Cloudflare battles malicious bots with 'fight mode'

Cloudflare is taking aim at malicious bots attacking its customers with a new security measure scheduled to go live for all by the end of the year.

The new Bot Fight Mode is rolling out now as an opt-in only feature to help Cloudflare customers avoid damage caused by malicious bots. John Graham-Cumming, chief technology officer for Cloudflare, described the new mode as a way to "frustrate" and disincentivize bots through tarpitting.

"If our models show that the traffic is coming from a bot, and it's on a hosting or a cloud provider, we'll deploy CPU-intensive code to make the bot writer expend more CPU and slow them down. By forcing the attacker to use more CPU, we increase their costs during an attack and deter future ones," Graham-Cumming wrote in a blog post. "Every minute we tie malicious bots up is a minute they're not harming the Internet as a whole."

However, Cloudflare won't just to waste the resources of malicious bots through computationally intensive challenges. The company also plans to share the IP addresses of bots with its Bandwidth Alliance partners in order to get those bots taken offline. 

Cloudflare said that of the 750 billion HTTP requests it handles per day, 3 billion are made by bots. A company spokesperson could not estimate how many individual bots are making those requests.

The spokesperson did note that how much effort it will take to stop bots will depend on "a number of factors."

"The persistence of the bot is generally correlated to the value of the target," the spokesperson told SearchSecurity. "A bot gives up quickly if the site is common and the value of a successful attack is low, but for bots that do things like inventory hoarding, the attacks are persistent."

According to Graham-Cumming in the blog post, adopting tactics like this is important, because "malicious bots harm legitimate web publishers and applications, hurt hosting providers by misusing resources, and they doubly hurt the planet through the cost of electricity for servers and cooling for their bots and their victims."

Graham-Cumming acknowledged that Bot Fight Mode lead to even higher electricity and cooling costs, so Cloudflare will be donating to One Tree Planted in order to offset the carbon costs.

Cloudflare also noted that this is just the first step in plans to fight malicious bots.

"Blocking outright is effective in preventing one bot from attacking one website, but the bot will just move on to a softer target. Bot Fight Mode makes that bot spend more time and resources before being able to move on," the spokesperson said. "We have a number of other ideas we are working on that we're not quite ready to share yet."

However, there may be unintended consequences to Bot Fight Mode. Jean-Philippe Paradis, a programmer living near Montreal, shared a note from the Cloudflare Dashboard that warns: "Defeating Bots may affect some actions on your website and/or non-automated traffic. For example, it may block access to your APIs and prevent access from mobile applications."

Cloudflare did not respond to requests for comment on this warning at the time of this post. Graham-Cumming noted in the blog post that the company's model "spots the behavior of bots based on past traffic and blocks them," and he said on Twitter that, "We look at how humans behave on the web vs. how bots behave. Bots behave differently (think how fast they click, or when they click, or what they click etc.)". But it is unclear what recourse customers will have if access issues arise.