login requests / hour 8,723 malicious login requests / hour 800 malicious login requests / hour Botnet #1 • Requests – 94,296 (average 9/min) • Clients – 2 IPs, same UA Botnet #3 • Requests – 5,286 (average 0.5/min) • Clients – 1500 IPs, 188 UAs Botnet #2 • Requests – 190,487 (average 59/min) • Clients – 10k+ IPs, 695 UAs Legitimate and malicious requests to a login endpoint compared Total logins 4,251,661 Malicious logins 315,178 IP addresses 19,992 ASNs 1,743 User agents 4,382 Key Take-aways: • Botnets #1, #2 are dumb bots that could be mitigated by signatures or rate controls • Botnet #3 is low, slow, highly distributed, highly sophisticated bot. A dedicated bot solution with true behavioral machine learning, not dependent on browser and network info, is required to detect Average 0.00035 requests/min per IP Low & Slow Stealth Mode Bot | © 2019 Akamai | Confidential