Bot Attacks - EasySend Active Protection

    Article Overview

    The following article describes how EasySend defends and protects against bot attacks. 

    Overview

    A bot attack is a cyber attack that uses automated scripts to:

    • Disrupt a site
    • Steal data
    • Make fraudulent purchases
    • Perform other malicious actions

    These attacks can be deployed against many different targets, such as:

    • Websites
    • Servers
    • APIs
    • Other endpoints

    The purpose of these attacks can vary but often includes stealing sensitive information or causing damage to the target’s infrastructure.

    There are many types of bot attacks, each designed for a specific purpose. Any action by a bot that violates a website’s Terms of Service or the site’s robots.txt rules is considered malicious.

    Bot attacks include:

    • Credential stuffing - attackers use stolen login credentials to gain access to another website. Bots circumvent existing built-in security features in web application login forms by attempting multiple, simultaneous logins from various device types and IP addresses. The goal is to blend in bot attempts with typical login traffic.
    • Web/content scraping - bots download (or “scrape”) content from a website to use it in future attacks. A website scraper bot sends a series of HTTP GET requests and copies and saves the information - all within seconds.
    • Denial-of-Service (DoS) and Distributed Denial-of-Service (DDoS) attacks - attackers infect networks of Internet-connected machines such as computers or IoT devices. Once the network is infected, attackers send remote instructions to each bot to overwhelm the server or network, causing outages and downtime.
    • Brute force password cracking - attacks that use bots to infiltrate protected accounts by trying every possible password combination or cracking encryption keys to gain unauthorized access to sensitive data.
    • Click fraud - attackers target pay-per-click ads to boost the search rankings of a webpage via fake clicks. A bot pretends to be a legitimate visitor and clicks on an ad, button, or other hyperlink. By imitating human patterns of behavior, it may trick the platform or service into thinking real users are interacting with the links.

    EasySend Default Bot Protection Policy

    EasySend ensures continuous protection for your production player server (where your processes run) against potential bot attacks. To detect and counter bot activity, EasySend leverages the Bot Score Cloudflare service.

    A bot score is a score from 1 to 99 that indicates how likely it is that a request came from a bot. For example, a score of 1 means Cloudflare is quite certain the request was automated, while a score of 99 means Cloudflare is quite certain the request came from a human.

    Table 1: Bot Score

    | Number | Category | Range |
    |---|---|---|
    | 1 | Not computed | 0 |
    | 2 | Automated | 1 |
    | 3 | Likely automated | 2 through 29 |
    | 4 | Likely human | 30 through 99 |
    | 5 | Verified bot | Non-malicious automated traffic (used to power search engines and other applications) |

    Based on the categories in Table 1, EasySend implements a rule that routes any activity scoring below 30 to Cloudflare's managed challenge service. While it's unlikely for genuine users to encounter this managed challenge, the following section describes how it operates if they do.

    Managed Challenge

    With a managed challenge, Cloudflare dynamically chooses the appropriate type of challenge based on the characteristics of a request. This helps avoid reCAPTCHA, which also reduces the lifetimes of human time spent solving reCAPTCHA across the Internet.

    Depending on the characteristics of a request, Cloudflare will choose an appropriate type of challenge, which includes:

    • A non-interactive challenge page (JS challenge) - Cloudflare presents a challenge page that requires no interaction from a visitor, but rather JavaScript processing by their browser. The visitor will have to wait until their browser finishes processing the JavaScript, which should be less than five seconds.
    • Turnstile (reCAPTCHA) - a custom interactive challenge. With Turnstile, Cloudflare adapts the actual challenge outcome to the individual visitor or browser. First, it runs a series of small non-interactive JavaScript challenges to gather more signals about the visitor/browser environment. Those challenges include proof-of-work, proof-of-space, probing for web APIs, and various other challenges for detecting browser quirks and human behavior. As a result, Cloudflare can fine-tune the difficulty of the challenge to the specific request and avoid ever showing a visual puzzle to a user. Turnstile also includes machine learning models that detect common features of end visitors who were able to pass a challenge before. The computational hardness of those initial challenges may vary by visitor but is targeted to run fast. Turnstile helps avoid CAPTCHAs, which also reduces the lifetimes of human time spent solving CAPTCHAs across the Internet. Turnstile widget types include:
      • A non-interactive challenge.
      • A non-intrusive interactive challenge (such as clicking a button), if the visitor is a suspected bot.
      • An invisible challenge to the browser.



    Active Monitoring

    EasySend provides a set of bot monitoring, based on rules managed by Cloudflare Bot Management, to monitor random bot attacks on the customer's Players. The bot monitoring EasySend provides is listed below:

    • Requests by bot score - the number of requests to your application, organized into groups based on each request's bot score.
    • Bot score distribution - Cloudflare scores each request 1 (definitely automated) through 99 (definitely human).
    • Top attributes of requests - a breakdown of attributes of requests. Useful for creating rules specifically blocking or allowing desired request attributes.

    This data is viewed and analyzed by EasySend itself.
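
    The following added example (not EasySend's or Cloudflare's own code) applies the Table 1 categories and the "below 30" challenge rule to a few constructed request records, producing the "requests by bot score" and "top attributes" views described above. The record field names, sample values and the `allow` label are assumptions made for this example.

```python
import json
from collections import Counter

CHALLENGE_BELOW = 30  # threshold stated on this page: scores below 30 are challenged

# Constructed sample records (documentation IPs); field names are assumptions.
SAMPLE_LOG = """\
{"ip": "198.51.100.7", "path": "/login", "ua": "python-requests/2.31.0", "bot_score": 1}
{"ip": "198.51.100.7", "path": "/login", "ua": "python-requests/2.31.0", "bot_score": 1}
{"ip": "203.0.113.20", "path": "/login", "ua": "curl/8.4.0", "bot_score": 12}
{"ip": "192.0.2.44", "path": "/form/start", "ua": "Mozilla/5.0", "bot_score": 87}
{"ip": "192.0.2.45", "path": "/form/start", "ua": "Mozilla/5.0", "bot_score": 30}
{"ip": "192.0.2.90", "path": "/health", "ua": "uptime-check", "bot_score": 0}
{"ip": "203.0.113.99", "path": "/robots.txt", "ua": "ExampleSearchBot/1.0", "bot_score": 40, "verified_bot": true}
"""

def category(score, verified_bot=False):
    """Map a bot score to its Table 1 category."""
    if verified_bot:
        return "Verified bot"
    if score == 0:
        return "Not computed"
    if score == 1:
        return "Automated"
    if 2 <= score <= 29:
        return "Likely automated"
    if 30 <= score <= 99:
        return "Likely human"
    raise ValueError(f"bot score out of range: {score!r}")

def action(score):
    # The page states the rule only as "below 30"; it does not say whether
    # not-computed (0) or verified-bot traffic is exempt, so this is literal.
    return "managed_challenge" if score < CHALLENGE_BELOW else "allow"

def summarize(log_text, top_n=2):
    """Return (requests per category, requests per action, top challenged attributes)."""
    by_cat, actions, top_attrs = Counter(), Counter(), Counter()
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        by_cat[category(rec["bot_score"], rec.get("verified_bot", False))] += 1
        act = action(rec["bot_score"])
        actions[act] += 1
        if act == "managed_challenge":
            top_attrs[(rec["path"], rec["ua"])] += 1
    return by_cat, actions, top_attrs.most_common(top_n)
```

    The "Not computed" record is challenged here only because the threshold is applied literally; seeing it as its own category in the summary is what lets a reviewer notice such traffic.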

    In addition, EasySend provides DDoS protection against a variety of DDoS attacks by using the Cloudflare service that constantly updates the DDoS managed rulesets to:

    • improve the attack coverage.
    • increase the mitigation consistency.
    • cover new and emerging threats.
    • ensure cost-efficient mitigations.

    Custom Web Application Firewall (WAF)

    In addition to the default policy, EasySend customers have the option to acquire an extended service tailored to address their specific requirements. This service can be activated based on actions such as Cloudflare's managed challenge or blocking.

    Our custom WAF rules and custom rate-limiting capabilities are based on Cloudflare's rule parameters. For additional information, click here.

