Threat Spotlight: When bad bots attack

The holiday shopping season makes e-commerce sites an attractive target for cybercriminals.

Bad bot distribution

Holiday shopping season makes e-commerce sites an attractive target for cybercriminals using bots to run distributed denial of service (DDoS) attacks, make fraudulent purchases, and scan for vulnerabilities they can exploit.

In mid-November, Barracuda researchers ran Barracuda Advanced Bot Protection in front of a test web application, and the number of bots they detected in just a few days was staggering, with millions of attacks coming in from thousands of distinct IP addresses.

When viewed by time of day, Barracuda researchers saw that bots don’t just wait until the middle of the night to attack. For example, in the UK, bot activity peaks mid-morning and doesn’t fall off until closer to 5 p.m., which may indicate the cybercriminals (aka “bot herders”) follow a regular working day.

Here’s a closer look at what Barracuda researchers found about how cybercriminals spoof good User-Agents and the new patterns behind these attacks.

Highlighted Threat

Bad Bot Personas — A bad bot persona is a bot that has been identified as malicious based on its pattern of behavior. Bots are grouped by User-Agent, but some User-Agents belong to legitimate bots. For example, Googlebot, which crawls sites so their pages can be indexed and ranked in search results, is a good bot and should not be blocked. Google uses many different User-Agents:

[Figure: subset of GoogleBot User-Agents]

The problem is that bad bots spoof these known-good User-Agents, so you have to look deeper to tell them apart. To identify a bot as bad when its User-Agent claims to be a good search engine crawler, Barracuda researchers use methods including:

  1. Injecting honeytraps such as hidden URLs and JavaScript challenges. Bots follow hidden links and respond to JavaScript challenges quite differently from humans.
  2. Using reverse DNS (rDNS) lookups to verify that a bot really comes from the source it claims. The hostname returned for the client IP must belong to the claimed operator’s domain, and because the owner of an address block controls its PTR records, that hostname must also resolve back to the same IP (forward-confirmed rDNS).
  3. Checking whether the client requests URLs used by common application fingerprinting attacks.
  4. If these methods do not catch it, the researchers do further analysis with machine learning.
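The first three checks above, as an added example that is not Barracuda’s code: a small triage routine run over constructed access-log lines. It applies the honeytrap and fingerprinting-URL checks, flags headless or non-standard Chrome User-Agent strings (the “non-standard string” persona in the breakdown further down), and performs the rDNS verification as forward-confirmed reverse DNS, using a fake resolver so it runs offline. The honeytrap paths, the fingerprinting path list, the IPs, hostnames and log lines are all made up for the example; the googlebot.com/google.com and search.msn.com suffixes are the ones Google and Microsoft publish for verifying their crawlers.

```python
"""Bad-bot triage over access-log lines: honeytrap hits, fingerprinting probes,
headless/non-standard browser User-Agents, and forward-confirmed reverse DNS for
clients claiming to be a search-engine crawler. Added example; all paths, hosts,
IPs and log lines are constructed."""
import re
import socket

# Hidden links never rendered for humans; only link-following bots request them (assumed paths).
HONEYTRAP_PATHS = {"/.well-known/trap-7f3a", "/catalog/hidden-deals"}
# Paths probed by common application-fingerprinting scanners (illustrative subset).
FINGERPRINT_PATHS = {"/wp-login.php", "/phpmyadmin/", "/.env", "/xmlrpc.php"}
# Claimed "good" crawlers and the hostname suffixes their operators publish for crawler hosts.
GOOD_BOT_DOMAINS = {"googlebot": (".googlebot.com", ".google.com"), "bingbot": (".search.msn.com",)}
# A genuine Chrome UA carries these tokens in this order; a bot that merely writes
# "Chrome/" somewhere in the string is the "non-standard string" persona.
CHROME_UA = re.compile(r"^Mozilla/5\.0 \(.+\) AppleWebKit/\d+\.\d+ \(KHTML, like Gecko\) Chrome/\d+(\.\d+)+ ")
# Combined log format; only client IP, request path and User-Agent are needed.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST|HEAD) (?P<path>\S+) [^"]*" '
                    r'\d+ \d+ "[^"]*" "(?P<ua>[^"]*)"$')

def _reverse_dns(ip):
    return socket.gethostbyaddr(ip)[0]

def _forward_dns(host):
    return socket.gethostbyname_ex(host)[2]

def verify_claimed_bot(ip, claimed, reverse=_reverse_dns, forward=_forward_dns):
    """Forward-confirmed rDNS: the PTR hostname must lie in the crawler owner's domain AND
    resolve back to the same IP. The second step defeats an attacker who sets a PTR record
    naming googlebot.com on address space they control."""
    try:
        host = reverse(ip).rstrip(".").lower()
        return host.endswith(GOOD_BOT_DOMAINS[claimed]) and ip in forward(host)
    except OSError:  # no PTR record or NXDOMAIN: cannot be confirmed, so not "good"
        return False

def classify(ip, path, ua, reverse=_reverse_dns, forward=_forward_dns):
    """Verdict for one request; cheapest and most certain checks run first."""
    if path in HONEYTRAP_PATHS:
        return "bad: followed honeytrap link"
    if path in FINGERPRINT_PATHS:
        return "bad: app fingerprinting probe"
    low = ua.lower()
    if "headlesschrome" in low:
        return "bad: headless browser"
    for name in GOOD_BOT_DOMAINS:
        if name in low:
            if verify_claimed_bot(ip, name, reverse, forward):
                return f"good: verified {name}"
            return f"bad: spoofed {name} (rDNS check failed)"
    if "chrome/" in low and not CHROME_UA.search(ua):
        return "bad: non-standard Chrome User-Agent"
    return "unverified: needs behavioural/ML analysis"

def triage(log_lines, reverse=_reverse_dns, forward=_forward_dns):
    """Parse each log line and return (client IP, verdict) pairs."""
    out = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if m:
            out.append((m["ip"], classify(m["ip"], m["path"], m["ua"], reverse, forward)))
        else:
            out.append(("?", "unparseable log line"))
    return out

# --- Constructed sample data so the example runs offline ---
GOOGLEBOT_UA = "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
CHROME_OK = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.111 Safari/537.36"
HEADLESS = "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) HeadlessChrome/86.0.4240.75 Safari/537.36"
TS = "[16/Nov/2020:10:02:11 +0000]"
SAMPLE_LOG = [
    f'66.249.66.1 - - {TS} "GET /products HTTP/1.1" 200 5120 "-" "{GOOGLEBOT_UA}"',
    f'203.0.113.7 - - {TS} "GET /products HTTP/1.1" 200 5120 "-" "{GOOGLEBOT_UA}"',
    f'198.51.100.9 - - {TS} "GET /products HTTP/1.1" 200 5120 "-" "{GOOGLEBOT_UA}"',
    f'192.0.2.5 - - {TS} "GET /catalog/hidden-deals HTTP/1.1" 200 311 "-" "{CHROME_OK}"',
    f'192.0.2.6 - - {TS} "GET /.env HTTP/1.1" 404 0 "-" "python-requests/2.25.0"',
    f'192.0.2.7 - - {TS} "GET /products HTTP/1.1" 200 5120 "-" "Mozilla/5.0 Chrome/86.0"',
    f'192.0.2.8 - - {TS} "GET /products HTTP/1.1" 200 5120 "-" "{HEADLESS}"',
    f'192.0.2.9 - - {TS} "GET /products HTTP/1.1" 200 5120 "-" "{CHROME_OK}"',
]
# Fake resolver standing in for DNS. 198.51.100.9 has a PTR that *names* googlebot.com, but the
# forward lookup of that name does not return 198.51.100.9, so it must be rejected.
FAKE_PTR = {"66.249.66.1": "crawl-66-249-66-1.googlebot.com", "198.51.100.9": "crawl-1-2-3-4.googlebot.com"}
FAKE_A = {"crawl-66-249-66-1.googlebot.com": ["66.249.66.1"], "crawl-1-2-3-4.googlebot.com": ["198.51.100.200"]}

def fake_reverse(ip):
    if ip in FAKE_PTR:
        return FAKE_PTR[ip]
    raise socket.herror(1, "Unknown host")

def fake_forward(host):
    if host in FAKE_A:
        return FAKE_A[host]
    raise socket.gaierror(-2, "Name or service not known")

if __name__ == "__main__":
    for ip, verdict in triage(SAMPLE_LOG, fake_reverse, fake_forward):
        print(f"{ip:14} {verdict}")
```

Drop the fake_reverse/fake_forward arguments to run the same triage against live DNS via the socket module. The 198.51.100.9 case is the one worth studying: its PTR record says googlebot.com, so a plain reverse lookup would wave it through, and only the forward confirmation catches it. Anything that ends up in the "unverified" bucket is what the fourth step, behavioural and machine-learning analysis, is for.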

The Details

When viewed by top bad bot personas, the data gathered by Barracuda researchers shows an increase in the HeadlessChrome, yerbasoftware, and M12bot personas, which now rank ahead of newer browsers such as Microsoft Edge.

BAD Bot Personas — November 2020

Bot Persona/User Agent                   Percentage of Bad Bot Traffic
Non-Standard User Agent/Malicious User   72.00%
Headless Chrome                           5.00%
SemRush Bot                               1.50%

The Non-Standard User Agent/Malicious User persona covers the following categories:

  • Bots pretending to be a specific browser but using a non-standard User-Agent string
  • Bots pretending to be a specific piece of software but using a non-standard User-Agent string
  • Bots pretending to be a specific browser but caught because of unusual browsing patterns or other bot checks
  • Bots pretending to be a “good” bot but caught by rDNS lookups

When analyzing which ISP (Internet Service Provider) or ASN (Autonomous System Number) is the source of bad bot activity, researchers found Indian mobile provider subnet ranges in the mix, as well as some of the big public cloud providers. This shows that bot traffic can come from anywhere in the world, including cloud infrastructure that also carries legitimate traffic, although the mix depends on the bot and the site it is targeting.

BAD Bot ISP Sources — November 2020

ISP                     ASN Name                                     Percentage
Airtel                  BHARTI Airtel Ltd.                           34.96%
Microsoft Corporation   MICROSOFT-CORP-MSN-AS-BLOCK                  22.00%
Tata Teleservices ISP   Tata Teleservices ISP AS                      9.80%
Google Cloud            GOOGLE                                        7.64%
MEO                     Servicos De Comunicacoes E Multimedia S.A.    6.45%
Limestone Networks      LIMESTONENETWORKS                             3.63%

How to protect against bot attacks

With holiday shopping season now in full swing, e-commerce teams should take the following steps to safeguard their applications against bad bots:

  • Install a web application firewall (WAF) or WAF-as-a-Service solution and make sure it is properly configured
  • Make sure these application security solutions include anti-bot protection so they can detect advanced automated attacks, not just simple User-Agent matches
  • Turn on credential stuffing protection to prevent account takeover