past two years, ATO attacks increased 10% from 2022 to 2023.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">As far as how often these attacks occur for businesses globally, the United States is leaps and bounds ahead of other countries. It ranks #1 as far as being targeted by the highest percentage of ATO attacks (40%). What can we say? While this rank isn\u2019t something to be proud of, we\u2019re not a country that likes to be outdone in virtually any category!<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Are you wondering which industry experiences the most ATO attacks? Financial Services took the gold. But if you were to consider the industry that experienced the highest ATO malicious login ratio, then Business Services (38%) is the so-called \u201cwinner.\u201d<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"607\" src=\"https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2024\/06\/imperva-ato-bad-bot-malicious-login-ratios-shadow-1024x607.png\" alt=\"A breakdown of malicious ATO login ratios from Imperva\" class=\"wp-image-17847\" srcset=\"https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2024\/06\/imperva-ato-bad-bot-malicious-login-ratios-shadow-1024x607.png 1024w, https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2024\/06\/imperva-ato-bad-bot-malicious-login-ratios-shadow-300x178.png 300w, https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2024\/06\/imperva-ato-bad-bot-malicious-login-ratios-shadow-768x455.png 768w, https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2024\/06\/imperva-ato-bad-bot-malicious-login-ratios-shadow.png 1292w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\"><em>Data source: Imperva 2024 Bad Bot Report.<\/em><\/figcaption><\/figure>\n\n\n\n<h3 class=\"wp-block-heading\">Attackers &lt;3 Your APIs\u2026 And This Can Impact Your Reputation &amp; Bottom Line<\/h3>\n\n\n\n<p class=\"wp-block-paragraph\">Your authentication APIs are incredibly attractive targets for cybercriminals that increase your organization\u2019s attack surface. More than two in five bot-based ATO attacks targeted application programming interfaces \u2014 likely because of the juicy data they provide access to. And a huge concern regarding API attacks relates to the use of automation.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Imperva\u2019s data indicates that automation was used in 30% of the API attacks they analyzed in 2023. Automated attacks can be used for everything from brute force and credential stuffing attacks to DDoS attacks that overwhelm your API, disrupting services and impeding your legitimate customers.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">DDoS Attacks Can Take a Hefty Chunk Out of Your Bottom Line<\/h3>\n\n\n\n<p class=\"wp-block-paragraph\"><a href=\"https:\/\/www.radware.com\/multi-cloud-report-2023\/\">Data from Radware<\/a> indicates that a distributed denial of service (DDoS) attack costs an average of $6,130 per minute as of August 2023. Now, consider that <a href=\"https:\/\/www.zayo.com\/newsroom\/average-ddos-attack-cost-businesses-nearly-half-a-million-dollars-in-2023-according-to-new-zayo-data\/\">Zayo Group<\/a> estimates the average DDoS attack lasted 68 minutes in 2023. This means that the average company forked over an average of $416,840 in DDoS-related costs that otherwise could have stayed in their bank accounts.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Now, imagine if a DDoS attack on your business lasted 24 hours. Based on that per-minute estimate, it would mean $8.8+ million in potential DDoS-related costs.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Consumers Increasingly Hold Businesses Accountable For Security Issues<\/h3>\n\n\n\n<p class=\"wp-block-paragraph\">According <a href=\"https:\/\/pages.sift.com\/rs\/526-PCC-974\/images\/Sift-2023-Q3-Index-Report_ATO.pdf\">to Sift\u2019s Q3 2023 Digital Trust &amp; Safety Index data<\/a>, 73% of consumers say that businesses are accountable for credential compromises stemming from ATO attacks. What makes matters worse for those organizations is that three in four of those customers indicate they\u2019d never again do business with ATO-sullied brands.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">So, knowing all of this bad bot data\u2026 what can you do to protect your business?<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">How to Battle Bad Bots: A 2-Pronged Approach<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">Bots are automated software programs that are designed to mimic human behaviors and actions. Unlike human hackers, bots are automated systems that virtually never stop. They don\u2019t need to eat, they don\u2019t need to sleep, and they never get bored.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">However, there are things you can do to harden your organization and digital assets against automated attackers without impeding \u201cgood\u201d bots. We\u2019ll explore two primary approaches you can take to mitigate the risks of bad bots to your business.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">1. Manage and Block Bad Bots From the Get-Go Using the Right Tools<\/h3>\n\n\n\n<h4 class=\"wp-block-heading\">Use Device, Network, and Website Monitoring &amp; Analysis Tools<\/h4>\n\n\n\n<p class=\"wp-block-paragraph\">Robust <a href=\"https:\/\/www.thesslstore.com\/blog\/what-is-a-firewall-definition-types-uses\/\">firewalls<\/a> can help you keep a close eye on your network and website traffic. It\u2019s a good indicator that you have some potentially malicious bot-related activity if you notice any or all of the following:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Significant jumps in traffic<\/li>\n\n\n\n<li>Increased bounce rates<\/li>\n\n\n\n<li>Specific IP addresses with record-high page view rates<\/li>\n\n\n\n<li>Increased traffic from IP addresses from outside your customers\u2019 and other network users\u2019 geographic regions<\/li>\n\n\n\n<li>Other related metrics<\/li>\n<\/ul>\n\n\n\n<h5 class=\"wp-block-heading\">Web Application Firewalls (WAFs)<\/h5>\n\n\n\n<p class=\"wp-block-paragraph\">These tools are traditionally viewed as the go-to solutions for detecting and blocking bots. They\u2019re useful for monitoring and detecting OSI Model layer 7 activity to identify and mitigate application layer attacks. However, relying on traditional WAFs may not be enough anymore due to the increasing complexity of these attacks.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Within the industry, we\u2019ve been seeing movement toward web application and API protection (WAAP) solutions for bot mitigation, which expand upon traditional WAF capabilities to encompass greater protections.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Although Imperva\u2019s research data focuses on application layer attacks, it\u2019s important to note that bots can also be used to carry out network and transport layer attacks as well. Which brings us to the next firewall solution worth mentioning\u2026<\/p>\n\n\n\n<div class=\"wp-block-media-text is-stacked-on-mobile has-central-palette-1-color has-central-palette-19-background-color has-text-color has-background has-link-color wp-elements-ad79bbf9aade16856cd247e0972144e3\"><figure class=\"wp-block-media-text__media\"><img loading=\"lazy\" decoding=\"async\" width=\"800\" height=\"449\" src=\"https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2024\/06\/cWatch-OWASP-wp-product-patternx.jpg\" alt=\"cWatch example dashboard selection\" class=\"wp-image-17856 size-full\" srcset=\"https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2024\/06\/cWatch-OWASP-wp-product-patternx.jpg 800w, https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2024\/06\/cWatch-OWASP-wp-product-patternx-300x168.jpg 300w, https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2024\/06\/cWatch-OWASP-wp-product-patternx-768x431.jpg 768w\" sizes=\"auto, (max-width: 800px) 100vw, 800px\" \/><\/figure><div class=\"wp-block-media-text__content\">\n<div style=\"height:100px\" aria-hidden=\"true\" class=\"wp-block-spacer\"><\/div>\n\n\n\n<h2 class=\"wp-block-heading has-central-palette-7-color has-text-color has-link-color wp-elements-24f69ddc251d0a3bd7ca7fa73873f8f1\" id=\"h-digicert-trust-lifecycle-manager-simplifies-pki-digital-certificate-management\">Simplify Your Website Security with cWatch Web <\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">cWatch Web is a 24\/7 CSOC-managed Security-as-a-Service (SaaS) solution that encompasses many trusted technologies in one affordbable cybersecurity stack:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Security Incident &amp; Event Management (SIEM)<\/li>\n\n\n\n<li>Secure Content Delivery Network (CDN)<\/li>\n\n\n\n<li>Managed Web App Firewall (WAF)<\/li>\n\n\n\n<li>Malware Remediation <\/li>\n\n\n\n<li>Distributed Denial of Service (DDoS) Protection<\/li>\n<\/ul>\n\n\n\n<div class=\"wp-block-buttons is-layout-flex wp-block-buttons-is-layout-flex\">\n<div class=\"wp-block-button\"><a class=\"wp-block-button__link has-central-palette-7-background-color has-text-color has-background has-link-color wp-element-button\" href=\"https:\/\/www.thesslstore.com\/comodo\/cwatch-web.aspx\" style=\"color:#ffffff\">Learn More<\/a><\/div>\n<\/div>\n\n\n\n<div style=\"height:100px\" aria-hidden=\"true\" class=\"wp-block-spacer\"><\/div>\n<\/div><\/div>\n\n\n\n<h5 class=\"wp-block-heading\">Next-Generation Firewalls (NGFWs)<\/h5>\n\n\n\n<p class=\"wp-block-paragraph\">Next-gen <a href=\"https:\/\/www.thesslstore.com\/blog\/what-is-a-firewall-definition-types-uses\/\">firewalls<\/a> offer enhanced packet filtering and deep packet inspection (DPI). They\u2019re great for monitoring and detecting threats on multiple OSI layers (3, 4, and 7).&nbsp;<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Using these firewalls, in addition to other third-party solutions and tactics, can give you a multi-layered approach that paints a clearer picture of what\u2019s going on within your IT ecosystem.<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Security incident and event management (SIEM)<\/li>\n\n\n\n<li>Network traffic analysis (NTA)<\/li>\n\n\n\n<li>Network behavior analysis (NBA) or network behavior anomaly detection (DBAD) <\/li>\n\n\n\n<li><a href=\"https:\/\/www.varonis.com\/blog\/user-entity-behavior-analytics-ueba\">User and entity behavior analytics<\/a> (UEBA)<\/li>\n\n\n\n<li>Encrypted traffic analysis \/ encrypted traffic intelligence (ETA\/ETI)<\/li>\n<\/ul>\n\n\n\n<p class=\"wp-block-paragraph\">Some of these tools use machine learning (ML) to enable you to analyze the traffic flowing between users\u2019 clients and your server(s) without having to decrypt the sensitive data first. This enables you to keep an eye out for increased traffic stemming from outdated browser versions. (It\u2019s a big red flag if you see a bunch of traffic coming from legacy browsers and devices.)<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">In particular, a combination of WAFS and NGFWs can help your business stay on top of ever-evolving threats at all three OSI model levels.<\/p>\n\n\n\n<h4 class=\"wp-block-heading\">Implement Bad Bot Blocking and Mitigation Techniques<\/h4>\n\n\n\n<p class=\"wp-block-paragraph\">Creating a traditional server <a href=\"https:\/\/www.robotstxt.org\/robotstxt.html\">robots.txt<\/a> file isn\u2019t going to aid your fight against bad bots. However, it does help you limit good bots from crawling off-limits areas and sending too many requests, which can overwhelm your server if they get a little overzealous.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Here are a couple of techniques that can help mitigate bad bot traffic on your site and network:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Move your login page to a non-traditional file path<\/strong> \u2014 Bad bots can\u2019t hammer your login page if they can\u2019t find it. Rather than using a traditional login page like \/<em>wp-login.php<\/em>, rename the file path to something unique like <em>\/not-today-hackers.php<\/em> or something else different that they aren\u2019t likely to guess. By moving the end zone, they won\u2019t be able to score a touchdown.<\/li>\n\n\n\n<li><strong>Use honeypots to keep bad bots busy <\/strong>\u2014 Some researchers believe <a href=\"https:\/\/link.springer.com\/chapter\/10.1007\/978-981-16-6285-0_50\">another way to mitigate DDoS attacks<\/a> on your network\u2019s legitimate systems involves implementing honeypots. By feeding them fake data, you keep the bots distracted and focused on a safe target. Additionally, you can use the data gleaned from these bot interactions to further harden your defenses against future attacks.<\/li>\n\n\n\n<li><strong>Implement IP allowlisting and blocklisting <\/strong>\u2014 Traditional blacklists\/blocklists are not as effective anymore. This is in part because evasive or <a href=\"https:\/\/www.imperva.com\/resources\/resource-library\/infographics\/bad-bot-sophistication-levels\/\">increasingly sophisticated bad bots<\/a> often use IP distribution techniques and you also risk blocking legitimate users whose IP addresses change regularly. However, <a href=\"https:\/\/medium.com\/anti-bot-bot\/why-a-bot-whitelist-is-a-better-approach-for-bot-protection-611d8e34e1dd\">allowlists\/whitelists may still have anti-bot uses<\/a> in some cases. &nbsp;&nbsp;&nbsp;<\/li>\n<\/ul>\n\n\n\n<h4 class=\"wp-block-heading\">Set API Request Rate Limits<\/h4>\n\n\n\n<p class=\"wp-block-paragraph\">One way to up your <a href=\"https:\/\/www.thesslstore.com\/blog\/what-is-api-security-and-how-do-you-achieve-it\/\">API security<\/a> game is to restrict the number of requests that can be made to your network, website, or services. If any given IP address tries to make too many API call requests, then it\u2019s going to either throttle its traffic or shut it down completely.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Furthermore, be sure to <a href=\"https:\/\/www.thesslstore.com\/blog\/what-is-api-security-and-how-do-you-achieve-it\/\">secure all of your organization\u2019s APIs<\/a> against common threats, including injection attacks. This statement applies to your website, apps, and online services. Check out <a href=\"https:\/\/owasp.org\/API-Security\/editions\/2023\/en\/0x11-t10\/\">OWASP\u2019s Top 10 API Security Risks<\/a> for more information on common API security risks and how to address them.<\/p>\n\n\n\n<h4 class=\"wp-block-heading\">Set Login Failure Rate Limits<\/h4>\n\n\n\n<p class=\"wp-block-paragraph\">High rates of login failures are a big red flag for bot-related activities. To help prevent brute force and credential stuffing attacks, limit the number of times a user, device, or IP address can attempt to log in.<\/p>\n\n\n\n<h4 class=\"wp-block-heading\">Use a Content Delivery Network (CDN) and DNS Failover for Traffic Distribution<\/h4>\n\n\n\n<p class=\"wp-block-paragraph\">Of course, your business needs to be prepared to handle the traffic surges that are common with DDoS attacks that can cause failing servers and downtime. Using a secure <a href=\"https:\/\/www.thesslstore.com\/comodo\/cwatch-secure-cdn.aspx\">content delivery network (CDN)<\/a> is a great way to combat these surges.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">A CDN takes all of the inbound traffic your site, app, or service receives and distributes it across many servers around the world. Likewise, a <a href=\"https:\/\/www.digicert.com\/blog\/dns-failover-and-secondary-dns\">DNS failover<\/a> solution updates your DNS records to direct traffic to the fastest available instance.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">This way, the responsibility doesn\u2019t fall on only a handful of devices that attackers can overwhelm and result in downtime.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">2. Eliminate Vulnerabilities That Bots Like to Exploit<\/h3>\n\n\n\n<p class=\"wp-block-paragraph\">Now, let\u2019s explore what you can do to harden your security against common exploits that bad bots like to target and use to their advantage.<\/p>\n\n\n\n<h4 class=\"wp-block-heading\">Regularly Scan for Vulnerabilities<\/h4>\n\n\n\n<p class=\"wp-block-paragraph\">The first task on this list is scanning for vulnerabilities on your network, endpoints and website. These are weaknesses in your organization\u2019s defenses that bad guys and their drones can focus on. Think of it like having holes in your castle wall that they can slip through.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Cybercriminals love to go after the lowest-hanging fruit (i.e., insecure businesses that are the easiest to attack using the least amount of effort). Examples of the insecurities they love to target include legacy apps and firmware, outdated themes, security misconfigurations, and coding-related exploits.&nbsp;<\/p>\n\n\n\n<h4 class=\"wp-block-heading\">Lock Down Authentication<\/h4>\n\n\n\n<p class=\"wp-block-paragraph\">Like onions and chocolate cake, account security is all about the layers. Having robust authentication mechanisms on your side is one of your biggest defenses when it comes to controlling access to your site, web apps, and services. Some examples of these approaches include:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Adopting a zero-trust architecture when applicable<\/strong> \u2014 This self-explanatory approach is all about requiring continuous authentication. Rather than a user signing in once and having free reign, you\u2019re requiring the user to authenticate throughout their session.<\/li>\n\n\n\n<li><strong>Use authentication challenges to control access<\/strong> \u2014 CAPTCHAs are useful (albeit annoying) security measures to help mitigate bots. However, another approach you can take is a simple UX trick: stack two elements on a page so that human users click on the upper element, whereas bots wind up \u201cclicking\u201d both layers simultaneously because they can\u2019t differentiate the layers.<\/li>\n\n\n\n<li><strong>Rolling out multi-factor authentication<\/strong> \u2014 Require users to provide multiple authentication factors in order to gain access to access your systems. When MFA is enabled, a user must provide two or more of the following authentication factors:<ul><li>Something you know (such as a password or PIN)<\/li><\/ul><ul><li>Something you have (e.g., a push notification on your phone or a USB token)<\/li><\/ul>\n<ul class=\"wp-block-list\">\n<li>Something you are (a biometric such as a fingerprint or face ID scan)<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n\n\n\n<h5 class=\"wp-block-heading\">Set Stringent Password Requirements<\/h5>\n\n\n\n<p class=\"wp-block-paragraph\">Educate and encourage employees to use secure passphrases in lieu of traditional passwords. A passphrase like <em>WordleGam3r$Un1te!<\/em> is easy for you to remember but difficult for a bot to guess.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">According to <a href=\"http:\/\/www.hivesystems.com\/password\">Hive\u2019s 2024 Password Table<\/a> (shown below), this 18-character passphrase containing upper and lowercase letters, numbers, and symbols would take 19 quintillion (qn) years (19,000,000,000,000,000,000 years) to brute force using the brcrypt hashing algorithm (and the specified hardware noted in the table below).<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"1024\" src=\"https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2024\/06\/hive-systems-password-table-shadow-1024x1024.png\" alt=\"This table breaks down the time it takes ot crack passwords of increasing length and complexity. Image source: hivesystems.com\/password. \" class=\"wp-image-17849\" srcset=\"https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2024\/06\/hive-systems-password-table-shadow-1024x1024.png 1024w, https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2024\/06\/hive-systems-password-table-shadow-300x300.png 300w, https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2024\/06\/hive-systems-password-table-shadow-768x768.png 768w, https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2024\/06\/hive-systems-password-table-shadow-1536x1536.png 1536w, https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2024\/06\/hive-systems-password-table-shadow.png 2039w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><\/figure>\n\n\n\n<p class=\"wp-block-paragraph\"><em>Image source: Hive Systems.<\/em><\/p>\n\n\n\n<h4 class=\"wp-block-heading\">Implement Robust Password Policies and Rules<\/h4>\n\n\n\n<p class=\"wp-block-paragraph\">There is more you can do for <a href=\"https:\/\/www.thesslstore.com\/blog\/password-security-what-your-organization-needs-to-know\/\">password security<\/a> than setting strict password requirements. You also can implement account password reset limits. This way, if one or more bots repeatedly try to reset a password for a specific account, it\u2019ll trigger an account lock that shuts down the attempts.<\/p>\n\n\n\n<h4 class=\"wp-block-heading\">Use Cryptographic Password Storage Protections<\/h4>\n\n\n\n<p class=\"wp-block-paragraph\">Storing your network users\u2019 and customers\u2019 passwords in your database in any form \u2014 plaintext or encrypted \u2014 is a big no-no. (Plaintext passwords can be stolen via eavesdropping and encrypted ones can be exposed if the decryption key is compromised.) Instead, store <a href=\"https:\/\/www.thesslstore.com\/blog\/password-salting-a-savory-way-to-secure-your-secrets\/\">salted and peppered <em>password hashes<\/em><\/a>.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Applying a cryptographic <a href=\"https:\/\/www.thesslstore.com\/blog\/what-is-a-hash-function-in-cryptography-a-beginners-guide\/\">hash function<\/a> to your passwords gives you a way to allow users to authenticate without their plaintext passwords needing to be stored (and potentially exposed) in your database. A one-way hashing algorithm (such as bcrypt) generates a fixed-length hash value. It\u2019s this hash value (i.e., hash digest) that you should store in your database instead in place of plaintext or encrypted passwords.&nbsp;&nbsp;<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Looking for More Info? Check Out These Industry Resources<\/h2>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Open Web Application Security Project (OWASP)<\/strong> \u2014 This OWASP Foundation offers many great resources through its <a href=\"https:\/\/owasp.org\/www-project-automated-threats-to-web-applications\/\">OWASP Automated Threats to Web Applications Project<\/a> to help web app owners fight back against automated attackers. &nbsp;<\/li>\n\n\n\n<li><strong>CISA, FBI and Multi-State Information Sharing &amp; Analysis Center (MS-ISAC)<\/strong> \u2014 The joint guide <a href=\"https:\/\/www.cisa.gov\/sites\/default\/files\/2024-03\/understanding-and-responding-to-distributed-denial-of-service-attacks_508c.pdf\">\u201cUnderstanding and Responding to Distributed Denial of Service Attacks\u201d<\/a> addresses many of the needs and concerns surrounding DDoS attacks. It breaks down three common types of DDoS and DoS attacks and outlines best practices you can implement.<\/li>\n\n\n\n<li><strong>Imperva<\/strong> \u2014 This security company has some great information on <a href=\"https:\/\/www.imperva.com\/learn\/application-security\/what-are-bots\/\">basic and advanced bot mitigation techniques<\/a>.<\/li>\n<\/ul>\n","protected":false},"excerpt":{"rendered":"<p>Nearly half of internet traffic identified by Imperva isn\u2019t human; it\u2019s bots, and most are up to no good. Here\u2019s what they\u2019re doing and how you can identify them and&#8230;<\/p>\n","protected":false},"author":17,"featured_media":17850,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"inline_featured_image":false,"footnotes":"","tve_updated_post":"","tve_custom_css":"","tve_user_custom_css":"","tve_globals":{},"tcb2_ready":0,"tcb_editor_enabled":0,"tve_landing_page":"","_tve_header":"","_tve_footer":""},"categories":[13107,16,10200],"tags":[12333],"class_list":["post-17846","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-beyond-hashed-out","category-hashing-out-cyber-security","category-monthly-digest","tag-bad-bots","post-with-tags"],"views":4977,"jetpack_featured_media_url":"https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2024\/06\/6-trillion-bot-requests-feature-sm.jpg","_links":{"self":[{"href":"https:\/\/www.thesslstore.com\/blog\/wp-json\/wp\/v2\/posts\/17846","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.thesslstore.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.thesslstore.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.thesslstore.com\/blog\/wp-json\/wp\/v2\/users\/17"}],"replies":[{"embeddable":true,"href":"https:\/\/www.thesslstore.com\/blog\/wp-json\/wp\/v2\/comments?post=17846"}],"version-history":[{"count":0,"href":"https:\/\/www.thesslstore.com\/blog\/wp-json\/wp\/v2\/posts\/17846\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.thesslstore.com\/blog\/wp-json\/wp\/v2\/media\/17850"}],"wp:attachment":[{"href":"https:\/\/www.thesslstore.com\/blog\/wp-json\/wp\/v2\/media?parent=17846"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.thesslstore.com\/blog\/wp-json\/wp\/v2\/categories?post=17846"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.thesslstore.com\/blog\/wp-json\/wp\/v2\/tags?post=17846"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}