What are Bots as a Service? (BaaS)
Bots as a Service (BaaS) are a new breed of bot platforms, that are designed to offer third-parties an easy way of launching bots without the need for any experience in data scraping or writing automated bots. Typically, they are designed as SaaS subscription models, with various levels of service, packaged up in a monthly fee, payable by credit card.
Why are Bots as a Service a problem?
The Bots as a Service providers claim to be able to penetrate 99% of all web sites.
Offering a paid SaaS service, means these providers can offer scalable bot platforms that are designed to evade capture at scale.
Typically, this involves many separate services, all bundled into one SaaS package.
- Residential IP or mobile Proxies - each service is different, but most boast that they have hundreds of thousands or even millions of IP as part of their service. With millions of residential IPs, traditional WAF IP reputation services just won't be able to cope with the sheer number of IP addresses. With such a large installed base of IP, IP analysis isn't going to reveal any patterns or persistent IP addresses hitting constantly
- Scaleable platforms: using ISP Proxies allows the service to scale, and provide a huge number of both IP addresses and rotating user agents that help to avoid traditional rate limiting and WAF, as well as old school bot protection using signatures.
- Mouse Movement Emulation - to trick fingerprint detection into thinking a real client with natural mouse movements has been detected.
- Passing CATCHA - typically these vendors work with 3rd parties and others to provide CAPTCHA passing abilities.
- Custom scripts - for large sites such as Amazon and Linkedin are often available as pre-built templates.
- Choice of IPs, by region / country / mobile etc.
- Scripts for most common bot activity such as data scraping, etc.
How can these services be stopped?
All these services use the same platform for the SaaS to work - detect the platform and you detect all the bots.
Although we have seen how these services can easily evade traditional WAF and IP based reputation services, it is possible to stop these attacks by using sophisticated bot management software such as VerifiedVisitors. These platform are automated, and do leave traces of their automation. Some of these platforms are easy to spot, others much harder.
As with all platforms these bot platform change constantly, and are frequently updated to avoid detection methods.