Spent the day looking into data and it's got me thinking.

If you run a service that provides an API, what methods can you employ to detect bots?

Datadome can protect against bot[net] attacks, and maybe some use of scripts is ok for people to query data. But what about something in the middle, where someone's scripting something to look like the browser, but they're maybe not playing fair.

C.

@markwalker

Fundamentally, if someone puts in enough , there is no server-side way to a between their traffic and any "legitimate" .

25 years ago I was writing scraping software (not nefariously...) that sent plausible referer: headers, paused appropriately between requests, operated from a widespread set of machines, etc.

The techniques have only gotten better and more widespread since, and it's even easier to apply them to an API.

@cazabon yeah this is what I thought might be the case. Just good to have it confirmed.
Maybe I need to get skilled with ML to detect certain behaviour patterns.

@markwalker

It depends on how advanced your adversaries are, and how much work they want to put into evading your defences.

If either or both of those values are low, you may be able to detect them relatively easily. What kind of threat model are you trying to design around?