Startup uses math puzzles to trap malicious bots in infinite loop

Kyle Chua
Kasada's goal is to exhaust the resources of bot operators and reduce the viability of malicious bot operations

MANILA, Philippines – The internet is riddled with malicious bots used to commit fraud, steal login credentials, take websites down, or launch cyber attacks. These automated programs are developed to perform repetitive tasks at speeds that humans can never match.

Cybersecurity company Kasada thinks the best way to fight the relentless persistence of bots and their makers is to trick the bots into doing something they can never finish, forcing bots to eat up a bot operator’s resources till they’re pulled back.

How does it work?

Kasada first determines whether a particular website visitor is a bot or not using several methods.

If the visitor is a human or a good bot, the site loads as if nothing happened. If the visitor is a bot, Kasada will throw an unsolvable math puzzle at it to keep it busy. No alarms are triggered as the bot thinks the site has already loaded.

“You don’t want to alert the person behind the bot, or they’ll just keep trying,” Sam Crowther told TechCrunch.

The bot then automatically uses more and more of its resources to try to solve the puzzle without alerting its operator. Crowther said a lazy bot operator would have likely walked away after the program was launched.

Because the puzzles are impossible to solve, the bot is now trapped in an infinite loop that exhausts its operator’s resources and keeps the bot from visiting or targeting other sites.

“We cost them money, making their projects not fiscally viable,” Crowther said.

Bot authors reportedly take months to develop programs that will target specific sites.

“One bot targeted a betting company we protected, grabbing odds so that the most cost-effective bets are being placed at the micro-level – like stock trading,” Kasada director of field engineering Johnny Xmas said. “They’ll put months into a bot that’ll defeat every bot detection system.”

Crowther pointed out that retail outlets, hotels, major financial institutions and realty listings are most at risk because bots have a lot to gain from these enterprises.