The Contrast Between ‘Low & Slow’ and DDoS Attacks
In the bot management industry, you’ll frequently hear about ‘low and slow attacks’ and DDoS (Distributed Denial of Service) attacks which are the most common attack techniques used by bots. Low and slow attacks attempt to evade website defenses by attacking in low enough numbers to avoid setting off alarm bells in basic rate-limiting security systems. Using advanced exploit kits sold on the Dark Web, attackers target websites using bots launched from several thousand IP addresses ─ but each address is only used once per attack. This is because conventional security systems rely on IP address blacklists that specify addresses from which bot attacks have previously originated. These exploit kits usually contain several attack tools that can launch bots using multiple rotating proxy IPs and device User Agents that execute programmatic or sequential requests to evade detection and perform large-scale attacks.
The graph below shows all the bot traffic to a single website in our customer base over a period of one day. Low and slow attacks are interspersed throughout the course of the day, unlike bots that attack in large clusters in short timeframes. This attack strategy makes them appear to be relatively innocuous to security systems when compared to the clustered high-intensity bot attack patterns, which is why low and slow attacks are so prevalent and harmful. This also helps attackers carry out systematic scraping campaigns by staying below typical traffic thresholds that would otherwise raise red flags.
Figure 1: Bot traffic to customer website plotted over the course of one day
Now let’s look at volumetric or DDoS attacks, which leverage large numbers of bots originating from thousands of devices that could be globally distributed. The ensuing volume of traffic is intended to overwhelm web applications and their supporting infrastructure, causing severe slowdowns ─ and in many cases website and application outages. In an application DDoS scenario, legitimate users are unable to access the required resources and are essentially locked out due to the unresponsiveness of the web application. High-frequency attack strategies are mostly used to carry out DDoS and are also used in account takeover (ATO) attacks that use credential stuffing and cracking techniques to compromise accounts. Though our customer uses a dedicated DDoS mitigation solution, it could not stop this Application DDoS attack, but our solution could.
Figure 2: All traffic to customer website over the course of one day
The growing prevalence and impact of low and slow as well as DDoS attacks have led to enterprises increasingly choosing to deploy dedicated bot management solutions. Specialized solutions rely on advanced machine learning-based technologies to detect malicious automated activities in what seems to be legitimate HTTP requests which usually go undetected by basic security systems in general use today. For a deep dive into bot types, threats, origins, and mitigation recommendations read our Ultimate Guide to Bot Management.
Originally published at https://www.shieldsquare.com on March 31, 2020.