Jump to content

Bot prevention

From Wikipedia, the free encyclopedia

Bot prevention refers to the methods used by web services to prevent access by automated processes.

Types of bots

[edit]

Studies suggest that over half of the traffic on the internet is bot activity, of which over half is further classified as 'bad bots'.[1]

Bots are used for various purposes online. Some bots are used passively for web scraping purposes, for example, to gather information from airlines about flight prices and destinations. Other bots, such as sneaker bots, help the bot operator acquire high-demand luxury goods; sometimes these are resold on the secondary market at higher prices, in what is commonly known as 'scalping'.[2][3][4]

Detection techniques and avoidance

[edit]

Various fingerprinting and behavioural techniques are used to identify whether the client is a human user or a bot. In turn, bots use a range of techniques to avoid detection and appear like a human to the server.[2]

Browser fingerprinting techniques are the most common component in anti-bot protection systems. Data is usually collected through client-side JavaScript which is then transmitted to the anti-bot service for analysis. The data collected includes results from JavaScript APIs (checking if a given API is implemented and returns the results expected from a normal browser), rendering complex WebGL scenes, and using the Canvas API.[1][5] TLS fingerprinting techniques categorise the client by analysing the supported cipher suites during the SSL handshake.[6] These fingerprints can be used to create whitelists/blacklists containing fingerprints of known browser stacks.[7] In 2017, Salesforce open sourced its TLS fingerprinting library (JA3).[8] Between August and September 2018, Akamai noticed a large increase in TLS tampering across its network to evade detection.[9][7]

Behaviour-based techniques are also utilised, although less commonly than fingerprinting techniques, and rely on the idea that bots behave differently to human visitors. A common behavioural approach is to analyse a client's mouse movements and determine if they are typical of a human.[1][10]

More traditional techniques such as CAPTCHAs are also often employed, however they are generally considered ineffective while simultaneously obtrusive to human visitors.[11]

The use of JavaScript can prevent some bots that rely on basic requests (such as via cURL), as these will not load the detection script and hence will fail to progress.[1] A common method to bypass many techniques is to use a headless browser to simulate a real web browser and execute the client-side JavaScript detection scripts.[2][1] There are a variety of headless browsers that are used; some are custom (such as PhantomJS) but it is also possible to operate typical browsers such as Google Chrome in headless mode using a driver. Selenium is a common web automation framework that makes it easier to control the headless browser.[5][1] Anti-bot detection systems attempt to identify the implementation of methods specific to these headless browsers, or the lack of proper implementation of APIs that would be implemented in regular web browsers.[1]

The source code of these JavaScript files is typically obfuscated to make it harder to reverse engineer how the detection works.[5] Common techniques include:[12]

Anti-bot protection services are offered by various internet companies, such as Cloudflare[13] and Akamai.[14][15]

Law

[edit]

In the United States, the Better Online Tickets Sales Act (commonly known as the BOTS Act) was passed in 2016 to prevent some uses of bots in commerce.[16] A year later, the United Kingdom passed similar regulations in the Digital Economy Act 2017.[17][18] The effectiveness of these measures is disputed.[19]

References

[edit]
  1. ^ a b c d e f g Amin Azad, Babak; Starov, Oleksii; Laperdrix, Pierre; Nikiforakis, Nick (2020). "Web Runner 2049: Evaluating Third-Party Anti-bot Services". In Maurice, Clémentine; Bilge, Leyla; Stringhini, Gianluca; Neves, Nuno (eds.). Detection of Intrusions and Malware, and Vulnerability Assessment. Lecture Notes in Computer Science. Vol. 12223. Cham: Springer International Publishing. pp. 135–159. doi:10.1007/978-3-030-52683-2_7. ISBN 978-3-030-52683-2. PMC 7338186.
  2. ^ a b c Chiapponi, Elisa; Dacier, Marc; Todisco, Massimiliano; Catakoglu, Onur; Thonnard, Olivier (2021). "Botnet Sizes: When Maths Meet Myths". Service-Oriented Computing – ICSOC 2020 Workshops. Lecture Notes in Computer Science. Vol. 12632. pp. 596–611. doi:10.1007/978-3-030-76352-7_52. ISBN 978-3-030-76351-0. S2CID 232203240.
  3. ^ Marks, Tod. "Why Ticket Prices Are Going Through the Roof". Consumer Reports.
  4. ^ "Bad Bot Report 2021" (PDF). Imperva. Retrieved 23 August 2021.
  5. ^ a b c Jonker, Hugo; Krumnow, Benjamin; Vlot, Gabry (2019). "Fingerprint Surface-Based Detection of Web Bot Detectors". In Sako, Kazue; Schneider, Steve; Ryan, Peter Y. A. (eds.). Computer Security – ESORICS 2019. Lecture Notes in Computer Science. Vol. 11736. Cham: Springer International Publishing. pp. 586–605. doi:10.1007/978-3-030-29962-0_28. ISBN 978-3-030-29962-0. S2CID 202579603.
  6. ^ "Qualys SSL Labs - Projects / HTTP Client Fingerprinting Using SSL Handshake Analysis". www.ssllabs.com.
  7. ^ a b "Bots increasingly tampering with TLS to outfox filters". The Daily Swig | Cybersecurity news and views. 17 May 2019.
  8. ^ Althouse, John (5 February 2019). "Open Sourcing JA3". Medium.
  9. ^ "Bots Tampering with TLS to Avoid Detection - Akamai Security Intelligence and Threat Research Blog". blogs.akamai.com.
  10. ^ Wei, Ang; Zhao, Yuxuan; Cai, Zhongmin (2019). "A Deep Learning Approach to Web Bot Detection Using Mouse Behavioral Biometrics". Biometric Recognition. Lecture Notes in Computer Science. Vol. 11818. pp. 388–395. doi:10.1007/978-3-030-31456-9_43. ISBN 978-3-030-31455-2. S2CID 203847308.
  11. ^ Chu, Zi; Gianvecchio, Steven; Wang, Haining (2018). "Bot or Human? A Behavior-Based Online Bot Detection System". From Database to Cyber Security. Lecture Notes in Computer Science. Vol. 11170. pp. 432–449. doi:10.1007/978-3-030-04834-1_21. ISBN 978-3-030-04833-4.
  12. ^ "JavaScript Obfuscator Tool". obfuscator.io.
  13. ^ "Cloudflare Bot Management". Cloudflare.
  14. ^ "Bot Manager". Akamai Technologies. Retrieved 23 August 2021.
  15. ^ "Akamai Bot Manager". Akamai Technologies.
  16. ^ Sisario, Ben (9 December 2016). "Congress Moves to Curb Ticket Scalping, Banning Bots Used Online". The New York Times.
  17. ^ Keepfer, DLA Piper-Francis (10 January 2018). "UK Government criminalises the use of ticket tout bots". Lexology.
  18. ^ "New law will ban use of bots to bulk buy tickets". Which? News. 23 April 2018.
  19. ^ Elefant, Sammi (2018). "Beyond the Bots: Ticked-Off Over Ticket Prices or The Eternal Scamnation". UCLA Entertainment Law Review. 25 (1). doi:10.5070/LR8251039716. ISSN 1073-2896.