In The Reign of Botnets: Defending Against Abuses, Bots and Fraud on the Internet, fraud and bot detection expert David Senecal delivers a timely and incisive presentation of the contemporary bot threat landscape and the latest defense strategies used by leading companies to protect themselves. The author uses plain language to lift the veil on bots and fraud, making a topic critical to your website's security easy to understand and even easier to implement.
You'll learn how attackers think, what motivates them, how their strategies have evolved over time, and how website owners have changed their own behaviors to keep up with their adversaries. You'll also discover how you can best respond to patterns and incidents that pose a threat to your site, your business, and your customers.
The book includes:
- A description of common bot detection techniques, exploring the difference between positive and negative security strategies and other key concepts
- A method for assessing and analyzing bot activity, to evaluate the accuracy of the detection and understand the botnet's sophistication
- A discussion of the challenge of collecting data for security purposes while balancing the ever-present need for user privacy
Ideal for web security practitioners and website administrators, The Reign of Botnets is the perfect resource for anyone interested in learning more about web security. It's a can't-miss book for experienced professionals and total novices alike.
Table of Contents
Introduction xvii
Chapter 1 A Short History of the Internet 1
From ARPANET to the Metaverse 2
The Different Layers of the Web 7
The Emergence of New Types of Abuses 9
The Proliferation of Botnets 11
Quantifying the Bot Traffic Volume on the Internet 14
Botnets Are Unpredictable 16
Bot Activity and Law Enforcement 18
Summary 19
Chapter 2 The Most Common Attacks Using Botnets 21
Account Takeover 22
Data Harvesting 23
Credential Harvesting 26
Account Takeover 31
Targeted ATO Attacks 34
A Credential Stuffing Attack Example 35
Account Opening Abuse 38
The Tree Hiding the Forest 39
Fraud Ring 41
Web Scraping 48
The Intent Behind Scraping by Industry 49
Good Bot Scraping 51
Inventory Hoarding 53
Business Intelligence 55
Scalping: Hype Events 58
Online Sales Events Mania and Scalping 58
The Retailer Botnet Market 59
Anatomy of a Hype Event 61
Carding Attacks 64
Gift Cards 65
Credit Card Stuffing 66
Spam and Abusive Language 66
Summary 67
Chapter 3 The Evolution of Botnet Attacks 69
Incentive vs. Botnet Sophistication 70
HTTP Headers 101 71
Common HTTP Headers 71
Legitimate Browser Signatures 74
Header Signatures from Bot Requests 75
The Six Stages of a Botnet Evolution 77
Stage 1: Deploy the Botnet on a Handful of Nodes Running a Simple Script 77
Stage 2: Scale the Botnet and Impersonate the Browsers' Header Signatures 79
Stage 3: Reverse Engineer JavaScript and Replay Fingerprints 80
Stage 4: Force the Web Security Product to Fail Open 81
Stage 5: Upgrade the Botnet to a Headless Browser 82
Stage 6: Resort to Human/Manual Attack 84
Botnets with CAPTCHA-Solving Capabilities 85
Human-Assisted CAPTCHA Solver 85
Computer Vision 88
The CAPTCHA Solver Workflow 88
AI Botnets 89
The Botnet Market 91
Summary 93
Chapter 4 Detection Strategy 95
Data Collection Strategy 96
Positive vs. Negative Security 98
The Evolution of the Internet Ecosystem 99
The Evolution of Detection Methods 100
Interactive Detection 100
Transparent Detection 103
The State of the Art 106
Transparent Detection Methods 108
Good Bot Detection 109
Good Bot Categories 111
IP Intelligence 115
Cookie Handling 118
JavaScript Execution Handling 119
Device Intelligence 120
Proof of Work 123
Behavioral Biometric Detection 125
Headless Browser Detection 128
User-Behavior Anomaly Detection 130
Email Intelligence 135
Advanced PII Data Assessment 140
Risk Scoring 142
Formula 143
Consuming the Risk Score 144
Summary 145
Chapter 5 Assessing Detection Accuracy 147
Prerequisites 148
High-Level Assessment 149
Website Structure 150
Website Audience 151
Types of Clients 151
Assessing the Shape of the Traffic 152
Quantitative Assessment (Volume) 155
Feedback Loop 156
Response Strategy Assessment 158
Low-Level Assessment 158
IP Intelligence 159
Device Intelligence 163
Assessment Guidelines 168
Identifying Botnets 170
Botnet Case Study 173
The Evening Crawler 174
The Sprint Scraper 175
The Night Crawler 176
The Cloud Scraper 177
Summary 177
Chapter 6 Defense and Response Strategy 179
Developing a Defense Strategy 180
Do-It-Yourself 180
Buying a Bot Management Product from a Vendor 182
Defense in Depth 184
Technology Stack to Defend Against Bots and Fraud 186
Detection Layer to Protect Against Bot Attacks 186
Detection Layer to Protect Against Online Fraud 188
Response Strategies 189
Simple Response Strategies 190
Advanced Response Strategies 191
Operationalization 193
Mapping a Response Strategy to a Risk Category 193
Preparing for Special Events 195
Defending Against CAPTCHA Farms 196
Summary 197
Chapter 7 Internet User Privacy 199
The Privacy vs. Security Conundrum 199
The State of Privacy and Its Effect on Web Security 201
IP Privacy 201
Cookie Tracking Prevention 204
Anti-fingerprinting Technology 206
The Private Access Token Approach 213
The High-Level Architecture 214
The PAT Workflow 214
PAT Adoption 216
Summary 218
References 219
Index 223