Overview

This automotive retailer operates hundreds of stores and websites, where customers can research and order products as well as make service appointments.

In 2013, the company turned to Imperva (formerly Distil Networks). Its sites were crashing frequently due to bad bots attempting to scrape content from its nearly 100 web properties. Despite multiple firewalls, appliances, and other mechanisms for blocking attacks, bad bots were still getting in and taking sites down. “We experienced a lot of pain and headache trying to manage blacklists and whitelists,” said their Infrastructure Engineer. “We’re an automotive retailer, not a web application security company. We want to sell automotive parts, not manage IP blacklists.”

Challenges

Malicious bot traffic was out of control and causing site brownouts

This automotive retailer had an ongoing problem. For several years, their site was crashing due to bots and scrapers that were crawling their websites. Though they tried different firewall mechanisms, DDoS solutions and other appliances, they could not stop the bad bots. In addition, their legacy tools were cumbersome, time-consuming and difficult to manage.

“There was always a huge learning curve with every tool. We had to keep them up to date, and the tools never really did what people said they were going to do. In the end, we were often left with heartache and pain, trying to manage a blacklist or a whitelist,” they explained.

Bad bots continued to crawl through their web properties, pulling an average of 8,000 pages per second for the purpose of competitive data mining. Other bots were probes, scanning the Internet looking for weaknesses in websites. The sites continued to crash frequently, and bad traffic had grown to thousands of IP addresses. “The volume and the frequency of hits was just massive.”

Blocking bad bots manually was an ineffective game of “Whack-a-Mole”

“Anytime we saw an IP address that was causing issues, we would blacklist it. But with the evolution of infrastructure as a service, we ended up blocking our customers. They were coming in from large IaaS providers. Managing that was an administrative nightmare. It didn’t work,” they said.

“Amazon has 10 million IP addresses, so you can’t just block one—the hacker will just spin up a new instance, get a new IP address, and scrape your site again.”

Managing the bad bot problem consumed one FTE

Managing all of the bad bot traffic was not only an administrative nightmare, it was taking too much time. The “Whack-a-Mole” approach was consuming the equivalent of one full-time employee (FTE).

“It wasn’t just one person. There was one person that identified the bot, a second person that researched it, and then a third person that actually blocked it. So there were three different people spending a percentage of their day on our bot problem. When you add it all up, it was a full-time person,” he said.

Requirements

Technical requirements for blocking and latency

Their technical requirements for bot blocking were straightforward. First, any solution had to intelligently block traffic, and secondly, it must maintain the same service level that they had from a performance standpoint. “If latency on our website is ten milliseconds, it can’t be above ten milliseconds.”

Integration with existing complex infrastructure

Playing well with existing infrastructure was another critical requirement. The automotive retailer maintains dual datacenters with highly available disaster recovery solutions, a three-tier web application architecture, and load balancing between all the layers. The infrastructure also integrates with other services on the backend. “There are a lot of different people and groups involved in managing all this infrastructure, and the service we chose had to work well with all of it,” they said.

Seamless integration with existing monitoring tools

The automotive retailer has powerful distributed monitoring and testing tools to observe client sessions — how long people spent on the site, how long they were on a page, and how they flowed through a page. This allows them to keep close tabs on the customer experience and the performance of their site.

“When we see the traffic come to us, it looks like it comes from Imperva because the IP says, ‘Oh, this belongs to Imperva.’ Imperva passes the original client IP address. We simply changed our monitoring tools to look at the X-Forwarded-For (XFF) header in the packet to identify the true client IP.”

Why Imperva

Implementation of Imperva’s cloud-based offering was fast and easy

Delivered as a service, Imperva Bot Management was easy to implement and adopt. “We pointed one of our low-traffic websites to Imperva for a week to try out the service. It only took us 15 minutes to make the DNS change. A week later, we did another higher volume site with more public awareness. With Imperva, we can spin up a test domain, make a DNS change and test it, and it doesn’t involve a lot of effort,” he said. “To disable it, you just turn the light off. It’s pretty much that simple.”

After the second site was filtered through Imperva successfully for two weeks, they implemented a full-blown pilot program. “It worked better than expected,” he said. “Once the contract was signed, we went into full production.” Imperva Bot Management is now used to filter roughly 100 website properties.

The Results

Improved site performance by 25%

The IT infrastructure engineer paid close attention to the Imperva service over the months following implementation, and he was delighted to report a 25% gain in performance.

“Not only have we solved the bot problem, but we’ve also expanded our footprint globally. We’re caching content, and performance has improved because of some of the other technologies that we’re using through Imperva.

“At the end of the day, we thought we bought a scooter, and then we found out the scooter has a Swiss army knife, LED flashlight, and Bluetooth.”

Eliminated “Whack-a-Mole” approach to bot blocking, saving time and hassle

Prior to implementing Imperva Bot Management, the IT security team was spending a lot of time blocking IP addresses one by one. “The question was, do we spend time building the site and expanding our business, or worrying about knuckleheads and other people out there trying to bring us down? Imperva Bot Management filters through all of our web traffic, ‘distills’ it, cleanses it and makes sure that we don’t have to deal with any of the bad bots that try to scrape our sites. It eliminates all the management tasks for us and makes protecting our sites simple.”

Significantly reduced need for management of bot problem, saving 1 FTE for other dev projects

“We still have issues, but not as frequently, and they’re easier to deal with,” they said. “We now have one FTE spending only about 5% of his time managing the environment, and we got 95% of him back to work on other things. Imperva’s service is basically ‘set it and forget it.’ I only log in every couple of weeks, mostly to pat myself on the back and feel good about what we did.”

Legitimate traffic passes through and bad bots are blocked

With Imperva Bot Management, they were able to block malicious bot traffic and still let through customers from countries all over the world. “We haven’t heard from one customer that they can’t get to our website. We’re confident we are blocking true malicious traffic.”

Stakeholders gained peace of mind from successful proof-of-concept tests, detailed reporting and ability to track bad bot origins

Imperva has great reporting including the “malicious bots by country,” “traffic overview” and “cache analysis” reports. “Of the content we cache, 99% of it is being served from the Imperva network and not even hitting our origin servers,” he said. “Seeing that in the report gives me peace of mind.”

They said the reporting helps them understand and prepare for big threats before it’s too late. “Imperva provides a visual representation of hundreds of thousands of blocked requests. You can tell when the big threats are coming simply by glancing at the reports. It’s easy — the darker the red, the more malicious traffic. The color coding shows you where the threats are originating.”

Imperva exceeded expectations, providing myriad capabilities

The solution is performing better than expected in terms of blocking bad bots while providing additional benefits, such as the 25% gain in site performance. “Not only have we solved the bot problem, we’ve expanded our footprint globally, we’re caching content and our site performance has increased by about 25%,” he said.

“The service that we have with Imperva now, we love it. It’s great,” he concluded.