Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.


Gather Intelligence On Web Bots To Aid Defense

BotoPedia, a registry of Web bots, could help companies keep their sites open to good crawlers but closed to attackers and site scrapers

Automated traffic to Web sites has steadily increased, driven by legitimate search-engine indexing, questionable crawlers, and malicious attackers. Companies need to know which is which.

To that end, Web-security cloud service Incapsula launched a site on Wednesday for cataloging Web bots, the automated programs that crawl websites to index pages, grab competitive price information, gather information on social-networking users, or scan for vulnerabilities. With the site, dubbed BotoPedia, the company is gathering data on the Internet addresses used by Web bots as well as the user-agent strings and any other identifying information. The catalog will be open, but moderated, in much the same way as Wikipedia, says Marc Gaffan, co-founder and vice president of business development for Incapsula.

"This is essentially trying to take the gray area and classify it to a higher level of granularity, so that website operators have got the ability to cherry-pick who they want to let in and who they don't," Gaffan says.

While many services attempt to identify bots by the user-agent strings -- typically indicating browser information -- the signature is changed too easily to be useful, he says. Instead, BotoPedia will include the user-agent string, IP addresses, and other details.

While that is a simple change, it's an important one, says Bogdan Botezatu, senior threat analyst with security firm BitDefender.

"If you block my spider, I will change its name and come back and crawl your Web server in a few minutes without losing much money or time," Botezatu says. "But if you block my IP address, then I will have to either change my IP or change my provider or move to a different data center."

[ Researchers release free search engine-based data mining tools to identify and extract sensitive information from many popular cloud-based services. See Researchers To Launch New Tools For Search Engine Hacking. ]

BotoPedia was initially seeded with data on the top 50 bots, but another dozen had been submitted by outside sources by Wednesday evening. While the operators of good Web bots will self-submit, researchers will likely add information on bad bots as well, Gaffan says.

"I do expect a lot of bad bots to get in there, but obviously not by them coming forward," he says.

The rise of automated Web traffic is playing out against the backdrop of an estimated quadrupling of Internet traffic by the year 2016, according to networking giant Cisco's efforts to predict future bandwidth demand. Web traffic will increase slightly faster, expanding some five-fold between 2011 and 2016, the company estimates.

Automated traffic is taking an increasing share of the pie. Currently, slightly more than half of the traffic to websites comes from bots, according to Incapsula's data. Of the total, 20 percent are good page indexers and other desired bots, another 19 percent are intelligence-gathering bots that sites may not want, and the remaining 12 percent are scrapers, comment spammers, and flat-out attacks.

Attacks could be automated SQL-injection attacks on back-end databases, the scraping of user information, or just automated attempts at logging in. Overall, sites should expect each Web application to suffer a sustained attack nearly 120 days of each year, according to a report issued earlier this week by Web security firm Imperva. Companies should prepare for intense automated attacks, the company says.

"The success of the whole mission depends on the defense performance when under attack," states the report. "Therefore, the defense solutions and procedures should be designed to accommodate attack bursts."

Increasingly, attackers will cloak themselves in the appearance of legitimacy. By appearing to be a search-engine index bot, attackers will be able to bypass most filters, Incapsula's Gaffan says.

In a study of 1,000 customers, Incapsula found that more than 16 percent encountered Web bots that impersonated Google's automated crawlers. Because Google search rankings are so important, no site wants to block the company from indexing its pages.

In the end, the company hopes the online catalog will empower companies to make better decisions about what automated traffic they allow to peruse their sites, and what traffic they block, he says.

"This will give website owners a lot of different information and better awareness into who they want to let in," Gaffan says.

Have a comment on this story? Please click "Add Your Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message.

Comment  | 
Print  | 
More Insights
Threaded  |  Newest First  |  Oldest First
COVID-19: Latest Security News & Commentary
Dark Reading Staff 11/19/2020
How to Identify Cobalt Strike on Your Network
Zohar Buber, Security Analyst,  11/18/2020
New Proposed DNS Security Features Released
Kelly Jackson Higgins, Executive Editor at Dark Reading,  11/19/2020
Register for Dark Reading Newsletters
White Papers
Cartoon Contest
Write a Caption, Win an Amazon Gift Card! Click Here
Latest Comment: A GONG is as good as a cyber attack.
Current Issue
2021 Top Enterprise IT Trends
We've identified the key trends that are poised to impact the IT landscape in 2021. Find out why they're important and how they will affect you today!
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2020-11-23
A user authorized to perform database queries may trigger denial of service by issuing specially crafted queries, which loop indefinitely in mathematics processing while retaining locks. This issue affects: MongoDB Inc. MongoDB Server v4.0 versions prior to 4.0.5; v3.6 versions prior to 3.6.10; v3.4...
PUBLISHED: 2020-11-23
Use after free vulnerability in EDK II may allow an authenticated user to potentially enable escalation of privilege, information disclosure and/or denial of service via adjacent access.
PUBLISHED: 2020-11-23
Logic issue EDK II may allow an unauthenticated user to potentially enable denial of service via adjacent access.
PUBLISHED: 2020-11-23
Out of bounds write in Intel(R) PROSet/Wireless WiFi products on Windows 10 may allow an authenticated user to potentially enable denial of service via local access.
PUBLISHED: 2020-11-23
Improper input validation in BlueZ may allow an unauthenticated user to potentially enable escalation of privilege via adjacent access.