The Reign of Botnets (Wiley)
Author: David Sénécal

This book is subtitled 'Defending against Abuses, Bots and Fraud on the Internet', which is a big and important topic. David Sénécal is a bot detection expert at Akamai Technologies, which makes cloud computing and application security products, so he knows what he's talking about.

The book opens with a short history of the Internet, from ARPANET to the Metaverse. This chapter also takes a first look at the makeup of the web and has some fascinating figures on bot traffic. Sénécal looks at one-week traffic samples for a variety of sites, including a sportswear company where just 18% of visits came from actual humans and 77% came from scrapers designed to extract content and data for replication elsewhere. A home improvement company had 40% scraper traffic and nearly 20% from 'good bots' such as web search engines and search engine optimization tools. The chapter concludes that botnets are unpredictable and that enforcing laws against them is difficult.

Chapter 2 looks at the most common types of attack carried out using botnets: account takeover, account opening abuse, web scraping, scalping (using bots to snap up popular or scarce items ahead of genuine customers) and carding attacks.

Chapter 3 examines the evolution of botnet attacks and has an interesting description of six stages of botnet evolution, each a response to website owners putting increasing security measures in place, starting with a simple script deployed on a few nodes and ending with attacks that use a combination of humans and bots. In each case the ways website owners can guard against the attack are examined. This chapter also looks at botnets that can solve CAPTCHAs, though Sénécal says cheap human labor is the chosen technique for handling the most complex CAPTCHA designs.

The next chapter looks at how website owners can detect attacks by botnets. There are good discussions of positive versus negative security, transparent detection methods and risk scoring. Sénécal points out that detection can never be a perfect science, because of the need to keep malicious traffic out without annoying legitimate users with overly stringent detection techniques. This is followed by a chapter on how to assess detection accuracy, with a case study showing the detection of four different types of botnet.

While the information so far in the book is fascinating and unnerving, most readers will want to know how to respond to and stop botnet attacks, and that's the subject of the next chapter. Of course, as Sénécal says, most companies leave the problem to a web security company, but Chapter 6 looks at best practices for handling bot and fraud activity. As you'd expect, he advises defense in depth, having multiple layers of defense, and the chapter has some useful and interesting discussion of the techniques that can be used.

The final chapter considers Internet user privacy versus security, and discusses options such as the Private Access Token approach.

This is an interesting and well-informed book. Sénécal obviously knows his stuff and explains it well. A good read, if a disturbing one.