An under the hood look at Polyform in action

A critical part of Kasada’s product development and R&D process involves building bots to stress test our platform. This allows us to observe our detection platform and isolate its components as we add and improve new functionality.

Where possible we will take characteristics of attacks in the wild to replicate the real world scenarios. We recently built a bot (nicknamed k2-bot) to specifically test the different layers of our platform.

This was the second iteration of this test. On this occasion we upped the ante and increased the sophistication of our bot.

Our goal was to build a tool that would easily evade static tools such as web application firewalls and basic bot detection vendors. We configured a customised version of puppeteer to control headless chrome over the DevTools protocol. This allowed us to obfuscate and anonymise key elements that can be used by bot detection vendors. We then connected this to a global proxy network and delivered 28 requests /second to our testing application. Each request was a test username/password set which mimicked a credential abuse attack.

K2-bot versus Standard WAF protection

We built our bot to automatically avoid detection of any static WAF configuration. We randomly cycled through user agent strings,distributed the attack across 5-600 nodes, rapidly rotated proxy nodes in short bursts and maintained rate limits below levels able to use controlled without impacting real users.

K-bot detection with WAF: 0-5%

IP reputation ability: low

False positive risk: high

Basically, WAF’s are not capable of defending these attacks. A WAF is a static configuration that is looking for known bad behaviour. Our ‘payload’ was benign: a username/password and our tactics evaded any form of network / request analysis. Any attempt to control this attack with a WAF would result in an unacceptably high number of false positives – denying real users access to their account.

Application fingerprinting

Polyform assumes that all users are guilty until proven innocent. Our application fingerprinting technology is capable of differentiating between human or bot. We use an advanced javascript inspection process to profile the client application. This allows us to easily differentiate between a common browser versus an attack tool such as Puppeteer.

Unsurprisingly, when the application fingerprint was involved we were able to capture 100% of the attack traffic

K-bot detection: 100%

False positive risk: low

Not all bot detection vendors are capable of detecting advanced headless chrome bots. Many DDoS and CDN providers claim to protect against bot but are not able to defend the against sophisticated headless bots. Click here to test your vendor’s ability to detect a headless chrome bot: https://becorbot.kasada.io/

Cryptographic challenge

Kasada’s proof of work allows us to rate limit attacks at their source. No amount of bot customization can avoid the crippling power of Polyform’s challenge. The beauty of the challenge is it’s simplicity. Polyform automatically increases the sophistication of the challenge as the number of requests over time increases.

in our testing we removed the fingerprinting defense and isolated the challenge to truly understand the mechanisms at play.

K-bot was capable of delivering 100,000 requests an hour, however only 500 requests were successfully sent. Polyform’s cryptographic challenge totally crippled K-bot. Each individual bot node was only able to send a single request before Polyform recognized the attack pattern and bricked the node.

Summary

External analysis of account takeover attacks suggests that 1-2% of attacks are successful. That is, at least 1 in every 100 sets of stolen credentials will successfully unlock an account. If this is true, by sending 100,000 requests per hour, K-bot would be able to unlock 24,000 accounts a day. Our cryptographic challenge as a standalone technology would reduce this by 99.5% to 12 accounts.

Ultimately the combination of advanced application fingerprinting, the cryptographic challenge and our dynamic detection is able to completely stop the attack in its entirety.

For more information on dynamic bot defenses read our blog post on IP Blacklisting to understand if blocking and blacklisting is an effective protection against automated attacks.

k2-bot analysis

Attack Profile

Attack profile Highly distributed account takeover attack
Attack tool Puppeteer + customisations
Botnet nodes 560
Geographic profile High distributed internationally

 

Attack Profile

Key metric WAF only Basic bot detection Kasada
Most CDN bot detection Proof of Work
only
Proof of Work
+ Fingerprint
Successful hits to origin per hour 100,000 100,000 500 0
Detection rate 5% 5% 99.5% 100%
Accounts breached per day 24,000 24,000 12 0

Want to learn more?

  • Kasada’s Reflections on the Q3 2024 Forrester Wave™ – Bot Management Evaluation

    Kasada named a Strong Performer. Here are some of our own reflections having taken part in this evaluation.

  • AI Data Poisoning: How Misleading Data Is Evading Cybersecurity Protections

    Discover why AI data poisoning is an emerging threat and how fake data is used to evade AI cybersecurity protections.

Beat the bots without bothering your customers — see how.