Benjamin Fabre, DataDome: Bots-as-a-Service Lower the Barrier to Entry for Launching Attacks

Bad bots continue to be big trouble. Not only do they account for a quarter of all Internet traffic, but it’s also now easier than ever for the average, non-technical person to launch malicious bot attacks, thanks to Bots-as-a-Service.

People are increasingly monetizing bots, providing them in exchange for a subscription fee. As such, having money trumps technical knowledge when it comes to launching hard-hitting bot attacks. The wake of destruction caused by bad bots can seriously jeopardize businesses’ website performance, customer experience, data security, and overall reputation.

We spoke with Benjamin Fabre, co-founder and CTO of DataDome, for a deeper dive into Bots-as-a-Service attacks and best practices for combating them.

How, with just a few clicks, can anyone launch an attack that spawns a headless browser that can simulate human actions, bypass the CAPTCHA, scrape content, and more?


In the past, hackers needed coding skills to develop and execute cyberattacks on their own. Now, cyber criminals can buy or lease bots-as-a-service on the black market. This means that financial means, over technical knowledge, is now the key to launching hard-hitting bot attacks, jeopardizing businesses’ website performance, customer experience, data security and overall reputation.


Take, for example, scraping services like Scraper API, ScrapingBee, or ScrapingDog. These services provide all the necessary mechanisms to make requests to a website using a headless browser or an HTTP request library. They handle proxy rotation for the user, and automatically spoof HTTP headers in a consistent way to minimize the chance of being detected. Some services even integrate with Captcha farm APIs, which makes it easy to forge Captchas with the help of human workers in low-income countries. They typically rely on open-source projects such as Puppeteer Extra, which comes with plugins enabling users to lie about their fingerprints and to easily connect to Captcha farms.


So-called AIO (all in one) bots also provide the mechanisms users need to easily rotate their fingerprints, change their IP with proxies, and pass Captchas (either via Captcha farms or by the bot operator centralizing Captcha solving in the software).


How do Bots-as-a-Service create a cascade of problematic events for e-commerce businesses?


Bots-as-a-Service don’t only allow just anyone to launch an attack directly; they also help other bots bypass the website’s security systems.


Making a bot becomes as simple as making an API call to scrape a URL, even if it’s protected. Instead of making the request directly to the protected website, the bot makes API calls to the Bot-as-a-Service, passing the parameters of the URLs it wants to scrape. The difficult part, avoiding detection, is left to the Bot-as-a-Service.


Most Bots-as-a-Service only charge for successful (non-blocked) requests, taking on the responsibility for properly forging the fingerprint and using good proxies.


Why are Bots-as-a-Service more difficult to detect and combat?


They are not necessarily more difficult to detect than other sophisticated bots, but they have certain strengths which make them challenging to combat.


The people behind these services have expert knowledge of bot detection and how to minimize the risk of being detected. For example, they spoof headers consistently, and lie convincingly about their browser fingerprints.


And there is strength in numbers; because the cost is spread over a large number of users, they can profitably rent or acquire large sets of high-quality residential proxies which may be too expensive for individuals or companies making bots only for themselves.
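The answer above names header consistency as one thing these services get right. The following is an added example, not DataDome's detection logic or anything from the interview: a minimal server-side header-consistency check of the kind that flags tooling which does not spoof headers consistently. The browser behaviours it encodes (Chromium sending low-entropy client hints, every modern browser sending Sec-Fetch-* metadata on navigations) are simplifications stated as assumptions, the request is assumed to arrive as a plain dict of header names to values, and the three sample requests are constructed, not captured traffic.

```python
# Added example, not DataDome's code: a simplified header-consistency check
# for a top-level HTML navigation. Rules below are assumptions about default
# browser behaviour, kept deliberately coarse.
import re
from dataclasses import dataclass, field


@dataclass
class Verdict:
    suspicious: bool
    reasons: list = field(default_factory=list)


CHROMIUM_UA = re.compile(r"Chrome/(\d+)")
FIREFOX_UA = re.compile(r"Firefox/(\d+)")

# Value of Sec-CH-UA-Platform -> substring the matching User-Agent should carry
PLATFORM_TOKENS = {"Windows": "Windows", "macOS": "Mac OS X",
                   "Linux": "Linux", "Android": "Android"}


def check_headers(headers: dict) -> Verdict:
    """Return the inconsistencies found in one navigation request's headers."""
    h = {k.lower(): v for k, v in headers.items()}
    reasons = []
    ua = h.get("user-agent", "")
    if not ua:
        reasons.append("missing User-Agent")
    if "HeadlessChrome" in ua:
        reasons.append("User-Agent identifies headless Chrome")
    chrome = CHROMIUM_UA.search(ua)
    # Chromium-based browsers send the low-entropy client hints (Sec-CH-UA,
    # Sec-CH-UA-Mobile, Sec-CH-UA-Platform) by default; Firefox and Safari do not.
    if chrome and int(chrome.group(1)) >= 89 and "sec-ch-ua" not in h:
        reasons.append("Chrome UA without Sec-CH-UA client hints")
    if FIREFOX_UA.search(ua) and "sec-ch-ua" in h:
        reasons.append("Firefox UA with Chromium-only Sec-CH-UA header")
    platform = h.get("sec-ch-ua-platform", "").strip('"')
    token = PLATFORM_TOKENS.get(platform)
    if token and token not in ua:
        reasons.append(f"Sec-CH-UA-Platform {platform!r} disagrees with User-Agent")
    # Modern browsers attach Sec-Fetch-* metadata to every navigation.
    missing = [n for n in ("sec-fetch-mode", "sec-fetch-site", "sec-fetch-dest")
               if n not in h]
    if missing:
        reasons.append("missing " + ", ".join(missing))
    # A browser asking for a page sends an HTML Accept and an Accept-Language.
    if "text/html" not in h.get("accept", ""):
        reasons.append("Accept header does not request HTML")
    if "accept-language" not in h:
        reasons.append("missing Accept-Language")
    return Verdict(bool(reasons), reasons)


# Constructed sample requests (not captured traffic).
SAMPLE_BROWSER = {
    "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
                  "(KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36",
    "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8",
    "Accept-Language": "en-US,en;q=0.9",
    "Sec-CH-UA": '"Not_A Brand";v="8", "Chromium";v="120", "Google Chrome";v="120"',
    "Sec-CH-UA-Mobile": "?0",
    "Sec-CH-UA-Platform": '"Windows"',
    "Sec-Fetch-Mode": "navigate",
    "Sec-Fetch-Site": "none",
    "Sec-Fetch-Dest": "document",
}
# A plain HTTP library with default headers: no attempt at looking like a browser.
SAMPLE_LIBRARY = {
    "User-Agent": "python-requests/2.31.0",
    "Accept": "*/*",
    "Accept-Encoding": "gzip, deflate",
}
# A Chrome User-Agent pasted in, but without the headers Chrome sends alongside it.
SAMPLE_SPOOFED = {
    "User-Agent": SAMPLE_BROWSER["User-Agent"],
    "Accept": SAMPLE_BROWSER["Accept"],
    "Accept-Language": "en-US,en;q=0.9",
}

if __name__ == "__main__":
    for name, req in (("browser", SAMPLE_BROWSER), ("library", SAMPLE_LIBRARY),
                      ("spoofed", SAMPLE_SPOOFED)):
        v = check_headers(req)
        print(name, "suspicious" if v.suspicious else "consistent", v.reasons)
```

Consistent spoofing of exactly these fields is what the services described above sell, so a check like this is a cheap first filter that removes unsophisticated tooling and surfaces the inconsistent cases; it is not a substitute for behavioural and fingerprint analysis against operators who do get the headers right.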


How did a gaming company that was recently the victim of a Bots-as-a-Service attack recover?


Recently, a well-known gaming company which lists popular servers of sandbox, survival, and indie games was the victim of a Bots-as-a-Service attack. One of the company’s most important lists ranks Minecraft servers by using a voting system: the more people vote for a server, the higher the server ranks and the more popular it becomes.


To make sure a particular server ranked higher on the list, hackers purchased a Bots-as-a-Service program that circumvented the gaming company’s detection system and voted for a particular server, skewing the list ranking. What’s more, it had become a business; companies were offering cheats with a price-per-vote, such as $5 for 1,000 daily votes.


This not only threatened the reputation of the company’s Minecraft list, but it cost them money, too. The time spent dealing with bot traffic represented a cost, and it wasn’t the only one. The company uses a number of third-party services, including a VPN detection service that charges based on the number of requests. By increasing the traffic volume, bots were driving up the costs of these services significantly.


The gaming company eventually solved the problem by implementing an anti-bot protection solution that saved its reputation, and significantly lowered operating costs, especially for services whose rates are based on traffic and the number of requests.
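The cost exposure described in this answer (a third-party lookup billed per request, and bots multiplying the requests) has a simple structural mitigation: run cheap local checks before the paid call, and cache the paid verdict per IP so the bill scales with distinct addresses rather than with vote volume. The following is an added example, not the gaming company's or DataDome's code. `paid_vpn_lookup` is a constructed stub standing in for a hypothetical billed VPN-detection API, the vote stream is constructed, and the thresholds are placeholders.

```python
# Added example, not the gaming company's or DataDome's code: a vote-intake gate
# that bounds calls to a per-request-billed lookup and limits vote flooding.
import time
from collections import defaultdict, deque


class VoteGate:
    def __init__(self, lookup, cache_ttl=3600, max_votes_per_ip=1,
                 window=86400, now=time.time):
        self.lookup = lookup            # callable(ip) -> bool; assumed billed per call
        self.cache_ttl = cache_ttl      # seconds a lookup verdict is reused
        self.max_votes = max_votes_per_ip  # votes allowed per (ip, server) per window
        self.window = window
        self.now = now                  # injectable clock for deterministic runs
        self._cache = {}                # ip -> (verdict, expires_at)
        self._votes = defaultdict(deque)  # (ip, server) -> accepted-attempt timestamps
        self.paid_calls = 0

    def is_vpn(self, ip):
        """Return the cached verdict when fresh; otherwise pay for one lookup."""
        t = self.now()
        hit = self._cache.get(ip)
        if hit and hit[1] > t:
            return hit[0]
        verdict = self.lookup(ip)
        self.paid_calls += 1
        self._cache[ip] = (verdict, t + self.cache_ttl)
        return verdict

    def _over_rate(self, key, t):
        q = self._votes[key]
        while q and q[0] <= t - self.window:   # drop attempts outside the window
            q.popleft()
        if len(q) >= self.max_votes:
            return True
        q.append(t)
        return False

    def submit_vote(self, ip, server_id):
        t = self.now()
        # Local checks first: anything rejected here never reaches the paid API.
        if self._over_rate((ip, server_id), t):
            return "rejected:rate"
        if self.is_vpn(ip):
            return "rejected:vpn"
        return "accepted"


def simulate():
    """Run a constructed vote stream through the gate and report the outcome."""
    flagged = {"203.0.113.7"}            # constructed: the one address the stub calls a VPN
    clock = [1_700_000_000.0]

    def paid_vpn_lookup(ip):             # stub for the hypothetical billed API
        return ip in flagged

    gate = VoteGate(paid_vpn_lookup, now=lambda: clock[0])
    # Constructed events: a few genuine voters (one voting for two servers),
    # one proxy address hammering a server, one plain address hammering it too.
    events = [("198.51.100.1", "srv-1"), ("198.51.100.1", "srv-2"),
              ("198.51.100.2", "srv-1"), ("198.51.100.3", "srv-1")]
    events += [("203.0.113.7", "srv-1")] * 1000
    events += [("192.0.2.9", "srv-1")] * 50

    counts = defaultdict(int)
    for ip, server in events:
        clock[0] += 1.0                  # one second between submissions
        counts[gate.submit_vote(ip, server)] += 1
    return {
        "events": len(events),
        "accepted": counts["accepted"],
        "rejected_vpn": counts["rejected:vpn"],
        "rejected_rate": counts["rejected:rate"],
        "paid_lookups": gate.paid_calls,
        "lookups_without_gate": len(events),   # one billed call per vote otherwise
    }


if __name__ == "__main__":
    for k, v in simulate().items():
        print(f"{k:>22}: {v}")
```

The order of the checks is the point: the rate limit and the cache run in memory, so a flood of repeated submissions from one address costs one billed lookup instead of one per vote, and the verdict for a genuine voter who picks two servers is reused rather than bought twice. The same structure applies to any per-request-priced dependency sitting behind a public endpoint.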

