Crop from a map of the internet
Crop from a map of the internet (source: The Opte Project on Wikimedia Commons)

In this episode of the O’Reilly podcast, I spoke with Stephen Gates of Oracle Dyn. Gates joined the Oracle Dyn Global Business Unit from Zenedge, the web application security company recently acquired by Oracle. Gates and I discussed how growing malicious bot activity impacts organizations.

Here are some highlights:

The rise of malicious bots

One of the factors driving the current proliferation of malicious bots is the Mirai malware. It works by using a list of default usernames and passwords (from previous data breaches) to take control of IoT devices. One key differentiator with Mirai is that it’s self-propagating—each infected device has the ability to scan the internet to find similar devices and subsequently infect them. This has also spurred other self-propagating, copycat malware.

Another key factor driving malicious bot growth is the increase in malware that focuses on exploiting vulnerabilities (versus relying on usernames and passwords). The malware automates the process of scanning and infecting IoT devices for known vulnerabilities. Then, they're exploiting those known software vulnerabilities, which are quite common in IoT devices. The volume of attack traffic these devices can generate is a huge differentiator because many of these devices have access to pretty sizeable CPUs, and they've got access to a lot of bandwidth. As a result, we're seeing DDoS attacks being launched by these botnets in excess of 1.5 terabits per second. That's enough traffic to take a small country offline.

Mitigating malicious bot threats

To manage the risks malicious bots pose, organizations need to be aware that, realistically, bots represent a significant portion of site and application traffic. They must understand the threats against their specific business models and recognize the need to build systems that can differentiate between good bot traffic, bad bot traffic, and human activity. Sites and applications must allow good bots to continue performing critical activities (scrape data for Google search queries, for example), but also mitigate malicious bot activity. Done poorly, you could reduce the effectiveness of your SEO, or worse yet, block paying customers from your sites or applications.

An effective DDoS incident response plan includes detection and mitigation of these bot-driven attacks. Defenses should be layered, including cloud-based defenses for volumetric attacks, and most likely web application firewalls for the more measured attacks. Without having a DDoS response plan in place, you’re a sitting duck and effectively just waiting for one of these attacks to take your organization offline.

Preparing for the malicious bot attacks of the future

The malicious bot threat landscape will continue to evolve rapidly. To prepare, organizations must embrace advanced data capabilities, such as AI and supervised machine learning, to detect and defeat sophisticated malicious bot attacks. Additionally, businesses need to focus on hiring security intelligence analysts. Embracing AI and machine learning is only helpful if we have the capabilities to analyze the output. Accordingly, security analyst skills will be in very high demand.

This post is a collaboration between O'Reilly and Oracle Dyn. See our statement of editorial independence.

Article image: Crop from a map of the internet (source: The Opte Project on Wikimedia Commons).