Battling The Bot Nation

There are massive distributed denial-of-service (DDoS) attacks that saturate a targeted website or network with unwanted traffic and knock it offline -- and then there are what renowned security expert Dan Kaminsky calls "resource-based DDoS" attacks that his startup White Ops increasingly is catching in action.

It's where stealthy bots are used to automate database lookups such that they ultimately sap performance for legitimate site visitors. Take a recent case where more than 20% of a major global retailer's website traffic during the Christmas holiday season came from stealthy bots recruited by its competitors to scrape in bulk pricing information from the retailer. "It's competitive intelligence" and it's happening en masse, says Michael Tiffany, CEO of White Ops, a bot-detection firm. "Everyone is spying on everyone to get everyone's prices."

Tiffany wouldn't name the retailer, a White Ops customer, but says it's so big that retailers tend to attempt to normalize around its pricing structure. "To succeed and hide in the noise, these are full... browsers in compromised machines scraping the websites from a major retailer," he says. "It was somebody who pretending to be a Google bot. They [the retailer] said, 'we don't mind scraping our prices, but they're doing it too fast and damaging the [online] experience for our real customers.'"

So White Ops' mission was more about "rate-limiting" the bots they found hitting the site, some of which were running 50 database lookups a second. "You take all of these bots doing database queries, relatively slowly but still high from a database lookup standpoint, and identify those bots so they can be put into a rate-limiting bucket," says Kaminsky, chief scientist at White Ops.

Such is the pervasive use of the bot -- basically a malware-infected machine remotely controlled by cybercriminals -- today. White Ops, which today announced that it has secured $7 million in funding from investors Paladin Capital Group and Grotech Ventures, offers technology it says can tell a bot from a real online user.

The new funding should help propel White Ops' move into the enterprise business, where it's already selling not only to e-commerce firms like the large retailer under resource-based DDoS attacks, but also to financial services firms adding another layer to detect man-in-the browser online banking fraud, e-commerce fraud, and resource-sapping DDoS attacks. Kaminsky and Tiffany say they can't give specifics or names of their customers.

White Ops' initial customers were in the online ad space, where botnet-driven click fraud abounds, but Kaminsky says the technology initially was built with financial services fraud in mind. "It just so happened the ad [industry] came running to us asking for help with this... threat, so we shifted our attention to ads because there was so much excitement there," Kaminsky says.

Botnets are the main weapon of most cybercriminals, as well as nation-state cyberspies. A recent study by Check Point Software found that a bot is born every 24 hours, and nearly three-fourths of enterprises have at least one bot-infected endpoint living in their corporate network. Some 77% of bots reside undetected for more than a month, and according to White Ops, experts estimate that 22% of online advertising is bot-driven worldwide, costing billions in lost revenue yearly.

White Ops basically relies on a single line of JavaScript inserted on the customer side. It collects telemetry about a session that is sent to White Ops cloud-based service, which determines whether the session is a bot or a human, and sends that intelligence to the customer's SIEM or other security system. "We find deterministic signs that this browser is not being driven by a human, but by a bot," Kaminsky says. "No matter how clever you [the attacker] are, you're not going to teleport to the machine in question. You're never looking at the physical machine or touching the keyboard," and there are some characteristics of physical versus remote control that White Ops studies, according to Kaminsky.

"We detect what that browser is doing," he says.