Security researchers claim to have stopped the largest bot attack they’ve ever seen, leveraging 400,000 compromised IP addresses to scrape web data.
Imperva said the large-scale botnet generated 400 million requests from the IP addresses over four days, comprising around 10 requests per IP per hour on average. Its mitigation service spotted the 30-fold surge in traffic volume to the impacted site and mitigated the attack.
The victim in this case was a job listings site with a presence in six countries. The attack was designed to harvest job seekers’ profiles from the site.
“Web scraping is considered by the OWASP Foundation as an automated threat (OAT-011), defined as collecting accessible data and/or processed output from the application. While web scraping treads a fine line between business intelligence and violating data privacy, it remains one of the most prominent automated attacks affecting organizations today,” Imperva warned.
“Scraping can result in lower conversion rates, skewed marketing analytics, decrease in SEO ranking, website latency, and even downtime (usually caused by aggressive scrapers).”
Similar tactics can be used in “scalping” attacks designed to buy-up in-demand, limited edition products for resale later at a higher price.
During Black Friday week, Imperva mitigated one such attack on a retailer’s website, which saw nine million bot requests in just 15 minutes – 2500% more than its average traffic volume.
“Stopping automated bot attacks on hyped, limited-edition product launches ensures that legitimate customers take first priority while leaving scalpers out of the equation,” said Imperva.
“Furthermore, it reduces impact on an organization’s infrastructure from unwanted bot traffic. When websites or applications are overwhelmed by bot traffic, it can result in denial of service, revenue losses, and reputational damage.”