NextGen Bot Solution with Serverless Architecture · 2020. 7. 21.
Shikhar Sharma, Security Architect
Proprietary and confidential. Do not distribute.
PC vs Console Gaming
The Bad Bot Landscape
What is a bad bot?
Bad bots scrape data from sites without permission in order to reuse it (e.g., pricing, inventory levels) and gain a competitive edge. The truly nefarious ones undertake criminal activities, such as fraud, account takeovers and outright theft.
The Open Web Application Security Project (OWASP) provides a list of the different bad bot types in its Automated Threat Handbook.
Common Issues Caused by Bots
Content and Price Scraping
● Revenue loss to competitors
● Availability targeting, undercutting prices and promotions
● Content theft and negative SEO
● Fake registrations and lead form fills
Slowdowns and Downtime
● Side effect from scraping and ATO
● Poor customer experience
● Brand damage and customer churn
● Lower conversion rates and revenue loss
Account Takeover and Fraud
● Brand damage
● Revenue loss
● Increased chargebacks
● Increased customer support costs
Operational Visibility and Skewing
● Flying blind
● Can’t manage what you can’t see
● Bots skew KPIs
● Misinformed business decisions
Industry Trends
Reality of Web Traffic
How to tackle bots?
Two fundamentals of solving bot problems: Bot Detection and Bot Mitigation
Bot Detection Strategies
Broadly we can classify bot detection strategies into 3 categories:
● Signature based detection: match known bot strings in request headers, e.g. User-Agent/Referer: *skyscanner*
● Anomaly based detection: risk scoring used to calculate the magnitude of anomalies (request rate, path patterns) against a baseline.
● Behavioral based detection: collecting browser/machine fingerprints by injecting JS, to tell a human from a bot.
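The three strategies above, as an added worked example that is not code from the slides or from any vendor: a signature match, a rate-based anomaly score and a fingerprint-based behavioral score, combined into one verdict over constructed request records. The signature patterns, the 30 requests/minute baseline, the fingerprint weights and the 50-point threshold are assumptions chosen for illustration.

```javascript
// Added example (not from the slides): the three detection strategies run over
// constructed request records. Signature patterns, the rate baseline and the
// fingerprint weights are illustrative assumptions, not a vendor's rule set.

// 1. Signature-based: known bot strings in User-Agent or Referer (the slide's
//    "*skyscanner*" example is the first pattern).
const SIGNATURES = [/skyscanner/i, /python-requests/i, /^curl\//i, /scrapy/i];

function signatureScore(req) {
  const fields = [req.userAgent || '', req.referer || ''];
  return fields.some(f => SIGNATURES.some(re => re.test(f))) ? 100 : 0;
}

// 2. Anomaly-based: a risk score from how far the client's request rate in a
//    sliding window sits above a baseline. Assumption: 30 requests/minute is
//    normal for a human session; 2x baseline scores 50, 3x or more scores 100.
function anomalyScore(req, history, windowMs = 60000, baseline = 30) {
  const recent = history.filter(h =>
    h.ip === req.ip && req.ts - h.ts >= 0 && req.ts - h.ts < windowMs).length + 1;
  const ratio = recent / baseline;
  return ratio <= 1 ? 0 : Math.min(100, Math.round((ratio - 1) * 50));
}

// 3. Behavioral: score the fingerprint the injected JS posted back. A client that
//    never posts one never executed the challenge, which is itself a strong signal.
function behaviorScore(fp) {
  if (!fp) return 80;
  let s = 0;
  if (fp.webdriver) s += 60;                                               // navigator.webdriver set by automation
  if (fp.pluginCount === 0 && /Chrome/.test(fp.userAgent || '')) s += 20; // headless Chrome exposes no plugins
  if (fp.mouseEvents === 0) s += 20;                                       // page rendered, nobody moved a mouse
  return Math.min(100, s);
}

// Combine the three signals: the strongest one decides, against a threshold.
function classify(req, history, fp, threshold = 50) {
  const scores = {
    signature: signatureScore(req),
    anomaly: anomalyScore(req, history),
    behavior: behaviorScore(fp),
  };
  const risk = Math.max(scores.signature, scores.anomaly, scores.behavior);
  return { risk, scores, verdict: risk >= threshold ? 'bot' : 'human' };
}

// Constructed sample traffic (not real logs): a scraper, a human, and a headless
// browser with a spoofed User-Agent that only the behavioral check catches.
const T0 = 1700000000000;
const CHROME_UA = 'Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0 Safari/537.36';
const SAMPLES = {
  scraper: {
    req: { ip: '203.0.113.7', ts: T0 + 5000, userAgent: 'python-requests/2.31', referer: '' },
    history: Array.from({ length: 89 }, (_, i) => ({ ip: '203.0.113.7', ts: T0 + i * 50 })),
    fp: undefined, // never ran the JS challenge
  },
  human: {
    req: { ip: '198.51.100.20', ts: T0 + 5000, userAgent: CHROME_UA, referer: 'https://example.com/' },
    history: Array.from({ length: 5 }, (_, i) => ({ ip: '198.51.100.20', ts: T0 + i * 1000 })),
    fp: { webdriver: false, pluginCount: 3, mouseEvents: 14, userAgent: CHROME_UA },
  },
  headless: {
    req: { ip: '192.0.2.9', ts: T0 + 5000, userAgent: CHROME_UA, referer: '' },
    history: Array.from({ length: 3 }, (_, i) => ({ ip: '192.0.2.9', ts: T0 + i * 1000 })),
    fp: { webdriver: true, pluginCount: 0, mouseEvents: 0, userAgent: CHROME_UA },
  },
};

function runSamples() {
  const out = {};
  for (const [name, s] of Object.entries(SAMPLES)) out[name] = classify(s.req, s.history, s.fp);
  return out;
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(JSON.stringify(runSamples(), null, 2));
}
```

The headless sample is the point of the exercise: its User-Agent is an ordinary Chrome string and its request rate is low, so neither the signature nor the anomaly check fires, and only the fingerprint posted back by the injected JS (navigator.webdriver, no plugins, no mouse events) flags it. Taking the maximum of the three scores is deliberate: a strong signal from one strategy should not be diluted by silence from the others.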
Bot Mitigation Strategies
We can classify bot mitigation strategies into 4 categories:
● Serving alternate content: serving fake content / serving content from cache.
● Slow down/halt the connections: slow down responses to bots, keeping their connection open while not responding with content, or not responding in a timely manner.
● Drop the traffic: serve a 403 or any custom response code.
● Serve a CAPTCHA: Google reCAPTCHA or Geetest.
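The four mitigation categories above as response builders, with a policy that picks one by risk band; this is an added example and not code from the slides or from any vendor. The risk thresholds, the cache contents, the decoy page, the tarpit timing and the challenge form are all assumptions for illustration.

```javascript
// Added example (not from the slides): the four mitigation strategies as response
// builders, plus a policy that maps a risk score to one of them. Thresholds, the
// decoy content, the cache contents and the tarpit timing are illustrative assumptions.

// Assumption: a tiny stand-in for a CDN/page cache of pages that are public anyway.
const PAGE_CACHE = new Map([
  ['/product/42', '<h1>Widget</h1><p>Price: $129.99</p><p>In stock: 31</p>'],
]);

// 1. Alternate content: a cached copy (origin is never hit) or, for uncached pages,
//    decoy data so that whatever the scraper collects is worthless.
function serveAlternate(path) {
  const cached = PAGE_CACHE.get(path);
  if (cached) return { status: 200, headers: { 'x-cache': 'HIT' }, body: cached };
  return { status: 200, headers: { 'x-cache': 'DECOY' },
           body: '<h1>Widget</h1><p>Price: $199.99</p><p>In stock: 0</p>' };
}

// 2. Slow down: a tarpit plan. The caller keeps the socket open for holdMs, sends a
//    byte of whitespace every tickMs so the client does not time out, and never sends
//    the real body; the bot's connection slot stays burned the whole time.
function slowDown(holdMs = 60000, tickMs = 5000) {
  return { status: 200, headers: { 'content-type': 'text/html' }, tarpit: { holdMs, tickMs }, body: '' };
}

// Execute a tarpit plan. Assumption: res has write()/end() like Node's http.ServerResponse;
// sleep is injectable so the schedule can be exercised without actually waiting.
async function applyTarpit(plan, res, sleep = ms => new Promise(r => setTimeout(r, ms))) {
  const ticks = Math.floor(plan.tarpit.holdMs / plan.tarpit.tickMs);
  for (let i = 0; i < ticks; i++) {
    await sleep(plan.tarpit.tickMs);
    res.write(' ');
  }
  res.end();
  return ticks;
}

// 3. Drop: 403 (or any custom code) with nothing worth parsing.
function drop(status = 403) {
  return { status, headers: {}, body: '' };
}

// 4. CAPTCHA: hand the visitor to a challenge page; the provider's verification callback
//    (not shown) clears the visitor and redirects back to return_to.
function serveCaptcha(returnTo) {
  return {
    status: 403,
    headers: { 'content-type': 'text/html' },
    body: '<form method="POST" action="/challenge">' +
          `<input type="hidden" name="return_to" value="${encodeURIComponent(returnTo)}">` +
          '<div class="captcha-widget"></div><button>Verify</button></form>',
  };
}

// Policy: which strategy for which risk band. Confirmed scrapers in the high band get
// alternate content rather than a block, so they keep collecting bad data instead of
// noticing the block and adapting; outright drops are reserved for the top band.
function choose(risk, reason) {
  if (risk >= 95) return 'drop';
  if (risk >= 80) return reason === 'scraper' ? 'alternate' : 'slow';
  if (risk >= 50) return 'captcha';
  return 'allow';
}

function mitigate(risk, reason, req) {
  const strategy = choose(risk, reason);
  switch (strategy) {
    case 'drop':      return { strategy, response: drop() };
    case 'alternate': return { strategy, response: serveAlternate(req.path) };
    case 'slow':      return { strategy, response: slowDown() };
    case 'captcha':   return { strategy, response: serveCaptcha(req.path) };
    default:          return { strategy, response: null }; // pass through to origin
  }
}
```

The design choice worth noting is the order of the bands: a hard 403 is the cheapest response but also the clearest feedback to the operator on the other side, so it is only used at the top of the scale, while scrapers are preferably fed cached or decoy content and credential-stuffing traffic is tarpitted so each attempt costs the attacker a connection for a minute.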
Traditional Deployment Strategies
CDNs Offering Bot Mitigation Solutions
Diagram: End User → Load Balancer → Web Server
Anonymous: “We had to buy a particular CDN service even though we just needed their bot mitigation solution. It would have been much easier if we could choose different CDNs, WAF and bot mitigation solutions instead of all baked into one. It would be like choosing the best of both worlds. Life would have been so much simpler.”
Customer Managed Private Cloud
Diagram: Internet Gateway → Load Balancer (×2) → Vendor Proxy EC2 (×2) → Origin Server (×2), all inside the CUSTOMER VPC
Vendor Managed VPC with Cloud Infrastructure
Diagram: Internet Gateway → Load Balancer (×2) → Vendor Proxy EC2 (×2) in the Vendor’s VPC → Origin Server (×2) in the CUSTOMER VPC
Vendor Managed VPC with Physical Datacenters
Diagram: Internet Gateway → Load Balancer (×2) → Vendor Proxy EC2 (×2) in the vendor’s VPC → Servers in the CUSTOMER DATACENTER
On Prem Solutions
Diagram (DATA CENTER): Client → Firewall → Load Balancer → Vendor Appliances on VMs → Web Servers
Limitations of Traditional Deployment Models
1. You need to buy a CDN even though you just need a bot mitigation solution.
2. Switching between CDNs is a pain.
3. Deploying reverse proxy models is time consuming.
4. Reverse proxy models add additional transit time.
5. Auto Scaling may require the vendor’s AMIs.
6. Vertical scaling is still limited to availability zones.
7. Effective horizontal scaling needs your application to be stateless.
8. Legacy applications do not follow a microservice architecture, without which effective horizontal scaling is really tough.
Serverless Deployment
Imperva Connector Ecosystem
Diagram: Client → (API calls carrying telemetry data) → Imperva Connector Ecosystem
Connector Sequence Diagram Prior to Page Load
Participants: End User or Bot, Customer Connector Integration, Imperva Connector Ecosystem
1. End user or bot requests the protected webpage.
2. Customer connector integration makes an API call via POST /Analysis.
3. Imperva returns the API response with VisitorInfo.
4. Customer applies the "action", based on the policy in the portal.
5. Distil tag added to the response.
6. Page allowed or blocked for the end user or bot.
Connector Challenge Injection Sequence Diagram
Participants: Browser or Bot (End User or Threat Actor), Customer Connector Integration, Imperva Connector Ecosystem
1. Browser displays the page with the JS tag.
2. GET JavaScript challenge.
3. Execute challenge.
4. POST browser data.
5. Update token.
6. Update encrypted cookie.
Advantages of Serverless Deployment
1. No need to rely on baked-in solutions and pay for something you don’t need or use.
2. Scaling is handled by the platform when the deployment runs on Lambda@Edge or Workers (within the platform’s own concurrency limits).
3. No extra transit time through reverse proxy machines; the per-request cost that remains is the call to the analysis API, so give it a short timeout and decide up front whether to fail open or fail closed when it does not answer.
4. No need for on-demand instances or Auto Scaling groups for the bot solution.
5. No need to redirect DNS.
6. No reverse proxy machines to manage.
7. Deployment can happen in minutes.
8. Requires no infrastructure changes.
9. You get to choose the compute platform on which to deploy the bot mitigation solution.
Questions?