NextGen Bot Solution with Serverless Architecture

Shikhar SharmaSecurity Architect

Proprietary and confidential. Do not distribute.

PC vs Console Gaming

Proprietary and confidential. Do not distribute.

The Bad Bot Landscape

What is a bad bot?

Bad bots scrape data from sites without permission in order to reuse it (e.g., pricing, inventory levels) and gain a competitive edge. The truly nefarious ones undertake criminal activities, such as fraud, account takeovers and outright theft.

The Open Web Application Security Project (OWASP) provides a list of the different bad bot types in its Automated Threat Handbook.

Proprietary and confidential. Do not distribute.

Common Issues Caused by Bots

Content and Price Scraping

● Revenue loss to competitors● Availability targeting, undercutting

prices and promotions● Content theft and negative SEO● Fake registrations and lead form fills

Slowdowns and Downtime

● Side effect from scraping and ATO● Poor customer experience● Brand damage and customer churn● Lower conversion rates and

revenue loss

Account Takeover and Fraud

● Brand damage● Revenue loss● Increased chargebacks● Increased customer support costs

Operational Visibility and Skewing

● Flying blind● Can’t manage what you can’t see● Bots skew KPIs● Misinformed business decisions

Proprietary and confidential. Do not distribute.

Industry Trends

Proprietary and confidential. Do not distribute.

Reality of Web Traffic

How to tackle bots?

Proprietary and confidential. Do not distribute.

How to tackle bots?

Two fundamentals of solving bot problems

Bot Detection Bot Mitigation

Bot Detection Strategies

Proprietary and confidential. Do not distribute.

Bot Detection Strategies

Signature based detection mechanism

Anomaly based detection mechanism

Behavioral based detection mechanism

Broadly we can classify bot detection strategies into 3 categories

User-Agent/Referer: *skyscanner*

Risk scoring used to calculate magnitude of anomalies.

Collecting browser/machine fingerprints to identify a human vs bot by injecting JS.

Bot Mitigation Strategies

Proprietary and confidential. Do not distribute.

Bot Mitigation Strategies

Serving alternate content

Slow Down/Halt the connections

Drop the traffic

We can classify bot mitigation strategies into 4 categories

Serving fake content / Serving content from cache

Slow down responses to bots, keeping their connection open while not responding with content or responding in timely manner.

Serving a 403 or any custom response code.

Serve Captcha Google Recaptcha or Geetest

Traditional Deployment Strategies

Proprietary and confidential. Do not distribute.

CDN’s Offering Bot Mitigation Solutions

Web Server

End User Load Balancer

Anonymous: “We had to buy a particular CDN service even though we just needed their bot mitigation solution. It would have been much easier if we could choose different CDN’s, WAF and Bot mitigation solutions instead of all baked into one. It would be like choosing best of both worlds. Life would have been so much simpler.”

Proprietary and confidential. Do not distribute.

Load Balancer Load Balancer

Vendor Proxy EC2

Vendor Proxy EC2

Origin Server

Origin Server

Internet Gateway

CUSTOMER VPC

Customer Managed Private Cloud

Proprietary and confidential. Do not distribute.

Load Balancer Load Balancer

Vendor Proxy EC2

Vendor Proxy EC2

Origin Server

Origin Server

Internet Gateway

CUSTOMER VPCVendor’s VPC

Vendor Managed VPC with Cloud Infrastructure

Proprietary and confidential. Do not distribute.

Load Balancer

Vendor Proxy EC2

Internet Gateway Load Balancer

Vendor Proxy EC2

CUSTOMER DATACENTER

Server

Server

Vendor Managed VPC with Physical Datacenters

Proprietary and confidential. Do not distribute.

On Prem Solutions

DATA CENTER

Vendor Appliances on VM’s

Load Balancer Web ServersFirewallClient

Proprietary and confidential. Do not distribute.

Limitations of Traditional Deployment Models

1. You need to buy a CDN even though you just need bot mitigation solution.

2. Switching between CDN’s is a pain.

3. Deploying reverse proxy models is time consuming.

4. Reverse proxy models add additional transit times.

5. Auto scaling may require vendor’s AMI’s.

6. Vertical scaling is still limited to availability zones.

7. Effective horizontal scaling would need your application to be stateless.

8. Legacy applications do not adhere to microservice architecture without which achieving effective

horizontal scaling is really tough.

Serverless Deployment

Proprietary and confidential. Do not distribute.

Serverless Deployment

Confidential

Imperva Connector Ecosystem

Client

API Call’s carrying telemetry data

Proprietary and confidential. Do not distribute.

Connector Sequence Diagram Prior to Page Load

Imperva Connector Ecosystem

Customer ConnectorIntegration

End User or Bot

Requests protected Webpage

Allow or Block page

API call via POST /Analysis

Customer "action": based on policy in portal

Distil Tag AddedTo Response

API response with VisitorInfo

Proprietary and confidential. Do not distribute.

Connector Challenge Injection Sequence Diagram

Browser or BotEnd User or Threat Actor

Displays page with JS Tag

GET JavaScript challenge

POST browser data

Update Token

Execute challenge

Update Encrypted Cookie

Customer ConnectorIntegration

Imperva Connector Ecosystem

Proprietary and confidential. Do not distribute.

Advantages of Serverless Deployment

1. No need to rely on baked in solutions and pay for something you don’t need or use.

2. Scalability will never be a problem if serverless deployments occur on lambda@edge or

workers.

3. No additional latencies will be added due to reverse proxy machines.

4. No need for on-demand instances or creating Auto Scaling groups for bot solutions.

5. No need to redirect DNS.

6. No need to manage reverse proxy machines.

7. Deployment can happen in minutes.

8. Requires no infrastructure changes.

9. You get the power to choose on which compute platform you wish to deploy bot mitigation

solution.

Questions?