
A Startup With a Way to Filter Botnet Traffic Gets Funding - digital55
http://bits.blogs.nytimes.com/2014/06/24/a-start-up-with-a-way-to-filter-botnet-traffic-gets-funding/?_php=true&_type=blogs&ref=technology&_r=0
======
opendais
> "Our discovery is that both Javascript and Flash will also tell you if
> there’s a real user behind that interface,” Mr. Kaminsky said."

That isn't how that works. That isn't how any of it works.

Selenium + [https://code.google.com/p/flash-selenium/](https://code.google.com/p/flash-selenium/) == Has both.

People who block flash & javascript for security reasons? Also block both.

The sheer ease of bypass and the rate of false positives for any sophisticated
operator is going to be huge.

Maybe I'm overly skeptical but I don't see this filtering any bot operation
that is sophisticated enough to run something like selenium.

EDIT: Folks, I'm aware Selenium is a terrible example but it was the first
thing that came to mind.

There are plenty of other headless toolkits that are easier to weaponize.
Maybe I didn't want to point that out by linking to them/mentioning them? :|

~~~
morley
Is there any research on how many botnets use Selenium? I would guess that
most of them use something more basic just because it's a lot easier to put
together.

~~~
eli
My personal experience with comment/forum spam bot networks is that at least
90% do not understand javascript. The ones that do tend to have _extremely_
realistic traffic patterns and the ability to solve captchas. I suspect those
are actually real people with incredibly crappy jobs, not super-intelligent
Selenium-powered bots.

~~~
paulgb
Comment/forum spam is different game than botnet ad fraud. The latter executes
JavaScript by design since it's often necessary to load the ads.

~~~
acfou
see the charts from Incapsula in this article which show a third of the bots
are not executing javascript
[https://www.linkedin.com/today/post/article/20140623200557-8...](https://www.linkedin.com/today/post/article/20140623200557-84444-five-separate-vendors-confirm-bot-traffic-in-60-range)

------
briancass
[http://www.marketwired.com/press-release/White-Ops-Secures-7...](http://www.marketwired.com/press-release/White-Ops-Secures-7-Million-in-Series-A-Funding-1923780.htm)

This is a more descriptive article on this funding round and what White Ops
does. The company uses side channel analysis across an array of variables to
detect behavioral differences between humans and bots.

~~~
mmaunder
Side-channel analysis generally refers to analyzing emitted signals like RF
emissions and power consumption patterns to defeat crypto systems. So it's an
interesting turn of phrase considering it's referring to analysis of
'variables', implying in-channel data, rather than signals.

------
nailer
This seems pretty much exactly like [http://spider.io](http://spider.io), now
acquired by Google.

------
parley
I don't usually complain about titles (and I know it's the original one from
the article), but I came here with the fascinated (though admittedly
skeptical) hope that someone had improved radically on botnet DDoS mitigation
techniques. It would be better if the title contained words like perhaps "ad"
and "fraud".

~~~
dang
Happy to change it if you or anyone can suggest a more accurate title.

------
morley
> White Ops sells customers one line of code that allows them to differentiate
> between bot traffic and the real thing... White Ops tells website operators
> how much of their traffic is coming from humans and how much of it is coming
> from bots.

Looks like they only report on the percentage of bot users. While that can be
useful in the long run (especially if you're implementing ways to mitigate
it), it seems like it'd be much more useful if you could tell on a per-
user or per-session level whether the user was a bot, so you could turn off
features like ad-serving or message-sending or whatever.

~~~
ryan-c
We have more detailed information about our detection decisions beyond bot
percentage available to clients who want it, including statistics on a number
of properties such as the type of bot and what bot markers are present.

------
kylequest
Trying to derive technical details from a business press release or an article
in NY Times is silly. Unless you know about the tech and know how to read
between the lines it will not make much sense.

------
thirsteh
So this is a piece of JavaScript. What happens when a bot blocks that
JavaScript from running and/or emulates it but returns a result that indicates
the user is human?

~~~
ryan-c
Posted this elsewhere in the thread already, but bots that don't run our code
can be detected by comparing our traffic numbers with the client's traffic
numbers.

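The reconciliation ryan-c describes (server-side traffic numbers versus the numbers reported by the detection script) can be done per session rather than only in aggregate. The following is an added example, not White Ops code and not from the article; it assumes the site tags each access-log line with its session cookie (`sess=`) and that the page script reports one beacon per page view to a hypothetical measurement endpoint whose log looks like `BEACON_LOG`. Both logs below are constructed sample data. It also covers thirsteh's second case: a bot that forges or replays the "I am human" beacon shows up as a session with more beacons than pages served.

```python
import re
from collections import defaultdict

# Constructed sample data (not real traffic). Combined-log-style access log
# with a trailing sess= field added by the site.
ACCESS_LOG = """\
203.0.113.10 - - [24/Jun/2014:10:00:01 +0000] "GET /article/1 HTTP/1.1" 200 5120 sess=a1
203.0.113.10 - - [24/Jun/2014:10:00:20 +0000] "GET /article/2 HTTP/1.1" 200 4800 sess=a1
198.51.100.7 - - [24/Jun/2014:10:00:05 +0000] "GET /article/1 HTTP/1.1" 200 5120 sess=b2
198.51.100.7 - - [24/Jun/2014:10:00:06 +0000] "GET /article/2 HTTP/1.1" 200 4800 sess=b2
198.51.100.7 - - [24/Jun/2014:10:00:07 +0000] "GET /article/3 HTTP/1.1" 200 4700 sess=b2
192.0.2.33 - - [24/Jun/2014:10:00:09 +0000] "GET /article/1 HTTP/1.1" 200 5120 sess=c3
"""

# Constructed log of the hypothetical beacon endpoint the page script calls
# once per page view. Session c3 has three beacons for a single page view.
BEACON_LOG = """\
2014-06-24T10:00:02Z sess=a1 page=/article/1
2014-06-24T10:00:21Z sess=a1 page=/article/2
2014-06-24T10:00:09Z sess=c3 page=/article/1
2014-06-24T10:00:09Z sess=c3 page=/article/1
2014-06-24T10:00:09Z sess=c3 page=/article/1
"""

ACCESS_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ sess=(?P<sess>\S+)$')
BEACON_RE = re.compile(r'^(?P<ts>\S+) sess=(?P<sess>\S+) page=(?P<page>\S+)$')


def parse_access_log(text):
    """Return {session: [path, ...]} for successful GET page views."""
    views = defaultdict(list)
    for line in text.splitlines():
        m = ACCESS_RE.match(line)
        if not m:
            continue  # skip lines we cannot parse rather than guessing
        if m['method'] != 'GET' or m['status'] != '200':
            continue
        views[m['sess']].append(m['path'])
    return views


def parse_beacon_log(text):
    """Return {session: [page, ...]} for every beacon the script sent."""
    beacons = defaultdict(list)
    for line in text.splitlines():
        m = BEACON_RE.match(line)
        if m:
            beacons[m['sess']].append(m['page'])
    return beacons


def reconcile(views, beacons):
    """Per-session (views, beacons, verdict) from server-side vs script-side counts.

    no_js          : pages were served but the script never reported; either the
                     client blocks JS or it is a bot that does not execute it.
                     The counts alone cannot tell those two apart.
    beacon_surplus : more 'human' reports than pages served, including sessions
                     that only exist in the beacon log; the beacon was forged or
                     replayed rather than produced by the page.
    consistent     : beacon count does not exceed the page-view count.
    """
    verdicts = {}
    for sess in set(views) | set(beacons):
        v = len(views.get(sess, []))
        b = len(beacons.get(sess, []))
        if b == 0:
            verdict = 'no_js'
        elif b > v:
            verdict = 'beacon_surplus'
        else:
            verdict = 'consistent'
        verdicts[sess] = (v, b, verdict)
    return verdicts


def unmeasured_fraction(views, beacons):
    """Share of server-side page views for which no matching beacon arrived.

    This is the aggregate gap between 'our traffic numbers' and 'the client's
    traffic numbers'; a page view counts as measured if some beacon with the
    same session and page exists.
    """
    seen = {(s, p) for s, pages in beacons.items() for p in pages}
    total = sum(len(pages) for pages in views.values())
    matched = sum(1 for s, pages in views.items() for p in pages if (s, p) in seen)
    return (total - matched) / total if total else 0.0


if __name__ == '__main__':
    v, b = parse_access_log(ACCESS_LOG), parse_beacon_log(BEACON_LOG)
    for sess, result in sorted(reconcile(v, b).items()):
        print(sess, result)
    print('unmeasured fraction:', unmeasured_fraction(v, b))
```

On the sample data session b2 is `no_js`, c3 is `beacon_surplus`, and half of the server-side page views have no beacon. The `no_js` bucket is exactly the ambiguity opendais raises: a privacy-conscious user with NoScript lands there next to a curl-driven bot, so the per-session verdict is a signal to combine with others, not a block decision on its own.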
------
AznHisoka
Is the startup's secret sauce simply:

- Scrape all IPs of server hosts from Arin.net
- if IP in that list, it's a bot.
- if not, it's human

~~~
ryan-c
That's a fairly noisy data source with lots of both false positives and false
negatives.

I've actually been burned by use of that data as a user - the last time I was
in Germany for a CCC camp, I needed to log into my bank account. Not trusting
the WiFi, I bounced through my VPS to do so. It seemed to work fine, but a few
days later the bank froze my account. When I called them they insisted that
this activity meant my computer and email had been hacked and I needed to
change my email password, virus scan my computer, change my username with the
bank and change my password. There was no way for them to mark the use as
'legitimate'.

On the other side of the coin, there are _lots_ of ad fraud bots running
through residential ISPs.

