How to Stop Bots from Exploiting Social Media Sites

Thad Dupper

CEO Secure64

As I read the daily news about how “bad actors” have abused and exploited social media sites, flooding them with fake posts, I think back to a line from the classic movie Rudy. Leading up to the last game of the season, Coach Dan Devine (Chelcie Ross) famously says to his team, “Remember, no one, and I mean no one, comes into our house and pushes us around.”

I would hope some version of that sentiment is being repeated at companies like Facebook, Twitter and Google, now that the veracity of their sites has come into question after bots attacked them with a high volume of fake posts.

As these companies look to implement defenses against these exploits, there is a role for the Domain Name System (DNS) to play.

As anyone who is reading this post knows, DNS is the system that the Internet uses to resolve and translate domain names into IP addresses. So critical is this function that strong defenses have been developed to protect the DNS from a wide range of very sophisticated attacks.  It has been correctly said, “The network is only as secure as the DNS.”

Drawing on our work at Secure64, I would suggest DNS protections can be used to defend social media sites from malicious posts and attacks. Clearly, the overall solution will include protections to defeat the multitude of attack vectors, but in this discussion, I will limit my comments to how DNS can assist in this endeavor.

First, let’s look at a simple denial of service (DOS) attack and how DNS deals with it. In this scenario, a single IP address floods (attacks) the server(s) for the target domain, e.g., amazon.com, with a high volume of spurious requests. The goal of the attack is to overwhelm the DNS resolver server so that it simply cannot continue to function, or at least to prevent legitimate requests from being answered. To protect against denial of service attacks, Secure64 has implemented client IP-based rate limiting, which will identify the source(s) of the attack and discard any further traffic.

As the bad actors grew more sophisticated, DOS attacks became distributed, reflective, amplified and recursive. In a reflected flood, for example, thousands of bot machines send innocuous-looking requests to a DNS server, but with a counterfeited IP address of the target system. Since the size of a DNS response can be significantly larger than the request, the DNS servers would unwittingly reflect and amplify the attack against the target.  Our protections correspondingly grew in sophistication to meet and defeat these various threats.

So how can DNS be applied to stop fake postings to social media sites? Simply put, by leveraging the advanced and wide-ranging protections Secure64 has incorporated in DNS, we can use those same techniques to identify and defeat Bot Factories and platforms.

We can also use analytics to identify Bots and fake Tweets. In the simplest use case, if a single IP address is posting a high volume of posts to Twitter, more than a typical Twitter user could possibly post, that IP address can be flagged and excluded from future posts.

But the bad guys are smart, so it is unlikely they will post all their malicious posts from a single IP address. That is where IP address penning comes into play. We can identify groups of IP addresses that originate from different hosts but terminate at the same domain. Once identified, this group of IP addresses too can be defeated.

What about the case where the “bad actor” hides their IP address via a VPN?  Again, using algorithms and applying some advanced techniques, we can still identify the offenders.

And while not related to DNS, Twitter must track the size and duration of Twitter sessions. Using that data, they should be able to distinguish automated posters from natural users. Or, when they get 17,000 identical posts all with the exact same byte count, they can assume that these are duplicate posts.
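As an added illustration (not Secure64's code and not part of the original post), the sketch below applies the client-IP rate limiting described above to post submissions and also counts identical post bodies arriving from different sources. The class name, thresholds and sample events are constructed assumptions.

```python
import hashlib
from collections import defaultdict, deque


class PostScreen:
    """Hypothetical screen: per-IP sliding-window rate limit plus duplicate-body count."""

    def __init__(self, max_posts=5, window_s=60, dup_limit=3):
        # Thresholds are illustrative assumptions, not values from the article.
        self.max_posts = max_posts
        self.window_s = window_s
        self.dup_limit = dup_limit
        self.recent = defaultdict(deque)    # ip -> post timestamps inside the window
        self.blocked = set()                # IPs flagged for exceeding the rate
        self.body_count = defaultdict(int)  # sha256(body) -> times seen from any IP

    def submit(self, ip, ts, body):
        if ip in self.blocked:
            return "blocked"                # flagged source: discard further traffic
        q = self.recent[ip]
        while q and ts - q[0] >= self.window_s:
            q.popleft()                     # drop timestamps that left the window
        q.append(ts)
        if len(q) > self.max_posts:
            self.blocked.add(ip)
            return "blocked"
        digest = hashlib.sha256(body.encode("utf-8")).hexdigest()
        self.body_count[digest] += 1
        if self.body_count[digest] > self.dup_limit:
            return "duplicate"              # same bytes seen too often across sources
        return "accept"


def run_sample():
    """Replay constructed events (documentation-range IPs) and return the verdicts."""
    screen = PostScreen()
    out = []
    # One source posting once per second: exceeds 5 posts per 60 s on the 6th post.
    out += [screen.submit("203.0.113.7", t, f"spam {t}") for t in range(8)]
    # An ordinary user posting every five minutes stays under the limit.
    out += [screen.submit("198.51.100.20", t * 300, f"hello {t}") for t in range(3)]
    # The same body sent once each from five different addresses.
    out += [screen.submit(f"192.0.2.{i + 1}", 1000 + i, "Vote now!!!") for i in range(5)]
    return out, screen.blocked


if __name__ == "__main__":
    print(run_sample())
```

The per-IP check alone misses the third batch, where each address posts only once; the shared body hash is what catches it.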

Not to give away any secrets, DNS can also identify suspected bot and malware users. Once identified, any post originating from them can be sent to a staging area or special landing page on Facebook, Instagram and Twitter for further inspection.

The bottom line: if the social media companies wish to dramatically eliminate the problem of fake postings, they can. And it is in their best interests to do so – if users can’t trust the posts on their sites, they run the real risk of losing a large number of their users, who, after all, are their greatest asset.

It no doubt will take added resources and talent with skills like those of the cryptographers and cyber coders we have at Secure64 to defeat these threats, but the task is eminently achievable.

Remember, no one, and I mean no one, comes into our house and pushes us around!