Combatting Botnet Traffic with Behavioral Analysis: Part I

Posted by Will Woodson | Senior Security Engineer on Jun 6, 2018 7:25:47 AM

The following is the first post in a three-part series on bot detection and neutralization based on botnet analysis. The series begins with commodity form and comment spam.

Botnet Form Spam

One of the unfortunate realities of running a site on the Internet is the amount of "background noise" -- the automated, unsophisticated, poorly targeted attacks, which make up the bulk of malicious web traffic. For the sake of this series, we're calling this 'botnet' traffic. 

Botnet traffic can be a nuisance, no doubt, but it isn't necessarily interesting or deserving of action until viewed in aggregate. The posts in this series describe methods for identifying and blocking botnet traffic and for aggregating that data, each through a different case:
 
1. Identifying Bot Behavior - Form Spam 
2. Bot Behavior - Distributed Attacks
3. Behavioral Analysis - Grouping Bot Actors
 

Identifying Bot Behavior - Form Spam 

The Behavior

We've written before about active interrogation as a method for distinguishing bots from human users, but sometimes telling the two apart can require much lower precision and zero active measures.

A great example of easily identified bot behavior is form spam or comment spam, where the botnet's activities are pretty straightforward: identify a webform and `POST` data to it in hopes that the content will end up displayed somewhere on the unwitting website. This is very easy to automate with numerous tools -- a simple piece of software and a botnet or a list of open proxies and you're in business.
 
So what does a mass form spammer post? Links! Links inline, links in a designated 'website' field (how has this field ever been a good idea?), links instead of names, link after link from bot after bot. Links all posted with the intention of raising the profile of the spammer's website via SEO or getting in front of a human to click.
 

Tracking Spammers 

Form spam looks very different from legitimate use of the forms: a legitimate user posts once or twice, at a rate consistent with hand-typing messages and with, you know, having other things to do, sleeping, etc. A spammer or commodity bot, on the other hand, just doesn't look right. POSTs are sustained, even at a low rate, the content doesn't match the site it's posted to, and they overwhelmingly include links.

Some form spam examples (each one is a single URL-encoded request body; domains are defanged):

```
comment=<a+href=http://www.some-spam[.]it/air-max-90-gialle-331>Air+Max+90+Gialle</a> +Make+existence+skills+an+element+of+your+home+schooling+encounter.+Training+a+young+child+to+harmony+a+checkbook,+prepare+a+dish+or+shingle+a+roof+top+has+many+worth.+Moreover,+various+subject+areas,+which+include+math+concepts,+looking+at+and+technology+may+be+incorporated+into+these+ability+lessons.+It+is+a+smart+way+for+a+child+to+have+genuine-world+encounter,+achieve+a+valuable+expertise+and+require+a+hands-on+strategy+to+their+discovering+path. +http://www.some-more-spam[.]com/balenciaga-envelope-clutch-with-strap-review-545.html +Engage+in+golf+using+a+buddy+rather+than+single+if+you+really+want+to+boost+your+video+game.+Not+only+will+you+be+capable+of+talk+about+tips+and+phrases+of+assistance+having+a+close+friend,+and+viceversa,+but+there's+yet+another+tiny+rivalry+there+that+will+draw+out+the+most+effective+within+you. <a+href=http://even-more-spam[.]it/nike-free-5.0-uomo-nere>Nike+Free+5.0+Uomo+Nere</a> +http://wow-i-guess-youre-going-for-3-spam-sites[.]com/635-converse-black-high-tops-mens.html

author=EugeneLieft&email=inbox458@a-mail-host[.]&comment=it's+my+first+time+visiting+your+site+and+I+am+very+fascinated.+Thanks+for+sharing+and+keep+up+;)+ [url=http://www.spam-site[.]nl/2016/03/12/essay-writing-online-service-custom-paper-writing/]http://www.spam-site[.]nl/2016/03/12/essay-writing-online-service-custom-paper-writing/[/url]&recaptcha_challenge_field=it's+my+first+time+visiting+your+site+and+I+am+very+fascinated.+Thanks+for+sharing+and+keep+up+;)+ [url=http://www.spam-site[.]nl/2016/03/12/essay-writing-online-service-custom-paper-writing/]http://www.spam-site[.].nl/2016/03/12/essay-writing-online-service-custom-paper-writing/[/url] &recaptcha_response_field=manual_challenge&submit=Post+Comment&comment_post_ID=841&comment_parent=0

ohid=709498&chkshowshipaddr=1&savestep=g1&nextstep=&offer_2=offer_2_182_US_IGZN&ship_firstname=daytona&ship_lastname=180&ship_address=180&ship_address2=180&ship_city=New+York&ship_country=US&ship_state=68&ship_zip=180&countryinput=180&giftemail=1&giftemailaddress=11849@another-mail-host[.]com&giftdate=60165@another-mail-host[.]&gifttext=[b]<a+href="http://spam-site[.]com/cgi_bin/">daytona</a>[/b][b][url=http://spam-site[.]com/cgi_bin/]daytona[/url][/b][b][url=http://spam-site[.]com/cgi_bin/]rolex+oyster+perpetual+date+price+list[/url][/b] <ul><li><strong><a+href="http://spam-site[.]com/cgi_bin/">daytona</a></strong></li><li><strong><a+href="spam-site[.]com/cgi_bin/">daytona</a></strong></li><li><strong><a+href="http://spam-site[.]com/cgi_bin/">rolex+oyster+perpetual+date+price+list</a></strong></li></ul><br>&giftfromname=41053@a-mail-host[.]com&submit=Next+Recipient
```

These posts are easily recognized as spam to the human reader and many popular blogging platforms can detect them and send them to a spam folder if configured to do so, but this typically relies on either IP reputation (error prone), analysis of each and every post (inefficient), or a phrase blacklist (inefficient AND error prone).

Protecting Your Application 

For many applications, an IP reputation list or comment blacklist is difficult to implement or simply not available; enter behavioral analysis. The Threat X WAF combines analysis of individual form `POSTs` with a long-lived reputation for a given actor and analysis of all of your application's traffic to quickly identify the bot behavior and block the spammer.
 
We automatically deploy signatures to detect common spam behavior, like including multiple embedded links (no matter what field they're in), posting at a sustained rate over time, and including content that doesn't match the corresponding page content (character sets, keyword density, and nonsense phrases). When an actor looks like spam over time, it is automatically blocked.
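To make the three signals above concrete, here is an added example (my own code, not the Threat X WAF's implementation) that scores form `POSTs` the way the preceding paragraphs describe: links are counted across every field rather than only `comment` or `website`, each actor's posting rate is tracked in a sliding window, a crude character-set check flags content whose script doesn't match a Latin-script site, and a long-lived reputation score blocks the actor once it accumulates. The thresholds, the scoring weights, the actor key, and the sample bodies (trimmed from the spam examples on this page, plus a constructed Cyrillic one and a constructed legitimate comment) are all assumptions.

```python
"""Behavioral scoring of form POSTs: link counting across every field,
sustained-rate tracking per actor, and a crude character-set check.
Added example; thresholds and the scoring formula are assumptions."""
import re
from collections import defaultdict, deque
from urllib.parse import unquote_plus

# A link is a scheme-prefixed URL or a bare "www." host (defanged "[.]" still matches).
LINK_RE = re.compile(r'https?://|(?<![/\w.])www\.', re.IGNORECASE)

# Hypothetical thresholds; tune them to the form's real usage.
MAX_LINKS_PER_POST = 1          # legitimate comments rarely carry more than one link
WINDOW_SECONDS = 24 * 3600      # sliding window for the posting-rate signal
MAX_POSTS_PER_WINDOW = 5        # more than this per window from one actor is "sustained"
FOREIGN_SCRIPT_THRESHOLD = 0.5  # share of letters outside the site's Latin script
BLOCK_SCORE = 10                # long-lived reputation at which the actor is blocked


def parse_form(body):
    """Split an application/x-www-form-urlencoded body into field -> [values].
    Splits on '&' only, so '=' inside a value (e.g. '[url=...]') stays in the value."""
    fields = defaultdict(list)
    for pair in body.split('&'):
        if pair:
            key, _, value = pair.partition('=')
            fields[unquote_plus(key)].append(unquote_plus(value))
    return fields


def count_links(fields):
    """Count links in every field, not just 'comment' or 'website'."""
    return sum(len(LINK_RE.findall(v)) for vals in fields.values() for v in vals)


def foreign_script_ratio(fields):
    """Share of letters beyond Latin Extended-B (U+024F): a cheap character-set
    mismatch check for a site whose content is in a Latin-script language."""
    letters = [c for vals in fields.values() for v in vals for c in v if c.isalpha()]
    if not letters:
        return 0.0
    return sum(1 for c in letters if ord(c) > 0x24F) / len(letters)


class ActorTracker:
    """Per-actor sliding window of POST times plus a long-lived reputation score."""

    def __init__(self):
        self.posts = defaultdict(deque)    # actor -> timestamps inside the window
        self.reputation = defaultdict(int)  # actor -> accumulated spam score

    def observe(self, ts, actor, body):
        """Score one POST (ts in seconds) and return the decision for this actor."""
        fields = parse_form(body)
        window = self.posts[actor]
        window.append(ts)
        while window and ts - window[0] > WINDOW_SECONDS:
            window.popleft()

        signals, score = {}, 0
        links = count_links(fields)
        if links > MAX_LINKS_PER_POST:
            signals['links'] = links
            score += min(links, 5)
        if len(window) > MAX_POSTS_PER_WINDOW:
            signals['rate'] = len(window)
            score += len(window) - MAX_POSTS_PER_WINDOW
        ratio = foreign_script_ratio(fields)
        if ratio > FOREIGN_SCRIPT_THRESHOLD:
            signals['charset'] = round(ratio, 2)
            score += 3

        self.reputation[actor] += score
        return {'actor': actor, 'signals': signals, 'score': score,
                'reputation': self.reputation[actor],
                'blocked': self.reputation[actor] >= BLOCK_SCORE}


# Constructed sample bodies, trimmed from the spam examples on the page (domains defanged).
SPAM_BODIES = [
    "comment=<a+href=http://www.some-spam[.]it/air-max-90-gialle-331>Air+Max+90+Gialle</a>"
    "+Make+existence+skills+an+element+of+your+home+schooling+encounter."
    "+http://www.some-more-spam[.]com/balenciaga-envelope-clutch-545.html"
    "+<a+href=http://even-more-spam[.]it/nike-free-5.0-uomo-nere>Nike+Free+5.0+Uomo+Nere</a>"
    "+http://wow-i-guess-youre-going-for-3-spam-sites[.]com/635-converse.html",
    "author=EugeneLieft&email=inbox458@a-mail-host[.]&comment=it's+my+first+time+visiting+your+site"
    "+[url=http://www.spam-site[.]nl/2016/03/12/essay-writing-online-service/]"
    "http://www.spam-site[.]nl/2016/03/12/essay-writing-online-service/[/url]"
    "&recaptcha_response_field=manual_challenge&submit=Post+Comment&comment_post_ID=841",
    "ohid=709498&ship_firstname=daytona&ship_city=New+York&giftemail=1"
    "&gifttext=[b]<a+href=\"http://spam-site[.]com/cgi_bin/\">daytona</a>[/b]"
    "[b][url=http://spam-site[.]com/cgi_bin/]rolex+oyster+perpetual+date+price+list[/url][/b]"
    "<ul><li><strong><a+href=\"http://spam-site[.]com/cgi_bin/\">daytona</a></strong></li></ul>"
    "&giftfromname=41053@a-mail-host[.]com&submit=Next+Recipient",
]
CYRILLIC_BODY = "author=Иван&comment=Купить+часы+дешево"  # constructed: script mismatch, no links
LEGIT_BODY = "author=alice&comment=Great+post,+thanks.+Same+thing+happened+on+my+site's+form."


def demo():
    """Run a constructed stream: one bot posting four times, then one human."""
    tracker = ActorTracker()
    stream = [(0, 'bot-a', SPAM_BODIES[0]), (3600, 'bot-a', SPAM_BODIES[1]),
              (7200, 'bot-a', SPAM_BODIES[2]), (10800, 'bot-a', CYRILLIC_BODY),
              (12000, 'alice', LEGIT_BODY)]
    return [tracker.observe(ts, actor, body) for ts, actor, body in stream]


if __name__ == "__main__":
    for decision in demo():
        print(decision)
```

The actor key here is a plain string; in practice it would be whatever the WAF uses to tie requests together over time (source address, session, or a fingerprint). Note that the link counter walks every field, so a spammer who moves links out of `comment` and into a name, e-mail, or gift-message field scores exactly the same, and the reputation accumulates across posts so that a low-rate, link-free bot is eventually caught by the rate signal alone.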
 
Stay tuned for Part II, which will address Distributed Bot Attacks. 
 