Can you spot the bots hiding in rotating residential proxies?
By Stacey Mugridge / 31st Aug 2021
On the countdown to a new release, every second counts to snap up those limited-edition new kicks or sought-after concert tickets. Online attackers know that if they deploy bots to gain a competitive advantage without masking their activity, it’s only a matter of time before the target eCommerce platform blocks them.
Industries are becoming more and more alert to bots and their ever-increasing sophistication. In a constant game of cat and mouse, threat actors in turn become savvier to the traditional defenses businesses might set up to try to block automated activity. Hustlers will hustle, infuriating but true.
How do bots go undetected for so long?
In the cybersecurity world, it’s common knowledge that threat actors rely heavily on datacenter proxies to mask their own IP and keep their anonymity when partaking in illegal and fraudulent activity. However, given that it’s easy to identify a datacenter by its autonomous system number (ASN), it’s fair to say most security solutions would have little difficulty blocking the datacenter from a targeted website if malicious activity was suspected.
This has given rise to a new approach of masking bot activity – through rotating residential proxies (RRP).
What is a rotating residential proxy?
A residential proxy network allows for the proxying of network traffic through home internet connections. Allocating genuine residential IPs gives users anonymity within a sea of traffic that is usually deemed less suspicious.
Bot operators get their hands on residential IPs via various means:
- Individuals sell on their unused bandwidth to a proxy provider
- Some mobile apps are monetized by using the device’s IP address instead of showing ads, feeding residential proxy networks
- ISPs rent out unused bandwidth and IPs to proxy servers
Bots are like the internet’s worst houseguests, and rotating residential proxies help them to look right at home within the target platform’s web traffic. Combining the use of bots with the use of a rotating residential proxy allows the illicit activity to blend in amongst genuine customer activity. Enlisting an RRP essentially guarantees the threat actor that the bots deployed will be able to carry out requests at speed, with a much higher likelihood that they will operate without challenge by client-side security measures.
Why does activity being masked by rotating residential proxies go undetected?
A credential stuffing attack sends hundreds of requests per second, rotating stolen usernames and credentials using brute force to take over legitimate customer accounts. Whether this is done from one anonymized IP or from a datacenter’s IP range (which is usually straightforward to identify because the addresses share the first few integers), this type of activity can be easily identified by most security solutions at the point of log-on.
By distributing suspicious requests amongst several IPs deemed unsuspicious in nature, the motive of attacks can be very easily concealed, as can the scale of the requests involved, which are interwoven with genuine customer requests. Without being flagged as suspicious activity, unlimited requests going unchallenged can stockpile limited items, or scrape competitors to gain pricing advantages. It is common for businesses that are a target of a bot attack masked by residential proxy networks to not even know they are or have been a target.
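The gap described above, as an added example that is not from the original article or from Netacea's product: a per-IP failed-login threshold is compared with an aggregate check over the same window of constructed login events. The thresholds, the historic failure baseline and the event format are assumptions chosen for illustration.

```python
from collections import defaultdict

PER_IP_LIMIT = 20           # assumed: failed logins tolerated per IP per window
BASELINE_FAIL_RATIO = 0.10  # assumed: historic share of failed logins

def sample_window():
    """Constructed login events for one time window: (ip, username, ok)."""
    # One noisy source: 60 failures from a single address.
    events = [("203.0.113.10", f"acct{i}", False) for i in range(60)]
    # Rotating pattern: 200 addresses, 2 failures each, all different accounts.
    for i in range(200):
        ip = f"198.51.100.{i + 1}"
        events += [(ip, f"acct{1000 + 2 * i + k}", False) for k in range(2)]
    # Genuine customers: 100 addresses; every tenth mistypes once, then logs in.
    for i in range(100):
        ip, user = f"192.0.2.{i + 1}", f"customer{i}"
        if i % 10 == 0:
            events.append((ip, user, False))
        events.append((ip, user, True))
    return events

def per_ip_flags(events, limit=PER_IP_LIMIT):
    """Per-IP threshold: flags only sources that exceed the limit on their own."""
    fails = defaultdict(int)
    for ip, _, ok in events:
        if not ok:
            fails[ip] += 1
    return {ip for ip, n in fails.items() if n > limit}

def distributed_suspects(events, baseline=BASELINE_FAIL_RATIO, limit=PER_IP_LIMIT):
    """Aggregate view: if the window's failure ratio is far above the historic
    baseline, return low-volume IPs that never succeeded and tried 2+ accounts."""
    failed = sum(1 for _, _, ok in events if not ok)
    if not events or failed / len(events) < 3 * baseline:
        return set()
    users, fails, succeeded = defaultdict(set), defaultdict(int), set()
    for ip, user, ok in events:
        users[ip].add(user)
        if ok:
            succeeded.add(ip)
        else:
            fails[ip] += 1
    return {ip for ip in fails
            if fails[ip] <= limit and ip not in succeeded and len(users[ip]) >= 2}

if __name__ == "__main__":
    window = sample_window()
    print("per-IP rule flags:", sorted(per_ip_flags(window)))
    print("aggregate rule flags:", len(distributed_suspects(window)), "low-volume IPs")
```

The customers who mistype once and then log in stay out of the second result because the same address later succeeds on the same account.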
What can retail companies do to combat attacks of this sophistication?
Netacea has identified a multi-layered approach to be the most effective way to protect any web-facing platform. Our bot management solution has been designed to handle the level of data and complexity of analysis required to identify bots in this way. The solution works by analyzing web logs in real time and combining this with historic trends to analyze user behavior and determine the intent of traffic.