<?xml version="1.0" encoding="utf-8"?>
<feed xmlns="http://www.w3.org/2005/Atom"><title>Peakhour.IO - API Security</title><link href="https://www.peakhour.io/" rel="alternate"></link><link href="https://www.peakhour.io/feeds/tag/api-security.atom.xml" rel="self"></link><id>https://www.peakhour.io/</id><updated>2026-06-19T00:00:00+10:00</updated><entry><title>An Operating Model for API and Account Protection</title><link href="https://www.peakhour.io/blog/api-account-protection-operating-model/" rel="alternate"></link><published>2026-06-19T00:00:00+10:00</published><updated>2026-06-19T00:00:00+10:00</updated><author><name>AC</name></author><id>tag:www.peakhour.io,2026-06-19:/blog/api-account-protection-operating-model/</id><summary type="html">&lt;p&gt;API and account protection works best as an operating model: map routes, classify signals, choose proportionate actions, preserve evidence, and tune controls from monitor to enforce.&lt;/p&gt;</summary><content type="html">&lt;p&gt;API and account protection is often discussed as a stack of controls: authentication, MFA, bot detection, rate limiting, WAF rules, logging, fraud checks, and incident response. Those controls matter, but the missing piece is usually the operating model.&lt;/p&gt;
&lt;p&gt;Who owns the route? Which signals are trusted? What action should happen before origin? What evidence is preserved? When does a rule move from monitor to enforce? How does the team know whether it helped or hurt?&lt;/p&gt;
&lt;p&gt;Without those answers, account protection becomes a set of disconnected gates. The login page has one policy. The mobile API has another. Password reset is reviewed only after support tickets appear. Rate limits are tuned during incidents, then left in place because nobody wants to touch them.&lt;/p&gt;
&lt;p&gt;A better model is route first, signal second, action third, evidence always.&lt;/p&gt;
&lt;h2&gt;1. Map the Routes That Matter&lt;/h2&gt;
&lt;p&gt;Start with the account and API routes that change trust, money, access, or user state. Do not begin with every endpoint in the estate. Begin with the flows where abuse has a clear consequence.&lt;/p&gt;
&lt;p&gt;Typical routes include:&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;Login and token issue.&lt;/li&gt;
&lt;li&gt;Token refresh.&lt;/li&gt;
&lt;li&gt;Password reset start and completion.&lt;/li&gt;
&lt;li&gt;MFA enrolment and recovery.&lt;/li&gt;
&lt;li&gt;New account registration.&lt;/li&gt;
&lt;li&gt;Email, phone, address, and password changes.&lt;/li&gt;
&lt;li&gt;Stored payment, wallet, loyalty, or checkout actions.&lt;/li&gt;
&lt;li&gt;High-volume read APIs.&lt;/li&gt;
&lt;li&gt;Partner or machine-to-machine API access.&lt;/li&gt;
&lt;/ul&gt;
&lt;p&gt;For each route, record the owner, normal traffic shape, expected clients, authentication method, downstream cost, and likely abuse case. A login endpoint and a product search endpoint can both be APIs, but they should not have the same policy.&lt;/p&gt;
&lt;p&gt;This is where &lt;a href="/solutions/use-case/traffic-control/"&gt;traffic control&lt;/a&gt; becomes part of account security. The route tells the edge what kind of decision is being made: allow, challenge, throttle, block, route, cache, or log.&lt;/p&gt;
&lt;h2&gt;2. Classify the Signals Before Choosing the Action&lt;/h2&gt;
&lt;p&gt;A useful account decision combines several signal families:&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;Identity and token state.&lt;/li&gt;
&lt;li&gt;Credential exposure or failed-login history.&lt;/li&gt;
&lt;li&gt;Residential proxy, VPN, hosting, mobile, or office network context.&lt;/li&gt;
&lt;li&gt;IP reputation and ASN behaviour.&lt;/li&gt;
&lt;li&gt;Client, browser, TLS, or HTTP fingerprint.&lt;/li&gt;
&lt;li&gt;Request rate and response codes.&lt;/li&gt;
&lt;li&gt;Route sequence and session behaviour.&lt;/li&gt;
&lt;li&gt;Account event context, such as reset, recovery, or profile change.&lt;/li&gt;
&lt;/ul&gt;
&lt;p&gt;The mistake is treating any one signal as the whole answer. A residential proxy signal on a low-risk route may only need monitoring. The same signal on a password reset route, with repeated failures and a first-seen client, should be handled differently.&lt;/p&gt;
&lt;p&gt;This is the job of &lt;a href="/solutions/use-case/contextual-security/"&gt;contextual security&lt;/a&gt;: apply friction where the request context justifies it, while keeping trusted users on the shortest path.&lt;/p&gt;
&lt;h2&gt;3. Choose Actions That Match Route Risk&lt;/h2&gt;
&lt;p&gt;Not every suspicious request should be blocked. Blocking is one action, and it should be available, but account protection needs a wider set of responses.&lt;/p&gt;
&lt;p&gt;Common actions include:&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;Allow and record.&lt;/li&gt;
&lt;li&gt;Log only.&lt;/li&gt;
&lt;li&gt;Add to a rate-limit zone.&lt;/li&gt;
&lt;li&gt;Throttle or return a 429.&lt;/li&gt;
&lt;li&gt;Require a challenge.&lt;/li&gt;
&lt;li&gt;Require step-up authentication.&lt;/li&gt;
&lt;li&gt;Deny the request.&lt;/li&gt;
&lt;li&gt;Route to a safer path.&lt;/li&gt;
&lt;li&gt;Alert security or support.&lt;/li&gt;
&lt;/ul&gt;
&lt;p&gt;&lt;a href="/products/advanced-rate-limiting/"&gt;Advanced rate limiting&lt;/a&gt; is useful here because the counter does not have to be the source IP. For API traffic, a policy may key on an Authorization header, token, fingerprint, route, cookie, response code, or a combination of fields. For account flows, response-aware limits can count failed logins or suspicious reset attempts, then apply a stricter rule on the next request.&lt;/p&gt;
&lt;p&gt;This matters for distributed abuse. If attackers rotate through residential proxies, a simple IP counter sees fragments. A route-aware, signal-aware policy can still recognise the behaviour that matters.&lt;/p&gt;
&lt;h2&gt;4. Preserve Evidence While the Control Runs&lt;/h2&gt;
&lt;p&gt;A security decision that cannot be explained will be difficult to tune and harder to defend internally. Teams need to know why a request was allowed, challenged, throttled, or blocked.&lt;/p&gt;
&lt;p&gt;The evidence should keep the request, route, signal, policy, action, and outcome together. That includes useful fields such as the matched route, rate-limit zone, proxy or IP classification, fingerprint, response code, decision reason, and timestamp.&lt;/p&gt;
&lt;p&gt;&lt;a href="/products/log-forwarding/"&gt;Log forwarding&lt;/a&gt; is part of the operating model, not an afterthought. If the evidence only exists in a dashboard screenshot or a short-lived edge event, support, fraud, platform, and security teams will end up reconstructing incidents by hand. Forwarded logs should carry enough context into the SIEM, object store, or observability pipeline for investigation and tuning.&lt;/p&gt;
&lt;p&gt;This also protects the rollout. When a control is in monitor mode, evidence shows who would have been affected. When it is enforced, evidence shows who was affected and why.&lt;/p&gt;
&lt;h2&gt;5. Tune From Monitor to Enforce&lt;/h2&gt;
&lt;p&gt;The safest way to deploy account and API controls is usually staged:&lt;/p&gt;
&lt;ol&gt;
&lt;li&gt;Monitor the route and collect baseline evidence.&lt;/li&gt;
&lt;li&gt;Add low-friction actions, such as logging or soft thresholds.&lt;/li&gt;
&lt;li&gt;Review false positives, support impact, and route ownership.&lt;/li&gt;
&lt;li&gt;Enforce on the clearest abuse patterns.&lt;/li&gt;
&lt;li&gt;Expand enforcement only where evidence supports it.&lt;/li&gt;
&lt;li&gt;Keep rollback and emergency tightening paths documented.&lt;/li&gt;
&lt;/ol&gt;
&lt;p&gt;This avoids two common failures. The first is leaving controls in monitor mode forever because nobody owns the decision to enforce. The second is enforcing too broadly and creating customer friction that causes the business to bypass the control.&lt;/p&gt;
&lt;p&gt;A staged model gives security, platform, product, and support teams a shared language. The rule is not "on" or "off". It has a route, a risk case, an action, evidence, and a review cycle.&lt;/p&gt;
&lt;h2&gt;6. Fit the Model to the Edge You Already Run&lt;/h2&gt;
&lt;p&gt;Some teams want Peakhour as the active application edge. Others need to keep Cloudflare, Fastly, CloudFront, another CDN, or an existing hosting edge in place. That deployment choice should not change the operating principle.&lt;/p&gt;
&lt;p&gt;The goal is still to classify request context before origin, apply the right action, and preserve evidence. &lt;a href="/solutions/bring-your-own-edge/"&gt;Bring Your Own Edge&lt;/a&gt; matters because many organisations cannot redesign delivery just to improve account protection. They need a control path that fits the architecture they already operate.&lt;/p&gt;
&lt;p&gt;The practical test is straightforward: can the team explain what happened to a sensitive account or API request without guessing?&lt;/p&gt;
&lt;p&gt;If the answer is no, the next step is not another generic control. It is an operating model: map the route, classify the signals, choose the action, preserve the evidence, and tune the policy from observed behaviour.&lt;/p&gt;
&lt;p&gt;That is how API and account protection becomes something the organisation can run, not just something it bought.&lt;/p&gt;</content><category term="API Security"></category><category term="API Security"></category><category term="Account Protection"></category><category term="Log Forwarding"></category><category term="Rate Limiting"></category><category term="Contextual Security"></category><category term="Traffic Control"></category></entry><entry><title>API Bot Abuse Does Not Stay in One Endpoint</title><link href="https://www.peakhour.io/blog/api-bot-abuse-login-checkout-account-journeys/" rel="alternate"></link><published>2026-06-19T00:00:00+10:00</published><updated>2026-06-19T00:00:00+10:00</updated><author><name>AC</name></author><id>tag:www.peakhour.io,2026-06-19:/blog/api-bot-abuse-login-checkout-account-journeys/</id><summary type="html">&lt;p&gt;API bot abuse moves across login, checkout, and account journeys. Defenders need route-aware bot, rate, and account controls that follow the campaign rather than treating each endpoint as a separate incident.&lt;/p&gt;</summary><content type="html">&lt;p&gt;API bot abuse rarely stays politely inside one endpoint.&lt;/p&gt;
&lt;p&gt;A campaign may start at login, move through token refresh, test account recovery, check saved addresses, probe checkout, abuse coupons, scrape product availability, and then return to account actions once a working session is found. Looking at each route alone makes the activity seem smaller than it is.&lt;/p&gt;
&lt;p&gt;The pattern matters more than the individual request.&lt;/p&gt;
&lt;p&gt;That is why &lt;a href="/solutions/use-case/api-bot-protection/"&gt;API bot protection&lt;/a&gt; has to follow journeys, not just endpoints.&lt;/p&gt;
&lt;h2&gt;Login Is the First Measurement Point&lt;/h2&gt;
&lt;p&gt;Login endpoints are the obvious place to look for bot abuse. Credential stuffing, password spraying, brute force attempts, and token abuse all show up there.&lt;/p&gt;
&lt;p&gt;But the login endpoint is only the first measurement point. Attackers are not trying to create a failed-login graph. They are trying to find usable accounts and move to the next action.&lt;/p&gt;
&lt;p&gt;A bot campaign may keep failed attempts low per IP address. It may rotate through residential proxies. It may slow down to avoid simple thresholds. It may mimic the browser request shape closely enough to get past a basic check. It may use an API route that exists for the mobile app rather than the public login form.&lt;/p&gt;
&lt;p&gt;So the useful question is not just "how many login attempts did we see?" It is "which client, route, network, fingerprint, account, and response pattern suggests automation?"&lt;/p&gt;
&lt;p&gt;That is where &lt;a href="/products/bot-management/"&gt;bot management&lt;/a&gt; belongs in the account journey. It should not be an isolated "human or bot" label. It should become part of the request evidence used for login, recovery, checkout, and account-change decisions.&lt;/p&gt;
&lt;h2&gt;Checkout Abuse Is Often API Abuse&lt;/h2&gt;
&lt;p&gt;Checkout abuse is not always a stolen-card problem. It can be a request-path problem.&lt;/p&gt;
&lt;p&gt;Bots can test coupon codes, reserve inventory, create carts, check delivery combinations, retry payment flows, and exploit business logic at machine speed. Some of this happens through visible browser journeys. Much of it happens through APIs used by the front end or mobile app.&lt;/p&gt;
&lt;p&gt;The damage is not always dramatic in a single request. A few extra cart creations may look normal. A small number of coupon checks may be expected. A payment retry can be legitimate. The problem is the campaign shape across routes.&lt;/p&gt;
&lt;p&gt;If the same automation profile moves through login, cart, promo, shipping, and payment APIs with abnormal timing or sequencing, the response should not depend on one endpoint crossing a crude global limit.&lt;/p&gt;
&lt;p&gt;It should be route-aware.&lt;/p&gt;
&lt;p&gt;A checkout API can tolerate different behaviour from a catalogue API. A payment route deserves different thresholds from a product search route. A coupon route may need controls around account age, session state, rate, and client evidence. A cart route may be harmless in one context and abusive in another.&lt;/p&gt;
&lt;h2&gt;Account Journeys Need Sensitive-Action Controls&lt;/h2&gt;
&lt;p&gt;Account abuse becomes most damaging when a session moves into sensitive actions.&lt;/p&gt;
&lt;p&gt;Changing an email address, resetting a password, adding a new delivery address, viewing stored payment details, redeeming loyalty value, or placing an order are different from normal browsing. They deserve stronger context.&lt;/p&gt;
&lt;p&gt;The request may be technically valid. The token may pass validation. The password may be correct. The API schema may be satisfied. That does not mean the action is safe.&lt;/p&gt;
&lt;p&gt;A strong control model looks at the full path into that action. Did the session begin with credential stuffing signals? Is the client first seen? Did the network change? Is there proxy or fingerprint drift? Has the account recently failed login attempts? Is the request cadence consistent with a human journey? Is the action unusually soon after authentication?&lt;/p&gt;
&lt;p&gt;These are not abstract "zero trust" slogans. They are practical checks on the account request path.&lt;/p&gt;
&lt;h2&gt;Rate Limits Need Better Keys&lt;/h2&gt;
&lt;p&gt;API abuse prevention often starts with rate limiting, but IP-only limits struggle with distributed automation and shared networks. The hard part is deciding what to count.&lt;/p&gt;
&lt;p&gt;For API bot abuse, useful rate keys can include route, method, account, token, API key, response code, ASN, country, TLS or HTTP fingerprint, verified bot state, and combinations of headers. The right key depends on the journey.&lt;/p&gt;
&lt;p&gt;A login endpoint might count failed attempts by account and fingerprint. A token endpoint might count refresh patterns by client and session. A checkout route might count attempts by account, payment state, and client fingerprint. A partner API might count by API key and route.&lt;/p&gt;
&lt;p&gt;&lt;a href="/products/advanced-rate-limiting/"&gt;Advanced rate limiting&lt;/a&gt; is valuable because it can model the abusive actor more precisely than a single IP address. It also gives teams response options short of blanket blocking: log, challenge, throttle, or deny depending on the route and risk.&lt;/p&gt;
&lt;p&gt;That matters because real API traffic includes customers, mobile apps, partners, service clients, good bots, bad bots, and increasingly AI-driven agents.&lt;/p&gt;
&lt;h2&gt;Agents Will Make the Journey Problem Harder&lt;/h2&gt;
&lt;p&gt;The next wave of automated API use will not all look like simple scripts. As discussed in &lt;a href="/blog/agentic-ai-vs-your-api/"&gt;Agentic AI vs. Your API&lt;/a&gt;, reasoning agents can explore, adapt, and change their behaviour based on responses.&lt;/p&gt;
&lt;p&gt;That does not mean every AI agent is malicious. It does mean endpoint-by-endpoint rules will age quickly.&lt;/p&gt;
&lt;p&gt;A reasoning agent can try one path, observe the result, and adjust. It can move from documentation to browser-backed APIs to mobile-shaped requests. It can test which routes are protected, which errors reveal state, and which actions trigger stronger checks.&lt;/p&gt;
&lt;p&gt;Defence needs the same journey view. The campaign should be visible as it moves, even when the exact request pattern changes.&lt;/p&gt;
&lt;h2&gt;Keep Evidence Attached to the Campaign&lt;/h2&gt;
&lt;p&gt;API bot abuse is easier to manage when the evidence stays attached.&lt;/p&gt;
&lt;p&gt;The useful record is not just "blocked by rule 42". It is the route, account state, token or key context, fingerprint, proxy signal, rate key, response pattern, action taken, and protected business step. That evidence lets teams tune controls without guessing and investigate incidents without reconstructing the whole path from raw logs.&lt;/p&gt;
&lt;p&gt;For broader background, &lt;a href="/learning/api-protection/what-is-api-abuse-prevention/"&gt;API abuse prevention&lt;/a&gt; covers the categories. The operational point is narrower: login, checkout, and account APIs should not be defended as separate islands.&lt;/p&gt;
&lt;p&gt;Attackers use the journey.&lt;/p&gt;
&lt;p&gt;The defence should too.&lt;/p&gt;</content><category term="API Security"></category><category term="API Bot Protection"></category><category term="Bot Management"></category><category term="Account Protection"></category><category term="Rate Limiting"></category><category term="API Security"></category><category term="Threat Detection"></category></entry><entry><title>API Protection and Account Protection Are One Request-Path Problem</title><link href="https://www.peakhour.io/blog/api-protection-account-protection-request-path/" rel="alternate"></link><published>2026-06-19T00:00:00+10:00</published><updated>2026-06-19T00:00:00+10:00</updated><author><name>AC</name></author><id>tag:www.peakhour.io,2026-06-19:/blog/api-protection-account-protection-request-path/</id><summary type="html">&lt;p&gt;Account protection does not stop at the login form. The same request path carries API, bot, rate, token, and account-risk evidence, and that is where the decision needs to happen.&lt;/p&gt;</summary><content type="html">&lt;p&gt;Account protection is often discussed as if it belongs to the login page. That made sense when most account abuse looked like someone submitting a username and password into a web form.&lt;/p&gt;
&lt;p&gt;That is not how modern account journeys work.&lt;/p&gt;
&lt;p&gt;A customer signs in through a browser, a mobile app, a partner integration, a password reset flow, a token refresh endpoint, a profile update request, a checkout API, and sometimes a service-to-service call that exists nowhere in the visible front end. The account is not protected by one screen. It is protected, or exposed, by the whole request path.&lt;/p&gt;
&lt;p&gt;That is why &lt;a href="/products/api-security/"&gt;API security&lt;/a&gt; and account protection should not be treated as separate operating problems. The API route, the identity context, the client evidence, the rate pattern, the token behaviour, the bot signal, and the account action all arrive together. Splitting those signals across disconnected tools makes the final decision weaker.&lt;/p&gt;
&lt;h2&gt;The Login Is Only the Start&lt;/h2&gt;
&lt;p&gt;Credential stuffing is the obvious example. Attackers test leaked credentials against login endpoints, but the useful outcome is rarely the login itself. The value comes after the session opens.&lt;/p&gt;
&lt;p&gt;They try to change the email address. They add a shipping address. They reset a password. They check stored cards. They redeem loyalty value. They place an order. They call account APIs that were built for the real customer journey and then abuse them in a different sequence.&lt;/p&gt;
&lt;p&gt;If the login defence is separate from the API defence, the organisation may see only fragments:&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;A spike in failed logins in one dashboard.&lt;/li&gt;
&lt;li&gt;A suspicious token refresh pattern somewhere else.&lt;/li&gt;
&lt;li&gt;A burst of profile-change requests in application logs.&lt;/li&gt;
&lt;li&gt;A fraud case after checkout.&lt;/li&gt;
&lt;/ul&gt;
&lt;p&gt;Each of those is useful. None is the full story.&lt;/p&gt;
&lt;p&gt;The better model is to keep the decision close to the request. A request to &lt;code&gt;/login&lt;/code&gt; is different from a request to &lt;code&gt;/account/email&lt;/code&gt;, &lt;code&gt;/checkout/payment&lt;/code&gt;, or &lt;code&gt;/api/token/refresh&lt;/code&gt;. The route matters. So does the method, the session state, the previous failures, the network, the client evidence, and the account action being attempted.&lt;/p&gt;
&lt;h2&gt;APIs Carry Account Risk&lt;/h2&gt;
&lt;p&gt;APIs are not just developer plumbing. They are where many account journeys now happen.&lt;/p&gt;
&lt;p&gt;Mobile apps use APIs for login, registration, password reset, saved addresses, payment methods, and checkout. Single-page applications call APIs behind browser journeys. Partner systems may call account or order APIs directly. Internal services may use API keys or service credentials that function like non-human accounts.&lt;/p&gt;
&lt;p&gt;That creates a practical issue: account protection must cover both human and non-human identity paths.&lt;/p&gt;
&lt;p&gt;OAuth, JWTs, API keys, refresh tokens, and service credentials all need lifecycle control, least-privilege access, rotation, validation, and monitoring. But those controls are still not enough if the protected API cannot see whether the request is behaving like abuse.&lt;/p&gt;
&lt;p&gt;A valid token can be stolen. A valid API key can be overused. A real session can be driven by automation. A known customer can suddenly perform a high-risk action from a first-seen client through proxy infrastructure.&lt;/p&gt;
&lt;p&gt;The request has to be judged in context.&lt;/p&gt;
&lt;h2&gt;Rate Limiting Has to Follow Business Logic&lt;/h2&gt;
&lt;p&gt;Basic rate limiting often starts with an IP address. That is an understandable first step, but it is not enough for account protection. Attackers rotate through proxy networks. Legitimate users may share a carrier or office IP. Some attacks are low and slow enough that no single IP looks exceptional.&lt;/p&gt;
&lt;p&gt;For account journeys, rate limiting needs to be tied to the thing being protected.&lt;/p&gt;
&lt;p&gt;Login attempts can be counted differently from password resets. Token refreshes can be counted differently from product searches. A failed authentication response can be treated differently from a normal read request. A route hit by a first-seen client can be treated differently from one used by a known browser session.&lt;/p&gt;
&lt;p&gt;That is the point of &lt;a href="/solutions/api-protection/"&gt;API protection&lt;/a&gt; as an operating layer, not just an API inventory exercise. The route, schema, authentication state, bot signal, and rate key should be available to the same decision. Otherwise teams end up writing compensating rules in several systems and hoping the gaps line up.&lt;/p&gt;
&lt;h2&gt;The Edge Decision Needs Options&lt;/h2&gt;
&lt;p&gt;Not every suspicious request should be blocked. Some should be logged. Some should be rate limited. Some should be challenged. Some should be allowed because the business impact of a false positive is worse than the risk presented by that specific request.&lt;/p&gt;
&lt;p&gt;Account protection is strongest when the action matches the journey.&lt;/p&gt;
&lt;p&gt;A login request with weak risk signals might be allowed but watched. A password reset request with stronger signals might require step-up. A checkout attempt from a newly compromised session might be blocked or reviewed. A partner API key exceeding expected usage might be throttled without affecting normal customers.&lt;/p&gt;
&lt;p&gt;Peakhour's position here is simple: API, bot, WAF, rate, and account controls work better when they share request evidence. That can run on Peakhour Edge, or it can sit beside the CDN and cloud edge already in place through &lt;a href="/solutions/bring-your-own-edge/"&gt;bring your own edge&lt;/a&gt;. The important part is not the label on the component. It is whether the request path has enough context to make the right decision.&lt;/p&gt;
&lt;h2&gt;Account Protection Is a Journey Control&lt;/h2&gt;
&lt;p&gt;A useful account protection programme should be able to answer operational questions.&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;Which routes are involved in account takeover attempts?&lt;/li&gt;
&lt;li&gt;Which sessions moved from suspicious login behaviour into account changes?&lt;/li&gt;
&lt;li&gt;Which tokens or API keys are behaving outside their expected pattern?&lt;/li&gt;
&lt;li&gt;Which controls created friction, and where?&lt;/li&gt;
&lt;li&gt;Which blocked requests actually protected account, checkout, or recovery actions?&lt;/li&gt;
&lt;/ul&gt;
&lt;p&gt;Those questions cannot be answered from a login form alone. They require API visibility, account-event context, rate data, bot signals, and reviewable evidence.&lt;/p&gt;
&lt;p&gt;That is the thesis of this series: API protection and account protection are one request-path problem. The account is compromised through a sequence of requests. The defence needs to see that sequence early enough to act.&lt;/p&gt;
&lt;p&gt;For teams already working on &lt;a href="/solutions/use-case/prevent-account-takeovers/"&gt;account takeover prevention&lt;/a&gt;, the next step is not simply adding another login prompt. It is connecting the account journey to the API routes that now carry it.&lt;/p&gt;</content><category term="API Security"></category><category term="API Security"></category><category term="Account Protection"></category><category term="Bot Management"></category><category term="Rate Limiting"></category><category term="Threat Detection"></category><category term="Fraud Prevention"></category></entry><entry><title>The Real Cost of Breached Credentials</title><link href="https://www.peakhour.io/blog/cost-of-breached-credentials/" rel="alternate"></link><published>2026-06-19T00:00:00+10:00</published><updated>2026-06-19T00:00:00+10:00</updated><author><name>AC</name></author><id>tag:www.peakhour.io,2026-06-19:/blog/cost-of-breached-credentials/</id><summary type="html">&lt;p&gt;Breached credentials keep creating cost after the original breach. They feed credential stuffing, account takeover, fraud, support, and reputation costs across login, recovery, checkout, and API flows.&lt;/p&gt;</summary><content type="html">&lt;p&gt;The cost of breached credentials is usually counted in the wrong place.&lt;/p&gt;
&lt;p&gt;When an organisation suffers a data breach, the obvious costs are incident response, legal work, notification, customer support, remediation, and regulatory attention. Those costs matter. IBM's &lt;a href="https://www.ibm.com/reports/data-breach"&gt;2025 Cost of a Data Breach Report&lt;/a&gt; puts the global average breach cost at about USD 4.4 million. IBM's &lt;a href="https://www.ibm.com/think/topics/data-breach"&gt;data breach explainer&lt;/a&gt; also says stolen or compromised credentials were one of the top five initial attack vectors in the 2025 report, accounting for 10% of breaches and taking up to 186 days to identify.&lt;/p&gt;
&lt;p&gt;But that is only the first bill.&lt;/p&gt;
&lt;p&gt;Once usernames and passwords leave the original system, they do not stay attached to the original incident. They are copied, sorted, bundled, tested, resold, and mixed with other personal data. Another company's breach becomes your login problem. A password reused somewhere else becomes your fraud queue, your support call, your chargeback, your locked account, your angry customer, and your next security review.&lt;/p&gt;
&lt;p&gt;That is the real cost of breached credentials: not just the breach, but the long tail of account abuse that follows.&lt;/p&gt;
&lt;h2&gt;The Roundup: Breaches Are Feeding Account Abuse&lt;/h2&gt;
&lt;p&gt;The numbers are not subtle.&lt;/p&gt;
&lt;p&gt;The Identity Theft Resource Center's &lt;a href="https://www.idtheftcenter.org/post/2025-annual-data-breach-report-record-number-compromises/"&gt;2025 Annual Data Breach Report&lt;/a&gt; tracked 3,322 data compromises in 2025, a record high and a 79% increase over five years. The same report found that 70% of breach notices did not include attack information, making it harder for consumers and downstream businesses to understand what risk they now carry.&lt;/p&gt;
&lt;p&gt;The ITRC also introduced a category it calls Previously Compromised Data: old stolen data that is repackaged and recirculated. In the &lt;a href="https://www.idtheftcenter.org/wp-content/uploads/2026/01/2025-ITRC-Annual-Data-Breach-Report.pdf"&gt;full report&lt;/a&gt;, the ITRC says there were four major PCD releases in 2025, including two incidents involving roughly 16 billion records with no known notices. Its warning is the important part: while this may not be "new" stolen data, aggregation makes it highly effective for credential stuffing and account takeover attacks.&lt;/p&gt;
&lt;p&gt;That matches the operational pattern security teams see on login endpoints. &lt;a href="https://owasp.org/www-community/attacks/Credential_stuffing"&gt;OWASP describes credential stuffing&lt;/a&gt; as automated testing of stolen username and password pairs against login forms. The reason it works is boring and persistent: people reuse passwords. Attackers do not need to breach your site if a customer has already reused a working credential somewhere else.&lt;/p&gt;
&lt;p&gt;For Australian organisations, the local signals are just as relevant. The OAIC received &lt;a href="https://www.oaic.gov.au/news/blog/latest-notifiable-data-breach-statistics-for-january-to-june-2025"&gt;532 Notifiable Data Breach notifications&lt;/a&gt; between January and June 2025, with malicious or criminal attacks remaining the largest source of notifications. ASD's &lt;a href="https://www.cyber.gov.au/about-us/view-all-content/reports-and-statistics/annual-cyber-threat-report-2024-2025"&gt;Annual Cyber Threat Report 2024-25&lt;/a&gt; notes that its credential exposure notification process proactively sent 9,587 credential exposure events to about 220 organisations between 19 November 2024 and 30 June 2025.&lt;/p&gt;
&lt;p&gt;None of that means every fraud loss starts with a reused password. It does mean credential exposure is part of the operating environment. Attackers have supply, tooling, proxy infrastructure, and plenty of places to turn account access into money.&lt;/p&gt;
&lt;p&gt;The FBI's &lt;a href="https://www.ic3.gov/AnnualReport/Reports/2025_IC3Report.pdf"&gt;2025 IC3 report&lt;/a&gt; gives useful context for that monetisation path. Cyber-enabled fraud accounted for 452,868 complaints and USD 17.697 billion in reported losses. Those losses include many crime types, not just credential stuffing, but the transaction paths are familiar to anyone dealing with account abuse: wire and ACH transfers, cards, peer-to-peer transfers, prepaid and gift cards, and cryptocurrency.&lt;/p&gt;
&lt;h2&gt;Where the Cost Actually Lands&lt;/h2&gt;
&lt;p&gt;A breached credential is cheap for the attacker and expensive for everyone else.&lt;/p&gt;
&lt;p&gt;The first cost is detection. A login using the right username and password does not automatically look malicious. If the attacker spreads attempts across residential proxy infrastructure, uses one attempt per account, or targets mobile API endpoints directly, simple IP-based rate limits may not see the pattern. Peakhour has written about this in &lt;a href="/blog/credential-stuffing-threat-australian-businesses/"&gt;The Australian epidemic of Account Takeover attacks&lt;/a&gt; and in &lt;a href="/blog/credential-stuffing-after-the-login/"&gt;Credential Stuffing Does Not Stop at the Login Form&lt;/a&gt;.&lt;/p&gt;
&lt;p&gt;The second cost is fraud. Once a credential works, the attacker looks for value: stored cards, gift cards, loyalty points, refunds, store credit, subscription changes, delivery addresses, and saved payment flows. This is why account takeover is not just an authentication problem. The expensive moment may be checkout, not login.&lt;/p&gt;
&lt;p&gt;The third cost is support. Customers do not usually know whether the original password leak happened somewhere else. They know their account was used, their card was charged, their loyalty balance disappeared, or their email address changed. The business still has to handle the support ticket, freeze the account, unwind the transaction, review the evidence, and explain what happened.&lt;/p&gt;
&lt;p&gt;The fourth cost is trust. We have covered this before in &lt;a href="/blog/credential-stuffing-business-impact/"&gt;The Cost of Credential Stuffing&lt;/a&gt;: the reputational damage is practical. Customers see refunds, account locks, suspicious messages, and public complaints. Even if the business was not the source of the original breach, it becomes the place where the harm is felt.&lt;/p&gt;
&lt;p&gt;The fifth cost is friction. If the only response is to challenge everyone, the business pays through abandonment and customer frustration. If the response is too soft, the business pays through fraud. The work is to apply friction where the evidence justifies it.&lt;/p&gt;
&lt;h2&gt;You Do Not Need Surveillance to Secure Accounts&lt;/h2&gt;
&lt;p&gt;There is a bad version of account protection that tries to identify people everywhere they go. That is not necessary, and it is not the right model for this problem.&lt;/p&gt;
&lt;p&gt;Credential abuse defence should be scoped to the account security decision in front of you. Is this login using a known exposed credential pair? Is the session coming from suspicious infrastructure? Is it a first-seen device for the account? Is it trying to change email, reset the password, add a payout method, redeem stored value, or check out with saved payment details? Did the same client pattern just test many accounts?&lt;/p&gt;
&lt;p&gt;Those questions can be answered with security-specific signals, not advertising-style tracking. Hash the credential check. Treat &lt;a href="/blog/fingerprints-are-evidence-not-identity/"&gt;fingerprints as evidence, not identity&lt;/a&gt;. Keep the evidence tied to the protected account and request path. Use network, device, route, behaviour, and credential-risk context to decide whether to allow, step up, throttle, block, or review. Do not build a cross-site identity graph when the job is to stop account abuse on your own service.&lt;/p&gt;
&lt;p&gt;That distinction matters. Users should not have to trade privacy for basic account security. Businesses also do not need to choose between doing nothing and adding blanket friction. &lt;a href="/solutions/use-case/contextual-security/"&gt;Contextual security&lt;/a&gt; is useful because it lets the response match the risk.&lt;/p&gt;
&lt;h2&gt;What Teams Should Measure&lt;/h2&gt;
&lt;p&gt;If breached credentials are a business cost, measure them like one.&lt;/p&gt;
&lt;p&gt;Useful measures include:&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;How many login attempts match known breached credential pairs.&lt;/li&gt;
&lt;li&gt;How many breached-credential attempts result in a successful login.&lt;/li&gt;
&lt;li&gt;Which routes see the risk: login, password reset, email change, stored-card checkout, gift card redemption, account recovery, mobile API, partner API, or admin access.&lt;/li&gt;
&lt;li&gt;How often high-risk sessions move from login into sensitive account actions.&lt;/li&gt;
&lt;li&gt;Which signals appear together: breached credential, residential proxy, first-seen device, unusual geography, repeated failure, rapid checkout, or recovery-flow pressure.&lt;/li&gt;
&lt;li&gt;How many support tickets, refunds, chargebacks, account locks, and fraud reviews are linked to account takeover.&lt;/li&gt;
&lt;li&gt;How many controls create customer friction, and whether that friction is landing on risky sessions or ordinary customers.&lt;/li&gt;
&lt;/ul&gt;
&lt;p&gt;This does not need to be perfect on day one. The important step is to stop treating credential stuffing as a vague security category and start treating it as an observable account-risk workflow.&lt;/p&gt;
&lt;h2&gt;The Control Pattern&lt;/h2&gt;
&lt;p&gt;The control pattern is layered.&lt;/p&gt;
&lt;p&gt;Start with &lt;a href="/products/breached-credentials/"&gt;breached credential scanning&lt;/a&gt; so reused or exposed credentials are visible at login. Feed that signal into &lt;a href="/solutions/use-case/prevent-account-takeovers/"&gt;account takeover prevention&lt;/a&gt; rather than treating it as a standalone report. Add &lt;a href="/products/bot-management/"&gt;bot management&lt;/a&gt; and &lt;a href="/products/advanced-rate-limiting/"&gt;advanced rate limiting&lt;/a&gt; so automation and distributed testing are harder to run at scale. Use &lt;a href="/products/residential-proxy-detection/"&gt;residential proxy detection&lt;/a&gt; as a risk signal, especially where attackers are trying to make automated traffic look like normal customer traffic.&lt;/p&gt;
&lt;p&gt;Then carry the risk forward after login.&lt;/p&gt;
&lt;p&gt;A low-risk page view and a saved-card checkout should not inherit the same level of trust just because the password worked. A session that begins with a breached credential match, comes through suspicious infrastructure, and immediately changes the email address or redeems stored value deserves a different response from a known customer browsing order history.&lt;/p&gt;
&lt;p&gt;The response can be graduated:&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;Log low-risk activity for visibility.&lt;/li&gt;
&lt;li&gt;Tighten rate limits on suspicious automation.&lt;/li&gt;
&lt;li&gt;Require step-up verification before sensitive account changes.&lt;/li&gt;
&lt;li&gt;Hold or review risky transactions.&lt;/li&gt;
&lt;li&gt;Notify the customer when high-risk account changes are attempted.&lt;/li&gt;
&lt;li&gt;Block sessions when the evidence is strong enough.&lt;/li&gt;
&lt;/ul&gt;
&lt;p&gt;That is how breached credential data becomes useful. It is not a panic button. It is a signal that helps decide when trust should be earned again.&lt;/p&gt;
&lt;h2&gt;The Practical Takeaway&lt;/h2&gt;
&lt;p&gt;Breached credentials are not only a breach-response issue. They are an account protection issue, a fraud issue, a support issue, and a customer trust issue.&lt;/p&gt;
&lt;p&gt;The original breach may have happened somewhere else. The cost can still land on your login form, your checkout, your API, and your support team.&lt;/p&gt;
&lt;p&gt;The goal is not to make every login difficult. The goal is to make stolen credentials harder to turn into account control, money movement, stored-value abuse, or customer harm.&lt;/p&gt;
&lt;p&gt;That starts by making credential risk visible, connecting it to session and route context, and applying proportionate controls where the cost would otherwise show up.&lt;/p&gt;</content><category term="Account Protection"></category><category term="Account Protection"></category><category term="Credential Stuffing"></category><category term="Breached Credentials"></category><category term="Fraud Prevention"></category><category term="Bot Management"></category><category term="API Security"></category><category term="Residential Proxies"></category></entry><entry><title>Credential Stuffing Does Not Stop at the Login Form</title><link href="https://www.peakhour.io/blog/credential-stuffing-after-the-login/" rel="alternate"></link><published>2026-06-19T00:00:00+10:00</published><updated>2026-06-19T00:00:00+10:00</updated><author><name>AC</name></author><id>tag:www.peakhour.io,2026-06-19:/blog/credential-stuffing-after-the-login/</id><summary type="html">&lt;p&gt;Credential stuffing risk continues after a password works. Account protection needs to watch password reset, email change, stored payment, gift card, and checkout flows.&lt;/p&gt;</summary><content type="html">&lt;p&gt;Credential stuffing is usually described as a login problem. An attacker takes breached username and password pairs, tests them against a site, and tries to find accounts where people reused passwords.&lt;/p&gt;
&lt;p&gt;That description is accurate, but incomplete. The login is only the first gate. The real damage often happens in the flows that follow a successful login: password reset, email change, saved cards, loyalty balances, gift cards, account recovery, address changes, and checkout.&lt;/p&gt;
&lt;p&gt;If account protection only watches the login form, it can miss the part of the attack that matters most to the business.&lt;/p&gt;
&lt;p&gt;A successful credential stuffing attempt does not always look dramatic. The attacker may have valid credentials. They may come through residential proxy infrastructure. They may spread attempts across many IP addresses. They may slow the attack down to stay below simple thresholds. If the site treats a valid username and password as the end of the risk decision, the attacker inherits whatever the account can do.&lt;/p&gt;
&lt;p&gt;That is why &lt;a href="/solutions/use-case/prevent-account-takeovers/"&gt;account takeover prevention&lt;/a&gt; needs to cover account actions, not just authentication.&lt;/p&gt;
&lt;h2&gt;The Attack Continues After the Password Works&lt;/h2&gt;
&lt;p&gt;Once an attacker is inside an account, they usually want persistence, value, or both.&lt;/p&gt;
&lt;p&gt;A password reset or password change can lock the real customer out. An email change can move alerts, receipts, and recovery messages away from the owner. A phone number change can weaken later verification. A new shipping address can redirect physical goods. Stored payment methods can turn account access into immediate fraud. Gift cards, store credits, loyalty points, and refunds can be easier to monetise than a card transaction.&lt;/p&gt;
&lt;p&gt;Checkout is often where the compromise becomes visible, but the risk builds earlier. A login from unfamiliar infrastructure followed by a profile change, then a saved-card purchase, is different from a returning customer browsing previous orders. A dormant account that suddenly redeems gift cards, changes email, and ships to a new address deserves more scrutiny than an ordinary login.&lt;/p&gt;
&lt;p&gt;These flows are also common in APIs. Mobile apps, single-page applications, partner integrations, and checkout backends expose account actions through endpoints that may not share the same controls as the web login page. Attackers do not care whether the valuable step is behind &lt;code&gt;/login&lt;/code&gt;, &lt;code&gt;/api/account/email&lt;/code&gt;, or &lt;code&gt;/checkout/payment&lt;/code&gt;. They follow the path that works.&lt;/p&gt;
&lt;h2&gt;Breached Credentials Are a Risk Signal&lt;/h2&gt;
&lt;p&gt;&lt;a href="/products/breached-credentials/"&gt;Breached credential&lt;/a&gt; checks are useful because they add context before the account is fully trusted. If a credential pair is known to have appeared in a breach, the site can treat the session differently from the start.&lt;/p&gt;
&lt;p&gt;That does not mean every breached credential attempt should be handled the same way. A user may be genuinely logging in with a reused password. An attacker may be testing a combo list. A customer may be returning after a long period away. The point is to make the risk visible and carry it through the session.&lt;/p&gt;
&lt;p&gt;Peakhour has written before about &lt;a href="/blog/breached-credentials-protection-application-security-platform/"&gt;managing breached credential usage&lt;/a&gt;. The practical lesson is that credential risk should feed the wider account protection decision. A breached credential signal should be considered alongside client evidence, network context, request rate, route sensitivity, behaviour, and the action being attempted.&lt;/p&gt;
&lt;p&gt;A low-risk page view and a stored-card checkout should not inherit the same confidence just because both follow a successful login.&lt;/p&gt;
&lt;h2&gt;MFA Helps, But It Does Not Close Every Path&lt;/h2&gt;
&lt;p&gt;Multi-factor authentication remains useful. It can stop many direct account takeover attempts and raise the cost of abuse. But &lt;a href="/blog/why-mfa-is-an-incomplete-defence/"&gt;MFA is not a complete defence&lt;/a&gt; when attackers use social engineering, session theft, weak recovery flows, trusted devices, or post-login actions that do not require step-up verification.&lt;/p&gt;
&lt;p&gt;The better pattern is adaptive control. Let the login succeed when the evidence is low risk. Step up when the action matters. Ask for stronger verification before changing the email address, adding a new payout method, redeeming a stored balance, or checking out with saved payment details from an unfamiliar context.&lt;/p&gt;
&lt;p&gt;This is not about adding friction everywhere. It is about reserving friction for the points where compromise turns into loss.&lt;/p&gt;
&lt;h2&gt;What to Monitor After Login&lt;/h2&gt;
&lt;p&gt;The useful signals are operational and specific:&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;Credential risk at login, including known breached username and password pairs.&lt;/li&gt;
&lt;li&gt;New client, browser, or network evidence on an existing account.&lt;/li&gt;
&lt;li&gt;Password reset, password change, email change, and phone change attempts.&lt;/li&gt;
&lt;li&gt;New shipping addresses, payment method changes, stored-card use, gift card redemption, and loyalty balance activity.&lt;/li&gt;
&lt;li&gt;Sudden changes in behaviour, such as rapid checkout after login or repeated account recovery attempts.&lt;/li&gt;
&lt;li&gt;API routes that perform sensitive account actions without the same scrutiny as browser flows.&lt;/li&gt;
&lt;/ul&gt;
&lt;p&gt;The response should match the confidence and consequence. Some events only need logging. Some need tighter rate limits. Some need a browser challenge, MFA step-up, temporary hold, customer notification, or review.&lt;/p&gt;
&lt;p&gt;Credential stuffing defence is not finished when a password works or fails. The more useful question is: what does this session try to do next, and does the evidence justify trusting it?&lt;/p&gt;
&lt;p&gt;For account protection, that is the line that matters.&lt;/p&gt;</content><category term="API Security"></category><category term="API Security"></category><category term="Account Protection"></category><category term="Credential Stuffing"></category><category term="Bot Management"></category><category term="Breached Credentials"></category><category term="Fraud Prevention"></category></entry><entry><title>Fingerprints Are Evidence, Not Identity</title><link href="https://www.peakhour.io/blog/fingerprints-are-evidence-not-identity/" rel="alternate"></link><published>2026-06-19T00:00:00+10:00</published><updated>2026-06-19T00:00:00+10:00</updated><author><name>AC</name></author><id>tag:www.peakhour.io,2026-06-19:/blog/fingerprints-are-evidence-not-identity/</id><summary type="html">&lt;p&gt;Browser and network fingerprints are useful security evidence, but they should not be treated as proof of a person's identity.&lt;/p&gt;</summary><content type="html">&lt;p&gt;The word "fingerprint" can create the wrong expectation.&lt;/p&gt;
&lt;p&gt;In security, a browser or network fingerprint is not the same as a human fingerprint. It does not prove who a person is. It does not remove uncertainty. It should not be treated as a permanent identity for a customer.&lt;/p&gt;
&lt;p&gt;A fingerprint is evidence. Sometimes it is strong evidence. Sometimes it is weak, common, stale, or deliberately manipulated. Its value comes from how it is combined with route, behaviour, account state, network context, credential risk, and the action being requested.&lt;/p&gt;
&lt;p&gt;That distinction is more than wording. It affects how security teams design controls, explain decisions, and avoid overblocking legitimate users.&lt;/p&gt;
&lt;h2&gt;What Network Fingerprints Can Tell You&lt;/h2&gt;
&lt;p&gt;&lt;a href="/learning/fingerprinting/what-is-network-fingerprinting/"&gt;Network fingerprinting&lt;/a&gt; compares connection and protocol evidence. TCP behaviour, TLS handshakes, JA3 or JA4-style representations, HTTP/2 settings, header shape, MTU, proxy indicators, ASN, and path characteristics can all help classify the client or infrastructure behind a request.&lt;/p&gt;
&lt;p&gt;That can be useful during credential stuffing, scraping, scanning, API abuse, or Layer 7 attack pressure. Attackers may rotate IP addresses, but parts of the client stack or automation framework can remain consistent. Grouping requests by network evidence can make rate limiting, bot detection, and investigation more precise than IP-only rules.&lt;/p&gt;
&lt;p&gt;But the fingerprint is still not identity.&lt;/p&gt;
&lt;p&gt;Common browsers can share similar network shapes. Mobile networks and carrier-grade NAT can make unrelated users appear close together. VPNs and residential proxies can distort source context. Browser and library updates can change fingerprints overnight. Hashing can make signals portable while hiding useful detail. Attack tools can also try to imitate normal clients.&lt;/p&gt;
&lt;p&gt;The right conclusion from a suspicious network fingerprint is not "we know who this is". It is "this request deserves a different level of confidence".&lt;/p&gt;
&lt;h2&gt;What Browser Fingerprints Can Add&lt;/h2&gt;
&lt;p&gt;&lt;a href="/learning/fingerprinting/what-is-browser-fingerprinting/"&gt;Browser fingerprinting&lt;/a&gt; adds evidence from the application layer and, where appropriate, browser-side checks. Headers, client hints, JavaScript-visible properties, rendering behaviour, storage behaviour, timezone, language, permissions, and API availability can help decide whether a request looks like the browser it claims to be.&lt;/p&gt;
&lt;p&gt;This matters because many attacks try to borrow the appearance of ordinary browser traffic. Automation frameworks, emulators, headless browsers, anti-detect browsers, and scripted API clients can all present a user-agent string that looks plausible. Browser evidence helps compare the claim with the rest of the request.&lt;/p&gt;
&lt;p&gt;Again, the useful output is confidence, not identity. A browser fingerprint might support a challenge. It might support a lower rate limit. It might explain why a session changing an email address needs step-up verification. It might help &lt;a href="/products/bot-management/"&gt;bot management&lt;/a&gt; separate obvious automation from normal traffic.&lt;/p&gt;
&lt;p&gt;It should not become a claim that one technical pattern equals one person.&lt;/p&gt;
&lt;h2&gt;The Comparison Matters&lt;/h2&gt;
&lt;p&gt;Peakhour's page on &lt;a href="/learning/fingerprinting/browser-fingerprinting-vs-network-fingerprinting/"&gt;browser fingerprinting vs network fingerprinting&lt;/a&gt; makes the operational split clear. Network fingerprints usually come from passive connection and protocol evidence. Browser fingerprints often involve request and browser-side evidence. They answer related but different questions.&lt;/p&gt;
&lt;p&gt;A strong decision often needs both.&lt;/p&gt;
&lt;p&gt;A request claiming to be a normal browser should look broadly consistent across TLS, HTTP/2, headers, JavaScript-visible browser properties, proxy context, route behaviour, and account history. If the browser looks normal but the network path resembles a known automation cluster, that is useful. If the network path looks ordinary but the browser evidence is inconsistent or missing on a sensitive route, that is useful too.&lt;/p&gt;
&lt;p&gt;The mismatch is the signal. The response still depends on consequence.&lt;/p&gt;
&lt;p&gt;A suspicious request to a public asset route might only need logging. The same evidence on login, password reset, stored-card checkout, account email change, admin access, or an expensive API route may justify a challenge, tighter limit, temporary hold, or review.&lt;/p&gt;
&lt;h2&gt;How to Use Fingerprints Responsibly&lt;/h2&gt;
&lt;p&gt;Fingerprints work best when they are attached to an explainable decision. A security event should show the route, account or token context where relevant, source network evidence, browser evidence, policy action, response code, and review outcome. That gives operators a way to understand and correct decisions.&lt;/p&gt;
&lt;p&gt;Peakhour's guide to &lt;a href="/learning/fingerprinting/network-fingerprint-signals-and-security-decisions/"&gt;network fingerprint signals and security decisions&lt;/a&gt; frames the choices properly: allow, log, challenge, rate limit, block, or review. A fingerprint should help choose among those actions. It should not replace judgement.&lt;/p&gt;
&lt;p&gt;Responsible use also means accepting uncertainty. Fingerprints collide. They drift. They can be spoofed. Some privacy tools intentionally reduce or alter browser signals. Some legitimate users have unusual configurations. Some high-risk requests have only partial evidence.&lt;/p&gt;
&lt;p&gt;That uncertainty does not make fingerprints useless. It means they should be one layer in a wider control set.&lt;/p&gt;
&lt;p&gt;For account and API security, the practical question is not "can this fingerprint identify a person?" It is "does this evidence change the confidence we should place in this request?"&lt;/p&gt;
&lt;p&gt;If the answer is yes, use it carefully. Increase scrutiny on sensitive actions. Reduce friction where evidence is clean. Preserve enough context for review. Avoid pretending that a technical fingerprint is a human identity.&lt;/p&gt;
&lt;p&gt;That is the more accurate model, and it leads to better security decisions.&lt;/p&gt;</content><category term="API Security"></category><category term="API Security"></category><category term="Fingerprinting"></category><category term="Bot Management"></category><category term="Account Protection"></category><category term="Network Fingerprinting"></category><category term="Browser Fingerprinting"></category></entry><entry><title>Account Security Without Tracking People</title><link href="https://www.peakhour.io/blog/privacy-respecting-account-security-risk-signals/" rel="alternate"></link><published>2026-06-19T00:00:00+10:00</published><updated>2026-06-19T00:00:00+10:00</updated><author><name>AC</name></author><id>tag:www.peakhour.io,2026-06-19:/blog/privacy-respecting-account-security-risk-signals/</id><summary type="html">&lt;p&gt;Safer logins do not require treating people as products. Account defence should use minimised, purpose-bound risk signals and proportionate decisions.&lt;/p&gt;</summary><content type="html">&lt;p&gt;Account security needs evidence. A login request is not just a username and password; it has a route, client context, browser behaviour, network path, timing, session history, credential risk, and follow-on actions. Without some of that context, defenders are left with blunt controls: block too much, challenge everyone, or trust too easily.&lt;/p&gt;
&lt;p&gt;The privacy problem starts when security teams confuse evidence with identity.&lt;/p&gt;
&lt;p&gt;A risk signal should help answer a narrow operational question: should this login, password reset, email change, API call, or checkout step be allowed, challenged, rate limited, blocked, logged, or reviewed? It should not become a general-purpose profile of a person.&lt;/p&gt;
&lt;p&gt;That distinction matters. Good &lt;a href="/solutions/use-case/contextual-security/"&gt;contextual security&lt;/a&gt; is not surveillance dressed up as account protection. It is purpose-bound telemetry used to make proportionate security decisions.&lt;/p&gt;
&lt;h2&gt;Minimise the Signal Set&lt;/h2&gt;
&lt;p&gt;Security teams should start with the action they are protecting.&lt;/p&gt;
&lt;p&gt;A login attempt may need credential risk, source network context, browser consistency, known client status, failed-attempt history, and session age. A password reset may need different evidence. A checkout using stored payment details may need another set again. There is rarely a good reason to collect every possible signal for every route.&lt;/p&gt;
&lt;p&gt;This is especially important with browser and device evidence. &lt;a href="/learning/fingerprinting/what-is-browser-fingerprinting/"&gt;Browser fingerprinting&lt;/a&gt; can include headers, client hints, JavaScript-visible properties, rendering behaviour, storage behaviour, timezone, language, and other consistency checks. Those signals can be useful for detecting automation, anti-detect browsers, session abuse, and high-risk account changes. They can also be privacy-sensitive if collected broadly or retained without a clear purpose.&lt;/p&gt;
&lt;p&gt;The practical standard should be simple: collect what is needed for the account defence decision, attach it to that decision, and avoid turning uniqueness into the goal.&lt;/p&gt;
&lt;h2&gt;Use Evidence Over Identity&lt;/h2&gt;
&lt;p&gt;A security system does not need to know who a person "really" is to make a better login decision. It often only needs to know whether the request looks consistent with the account, route, browser, network path, and recent behaviour.&lt;/p&gt;
&lt;p&gt;That is where &lt;a href="/solutions/use-case/verified-browser-trust/"&gt;verified browser trust&lt;/a&gt; fits. The point is not to label a human being. The point is to decide whether a browser-like request has returned enough trustworthy evidence to proceed on a sensitive path. If the evidence is weak, the system can choose a proportionate response: log, challenge, rate limit, step up authentication, or send the event for review.&lt;/p&gt;
&lt;p&gt;Network evidence should be handled the same way. &lt;a href="/learning/fingerprinting/network-fingerprint-signals-and-security-decisions/"&gt;Network fingerprint signals&lt;/a&gt; can help distinguish ordinary browser traffic from automation, proxy paths, unusual client stacks, or inconsistent request shapes. But a network signal is not a person. It is one piece of evidence attached to a request.&lt;/p&gt;
&lt;p&gt;That framing reduces overreach. It also improves operations because decisions remain reviewable. If a customer is challenged, support and security teams should be able to see the route, risk signals, and policy reason without needing a vague black-box identity claim.&lt;/p&gt;
&lt;h2&gt;Be Careful With Behavioural Analytics&lt;/h2&gt;
&lt;p&gt;Behavioural analytics can help detect account compromise, especially when a session changes sharply from normal account usage. A customer who normally logs in from one region and browses slowly may deserve extra scrutiny if the same account suddenly logs in from unfamiliar infrastructure, changes email, redeems stored value, and checks out quickly.&lt;/p&gt;
&lt;p&gt;But behavioural systems have limits.&lt;/p&gt;
&lt;p&gt;Some users are sporadic. Some travel. Some use privacy tools. Some share devices. Some change browsers or phones. Some only visit when there is a problem. If there is not enough history, the system should admit that uncertainty rather than pretending the baseline is stronger than it is.&lt;/p&gt;
&lt;p&gt;That is where adaptive security is useful. Low-confidence evidence does not always justify a hard block. It might justify logging, a lower rate limit, a step-up challenge on a sensitive action, or a temporary hold on a risky change.&lt;/p&gt;
&lt;p&gt;The aim is not perfect recognition. It is better decision-making under uncertainty.&lt;/p&gt;
&lt;h2&gt;Make Retention and Purpose Part of the Design&lt;/h2&gt;
&lt;p&gt;Privacy-respecting account security is not only about which signals are collected. It is also about how long they are kept, where they are used, and who can inspect them.&lt;/p&gt;
&lt;p&gt;Useful practices include:&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;Tie telemetry to account defence purposes such as login risk, bot detection, account recovery, checkout abuse, and API misuse.&lt;/li&gt;
&lt;li&gt;Prefer route-specific evidence over broad user profiling.&lt;/li&gt;
&lt;li&gt;Keep raw signals only where they are needed for detection, audit, or investigation.&lt;/li&gt;
&lt;li&gt;Store decision evidence in a way operators can review.&lt;/li&gt;
&lt;li&gt;Avoid using security telemetry for unrelated marketing or behavioural targeting.&lt;/li&gt;
&lt;li&gt;Tune controls so low-risk users are not repeatedly challenged without cause.&lt;/li&gt;
&lt;/ul&gt;
&lt;p&gt;Peakhour should not pretend that account security can happen with no fingerprints, no telemetry, and no judgement. Modern attacks abuse valid credentials, residential proxy paths, automation frameworks, API routes, and post-login workflows. Defenders need evidence.&lt;/p&gt;
&lt;p&gt;The privacy-respecting position is narrower and stronger: collect the right evidence for the security decision, minimise it, keep it purpose-bound, and treat fingerprints as confidence signals rather than personal identity.&lt;/p&gt;
&lt;p&gt;That is how account security can become safer without turning every login into tracking for its own sake.&lt;/p&gt;</content><category term="API Security"></category><category term="API Security"></category><category term="Account Protection"></category><category term="Contextual Security"></category><category term="Privacy"></category><category term="Fingerprinting"></category><category term="Risk-Based Authentication"></category></entry><entry><title>How Residential Proxies Changed API and Account Abuse</title><link href="https://www.peakhour.io/blog/residential-proxies-api-account-abuse/" rel="alternate"></link><published>2026-06-19T00:00:00+10:00</published><updated>2026-06-19T00:00:00+10:00</updated><author><name>AC</name></author><id>tag:www.peakhour.io,2026-06-19:/blog/residential-proxies-api-account-abuse/</id><summary type="html">&lt;p&gt;Residential proxies have changed account abuse from obvious bursts into distributed, low-noise workflows across login, account, and API routes. Treat proxy use as a risk signal, not a blunt block rule.&lt;/p&gt;</summary><content type="html">&lt;p&gt;Residential proxies have changed the shape of API and account abuse. The old picture was easier to reason about: too many failed logins from one IP, a known hosting provider range, an obvious bot user agent, or a burst that crossed a threshold quickly enough to trip a rule.&lt;/p&gt;
&lt;p&gt;That still happens, but it is not the harder problem.&lt;/p&gt;
&lt;p&gt;The harder problem is the attempt that arrives through ordinary consumer networks, spreads itself across many addresses, and behaves just slowly enough to avoid looking like an incident. One login attempt here. A password reset probe there. A token refresh pattern that is unusual only when it is seen beside the route, the client, the ASN, the credential history, and the account event.&lt;/p&gt;
&lt;p&gt;That is why &lt;a href="/products/residential-proxy-detection/"&gt;residential proxy detection&lt;/a&gt; should be treated as part of the account and API decision path, not as a standalone allow/block list.&lt;/p&gt;
&lt;h2&gt;The Account Workflow Is Now a Distributed Target&lt;/h2&gt;
&lt;p&gt;Attackers do not need to break the whole application at once. They can work through the account surface in pieces:&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;Login attempts against known usernames.&lt;/li&gt;
&lt;li&gt;Password reset initiation and verification.&lt;/li&gt;
&lt;li&gt;New account registration.&lt;/li&gt;
&lt;li&gt;Token issue and refresh routes.&lt;/li&gt;
&lt;li&gt;Payment, address, profile, and email changes.&lt;/li&gt;
&lt;li&gt;Loyalty, wallet, checkout, or stored-value workflows.&lt;/li&gt;
&lt;li&gt;API calls that reveal whether an account or credential is valid.&lt;/li&gt;
&lt;/ul&gt;
&lt;p&gt;Each route may look acceptable in isolation. The risk appears when the pattern is joined together.&lt;/p&gt;
&lt;p&gt;A residential proxy network helps the attacker keep that pattern quiet. Requests rotate through many residential-looking exits. IP-based rate limits see different sources. A reputation feed may not have labelled a fresh or private proxy network yet. Geo checks can look plausible enough. The traffic does not necessarily arrive as a clean burst.&lt;/p&gt;
&lt;p&gt;This is where static thinking breaks down. If the only question is "is this IP bad?", the answer will often arrive too late or be too blunt to use safely.&lt;/p&gt;
&lt;h2&gt;Fresh and Private Proxy Networks Create a Timing Problem&lt;/h2&gt;
&lt;p&gt;Many teams think about proxy detection as a database problem: look up the IP, see whether it is a proxy, then block it. That works for some traffic, especially known data centre proxies and commodity infrastructure.&lt;/p&gt;
&lt;p&gt;Residential proxy abuse is less tidy. Fresh networks can appear before public datasets have a confident label. Private networks may not show up in broad feeds at all. Some exit points are shared with legitimate users. Some sit behind carrier-grade NAT or normal household connections. Blocking the address outright can create customer pain, while allowing it without context leaves the account flow exposed.&lt;/p&gt;
&lt;p&gt;This is the practical reason Peakhour talks about residential proxy use as a signal. The signal matters, but it has to sit beside &lt;a href="/products/ip-intelligence/"&gt;IP intelligence&lt;/a&gt;, connection characteristics, client history, request behaviour, account state, and route sensitivity.&lt;/p&gt;
&lt;p&gt;A residential proxy on a marketing page may only need logging. The same proxy signal on a login route with recent failures may justify a challenge. On a password reset or high-value account change, it may justify step-up authentication, throttling, or blocking depending on the rest of the evidence.&lt;/p&gt;
&lt;p&gt;The control should match the risk of the action.&lt;/p&gt;
&lt;h2&gt;Low-and-Slow Behaviour Is Still Automation&lt;/h2&gt;
&lt;p&gt;Low-and-slow abuse is uncomfortable because it avoids the easy operational story. There is no dramatic spike. There may be no single IP worth banning. The application may not be overloaded. Support may only see a few confused users, a few locked accounts, or a gradual rise in reset attempts.&lt;/p&gt;
&lt;p&gt;For API and account workflows, this is still automation. It just looks less like a flood and more like a background process.&lt;/p&gt;
&lt;p&gt;Useful signals include:&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;Repeated failed authentication across a shared fingerprint or client pattern.&lt;/li&gt;
&lt;li&gt;Many accounts touched by similar request timing.&lt;/li&gt;
&lt;li&gt;Token or reset routes used out of sequence.&lt;/li&gt;
&lt;li&gt;Browser characteristics that do not match the claimed client.&lt;/li&gt;
&lt;li&gt;Residential proxy use on sensitive account routes.&lt;/li&gt;
&lt;li&gt;Fresh IP or ASN patterns appearing around account events.&lt;/li&gt;
&lt;li&gt;Similar request shapes distributed across unrelated accounts.&lt;/li&gt;
&lt;/ul&gt;
&lt;p&gt;None of these signals has to prove abuse by itself. The point is to combine them early enough that the application does not have to make the decision alone.&lt;/p&gt;
&lt;p&gt;Peakhour's view is that proxy detection belongs in the same operating model as bot management, rate limiting, account risk scoring, and event evidence. The useful question is not "can we block every residential proxy?" It is "what should this route do when proxy use appears with this account, this client, this credential pattern, and this recent behaviour?"&lt;/p&gt;
&lt;h2&gt;API Routes Need the Same Treatment as Browser Flows&lt;/h2&gt;
&lt;p&gt;A common gap is protecting the visible login page while leaving API routes with weaker controls. Browser-side checks can help on web flows, but many account actions now happen through mobile apps, single-page applications, partner integrations, and backend APIs.&lt;/p&gt;
&lt;p&gt;Those routes still need context. They need request-level validation, route-aware thresholds, proxy and IP signals, token checks, and evidence that can be reviewed later. A login API, a reset API, and a profile-change API should not all receive the same action just because the source address has the same reputation.&lt;/p&gt;
&lt;p&gt;This is also why rate limiting has to move beyond source IP. A rule can key on a token, header, fingerprint, account identifier, route, response code, or a combination of signals. That makes it possible to slow failed login behaviour without punishing every legitimate user behind the same network.&lt;/p&gt;
&lt;p&gt;The background reading on &lt;a href="/blog/proxy-detection-challenges-existing-solutions/"&gt;proxy detection challenges&lt;/a&gt; and &lt;a href="/blog/residential-proxy-detection-quantifying-hidden-threat/"&gt;quantifying residential proxy risk&lt;/a&gt; covers the broader detection problem. For API and account teams, the immediate step is more operational: find the routes where a residential proxy signal should change the action.&lt;/p&gt;
&lt;h2&gt;The Right Outcome Is Controlled Friction&lt;/h2&gt;
&lt;p&gt;Residential proxy detection is not a magic verdict. It is a way to make the account decision more honest.&lt;/p&gt;
&lt;p&gt;Some traffic should pass. Some should be logged. Some should be rate limited. Some should be challenged. Some should be blocked. The difference should come from route sensitivity, request context, and observed behaviour, not from a single IP label.&lt;/p&gt;
&lt;p&gt;A practical policy might look like this:&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;Monitor proxy use across all account and API routes.&lt;/li&gt;
&lt;li&gt;Apply tighter thresholds on login, reset, token, and account-change routes.&lt;/li&gt;
&lt;li&gt;Combine proxy use with credential, client, rate, and behaviour signals.&lt;/li&gt;
&lt;li&gt;Preserve decision records so security and support can explain what happened.&lt;/li&gt;
&lt;li&gt;Move from monitor to enforce only after reviewing false positives and customer impact.&lt;/li&gt;
&lt;/ul&gt;
&lt;p&gt;That model gives teams a way to respond to residential proxy abuse without turning every shared residential network into a casualty.&lt;/p&gt;
&lt;p&gt;For a grounding definition, see &lt;a href="/learning/threat-detection/what-is-residential-proxy-detection/"&gt;What is Residential Proxy Detection?&lt;/a&gt;. For the product control, see &lt;a href="/products/residential-proxy-detection/"&gt;Residential Proxy Detection&lt;/a&gt;.&lt;/p&gt;
&lt;p&gt;The important shift is simple: residential proxies are not just a network category. In account and API protection, they are context for deciding how much trust a request deserves.&lt;/p&gt;</content><category term="API Security"></category><category term="API Security"></category><category term="Account Protection"></category><category term="Residential Proxies"></category><category term="Bot Management"></category><category term="Rate Limiting"></category><category term="Threat Detection"></category></entry><entry><title>Shadow APIs Are Account-Abuse Paths</title><link href="https://www.peakhour.io/blog/shadow-apis-account-abuse/" rel="alternate"></link><published>2026-06-19T00:00:00+10:00</published><updated>2026-06-19T00:00:00+10:00</updated><author><name>AC</name></author><id>tag:www.peakhour.io,2026-06-19:/blog/shadow-apis-account-abuse/</id><summary type="html">&lt;p&gt;Shadow APIs matter because attackers do not care whether a route is documented. Mobile, partner, browser-backed, and legacy APIs can all become account-abuse paths when they remain outside normal controls.&lt;/p&gt;</summary><content type="html">&lt;p&gt;A shadow API is not dangerous because it has a mysterious name. It is dangerous because it still accepts requests.&lt;/p&gt;
&lt;p&gt;If an endpoint can reset a password, refresh a token, check an account, change a delivery address, apply a discount, validate a stored payment method, or expose customer data, it is part of the account-abuse surface. Whether it appears in the current OpenAPI file is secondary.&lt;/p&gt;
&lt;p&gt;Attackers do not need your API catalogue to be tidy. They need one working route that your normal controls do not understand.&lt;/p&gt;
&lt;h2&gt;The Forgotten Paths Are Often Real Paths&lt;/h2&gt;
&lt;p&gt;Most organisations have more API surface than they think.&lt;/p&gt;
&lt;p&gt;Mobile apps leave behind old versions. Partner integrations get built for a campaign and then stay online. Browser-backed APIs are treated as internal because they are called by the front end, even though anyone can inspect and replay the requests. Legacy account endpoints remain active because turning them off might break an unknown client.&lt;/p&gt;
&lt;p&gt;None of this is unusual. It is how real systems evolve.&lt;/p&gt;
&lt;p&gt;The risk appears when those routes keep accepting production traffic without the same security treatment as the visible application. A current login page may have bot detection, adaptive prompts, and tuned rate limits. An older mobile endpoint may only check whether the credentials are valid. A partner route may trust an API key that has not been rotated. A browser API may return more account state than the front end displays.&lt;/p&gt;
&lt;p&gt;That gap is where account abuse gets practical.&lt;/p&gt;
&lt;h2&gt;Unknown Does Not Mean Unused&lt;/h2&gt;
&lt;p&gt;Security teams sometimes talk about discovery as if the main outcome is a cleaner inventory. Inventory matters, but the more useful question is: what can this route do?&lt;/p&gt;
&lt;p&gt;A shadow API that serves public catalogue data has one risk profile. A shadow API that changes account details has another. A forgotten token endpoint is different again. A mobile route that accepts username and password combinations is a credential stuffing target, even if the public login page has already been hardened.&lt;/p&gt;
&lt;p&gt;This is why &lt;a href="/products/api-security/"&gt;API security&lt;/a&gt; has to stay connected to account context. Route discovery is only the start. The protection model needs to know method, schema, authentication state, response pattern, user journey, and business sensitivity.&lt;/p&gt;
&lt;p&gt;A &lt;code&gt;POST&lt;/code&gt; request to an account recovery endpoint deserves different treatment from a &lt;code&gt;GET&lt;/code&gt; request to a static content API. A password reset route used by a first-seen client through rotating proxy infrastructure is not the same as the same route used by a known customer session.&lt;/p&gt;
&lt;p&gt;The route matters because the account outcome matters.&lt;/p&gt;
&lt;h2&gt;Browser-Backed APIs Are Still APIs&lt;/h2&gt;
&lt;p&gt;A common blind spot is the API behind the web application.&lt;/p&gt;
&lt;p&gt;The front end might make a neat request to &lt;code&gt;/api/account/profile&lt;/code&gt;, &lt;code&gt;/api/cart/apply-coupon&lt;/code&gt;, or &lt;code&gt;/api/session/refresh&lt;/code&gt;. Because the route was designed for the browser, teams may assume the browser is the control. It is not.&lt;/p&gt;
&lt;p&gt;Requests can be replayed outside the page. Headers can be copied. Tokens can be stolen. User agents can be faked. Automation can follow the same sequence as the application, only faster and at scale.&lt;/p&gt;
&lt;p&gt;The right response is not to treat every browser-backed API as hostile. The right response is to attach evidence. Is this a known browser session? Is the TLS and HTTP behaviour consistent? Is the request sequence normal for the journey? Is the session suddenly moving from login to sensitive account changes? Does the schema match what the route expects?&lt;/p&gt;
&lt;p&gt;Those questions sit between basic definitions of &lt;a href="/learning/application-security/what-is-api-security/"&gt;what API security is&lt;/a&gt; and the operational work of stopping abuse.&lt;/p&gt;
&lt;h2&gt;Mobile and Partner APIs Need Ownership&lt;/h2&gt;
&lt;p&gt;Mobile and partner APIs create a slightly different problem. They often have legitimate non-browser clients, so crude controls can break real use.&lt;/p&gt;
&lt;p&gt;A mobile app may have older versions in the field. A partner may send traffic from fixed infrastructure, or from changing cloud infrastructure. A service client may authenticate with an API key rather than an interactive user session. Some requests will look less browser-like because they are not meant to be browsers.&lt;/p&gt;
&lt;p&gt;That makes ownership important.&lt;/p&gt;
&lt;p&gt;Each route should have an owner, expected clients, authentication model, rate expectation, schema expectation, and deprecation plan. API keys should be treated as credentials, not configuration strings. OAuth and JWT use should include short-lived access, appropriate scopes, and validation at the endpoint. Legacy flows should not survive indefinitely just because nobody is sure what they support.&lt;/p&gt;
&lt;p&gt;For REST services, that discipline includes the basics covered in &lt;a href="/learning/api-protection/what-is-rest-api-security/"&gt;REST API security&lt;/a&gt;: method control, status-code handling, input validation, token handling, rate limiting, and useful logging. The account-abuse angle is narrower and more operational: which of these controls tells us whether this request can harm a customer account?&lt;/p&gt;
&lt;h2&gt;Discovery Has to Feed Enforcement&lt;/h2&gt;
&lt;p&gt;A report listing unknown endpoints is useful for a week. A discovery process that feeds policy is useful every day.&lt;/p&gt;
&lt;p&gt;When a new route appears, the security question should be concrete:&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;Who owns it?&lt;/li&gt;
&lt;li&gt;Is it authenticated?&lt;/li&gt;
&lt;li&gt;Does it match a known schema?&lt;/li&gt;
&lt;li&gt;Does it touch account state?&lt;/li&gt;
&lt;li&gt;Can it reset trust, change value, or expose customer data?&lt;/li&gt;
&lt;li&gt;What rate and behaviour patterns are normal?&lt;/li&gt;
&lt;li&gt;Which action should apply when it is abused?&lt;/li&gt;
&lt;/ul&gt;
&lt;p&gt;That is where &lt;a href="/solutions/use-case/api-security/"&gt;API protection use cases&lt;/a&gt; become more than documentation. The goal is not to produce a perfect catalogue for its own sake. The goal is to reduce the number of unknown request paths that can be used for account abuse.&lt;/p&gt;
&lt;p&gt;Shadow APIs are not a separate class of attack. They are normal APIs without enough operational visibility.&lt;/p&gt;
&lt;p&gt;And when they sit on account journeys, they become a direct path from unknown surface to customer harm.&lt;/p&gt;</content><category term="API Security"></category><category term="API Security"></category><category term="Shadow APIs"></category><category term="Account Protection"></category><category term="Bot Management"></category><category term="Threat Detection"></category><category term="DevSecOps"></category></entry><entry><title>Price Transparency Is Now a Data Access Problem</title><link href="https://www.peakhour.io/blog/price-transparency-apis-grey-zone-automation/" rel="alternate"></link><published>2026-05-18T00:00:00+10:00</published><updated>2026-05-18T00:00:00+10:00</updated><author><name>AC</name></author><id>tag:www.peakhour.io,2026-05-18:/blog/price-transparency-apis-grey-zone-automation/</id><summary type="html">&lt;p&gt;Price comparison increasingly depends on current web and API data. Retailers need bot and API controls that can distinguish intended automated access from uncontrolled extraction.&lt;/p&gt;</summary><content type="html">&lt;p&gt;Australia's supermarket pricing debate can look like a consumer pricing story.&lt;/p&gt;
&lt;p&gt;For digital teams, it is also a bot and API protection story.&lt;/p&gt;
&lt;p&gt;The &lt;a href="https://www.accc.gov.au/media-release/accc-recommends-supermarket-reforms-to-provide-better-outcomes-for-consumers-and-suppliers"&gt;ACCC's final supermarket inquiry&lt;/a&gt; recommended that ALDI, Coles, and Woolworths publish prices on their websites. It also recommended that Coles and Woolworths make dynamic price APIs available for third-party comparison tools.&lt;/p&gt;
&lt;p&gt;Then, on 18 May 2026, &lt;a href="https://www.theguardian.com/business/2026/may/18/toothbrushes-ice-cream-and-frozen-pizza-data-reveals-how-coles-and-woolworths-switch-promotions-in-sync"&gt;Guardian Australia reported&lt;/a&gt; on CW Scanner data about Coles and Woolworths promotion patterns. For digital teams, the operational detail is this: the report said CW Scanner's operator stated the service was not scraping, and instead used the supermarkets' website application programming interfaces.&lt;/p&gt;
&lt;p&gt;That does not settle questions about permission, terms of use, supermarket approval, or the status of any specific API. It does make the practical problem sharper.&lt;/p&gt;
&lt;p&gt;Price transparency increasingly depends on automated access to current data.&lt;/p&gt;
&lt;p&gt;Every automated request still needs a decision.&lt;/p&gt;
&lt;h2&gt;APIs do not remove the bot problem&lt;/h2&gt;
&lt;p&gt;It is tempting to treat an API as the clean alternative to scraping. Sometimes it is cleaner. A documented API can make access more predictable, auditable, and easier to govern than repeated extraction from product pages.&lt;/p&gt;
&lt;p&gt;But an API is still an automation surface.&lt;/p&gt;
&lt;p&gt;The same retailer or marketplace may need to support:&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;public product pages;&lt;/li&gt;
&lt;li&gt;price, promotion, search, listing, catalogue, and inventory routes;&lt;/li&gt;
&lt;li&gt;browser-backed application calls;&lt;/li&gt;
&lt;li&gt;documented APIs and partner feeds;&lt;/li&gt;
&lt;li&gt;comparison tools and public-interest services;&lt;/li&gt;
&lt;li&gt;search engines, monitoring systems, and accessibility tooling;&lt;/li&gt;
&lt;li&gt;unknown collectors rebuilding price, inventory, availability, or ticketing datasets outside the intended access model.&lt;/li&gt;
&lt;/ul&gt;
&lt;p&gt;Some of that traffic is useful. Some is commercially necessary. Some is abusive. Much of it will not identify itself honestly.&lt;/p&gt;
&lt;p&gt;So the question is not "should bots be blocked?"&lt;/p&gt;
&lt;p&gt;The question is: can you tell intended automated access from uncontrolled extraction?&lt;/p&gt;
&lt;h2&gt;The decision needs evidence&lt;/h2&gt;
&lt;p&gt;A blanket "block all automation" position can break comparison services, partner integrations, search visibility, monitoring, accessibility tooling, and APIs that were built to be automated.&lt;/p&gt;
&lt;p&gt;A blanket "allow everything" position can expose pricing, product, inventory, account, checkout, ticketing, and API paths to extraction and abuse.&lt;/p&gt;
&lt;p&gt;The practical middle ground is governed automation:&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;publish the access you want to support;&lt;/li&gt;
&lt;li&gt;recognise the clients and behaviours you expect;&lt;/li&gt;
&lt;li&gt;validate API route, schema, method, authentication, and client context;&lt;/li&gt;
&lt;li&gt;detect traffic that has drifted from the intended use;&lt;/li&gt;
&lt;li&gt;keep decision logs so security, legal, product, and commercial teams can review what happened;&lt;/li&gt;
&lt;li&gt;respond proportionately with allow, log, rate-limit, challenge, block, or review decisions.&lt;/li&gt;
&lt;/ul&gt;
&lt;p&gt;That is where bot protection becomes more than a yes-or-no control.&lt;/p&gt;
&lt;p&gt;It supplies the evidence behind each access decision.&lt;/p&gt;
&lt;h2&gt;Where Peakhour fits&lt;/h2&gt;
&lt;p&gt;&lt;a href="/solutions/use-case/prevent-site-scraping/"&gt;Scraping protection&lt;/a&gt; should identify repeated extraction across product, price, search, listing, catalogue, article, inventory, and availability routes. The goal is not to stop every non-human request. It is to separate expected access from collectors rebuilding data outside the site's control.&lt;/p&gt;
&lt;p&gt;&lt;a href="/solutions/use-case/api-bot-protection/"&gt;API bot protection&lt;/a&gt; applies the same discipline to automated API clients. APIs exist to be automated. The risk comes from unknown clients, unexpected route combinations, credential abuse, endpoint enumeration, excessive request volume, and business-logic abuse that generic perimeter controls cannot explain.&lt;/p&gt;
&lt;p&gt;&lt;a href="/products/bot-management/"&gt;Bot management&lt;/a&gt; turns request evidence into a decision: allow trusted traffic, log expected automated access, rate-limit noisy collectors, challenge uncertain sessions, block confirmed abuse, or send edge cases to review.&lt;/p&gt;
&lt;p&gt;&lt;a href="/solutions/use-case/verified-browser-trust/"&gt;Verified browser trust&lt;/a&gt; adds a useful signal when browser-backed journeys are being automated or replayed. Headers and cookies can be copied, proxy networks can rotate, and automation can mimic ordinary navigation. Peakhour can challenge the browser path, verify that the expected evidence came back, and attach that witness to the wider decision record.&lt;/p&gt;
&lt;p&gt;That browser signal does not, by itself, prove the user, device, or account is trustworthy. It helps the risk engine decide what to do alongside route, proxy, device, behaviour, credential, and API context.&lt;/p&gt;
&lt;h2&gt;Why this matters beyond supermarkets&lt;/h2&gt;
&lt;p&gt;The ACCC's 2024 proceedings against Coles and Woolworths were about alleged false or misleading price statements, not supermarket price regulation, collusion, or anti-competitive conduct. The &lt;a href="https://www.accc.gov.au/media-release/court-finds-that-coles-misled-customers-over-down-down-claims"&gt;ACCC announced on 14 May 2026&lt;/a&gt; that the Federal Court found Coles made false or misleading representations in 13 of 14 agreed sample "Down Down" tickets, with penalties and other orders still to be determined. For Woolworths, the separate "Prices Dropped" proceeding was awaiting judgment at publication.&lt;/p&gt;
&lt;p&gt;Those legal details matter, but they are not the Peakhour point.&lt;/p&gt;
&lt;p&gt;The Peakhour point is operational: when transparency, comparison, availability, or fairness depends on current digital data, organisations need a control plane that can support the access they intend and limit the extraction they do not.&lt;/p&gt;
&lt;p&gt;That pattern shows up in retail, marketplaces, ticketing, travel, financial services, media, and any platform where public pages, browser-backed calls, and APIs expose commercially valuable data. It also shows up in adjacent problems like account abuse, checkout abuse, ticket scalping, product scraping, distorted analytics, and inventory harvesting.&lt;/p&gt;
&lt;p&gt;The organisations that handle this well will not treat every automated request as the same.&lt;/p&gt;
&lt;p&gt;They will be the ones that know what access they intend to allow, what behaviour they intend to stop, and why.&lt;/p&gt;</content><category term="API Security"></category><category term="API Security"></category><category term="Bot Management"></category><category term="Scraping Protection"></category><category term="Price Transparency"></category><category term="Automation"></category><category term="E-commerce"></category></entry><entry><title>Agentic AI vs. Your API</title><link href="https://www.peakhour.io/blog/agentic-ai-vs-your-api/" rel="alternate"></link><published>2025-09-01T00:00:00+10:00</published><updated>2025-09-01T00:00:00+10:00</updated><author><name>AC</name></author><id>tag:www.peakhour.io,2025-09-01:/blog/agentic-ai-vs-your-api/</id><summary type="html">&lt;p&gt;Understand the shift from scripted bots to reasoning AI agents and how to adapt your security strategy for this new reality.&lt;/p&gt;</summary><content type="html">&lt;p&gt;For years, "bots" mostly meant simple, scripted programs. They followed rigid, predefined rules: if you see X, do Y. They were predictable. They could still do damage in attacks like credential stuffing, but their lack of intelligence made them relatively easy to detect. Their patterns were repetitive and clearly different from the complex, often messy, behaviour of human users.&lt;/p&gt;
&lt;p&gt;That model is no longer reliable. The emergence of open and powerful reasoning models like &lt;a href="/blog/agentic-ai-deepseek-changes-everything/"&gt;DeepSeek&lt;/a&gt; has given rise to a new class of automation: &lt;strong&gt;agentic AI&lt;/strong&gt;. These are not just scripts. They are autonomous agents that can reason, plan, and adapt their behaviour in real time. They don't need a human to write a script for every possibility. Give them a goal and they can work out the steps themselves. That changes the nature of automated threats, and security controls need to change with it.&lt;/p&gt;
&lt;h2&gt;The New API Consumer&lt;/h2&gt;
&lt;p&gt;Historically, APIs were consumed by two main groups: human users via a front-end application, and scripted bots following predictable patterns. Agentic AI introduces a third consumer, and one likely to become dominant. These AI agents are becoming primary users of web APIs, and they interact with them in materially different ways.&lt;/p&gt;
&lt;p&gt;An AI agent can analyse an entire API surface in seconds, understand the relationships between different endpoints, and generate complex interaction patterns that a human developer would rarely attempt. They don't just follow a linear path; they can explore, learn, and optimise their interactions to achieve their goals, whether that's finding the best price on a product, gathering data, or probing for security weaknesses.&lt;/p&gt;
&lt;h2&gt;New Security Challenges: The Self-Hacking AI&lt;/h2&gt;
&lt;p&gt;The reasoning capabilities of these agents introduce security challenges that static, rule-based systems are poorly equipped to handle. An agentic AI doesn't just throw known exploits at a system; it can probe its defences and invent new attacks as it goes.&lt;/p&gt;
&lt;p&gt;Consider a traditional Web Application Firewall (WAF) that relies on pattern-matching rules to block threats like SQL injection. An AI agent can send a series of carefully crafted requests, observe the WAF's responses, and systematically learn the structure of its rules. Once it understands the patterns the WAF is looking for, it can &lt;a href="/blog/ai-agents-custom-exploits/"&gt;generate a custom exploit&lt;/a&gt; designed to bypass those rules while still achieving its malicious objective.&lt;/p&gt;
&lt;p&gt;This isn't theoretical. Security teams are already reporting sophisticated attacks that adapt in real time, adjusting their tactics based on the system's defensive responses. These aren't simply pre-programmed behaviours; they are reasoning models at work.&lt;/p&gt;
&lt;h2&gt;A New Security Paradigm: From "Block Bots" to "Manage Agents"&lt;/h2&gt;
&lt;p&gt;The rise of agentic AI changes the security question. The old goal of "blocking all bots" is no longer viable or even desirable. AI agents will be used for both benign and malicious purposes. A customer's personal AI assistant booking a flight is useful automation; an attacker's AI agent trying to find vulnerabilities is not.&lt;/p&gt;
&lt;p&gt;Bot management cannot stop at trying to keep automation out. It needs the intelligence to &lt;strong&gt;safely identify and manage AI agents&lt;/strong&gt;. This requires moving away from static, signature-based detection and toward a more contextual, behavioural approach.&lt;/p&gt;
&lt;p&gt;The key questions will no longer be "Is this a human or a bot?" but rather:&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;"What is the &lt;strong&gt;intent&lt;/strong&gt; of this automated agent?"&lt;/li&gt;
&lt;li&gt;"Is its behaviour consistent with a legitimate use case?"&lt;/li&gt;
&lt;li&gt;"Can we trust this agent?"&lt;/li&gt;
&lt;/ul&gt;
&lt;p&gt;This requires a new generation of security tools that can understand and adapt to agent behaviour, distinguishing between the legitimate AI assistants that will soon be a core part of our digital lives and the malicious ones that seek to exploit our systems. Organisations that fail to prepare for this shift risk having their defences systematically tested, mapped, and bypassed by the next wave of intelligent, automated threats.&lt;/p&gt;</content><category term="AI"></category><category term="Bot Management"></category><category term="API Security"></category><category term="Threat Detection"></category><category term="DevSecOps"></category><category term="Machine Learning"></category><category term="Credential Stuffing"></category></entry><entry><title>Beyond the IP Address</title><link href="https://www.peakhour.io/blog/beyond-the-ip-address-advanced-rate-limiting/" rel="alternate"></link><published>2025-09-01T00:00:00+10:00</published><updated>2025-09-01T00:00:00+10:00</updated><author><name>AC</name></author><id>tag:www.peakhour.io,2025-09-01:/blog/beyond-the-ip-address-advanced-rate-limiting/</id><summary type="html">&lt;p&gt;Discover why traditional IP-based rate limiting is obsolete and how advanced techniques provide robust protection against modern distributed attacks.&lt;/p&gt;</summary><content type="html">&lt;p&gt;For years, &lt;a href="/learning/api-protection/what-is-api-rate-limiting/"&gt;rate limiting&lt;/a&gt; has been a standard control for protecting websites and APIs from abuse. The basic model is simple: limit the number of requests a single "user" can make in a given period. If a user exceeds the limit (e.g., 10 login attempts in a minute), they are temporarily blocked.&lt;/p&gt;
&lt;p&gt;The hard part has always been identifying that "user". Traditionally, the answer was the IP address. The assumption was that one IP address equaled one user. In the early days of the internet, this was a reasonable approximation. Today, that assumption no longer holds, and it leaves systems exposed to modern attacks.&lt;/p&gt;
&lt;p&gt;The IP address is no longer a reliable identifier for a single user or device. There are three common reasons:&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;&lt;strong&gt;Proxy Networks&lt;/strong&gt;: Attackers don't use a single IP address. They use large residential proxy networks to rotate requests through thousands or even millions of different IP addresses, making each request look like it comes from a new user.&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Shared IPs (CGNAT)&lt;/strong&gt;: At the same time, a single IP address can represent thousands of legitimate users. Mobile carriers use Carrier-Grade NAT (CGNAT) to make many mobile devices share the same public IP. Similarly, an entire office building or university campus might appear to the internet as a single IP.&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Distributed Attacks&lt;/strong&gt;: Modern automated attacks, like Layer 7 DDoS or credential stuffing, are inherently distributed. Attackers use botnets or proxy networks to spread their attack across a large number of IPs, so no single IP ever exceeds a traditional rate limit.&lt;/li&gt;
&lt;/ul&gt;
&lt;p&gt;Blocking a shared IP because of one bad actor can cause collateral damage, denying access to thousands of legitimate users. On the other side, failing to see that thousands of IPs are part of a single coordinated attack means the attack succeeds. Traditional IP-based rate limiting is no longer enough.&lt;/p&gt;
&lt;h2&gt;The New Way: Advanced Rate Limiting&lt;/h2&gt;
&lt;p&gt;Advanced Rate Limiting addresses this by moving beyond the IP address. Instead of grouping requests by a single, unreliable identifier, it lets you count requests using more stable and meaningful characteristics of the connection or the software making it.&lt;/p&gt;
&lt;p&gt;This approach groups requests using identifiers like:&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;&lt;strong&gt;TLS/HTTP2 Fingerprints&lt;/strong&gt;: Every client application (like a browser or a script) has a unique "fingerprint" based on how it initiates a secure connection (&lt;a href="/blog/tls-fingerprinting/"&gt;TLS&lt;/a&gt;) or communicates over HTTP/2. This fingerprint remains consistent even as an attacker rotates through thousands of IP addresses. By rate limiting based on the TLS fingerprint, you can track and block the underlying automation tool itself, not just the IPs it uses.&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Device Characteristics&lt;/strong&gt;: A fingerprint can be constructed from a range of attributes, including the device's operating system, browser version, and more. This allows for the detection of repeated requests coming from the same class of device.&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;A Combination of Headers&lt;/strong&gt;: For authenticated APIs, you can group requests by an Authorization header or API key, enforcing fair usage and preventing abuse by a single authenticated client.&lt;/li&gt;
&lt;/ul&gt;
&lt;h2&gt;Practical Use Cases&lt;/h2&gt;
&lt;p&gt;The value of advanced rate limiting is clearest when it is applied to real-world threats:&lt;/p&gt;
&lt;ol&gt;
&lt;li&gt;
&lt;p&gt;&lt;strong&gt;Mitigating Distributed Credential Stuffing&lt;/strong&gt;: An attacker using a tool like &lt;a href="/blog/the-rise-of-openbullet/"&gt;OpenBullet&lt;/a&gt; launches a credential stuffing attack against your login page, rotating through thousands of residential proxy IPs. Traditional rate limiting is ineffective here. However, the OpenBullet software has a consistent TLS fingerprint. By setting a rule to limit failed login attempts per TLS fingerprint, you can detect and block the entire distributed attack, regardless of how many IPs are involved.&lt;/p&gt;
&lt;/li&gt;
&lt;li&gt;
&lt;p&gt;&lt;strong&gt;Protecting APIs from Abuse&lt;/strong&gt;: A partner is abusing their API key, sending far too many requests and degrading service for other users. By rate limiting based on the &lt;code&gt;Authorization&lt;/code&gt; header, you can enforce usage limits on a per-client basis, keeping access fair without affecting other users.&lt;/p&gt;
&lt;/li&gt;
&lt;li&gt;
&lt;p&gt;&lt;strong&gt;Stopping Content Scrapers&lt;/strong&gt;: A scraper is hammering your e-commerce site to steal pricing data. They are using a botnet to distribute the requests across hundreds of IPs. However, the scraping script has a unique combination of a user-agent and a TLS fingerprint. Advanced rate limiting can count requests based on this combined signature and block the scraper, protecting your intellectual property.&lt;/p&gt;
&lt;/li&gt;
&lt;/ol&gt;
&lt;p&gt;When attackers are distributed, your defences need to see the single actor behind the many IPs. Advanced rate limiting provides that visibility and should be part of a modern application security strategy.&lt;/p&gt;</content><category term="Rate Limiting"></category><category term="Rate Limiting"></category><category term="DDoS"></category><category term="API Security"></category><category term="Residential Proxies"></category><category term="Bot Management"></category><category term="Account Protection"></category></entry><entry><title>Key Considerations for Effective Bot Management</title><link href="https://www.peakhour.io/blog/key-considerations-effective-bot-management/" rel="alternate"></link><published>2025-09-01T00:00:00+10:00</published><updated>2025-09-01T00:00:00+10:00</updated><author><name>AC</name></author><id>tag:www.peakhour.io,2025-09-01:/blog/key-considerations-effective-bot-management/</id><summary type="html">&lt;p&gt;With nearly half of all internet traffic being automated, a robust bot management strategy is essential. This article explores the key considerations for effective bot detection, classification, and response in the face of evolving threats.&lt;/p&gt;</summary><content type="html">&lt;h2&gt;Introduction&lt;/h2&gt;
&lt;p&gt;Bots account for a large share of web traffic. Recent studies estimate that nearly 50% of all internet traffic is generated by automated programs. Some bots are necessary for the web to function, such as search engine crawlers, but a significant portion are malicious. These "bad bots" are used for content scraping, credential stuffing, spam, and &lt;a href="/products/ddos-protection/"&gt;DDoS attacks&lt;/a&gt;.&lt;/p&gt;
&lt;p&gt;As bot operators become more sophisticated, &lt;a href="/learning/bots/bot-management/"&gt;bot management&lt;/a&gt; needs to cover detection, classification, and response. This article outlines the main considerations for security teams protecting intellectual property, online revenue, and user accounts.&lt;/p&gt;
&lt;h2&gt;The Goal: Accurate Bot Detection and Classification&lt;/h2&gt;
&lt;p&gt;The first step in effective bot management is separating legitimate users from automated threats. Identification is not enough on its own. Security teams also need accurate classification across good, bad, and "grey" bots.&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;&lt;strong&gt;Good Bots&lt;/strong&gt;: Support normal internet operations, such as search engine crawlers (Googlebot, Bingbot) and performance monitoring bots.&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;&lt;a href="/blog/malicious-bot-threats-enterprise-application-security/"&gt;Bad Bots&lt;/a&gt;&lt;/strong&gt;: Carry out malicious activity such as content scraping, account takeover, and spamming.&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Grey Bots&lt;/strong&gt;: Serve a legitimate purpose but can cause problems when they crawl too aggressively, such as SEO and marketing bots (Ahrefs, SEMrush).&lt;/li&gt;
&lt;/ul&gt;
&lt;p&gt;Effective detection usually needs more than basic signatures. A layered approach commonly includes:&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;&lt;strong&gt;Basic Protection&lt;/strong&gt;: Targets simple bots using user agent checks and IP reputation databases.&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Intermediate Protection&lt;/strong&gt;: Uses JavaScript-based challenges and basic network fingerprinting, such as JA3/JA4, to detect less sophisticated bots.&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Advanced Protection&lt;/strong&gt;: Combines comprehensive network fingerprinting, behavioural analysis, and machine learning to identify sophisticated bots that mimic human behaviour, use residential proxies, or rely on anti-detect browsers.&lt;/li&gt;
&lt;/ul&gt;
&lt;p&gt;&lt;a href="/learning/threat-detection/what-is-ml-security/"&gt;Machine learning&lt;/a&gt; models help in this context because they can learn from changing bot strategies and inspect incoming traffic for subtle signs of automation.&lt;/p&gt;
&lt;h2&gt;The Method: Continuously Adaptive Detection and Response&lt;/h2&gt;
&lt;p&gt;Bot behaviour changes quickly. Threat actors modify tooling, traffic patterns, and infrastructure to avoid detection, so static defence rules degrade over time. Organisations need detection and response that can adapt as the attack changes.&lt;/p&gt;
&lt;p&gt;That means correlating metadata with behavioural factors in real time, then applying the right response for the risk. When a bot attempts account takeover or data scraping, an adaptive response can act immediately to reduce the impact.&lt;/p&gt;
&lt;p&gt;Effective adaptive responses include:&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;&lt;strong&gt;Advanced Rate Limiting&lt;/strong&gt;: Goes beyond simple IP-based limits by grouping requests with more stable identifiers, such as TLS/HTTP2 fingerprints or device characteristics. This helps stop distributed attacks from tools like &lt;a href="/blog/the-rise-of-openbullet/"&gt;OpenBullet&lt;/a&gt; that rotate through thousands of IP addresses.&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Web Application Firewalls (WAF)&lt;/strong&gt;: Provide an important first line of defence by filtering harmful &lt;a href="/learning/security/layer-7-ddos"&gt;Layer 7&lt;/a&gt; traffic based on predefined rules.&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Tarpitting&lt;/strong&gt;: Slows malicious connections to increase cost and resource consumption for attackers.&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Challenges&lt;/strong&gt;: Traditional visible CAPTCHAs can harm user experience and are often solvable by modern bots. Invisible challenges can verify a legitimate browser environment with less friction.&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Alternate Content Serving&lt;/strong&gt;: Misleads scraping bots by serving alternate or cached content with incorrect information (e.g., higher prices), making their scraped data useless.&lt;/li&gt;
&lt;/ul&gt;
&lt;p&gt;The same response process should also feed learning loops, building a repository of bot attack patterns that can train machine learning models and improve accuracy over time.&lt;/p&gt;
&lt;h2&gt;The Expected Outcomes: A Resilient Security Posture&lt;/h2&gt;
&lt;p&gt;An adaptive bot management strategy should support several practical outcomes:&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;&lt;strong&gt;Risk Mitigation&lt;/strong&gt;: Reduce potential financial losses, service disruption, and data breaches associated with malicious bot activity such as credential stuffing, ad fraud, and inventory hoarding.&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Improved User Experience&lt;/strong&gt;: Keep disruption low for genuine users by using invisible challenges and behavioural analysis instead of frustrating &lt;a href="/blog/the-negative-impact-of-captchas-on-ecommerce-conversions"&gt;CAPTCHAs, which can reduce conversions by up to 40%&lt;/a&gt;.&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Intellectual Property Protection&lt;/strong&gt;: Protect valuable content, pricing data, and other intellectual property from unauthorised scraping.&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Online Revenue Security&lt;/strong&gt;: Protect online revenue streams by preventing fraud, inventory scalping, and other malicious activity that targets e-commerce platforms.&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Regulatory Compliance&lt;/strong&gt;: Help organisations meet data protection and privacy regulations with a proactive bot management approach.&lt;/li&gt;
&lt;/ul&gt;
&lt;h2&gt;Conclusion: Fortifying Against Sophisticated Bots&lt;/h2&gt;
&lt;p&gt;Modern bot defence depends on accurate detection, precise classification, and adaptive response. Machine learning, comprehensive network fingerprinting, and behavioural analysis all contribute, but they work best as part of a layered control set.&lt;/p&gt;
&lt;p&gt;With that approach, security teams can better protect intellectual property, online revenue, and user accounts from sophisticated bot activity.&lt;/p&gt;</content><category term="Bots"></category><category term="Bot Management"></category><category term="Threat Detection"></category><category term="API Security"></category><category term="Residential Proxies"></category><category term="Credential Stuffing"></category><category term="Account Protection"></category></entry><entry><title>The Bot Spectrum</title><link href="https://www.peakhour.io/blog/the-bot-spectrum-good-bad-grey-bots/" rel="alternate"></link><published>2025-09-01T00:00:00+10:00</published><updated>2025-09-01T00:00:00+10:00</updated><author><name>AC</name></author><id>tag:www.peakhour.io,2025-09-01:/blog/the-bot-spectrum-good-bad-grey-bots/</id><summary type="html">&lt;p&gt;Learn to classify bots into good, bad, and grey categories and apply the right management strategy for each.&lt;/p&gt;</summary><content type="html">&lt;p&gt;The word "bot" is often used as shorthand for unwanted automation: scripts trying to break into accounts, scrape content, or overwhelm websites. A large share of internet traffic does come from &lt;a href="/learning/bots/bot-management/"&gt;bad bots&lt;/a&gt;, but automated traffic is not automatically harmful. Some bots are part of how the web is discovered, monitored, and kept usable.&lt;/p&gt;
&lt;p&gt;Effective &lt;a href="/blog/key-considerations-effective-bot-management/"&gt;bot management&lt;/a&gt; is not about blocking every automated request. It depends on accurate classification: separating good bots from bad bots, and recognising the "grey" bots that sit between them. That classification lets you apply controls that reduce risk without cutting off traffic that helps your site operate.&lt;/p&gt;
&lt;h2&gt;Good Bots: The Essential Workers of the Web&lt;/h2&gt;
&lt;p&gt;Good bots are automated programs that perform useful or necessary tasks. They are usually clear about who they are and respect the rules you set in your &lt;code&gt;robots.txt&lt;/code&gt; file. Blocking them can damage search visibility, monitoring, or other business workflows.&lt;/p&gt;
&lt;p&gt;&lt;strong&gt;Examples of Good Bots:&lt;/strong&gt;&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;&lt;strong&gt;Search Engine Crawlers&lt;/strong&gt;: Bots like Googlebot and Bingbot are the best-known good bots. They crawl and index your website's content, which is how your pages appear in search engine results. Blocking them would make your site invisible on Google.&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Performance Monitoring Bots&lt;/strong&gt;: These bots are used by services to check your website's uptime and performance from different locations around the world, and to alert you if your site goes down.&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Copyright Bots&lt;/strong&gt;: These bots scan the web for plagiarised content, helping to protect your intellectual property.&lt;/li&gt;
&lt;/ul&gt;
&lt;p&gt;&lt;strong&gt;Management Strategy&lt;/strong&gt;: Good bots should be identified and &lt;strong&gt;allowed&lt;/strong&gt; to access your site freely. Verification techniques, such as reverse DNS lookups, can be used to confirm that a bot claiming to be Googlebot is actually coming from Google.&lt;/p&gt;
&lt;h2&gt;Bad Bots: The Malicious Actors&lt;/h2&gt;
&lt;p&gt;Bad bots are designed for malicious activity. They are a major reason bot management exists as a security function. These bots are deceptive, often hiding their identity and purpose, and they can be responsible for a wide range of costly and damaging activity.&lt;/p&gt;
&lt;p&gt;&lt;strong&gt;Examples of Bad Bots:&lt;/strong&gt;&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;&lt;strong&gt;Credential Stuffers&lt;/strong&gt;: These bots use stolen usernames and passwords to carry out account takeover attacks.&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Content and Price Scrapers&lt;/strong&gt;: These bots steal your valuable content, product listings, and pricing data, often for use by competitors.&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Spam Bots&lt;/strong&gt;: These bots flood comment sections, forums, and contact forms with unwanted ads or malicious links.&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Denial of Service (DDoS) Bots&lt;/strong&gt;: These bots are part of a botnet used to overwhelm a website with traffic, causing it to slow down or crash.&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Inventory Hoarding Bots&lt;/strong&gt;: Common in e-commerce, these bots automatically add limited-edition products to shopping carts to prevent legitimate customers from buying them, often for resale at a higher price (scalping).&lt;/li&gt;
&lt;/ul&gt;
&lt;p&gt;&lt;strong&gt;Management Strategy&lt;/strong&gt;: Bad bots need to be accurately identified and &lt;strong&gt;blocked&lt;/strong&gt; as quickly as possible, ideally at the network edge before they consume your server resources.&lt;/p&gt;
&lt;h2&gt;Grey Bots: The Nuanced Category&lt;/h2&gt;
&lt;p&gt;Grey bots are not inherently malicious, but their behaviour can still cause problems. They often serve a legitimate purpose, but become an issue when they crawl too aggressively, consume excessive bandwidth or server resources, and slow the site down for real users.&lt;/p&gt;
&lt;p&gt;&lt;strong&gt;Examples of Grey Bots:&lt;/strong&gt;&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;&lt;strong&gt;Aggressive SEO Tools&lt;/strong&gt;: Bots from marketing tools like Ahrefs, SEMrush, and Majestic crawl websites to gather data for backlink analysis and competitive research. They can be useful, but their crawling can also be heavy.&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Partner and Aggregator Bots&lt;/strong&gt;: These could be bots from partner companies or price comparison websites that need to access your data. The activity may be legitimate, but it still needs to be managed.&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Feed Fetchers&lt;/strong&gt;: Bots that collect data for news aggregators or other applications fall into this category.&lt;/li&gt;
&lt;/ul&gt;
&lt;p&gt;&lt;strong&gt;Management Strategy&lt;/strong&gt;: Grey bots require more than a simple allow or block rule. The best strategy is often to &lt;strong&gt;rate-limit&lt;/strong&gt; or &lt;strong&gt;tarpit&lt;/strong&gt; them.&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;&lt;strong&gt;Rate-Limiting&lt;/strong&gt;: This allows the bot to continue accessing your site, but slows it to a manageable level so it does not overwhelm your servers.&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Tarpitting&lt;/strong&gt;: This intentionally slows the connection for a specific bot, increasing the cost and time required to crawl your site and discouraging overly aggressive behaviour.&lt;/li&gt;
&lt;/ul&gt;
&lt;p&gt;By classifying incoming bot traffic and applying the right control for each category, organisations can block threats, manage resource consumption, and allow the useful automation the modern web depends on.&lt;/p&gt;</content><category term="Bots"></category><category term="Bot Management"></category><category term="API Security"></category><category term="Threat Detection"></category><category term="DDoS"></category><category term="Residential Proxies"></category><category term="Rate Limiting"></category></entry><entry><title>How to Use Bot Management for IAM Use Cases</title><link href="https://www.peakhour.io/blog/bot-management-for-iam-use-cases/" rel="alternate"></link><published>2025-08-20T00:00:00+10:00</published><updated>2025-08-20T00:00:00+10:00</updated><author><name>AC</name></author><id>tag:www.peakhour.io,2025-08-20:/blog/bot-management-for-iam-use-cases/</id><summary type="html">&lt;p&gt;Bots are part of account takeover, fraud, scraping, and other abuse. Identity and access management leaders need a clear business case for bot management, or their organisations face avoidable account takeover losses and will be less prepared for the risks introduced when customers use AI agents.&lt;/p&gt;</summary><content type="html">&lt;p&gt;Automated attacks against identity and access management (IAM) systems are now a routine account protection problem. Malicious bots drive account takeovers (ATO), credential stuffing, brute-force login attempts, and fake account creation. As these attacks adapt, traditional IAM controls such as password policies and even multi-factor authentication (MFA) are not enough on their own.&lt;/p&gt;
&lt;p&gt;Identity and access management leaders should treat &lt;a href="/products/bot-management/"&gt;bot management&lt;/a&gt; as part of the IAM control set, not a separate website security add-on. A dedicated capability helps reduce avoidable financial and reputational losses from account compromise. It also gives organisations a way to manage the risks created as AI agents become regular users of web applications and APIs.&lt;/p&gt;
&lt;h2&gt;Introduction&lt;/h2&gt;
&lt;p&gt;Some estimates suggest &lt;a href="/learning/bots/bot-traffic/"&gt;nearly half of all traffic is automated&lt;/a&gt;. That mix matters: useful crawlers and monitoring tools are part of normal internet traffic, but malicious automation is built to test web applications at scale. IAM systems, which control access to sensitive user accounts and data, are a primary target.&lt;/p&gt;
&lt;p&gt;The most common &lt;a href="/learning/bots/bot-attacks/"&gt;bot attacks&lt;/a&gt; targeting IAM include:&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;&lt;strong&gt;&lt;a href="/learning/bots/anatomy-of-credential-stuffing-attack/"&gt;Credential Stuffing&lt;/a&gt;&lt;/strong&gt;: Attackers use lists of stolen usernames and passwords from third-party data breaches to gain unauthorised access to user accounts. This attack vector is effective because password reuse is still common.&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Brute-Force Attacks&lt;/strong&gt;: Automated scripts guess passwords for known usernames, often targeting login endpoints for platforms like WordPress and Magento.&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Fake Account Creation&lt;/strong&gt;: Bots create fraudulent accounts at scale, which can be used for spam, malware distribution, or to abuse promotional offers.&lt;/li&gt;
&lt;/ul&gt;
&lt;p&gt;Recent attacks on major Australian retailers like &lt;a href="/blog/account-takeover-fraud-theiconic/"&gt;The Iconic&lt;/a&gt; and Dan Murphy's show the practical impact. These incidents, driven by credential stuffing, resulted in reputational damage and financial loss, forcing the companies to issue refunds and publicly address security concerns.&lt;/p&gt;
&lt;h2&gt;Analysis&lt;/h2&gt;
&lt;p&gt;Defending IAM systems starts with why common controls fall short and where bot management adds useful signal.&lt;/p&gt;
&lt;h3&gt;Why Traditional IAM Defences Fail&lt;/h3&gt;
&lt;p&gt;Attackers have adapted their techniques to bypass legacy security controls. Simple IP-based rate limiting and reputation lists struggle against the combination of &lt;a href="/blog/bots-residential-proxies-anti-detect-browsers/"&gt;residential proxies and anti-detect browsers&lt;/a&gt;:&lt;/p&gt;
&lt;ol&gt;
&lt;li&gt;&lt;strong&gt;Residential Proxies&lt;/strong&gt;: Attackers route their traffic through large networks of IP addresses belonging to real residential internet connections. This makes malicious traffic appear legitimate and allows attackers to bypass IP-based blocking and geolocation restrictions. Our own tests show that even leading IP intelligence services &lt;a href="/blog/anti-fraud-residential-proxy-detection/"&gt;fail to detect the vast majority of residential proxy traffic&lt;/a&gt;.&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Anti-Detect Browsers&lt;/strong&gt;: These specialised browsers allow attackers to spoof their digital fingerprints, mimicking legitimate user devices and browser configurations. This weakens many JavaScript-based challenges and fingerprinting techniques.&lt;/li&gt;
&lt;/ol&gt;
&lt;p&gt;Used with automation suites like OpenBullet, these tools let attackers run "low and slow" distributed attacks that blend into normal traffic. For more information on these tools, see our guide to &lt;a href="/blog/enterprise-bot-management-application-security/"&gt;enterprise bot management&lt;/a&gt;.&lt;/p&gt;
&lt;h3&gt;The Flawed Logic of CAPTCHA&lt;/h3&gt;
&lt;p&gt;For years, &lt;a href="/learning/bots/captcha/"&gt;CAPTCHA&lt;/a&gt; has been the default way to distinguish humans from bots. It is now a weak control when used on its own. Our research shows that visible CAPTCHAs have a &lt;a href="/blog/the-negative-impact-of-captchas-on-ecommerce-conversions"&gt;severe negative impact on user experience and conversions&lt;/a&gt;. Studies have found that CAPTCHAs can reduce form conversions by up to 40%, as frustrated users abandon purchases or sign-ups.&lt;/p&gt;
&lt;p&gt;Modern bots can also &lt;a href="/blog/captcha-conundrum-frustrating-humans-easy-for-bots/"&gt;solve CAPTCHAs with high accuracy&lt;/a&gt;, often more effectively than humans, by using CAPTCHA-solving farm services. Relying on CAPTCHA alone creates friction for legitimate users while providing a false sense of security. Modern bot management uses invisible challenges and behavioural analysis to validate users without disrupting their session.&lt;/p&gt;
&lt;h3&gt;Modern Bot Management Capabilities for IAM&lt;/h3&gt;
&lt;p&gt;An &lt;a href="/blog/key-considerations-effective-bot-management/"&gt;effective bot management&lt;/a&gt; solution provides a multi-layered defence that goes beyond simple signatures. Key capabilities include:&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;&lt;strong&gt;Advanced Rate Limiting&lt;/strong&gt;: Instead of relying on IP addresses, modern solutions group requests using more stable identifiers like TLS/HTTP2 fingerprints, device characteristics, or a combination of headers. This helps detect distributed attacks from a single malicious tool, even as it rotates through thousands of IPs.&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;&lt;a href="/blog/mtu-fingerprinting-vpn-mobile-detection/"&gt;Network and Device Fingerprinting&lt;/a&gt;&lt;/strong&gt;: By analysing the unique characteristics of a client's TCP and TLS implementation, it is possible to identify the underlying software making the request, regardless of the user-agent header. This helps distinguish between real browsers and automated scripts.&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Behavioural Analysis&lt;/strong&gt;: Systems can model normal user behaviour—such as mouse movements, typing speed, and page navigation—to identify anomalies that indicate automation.&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;&lt;a href="/learning/threat-detection/what-is-residential-proxy-detection/"&gt;Residential Proxy Detection&lt;/a&gt;&lt;/strong&gt;: Specialised techniques are required to identify traffic coming from residential proxy networks, which is a strong indicator of malicious intent.&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Breached Credential Integration&lt;/strong&gt;: By checking login attempts against databases of known breached credentials, security teams can apply additional scrutiny to high-risk authentication events.&lt;/li&gt;
&lt;/ul&gt;
&lt;p&gt;Together, these controls give IAM teams more useful decision points than an IP address, a password check, or a CAPTCHA challenge alone.&lt;/p&gt;
&lt;h2&gt;The Next Frontier&lt;/h2&gt;
&lt;p&gt;The next major change in automated traffic is agentic AI. As reasoning models like &lt;a href="/blog/residential-proxies-deepseek/"&gt;DeepSeek become more accessible&lt;/a&gt;, we are entering an era where &lt;a href="/learning/bots/llm-web-scrapers/"&gt;AI agents are becoming primary consumers&lt;/a&gt; of APIs and web applications.&lt;/p&gt;
&lt;p&gt;These are not just the rigid scripts of the past. AI agents can reason, plan, and adapt their behaviour in real-time based on a system's responses. They can analyse an entire API surface in seconds and generate complex interaction patterns that human developers would be unlikely to try manually.&lt;/p&gt;
&lt;p&gt;This creates a harder IAM problem. Bot management has usually looked for patterns that differ from normal human behaviour. AI agents can make those patterns less reliable by imitating user behaviour while still operating at machine speed. The line between human and &lt;a href="/learning/bots/bot-management/"&gt;automated traffic&lt;/a&gt; blurs.&lt;/p&gt;
&lt;p&gt;IAM leaders need bot management solutions that can adapt to this shift. The future of bot management will not only be about blocking bots; it will also be about deciding which automated agents are acceptable, under what conditions, and with which controls. This requires a shift from static, rule-based security to contextual analysis that understands and adapts to agent behaviour, distinguishing between legitimate AI assistants and malicious ones. Organisations that wait until agent traffic is common will have less time to distinguish useful automation from AI-driven attacks.&lt;/p&gt;</content><category term="Security"></category><category term="Bot Management"></category><category term="Account Protection"></category><category term="Credential Stuffing"></category><category term="API Security"></category><category term="Threat Detection"></category><category term="Fraud Prevention"></category></entry><entry><title>How AI Agents Are Writing Custom Exploits</title><link href="https://www.peakhour.io/blog/ai-agents-custom-exploits/" rel="alternate"></link><published>2025-02-17T14:00:00+11:00</published><updated>2025-02-17T14:00:00+11:00</updated><author><name>AC</name></author><id>tag:www.peakhour.io,2025-02-17:/blog/ai-agents-custom-exploits/</id><summary type="html">&lt;p&gt;AI agents with reasoning capabilities like DeepSeek are revolutionizing exploit development, marking the end of traditional security approaches based on static rules and patterns.&lt;/p&gt;</summary><content type="html">&lt;p&gt;The trend is clear enough: AI agents can now craft exploits by analysing security responses in real time. That puts static security rules and traditional Web Application Firewalls (WAFs) under direct pressure. Here is why.&lt;/p&gt;
&lt;p&gt;Last week I examined an AI agent probing a test environment. It sent requests, observed the responses, then built bypasses for each security control in sequence. The agent identified pattern-based rules, learned their structure, and generated variations until it found gaps. It did this without human intervention.&lt;/p&gt;
&lt;p&gt;This kind of automated exploit development changes the operating conditions for defenders. Traditional defences rely on known patterns: regex rules, signature matching, IP reputation. Those approaches assume threats follow recognisable templates. That assumption is becoming much weaker.&lt;/p&gt;
&lt;p&gt;Consider a standard WAF rule blocking &lt;a href="/products/waf/"&gt;SQL injection&lt;/a&gt; through pattern matching. An AI agent examines the responses, determines the matching patterns, then generates unique variants designed to bypass those rules while maintaining the exploit's functionality. The variants evolve as the agent learns which approaches succeed.&lt;/p&gt;
&lt;p&gt;The same pattern applies beyond SQL injection. AI agents can probe XSS filters, access controls, and input validation in the same systematic way. Each static rule becomes something the agent can test, infer, and work around.&lt;/p&gt;
&lt;p&gt;By 2026, I estimate AI agents will drive over 50% of exploit attempts. The speed of this shift stems from three factors:&lt;/p&gt;
&lt;ol&gt;
&lt;li&gt;AI agents operate continuously, testing and learning 24/7&lt;/li&gt;
&lt;li&gt;Successful exploits feed back into training data, improving future attempts&lt;/li&gt;
&lt;li&gt;Agents share knowledge, building collective intelligence about bypass techniques&lt;/li&gt;
&lt;/ol&gt;
&lt;p&gt;This is the practical limit of static security. Traditional WAFs that rely on fixed rules and signatures struggle to keep pace with AI-generated exploits. Each rule loses value as agents discover new bypasses.&lt;/p&gt;
&lt;p&gt;The path forward requires a different security architecture. Organisations need context-aware systems that analyse intent, not just patterns. These systems use behavioural AI to distinguish between legitimate requests and exploit attempts, even when the request structure changes.&lt;/p&gt;
&lt;p&gt;Key elements of this new approach include:&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;Intent analysis through deep inspection of request sequences&lt;/li&gt;
&lt;li&gt;Behavioural modelling of normal vs malicious patterns&lt;/li&gt;
&lt;li&gt;Real-time adaptation as new exploit techniques emerge&lt;/li&gt;
&lt;li&gt;Proactive identification of potential vulnerabilities&lt;/li&gt;
&lt;li&gt;Integration of threat intelligence across systems&lt;/li&gt;
&lt;/ul&gt;
&lt;p&gt;The challenge intensifies when AI agents leverage &lt;a href="/products/residential-proxy-detection/"&gt;residential proxies&lt;/a&gt;. These proxies route traffic through real consumer IP addresses, bypassing location-based blocks. An AI agent operating through residential proxies can probe defences while appearing to come from legitimate users worldwide.&lt;/p&gt;
&lt;p&gt;This combination of AI-driven exploit generation and residential proxy networks makes traditional controls much less reliable. Organisations that continue to rely on static rules face a growing risk of compromise.&lt;/p&gt;
&lt;p&gt;Security teams should respond now:&lt;/p&gt;
&lt;ol&gt;
&lt;li&gt;Audit existing WAF rules to identify pattern-based weaknesses&lt;/li&gt;
&lt;li&gt;Deploy behavioural analysis capabilities to detect malicious intent&lt;/li&gt;
&lt;li&gt;Implement adaptive security controls that evolve with threats&lt;/li&gt;
&lt;li&gt;Monitor for AI-driven probing attempts&lt;/li&gt;
&lt;li&gt;Build detection for residential proxy traffic&lt;/li&gt;
&lt;/ol&gt;
&lt;p&gt;Teams that wait risk watching their defences get mapped and bypassed by automated agents. Static rules alone are not enough for this level of probing.&lt;/p&gt;
&lt;p&gt;This also requires a shift in how we approach security. Rather than only blocking specific patterns, we need to understand and control the broader context of system interactions. The goal moves from "preventing known attacks" to "identifying and blocking malicious behaviour, regardless of its specific form."&lt;/p&gt;
&lt;p&gt;Adaptive security systems need to reason about traffic in the same context-aware way as the agents probing them. Static rules still have a role, but they cannot be the centre of the defence.&lt;/p&gt;
&lt;p&gt;Security strategy needs to account for this now, because AI-driven probing is no longer hypothetical.&lt;/p&gt;
&lt;h2&gt;The Reasoning Model Revolution&lt;/h2&gt;
&lt;p&gt;The emergence of open &lt;a href="/blog/agentic-ai-deepseek-changes-everything/"&gt;reasoning models&lt;/a&gt; like DeepSeek pushes this further. Unlike traditional AI that follows programmed patterns, reasoning models understand context and adapt strategies dynamically. That creates harder security problems.&lt;/p&gt;
&lt;p&gt;Consider how a reasoning model approaches security testing. Rather than simply probing for weaknesses, it builds a conceptual model of the system's defences. It understands the purpose of security controls and reasons about potential bypasses. That allows it to generate novel attack strategies that were not present in training data.&lt;/p&gt;
&lt;p&gt;DeepSeek demonstrates this shift. Within months of release, it showed capabilities matching established players at a fraction of the cost. This rapid progress comes from reasoning models' ability to understand and adapt, not just pattern match.&lt;/p&gt;
&lt;p&gt;For security teams, that is a material challenge. Reasoning models do not just find gaps in rules. They infer why rules exist, deduce the logic behind security controls, and generate attacks that exploit underlying assumptions.&lt;/p&gt;
&lt;p&gt;By 2027, I expect reasoning models to handle most security testing and exploit development. Their advantages prove too compelling:&lt;/p&gt;
&lt;ol&gt;
&lt;li&gt;They understand system architecture and security principles&lt;/li&gt;
&lt;li&gt;They generate novel attack strategies through reasoning&lt;/li&gt;
&lt;li&gt;They adapt in real-time based on system responses&lt;/li&gt;
&lt;li&gt;They share and build upon successful approaches&lt;/li&gt;
&lt;/ol&gt;
&lt;p&gt;This shift pushes traditional security approaches past their useful boundary faster than many teams expect. Pattern matching and rule-based systems cannot reliably counter an opponent that understands and reasons about their operating logic.&lt;/p&gt;
&lt;p&gt;The combination of reasoning models with residential proxies is especially difficult to defend against. Reasoning models devise sophisticated attacks while proxies mask their origin. Each successful breach feeds back into the model's understanding, improving future attempts.&lt;/p&gt;
&lt;p&gt;Security teams must embrace a new paradigm focused on:&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;Understanding attack narratives rather than patterns&lt;/li&gt;
&lt;li&gt;Detecting anomalous reasoning rather than known signatures&lt;/li&gt;
&lt;li&gt;Building systems that adapt to novel attack strategies&lt;/li&gt;
&lt;li&gt;Implementing security that reasons about intent&lt;/li&gt;
&lt;li&gt;Developing defences that evolve through adversarial learning&lt;/li&gt;
&lt;/ul&gt;
&lt;p&gt;Security systems need to reason about threats as effectively as the AI agents probing them. Traditional approaches will fail against opponents that understand the logic behind security controls and devise creative bypasses.&lt;/p&gt;
&lt;p&gt;The age of reasoning security has begun. Static rules and pattern matching are no longer enough on their own.&lt;/p&gt;
&lt;p&gt;The question is how quickly security teams can move from fixed patterns to adaptive, intent-aware defence.&lt;/p&gt;</content><category term="Security"></category><category term="Application Security"></category><category term="Threat Detection"></category><category term="DevSecOps"></category><category term="Bot Management"></category><category term="API Security"></category><category term="DDoS"></category></entry><entry><title>When Bots Are Your Primary Users</title><link href="https://www.peakhour.io/blog/future-of-apis-bot-primary-users/" rel="alternate"></link><published>2025-02-12T14:00:00+11:00</published><updated>2025-02-12T14:00:00+11:00</updated><author><name>AC</name></author><id>tag:www.peakhour.io,2025-02-12:/blog/future-of-apis-bot-primary-users/</id><summary type="html">&lt;p&gt;An exploration of how AI agents are reshaping API design principles and why we must evolve our approach to serve both machine and human consumers.&lt;/p&gt;</summary><content type="html">&lt;p&gt;APIs have mostly been designed for human developers first. Reasoning models like DeepSeek make that assumption weaker. If an agent can inspect an API, plan a sequence of calls, and adapt as it goes, it becomes a different kind of consumer.&lt;/p&gt;
&lt;p&gt;That is the part worth paying attention to. Many APIs still assume a human-first model while AI agents become regular, and in some cases primary, users. These are not simple scraping bots or automation scripts. Modern AI agents can plan, reason, and change their behaviour. They interact with APIs in ways many teams did not account for when they wrote their OpenAPI specifications and documentation.&lt;/p&gt;
&lt;p&gt;A human developer reads documentation, tries a few calls, and works through errors. An AI agent can process the whole API surface in seconds, generate thousands of possible interaction patterns, and test them systematically. That difference changes both API design and API security.&lt;/p&gt;
&lt;p&gt;The issue is not limited to technical specifications. API logs already show traffic patterns that challenge older assumptions. AI agents do not follow typical "business hours" usage. They do not slow down because a workflow becomes cognitively heavy. They process responses at machine speed and chain API calls in ways human developers rarely attempt.&lt;/p&gt;
&lt;p&gt;This shift forces us to rethink several core aspects of API design:&lt;/p&gt;
&lt;h3&gt;Structure and Format&lt;/h3&gt;
&lt;p&gt;Human-readable formats still matter, but they are not the only target. JSON and REST endpoints work well for developers who need to read and understand responses. For AI agents, there may be room for more efficient formats that optimise for machine processing rather than human comprehension.&lt;/p&gt;
&lt;h3&gt;Rate Limiting and Quotas&lt;/h3&gt;
&lt;p&gt;Most rate limiting models still assume human consumption patterns. AI agents operate at machine speed and scale. New models need to account for that processing capacity while still preventing abuse. That may mean moving from simple request counts to complexity-based quotas.&lt;/p&gt;
&lt;h3&gt;Authentication and Security&lt;/h3&gt;
&lt;p&gt;Traditional API keys and OAuth flows centre on human developers. AI agents need security models that account for how they operate. The hard problem is verifying the identity and intentions of an AI agent without weakening the security controls around the API.&lt;/p&gt;
&lt;h3&gt;Documentation and Discovery&lt;/h3&gt;
&lt;p&gt;API documentation still focuses on human understanding. For AI agents, machine-readable specifications need to go beyond OpenAPI. They should describe what endpoints do, not just how to call them.&lt;/p&gt;
&lt;p&gt;This also changes how we monitor and maintain APIs. Traditional metrics like response time and error rates remain useful, but they do not explain AI agent behaviour on their own. How do we measure the "success" of an API when its primary users are machines that can adapt to problems and work around them?&lt;/p&gt;
&lt;p&gt;Performance optimisation changes as well. A human developer might tolerate occasional latency. An AI agent can make thousands of calls per second, which puts more pressure on caching, edge computing, and response optimisation.&lt;/p&gt;
&lt;p&gt;APIs are likely to split into two parallel tracks: human-oriented interfaces that prioritise developer experience, and machine-oriented interfaces optimised for AI consumption. This is not a choice between one audience and the other. It is recognition that they have different needs.&lt;/p&gt;
&lt;p&gt;The challenge extends to business models. How do we price APIs when consumers are AI agents that can process information at machine scale? Traditional per-request pricing may not make sense when an AI can make millions of optimised calls that would take a human developer years to replicate.&lt;/p&gt;
&lt;p&gt;Residential proxies add another layer of complexity. They allow AI agents to appear as regular users, making it harder to distinguish between human and machine traffic. That pushes API access control beyond IP-based rate limiting.&lt;/p&gt;
&lt;p&gt;The ethical questions also matter. As APIs become primarily consumed by AI agents, teams need frameworks for responsible use. That includes asking how an API might be used inside AI systems, and what guardrails should sit around that access.&lt;/p&gt;
&lt;p&gt;This is not about replacing human developers. It is about recognising AI agents as a new class of API consumer, with their own needs and capabilities. API design, security, and management all need to account for that.&lt;/p&gt;
&lt;p&gt;The APIs we build today will sit under tomorrow's AI-driven systems. They need to be designed for both human and AI consumers, with clear decisions about discovery, access, rate limits, authentication, monitoring, and abuse controls.&lt;/p&gt;
&lt;p&gt;The shift to AI-first API design is already under way. The practical question is how quickly API practices can catch up.&lt;/p&gt;
&lt;p&gt;Our APIs have to evolve with their users.&lt;/p&gt;</content><category term="Security"></category><category term="Bot Management"></category><category term="API Security"></category><category term="Machine Learning"></category></entry><entry><title>Data-Driven Risk Management</title><link href="https://www.peakhour.io/blog/data-driven-risk-management-contextual-security/" rel="alternate"></link><published>2025-02-07T00:00:00+11:00</published><updated>2025-02-07T00:00:00+11:00</updated><author><name>AC</name></author><id>tag:www.peakhour.io,2025-02-07:/blog/data-driven-risk-management-contextual-security/</id><summary type="html">&lt;p&gt;How Peakhour's contextual security aligns with Visa's data-driven risk management approach in the 2025-2028 Security Roadmap.&lt;/p&gt;</summary><content type="html">&lt;p&gt;After our examination of &lt;a href="/blog/visa-security-roadmap-2025-overview/"&gt;Visa's Security Roadmap&lt;/a&gt;, this article looks at how Peakhour's contextual
security approach supports Visa's third key focus area: shifting to a data-driven, risk-based approach.&lt;/p&gt;
&lt;h2&gt;The Evolution of Risk Management&lt;/h2&gt;
&lt;p&gt;Traditional security controls often rely on static rules and fixed thresholds. Visa's Security Roadmap 2025-2028 emphasises the need for dynamic, data-driven risk management that adapts to emerging threats while keeping operations efficient. That shift is important for attacks like &lt;a href="/blog/credential-stuffing-threat-australian-businesses/"&gt;credential stuffing&lt;/a&gt; and &lt;a href="/blog/preventing-enumeration-attacks-visa-roadmap/"&gt;enumeration
attacks&lt;/a&gt;, which exploit weak points in static defences.&lt;/p&gt;
&lt;h2&gt;Understanding Contextual Security&lt;/h2&gt;
&lt;p&gt;Contextual security moves beyond fixed rules by using real-time data analysis to assess risk and choose a proportionate response. It starts by collecting a broad set of signals for each interaction, including user behaviour patterns, device characteristics, network indicators like &lt;a href="/blog/tls-fingerprinting/"&gt;TLS fingerprints&lt;/a&gt;, geographic patterns, and historical trends.&lt;/p&gt;
&lt;p&gt;Those signals feed a dynamic risk assessment engine with continuous monitoring and adaptive thresholds. Using techniques such as behavioural analysis and &lt;a href="/blog/advanced-anomaly-detection-rrcf-application-security/"&gt;anomaly detection&lt;/a&gt;, the system can identify subtle deviations from normal activity that may signal a threat. The result is a response matched to the risk: triggering risk-based authentication, applying adaptive security measures, or initiating an automated threat response with customised rules.&lt;/p&gt;
&lt;h2&gt;How Peakhour Aligns with Visa's Vision&lt;/h2&gt;
&lt;p&gt;Our &lt;a href="/solutions/use-case/contextual-security/"&gt;Contextual Security&lt;/a&gt; platform supports Visa's data-driven approach by combining multiple layers of defence. At the core is edge intelligence, which uses a global network to process data in real time, close to the user. This supports rapid identification of emerging threats, sharing threat intelligence across the network, and responding to attacks as they happen.&lt;/p&gt;
&lt;p&gt;This is backed by advanced analytics that use machine learning models, behavioural analysis, pattern recognition, and anomaly detection. These tools are essential for identifying sophisticated threats, such as bots using residential proxies or &lt;a href="/blog/anti-detect-browsers-application-security-threat/"&gt;anti-detect browsers&lt;/a&gt;. By analysing connection-level data, we can distinguish malicious automation from legitimate user traffic, a task traditional IP-based methods often fail.&lt;/p&gt;
&lt;p&gt;This analysis supports risk-based decision-making. Instead of applying one-size-fits-all rules, our platform implements dynamic security measures. This includes adaptive authentication, contextual access controls, risk-based policies, and automated responses like advanced rate limiting, which can help stop distributed attacks.&lt;/p&gt;
&lt;h2&gt;Key Benefits of a Data-Driven Approach&lt;/h2&gt;
&lt;p&gt;Adopting a data-driven, contextual security model gives organisations practical advantages. It improves security through earlier threat detection and a reduction in false positives. The broader coverage protects against a wider range of attacks, from automated bots to manual fraud attempts.&lt;/p&gt;
&lt;p&gt;At the same time, it can improve the user experience. By assessing risk more accurately, the system can reduce friction for legitimate users, support faster transactions, and make authentication less intrusive. This personalised security approach strengthens trust without sacrificing usability, a necessary balance for modern businesses.&lt;/p&gt;
&lt;p&gt;Finally, this strategy improves operational efficiency. Automated responses reduce the need for manual review and intervention, optimising resource allocation. The scalable nature of the platform ensures that security can keep pace with business growth, providing a more sustainable way to manage risk.&lt;/p&gt;
&lt;h2&gt;Implementing Contextual Security&lt;/h2&gt;
&lt;p&gt;Organisations can implement contextual security by assessing their current state: reviewing existing controls, identifying data sources, and evaluating current capabilities. A planning phase then defines objectives, selects appropriate solutions, and establishes key performance metrics. Deployment follows, with systems installed, rules configured, staff trained, and performance monitored continuously.&lt;/p&gt;
&lt;p&gt;To maximise effectiveness, teams need high-quality, real-time data collection while maintaining user privacy. They also need a robust analysis framework: well-defined risk models, adaptive thresholds, and clear policies for automation. Finally, response mechanisms should be practical to operate, with automated workflows and controls that can be monitored and refined over time.&lt;/p&gt;
&lt;h2&gt;Real-World Applications and Future Considerations&lt;/h2&gt;
&lt;p&gt;In practice, contextual security applies across several security workflows. For authentication, it enables risk-based multi-factor authentication and adaptive policies. In transaction monitoring, it allows for real-time analysis and fraud prevention. For access control, it supports dynamic permissions based on context-aware rules.&lt;/p&gt;
&lt;p&gt;Looking ahead, organisations should prepare for the increasing role of advanced analytics, including AI and predictive analytics. Integration with other systems through APIs will be important, as will adapting to evolving regulatory requirements and new threat vectors.&lt;/p&gt;
&lt;h2&gt;Final Thoughts&lt;/h2&gt;
&lt;p&gt;The shift to data-driven risk management is an important change in security strategy. Peakhour's contextual security solutions help organisations align with Visa's vision while improving security, efficiency, and user experience. Moving beyond static rules to an adaptive defence gives businesses a better way to protect themselves and their customers in a more complex digital environment.&lt;/p&gt;
&lt;p&gt;--&lt;/p&gt;
&lt;p&gt;&lt;em&gt;Learn how Peakhour's contextual security solutions can help your organisation implement data-driven risk management aligned with Visa's Security Roadmap 2025-2028. &lt;a href="/contact-sales/"&gt;Contact our team&lt;/a&gt; to improve your security posture.&lt;/em&gt;&lt;/p&gt;</content><category term="Account Protection"></category><category term="Account Protection"></category><category term="Application Security"></category><category term="Credential Stuffing"></category><category term="API Security"></category><category term="Threat Detection"></category><category term="PCI DSS"></category></entry><entry><title>Did Residential Proxies enable a $600 Billion loss?</title><link href="https://www.peakhour.io/blog/residential-proxies-deepseek/" rel="alternate"></link><published>2025-01-31T00:00:00+11:00</published><updated>2025-01-31T00:00:00+11:00</updated><author><name>AC</name></author><id>tag:www.peakhour.io,2025-01-31:/blog/residential-proxies-deepseek/</id><summary type="html">&lt;p&gt;How residential proxy networks may have enabled DeepSeek to bypass AI platform protections, leading to Nvidia's historic market value loss&lt;/p&gt;</summary><content type="html">&lt;p&gt;The DeepSeek story puts &lt;a href="/learning/threat-detection/what-is-residential-proxy-detection/"&gt;residential proxy&lt;/a&gt; networks under scrutiny as a possible factor in
AI's latest market disruption. In January 2025, the Chinese startup's emergence erased $600 billion from Nvidia's market
value by demonstrating AI capabilities that match industry leaders at a fraction of the cost.&lt;/p&gt;
&lt;p&gt;The path to this capability raises a practical security question for AI platforms. Leading platforms protect their APIs with multiple security layers -
rate limiting to prevent mass data extraction, bot detection
to block automated requests, and geoblocking to restrict access from certain regions. These measures are meant to prevent the systematic collection of training data.&lt;/p&gt;
&lt;p&gt;Residential &lt;a href="/products/residential-proxy-detection/"&gt;proxy networks&lt;/a&gt; create a route around those protections. These networks route traffic through
household IP addresses, so requests appear to originate from homes in permitted regions.
A request from a restricted location could look like legitimate traffic from Sydney, Melbourne, or Perth.&lt;/p&gt;
&lt;p&gt;The circumstances suggest this approach is plausible. By distributing requests across millions of residential IPs worldwide,
each IP could maintain human-like patterns while staying below rate limits. The aggregate data could form a substantial
training set without triggering security alerts.&lt;/p&gt;
&lt;p&gt;Meta's lawsuit against Bright Data strengthens this possibility. The case exposed how proxy providers monetise residential
IPs, often without homeowners' knowledge. That model creates a global network capable of bypassing traditional security
measures - exactly the type of infrastructure needed for large-scale data collection.&lt;/p&gt;
&lt;p&gt;The residential proxy industry threatens $600 billion in business value through data theft and security bypasses.
DeepSeek's impact on Nvidia's market capitalisation highlights the real-world impact of residential proxies.&lt;/p&gt;
&lt;p&gt;For AI platforms, the question is operational. How can platforms distinguish between legitimate users and well-crafted
requests through residential proxies? When geographical restrictions lose meaning, what security measures remain effective?
Traditional &lt;a href="/blog/anti-fraud-residential-proxy-detection/"&gt;IP Intelligence based proxy detection&lt;/a&gt; based on historical
usage is no longer effective; per-connection proxy detection is essential.&lt;/p&gt;
&lt;p&gt;DeepSeek's emergence suggests AI security teams need to revisit their assumptions. The potential use of residential proxy networks
to dissolve digital borders challenges current approaches to platform protection.&lt;/p&gt;</content><category term="Residential Proxies"></category><category term="Residential Proxies"></category><category term="CDN"></category><category term="Bot Management"></category><category term="Machine Learning"></category><category term="API Security"></category><category term="Threat Detection"></category></entry><entry><title>Preventing Enumeration Attacks</title><link href="https://www.peakhour.io/blog/preventing-enumeration-attacks-visa-roadmap/" rel="alternate"></link><published>2025-01-24T00:00:00+11:00</published><updated>2025-01-24T00:00:00+11:00</updated><author><name>AC</name></author><id>tag:www.peakhour.io,2025-01-24:/blog/preventing-enumeration-attacks-visa-roadmap/</id><summary type="html">&lt;p&gt;An analysis of how Peakhour's solutions help prevent enumeration attacks, aligning with Visa's Security Roadmap 2025-2028 priorities.&lt;/p&gt;</summary><content type="html">&lt;p&gt;After our &lt;a href="/blog/visa-security-roadmap-2025-overview/"&gt;overview of Visa's Security Roadmap 2025-2028&lt;/a&gt;, this article looks at the first focus area: preventing enumeration attacks. Visa reports a 40% increase in enumeration attacks in the first six months of 2023 compared with the previous period, and more than US$1.1 billion in global fraud losses from these attacks over the year to 30 September 2023.&lt;/p&gt;
&lt;p&gt;Visa defines enumeration and account testing as criminal practices where fraudsters use automation to test and guess payment credentials, which can then be used for fraudulent transactions. In card-testing campaigns, attackers send large numbers of low-value authorisation attempts to validate a primary account number, expiry date, or CVV2. They tend to target online merchants with weaker fraud controls because the merchant site becomes the testing ground while issuers, acquirers, and cardholders absorb the downstream damage.&lt;/p&gt;
&lt;p&gt;The volume share can look small. Visa notes that these attacks contribute to less than 1% of global card-not-present volume. That can make the risk easy to underweight until the business sees the operating cost: processor scrutiny, chargeback pressure, support load, infrastructure spikes, blocked genuine customers, and fraud teams trying to reconstruct what happened after the card data has already been validated somewhere else.&lt;/p&gt;
&lt;h2&gt;The Risk Is Operational Before It Is Regulatory&lt;/h2&gt;
&lt;p&gt;Enumeration is not only a payment fraud pattern. It is a production traffic problem. The attack arrives as normal-looking checkout or payment API requests, often distributed across many IPs, accounts, devices, cards, and merchants. If the only defence is a fixed IP threshold, the attacker can slow down, rotate infrastructure, or push attempts through residential proxy networks that look closer to consumer traffic.&lt;/p&gt;
&lt;p&gt;That is why Visa's roadmap points to authentication controls, anomaly detection, real-time monitoring, velocity thresholds, CVV2 for unsecure transactions, and retries with different values as indicators of account testing behaviour. The common thread is evidence. Teams need to see the pattern across attempts, not just one failed authorisation at a time.&lt;/p&gt;
&lt;p&gt;For merchants and acquirers, the first decision is scope. Which routes can submit payment credentials? Which APIs can create checkout sessions, payment intents, or tokenisation requests? Which responses tell an attacker whether the credential is likely valid? Which logs show retries with changed values? Which controls can act before the traffic reaches the processor?&lt;/p&gt;
&lt;h2&gt;VAMP Raises the Need for Cleaner Evidence&lt;/h2&gt;
&lt;p&gt;Visa's updated Visa Acquirer Monitoring Program (VAMP) is effective 1 April 2025. In the roadmap, Visa says VAMP brings more aligned fraud thresholds for domestic and cross-border card-not-present transactions and incorporates new enumeration criteria based on the number of enumerated authorisation transactions and the enumeration rate identified by the VAAI Score.&lt;/p&gt;
&lt;p&gt;That does not mean every merchant needs the same control design. It does mean acquirers and merchants need better visibility into whether a burst of payment activity is genuine demand, a broken integration, friendly fraud, or enumeration. When traffic is distributed, the evidence needs to include more than source IP. Useful signals include route, account state, card-attempt cadence, response codes, device or browser consistency, proxy likelihood, country and ASN changes, header and TLS patterns, and whether retries are changing only the values an attacker is trying to validate.&lt;/p&gt;
&lt;p&gt;Peakhour's role is at the web and API edge. &lt;a href="/products/bot-management/"&gt;Bot Management&lt;/a&gt;, &lt;a href="/products/advanced-rate-limiting/"&gt;Advanced Rate Limiting&lt;/a&gt;, &lt;a href="/products/residential-proxy-detection/"&gt;Residential Proxy Detection&lt;/a&gt;, WAF, and log forwarding can help teams detect automated payment attempts, slow or block abusive routes, identify proxy-backed traffic, and retain decision evidence. Those controls support a payment security program; they do not determine VAMP standing, replace acquirer guidance, or provide legal advice.&lt;/p&gt;
&lt;h2&gt;Rate Limits Need to Follow the Attack Shape&lt;/h2&gt;
&lt;p&gt;Simple rate limits still help, but card testing rarely follows one neat source. A useful rate limit strategy looks at multiple keys: route, payment action, account, session, token, card fingerprint where appropriate, device signal, IP, ASN, country, response result, and time window. The limits should also distinguish between customer actions. A checkout page, card add route, refund path, gift card purchase, and payment authorisation API should not all share one generic threshold.&lt;/p&gt;
&lt;p&gt;Teams also need to decide what the control does. Some traffic should be blocked. Some should be slowed. Some should be challenged before payment. Some should be logged and reviewed because false positives would create more harm than the risk being reduced. The right action depends on business context, fraud exposure, customer value, and the confidence of the signals.&lt;/p&gt;
&lt;p&gt;Residential proxy abuse is a good example. A residential IP does not prove fraud. Many genuine users sit behind shared or mobile networks. But residential proxy use combined with high-cardinality card attempts, changed CVV2 values, first-seen devices, failed authorisations, and unusual checkout cadence is a stronger signal. The value is correlation, not a single magic indicator.&lt;/p&gt;
&lt;h2&gt;A Practical Review Path&lt;/h2&gt;
&lt;p&gt;Teams preparing for enumeration risk should start with the payment routes rather than with a vendor checklist.&lt;/p&gt;
&lt;ol&gt;
&lt;li&gt;Map every route that can create, submit, modify, or retry a payment attempt.&lt;/li&gt;
&lt;li&gt;Review response messages and status codes for accidental validation clues.&lt;/li&gt;
&lt;li&gt;Check whether logs can show velocity, retries with changed values, and route-level concentration without storing sensitive card data.&lt;/li&gt;
&lt;li&gt;Apply route-aware rate limits and bot controls before processor calls where possible.&lt;/li&gt;
&lt;li&gt;Add proxy, device, session, and behaviour signals to separate normal checkout friction from testing behaviour.&lt;/li&gt;
&lt;li&gt;Keep evidence of policy version, action, route, and signal set so fraud and compliance teams can review outcomes.&lt;/li&gt;
&lt;/ol&gt;
&lt;p&gt;The caution is important: do not turn payment logging into a second store of cardholder data. Enumeration defence needs enough evidence to detect and investigate abuse, but PCI DSS and privacy expectations still require careful handling of cardholder data, tokens, logs, and support exports.&lt;/p&gt;
&lt;h2&gt;What This Means for Peakhour Customers&lt;/h2&gt;
&lt;p&gt;Enumeration prevention is not a single feature. It is a control path around payment routes: classify the request, evaluate the signals, act proportionately, and keep evidence. Peakhour can help by applying those decisions at the edge before abusive traffic reaches the origin or payment integration.&lt;/p&gt;
&lt;p&gt;The business value is not only fewer bad requests. It is cleaner payment telemetry, faster fraud review, fewer avoidable processor calls, and a better basis for conversations with acquirers when suspicious activity appears. Visa's roadmap makes that direction clear: payment security is moving toward data-driven, evidence-backed controls that can recognise automation abuse without blocking genuine customers by default.&lt;/p&gt;</content><category term="Security"></category><category term="Account Protection"></category><category term="Credential Stuffing"></category><category term="PCI DSS"></category><category term="API Security"></category><category term="Fraud Prevention"></category><category term="Threat Detection"></category></entry><entry><title>Managing Bots For Application Security</title><link href="https://www.peakhour.io/blog/enterprise-bot-management-application-security/" rel="alternate"></link><published>2024-09-15T00:00:00+10:00</published><updated>2024-09-15T00:00:00+10:00</updated><author><name>AC</name></author><id>tag:www.peakhour.io,2024-09-15:/blog/enterprise-bot-management-application-security/</id><summary type="html">&lt;p&gt;Comprehensive guide to enterprise bot management for modern application security platforms. Learn how to protect applications and APIs from sophisticated bot threats including anti-detect browsers, credential stuffing, and automated attacks targeting DevOps environments.&lt;/p&gt;</summary><content type="html">&lt;p&gt;This guide separates &lt;a href="/products/bot-management/"&gt;bot management&lt;/a&gt; into three maturity levels: basic, intermediate, and advanced. The point is not to rank feature lists. It is to understand what kind of bot decision each level can safely make on the request path.&lt;/p&gt;
&lt;p&gt;Bots now target revenue, data, accounts, inventory, APIs, and origin capacity. Some are obvious crawlers. Others run credential stuffing, account creation, scraping, inventory hoarding, click fraud, or Layer 7 pressure through traffic that looks close to normal. A useful bot control has to decide whether to allow, challenge, rate limit, block, log, or review a request without punishing legitimate users who happen to share a network or device pattern.&lt;/p&gt;
&lt;p&gt;For more on account impact, read our article on the &lt;a href="/blog/credential-stuffing-business-impact/"&gt;Business Impact of Credential Stuffing&lt;/a&gt;.&lt;/p&gt;
&lt;h2&gt;Basic Protection&lt;/h2&gt;
&lt;p&gt;Basic bot management is built around visible signals: user-agent checks, simple IP reputation, known bot signatures, and broad rate limits. These controls still have a job. They can manage well-behaved crawlers, block obvious automation, and stop a single noisy source from hammering a site.&lt;/p&gt;
&lt;p&gt;The limitation is that basic controls assume the source or header tells most of the story. That breaks down when automation behaves like a browser, rotates infrastructure, or spreads requests across residential and shared networks. A flat IP limit may slow one scraper and still miss a credential attack distributed across many exits. It may also catch real users behind a busy office, mobile carrier, or public Wi-Fi network.&lt;/p&gt;
&lt;p&gt;Basic protection is suitable when the risk is low, the main concern is crawler hygiene, and the business can tolerate coarse controls. It is not enough for account protection, high-value scraping targets, or API workflows where abuse can arrive through valid requests.&lt;/p&gt;
&lt;h2&gt;Intermediate Protection&lt;/h2&gt;
&lt;p&gt;Intermediate bot management adds more request and client evidence. JavaScript signals, header consistency, cookie behaviour, basic network fingerprints such as &lt;a href="/blog/tls-fingerprinting/"&gt;TLS fingerprinting&lt;/a&gt;, and route-level observations make the decision less dependent on the IP address alone. This level can catch automation that fails to behave like a normal browser or that exposes inconsistencies across requests.&lt;/p&gt;
&lt;p&gt;It is a meaningful step up, but it still has limits. Anti-detect browsers and modern automation can keep browser signals plausible for long enough to run a campaign. Residential proxy networks can make source reputation noisy. API requests may not run browser-side checks at all. If the bot system treats browser, route, credential, and API context as separate problems, operators end up tuning several partial controls rather than one decision.&lt;/p&gt;
&lt;p&gt;Intermediate protection works for general scraping, noisy automation, and non-persistent abuse. It starts to struggle when attackers adapt, slow down, distribute requests, or target sensitive routes where a small number of requests can cause business harm.&lt;/p&gt;
&lt;h2&gt;Advanced Protection&lt;/h2&gt;
&lt;p&gt;Advanced bot management is combined signal decisioning. The difference is not "more techniques" in a checklist. The difference is that IP intelligence, residential proxy status, network and browser fingerprints, route-specific rates, behaviour, credential risk, API context, WAF/WAAP findings, DDoS pressure, and logs feed the same action model.&lt;/p&gt;
&lt;p&gt;That context changes the decision. A high request rate on a public image route is not the same as repeated failed logins. A suspicious proxy signal on a cached page is not the same as the same signal on account recovery. A browser fingerprint mismatch may be logged on a low-risk page but challenged when paired with exposed credentials and rapid account switching.&lt;/p&gt;
&lt;p&gt;Advanced protection is designed for persistent abuse: credential stuffing, account takeover attempts, scraping at scale, inventory hoarding, fake account creation, API bot traffic, and bot-driven Layer 7 floods. It should support web, mobile, and API traffic, and it should preserve evidence so security, platform, and support teams can see which signal drove an action.&lt;/p&gt;
&lt;h2&gt;Choosing the Right Level&lt;/h2&gt;
&lt;p&gt;The right level depends on what the bot can damage. A brochure site may only need crawler management and basic rate limits. An ecommerce site needs protection for search, product, checkout, promotion, and account routes. A marketplace, bank, gaming platform, ticketing site, or API-heavy business usually needs route-aware decisions that combine proxy, fingerprint, credential, account, and behaviour context.&lt;/p&gt;
&lt;p&gt;The false-positive risk matters just as much as the attack risk. Shared networks, carrier-grade NAT, privacy tools, corporate egress, and normal browser drift can all make a simple signal look suspicious. A mature bot programme does not block every unusual request. It uses uncertainty to pick safer actions: log, challenge, rate limit, or review before escalating to a block.&lt;/p&gt;
&lt;h2&gt;Peakhour's View&lt;/h2&gt;
&lt;p&gt;Peakhour's &lt;a href="/products/bot-management/"&gt;Bot Management&lt;/a&gt; connects bot decisions to the rest of the application security path. &lt;a href="/products/residential-proxy-detection/"&gt;Residential Proxy Detection&lt;/a&gt;, &lt;a href="/products/ip-intelligence/"&gt;IP Intelligence&lt;/a&gt;, &lt;a href="/products/advanced-rate-limiting/"&gt;Advanced Rate Limiting&lt;/a&gt;, &lt;a href="/products/api-security/"&gt;API Security&lt;/a&gt;, &lt;a href="/products/waf/"&gt;WAAP/WAF controls&lt;/a&gt;, and &lt;a href="/products/log-forwarding/"&gt;Log Forwarding&lt;/a&gt; all support the same request outcome: allow, challenge, rate limit, block, log, or review with evidence.&lt;/p&gt;
&lt;p&gt;That is the practical maturity model. Basic controls handle obvious bots. Intermediate controls add client and request evidence. Advanced controls combine signals into decisions that match the route, risk, and business impact.&lt;/p&gt;</content><category term="Bots"></category><category term="Bot Management"></category><category term="API Security"></category><category term="Credential Stuffing"></category><category term="Account Protection"></category><category term="DevSecOps"></category><category term="Application Security"></category></entry><entry><title>The Challenge of Proxy Detection</title><link href="https://www.peakhour.io/blog/proxy-detection-challenges-existing-solutions/" rel="alternate"></link><published>2024-07-19T10:00:00+10:00</published><updated>2024-07-19T10:00:00+10:00</updated><author><name>AC</name></author><id>tag:www.peakhour.io,2024-07-19:/blog/proxy-detection-challenges-existing-solutions/</id><summary type="html">&lt;p&gt;Examine why current security solutions fail to detect and mitigate threats from residential proxies, and the need for comprehensive protection strategies.&lt;/p&gt;</summary><content type="html">&lt;p&gt;Our &lt;a href="/blog/credential-stuffing-and-account-takeover-survey-2024"&gt;recent survey&lt;/a&gt; found that only 15% of Australian organisations use residential proxy detection. That leaves many teams relying on controls that were not built for current proxy traffic, especially where CGNAT and NAT make IP-level decisions unreliable.&lt;/p&gt;
&lt;h2&gt;The Shortcomings of Traditional Methods&lt;/h2&gt;
&lt;p&gt;Legacy bot protection providers often combine &lt;a href="/products/ip-intelligence/"&gt;IP reputation&lt;/a&gt;, network characteristics, header analysis, and JavaScript-based checks to identify proxy usage. These methods struggle against well-run &lt;a href="/learning/security/datacenter-vs-residential-proxies/"&gt;residential proxies&lt;/a&gt;:&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;IP and ASN categorisation: Ages quickly as new proxy networks emerge.&lt;/li&gt;
&lt;li&gt;Network-level checks: Well-configured proxies can work around them.&lt;/li&gt;
&lt;li&gt;Header analysis: Proxies can alter HTTP headers to mimic legitimate traffic.&lt;/li&gt;
&lt;li&gt;JavaScript-based detection: Struggles against headless browsers and leaves API endpoints vulnerable.&lt;/li&gt;
&lt;/ul&gt;
&lt;h2&gt;The CGNAT and NAT Challenge&lt;/h2&gt;
&lt;p&gt;A practical limit of traditional methods is their inability to distinguish legitimate traffic from proxy traffic when both originate from the same IP address. Carrier-Grade NAT (CGNAT) and Network Address Translation (NAT) make this common:&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;CGNAT: Used by ISPs to conserve IPv4 addresses, resulting in multiple users sharing a single public IP.&lt;/li&gt;
&lt;li&gt;NAT: Commonly used in home and business networks, allowing multiple devices to use one public IP address.&lt;/li&gt;
&lt;/ul&gt;
&lt;p&gt;As a result, legitimate users and residential proxy traffic can appear to come from the same IP address. IP reputation and geolocation alone cannot separate these traffic types.&lt;/p&gt;
&lt;p&gt;This creates a difficult tradeoff:&lt;/p&gt;
&lt;ol&gt;
&lt;li&gt;Blocking suspicious IPs risks denying service to legitimate users.&lt;/li&gt;
&lt;li&gt;Allowing all traffic from these IPs opens the door to potential abuse via residential proxies.&lt;/li&gt;
&lt;/ol&gt;
&lt;p&gt;Traditional methods cannot reliably pull apart these different types of traffic, so teams either block too much legitimate traffic or allow too much proxy traffic through.&lt;/p&gt;
&lt;h2&gt;The Need for Sophisticated Network Fingerprinting&lt;/h2&gt;
&lt;p&gt;To detect and mitigate residential proxy threats while allowing legitimate traffic from shared IPs, detection needs to move beyond IP identity. Network fingerprinting addresses the limits of traditional methods:&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;Deep packet inspection: Analyses traffic patterns and characteristics beyond basic IP or header indicators.&lt;/li&gt;
&lt;li&gt;Protocol behaviour analysis: Identifies subtle anomalies in how network protocols are implemented across the proxy chain.&lt;/li&gt;
&lt;li&gt;TLS fingerprinting: Examines unique characteristics of TLS handshakes to detect proxy usage.&lt;/li&gt;
&lt;li&gt;Timing analysis: Measures small differences in network latency that can indicate the presence of a proxy.&lt;/li&gt;
&lt;/ul&gt;
&lt;p&gt;Used together, these techniques can detect proxy usage on a per-connection basis for both web traffic and API calls, even when traffic originates from shared IP addresses. This approach provides several advantages:&lt;/p&gt;
&lt;ol&gt;
&lt;li&gt;Improved accuracy: Significantly reduces false positives and negatives compared to traditional methods, including in CGNAT and NAT scenarios.&lt;/li&gt;
&lt;li&gt;API protection: Secures API endpoints, which are often overlooked by JavaScript-based solutions.&lt;/li&gt;
&lt;li&gt;Real-time detection: Allows for immediate action against detected proxy usage without impacting legitimate users.&lt;/li&gt;
&lt;li&gt;Adaptability: Can be updated to detect new proxy technologies as they emerge, regardless of IP sharing.&lt;/li&gt;
&lt;/ol&gt;
&lt;h2&gt;Implementing Effective Proxy Detection&lt;/h2&gt;
&lt;p&gt;To implement proxy detection that accounts for modern network complexity, organisations should consider the following:&lt;/p&gt;
&lt;ol&gt;
&lt;li&gt;Deploy solutions that use network fingerprinting techniques capable of distinguishing between different types of traffic from the same IP.&lt;/li&gt;
&lt;li&gt;Ensure protection covers both web applications and API endpoints, as both are vulnerable to proxy-based attacks.&lt;/li&gt;
&lt;li&gt;Implement real-time mitigation capabilities to respond swiftly to detected threats without impacting legitimate users.&lt;/li&gt;
&lt;li&gt;Regularly update and tune detection algorithms to keep pace with evolving proxy technologies and network architectures.&lt;/li&gt;
&lt;/ol&gt;
&lt;p&gt;Together, these practices improve an organisation's ability to detect and mitigate residential proxy threats across credential stuffing, account takeover, and related activity, while keeping access available for legitimate users.&lt;/p&gt;
&lt;p&gt;Learn more about our &lt;a href="/products/residential-proxy-detection/"&gt;proxy detection&lt;/a&gt; solution, which uses network fingerprinting to address the challenges posed by CGNAT and NAT.&lt;/p&gt;
&lt;p&gt;For more detail, explore our learning resources:&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;Understanding Residential Proxies&lt;/li&gt;
&lt;li&gt;&lt;a href="/learning/fingerprinting/what-is-network-fingerprinting/"&gt;Network Fingerprinting Techniques&lt;/a&gt;&lt;/li&gt;
&lt;li&gt;&lt;a href="/blog/tls-fingerprinting/"&gt;In-Depth Review: TLS Fingerprinting&lt;/a&gt;&lt;/li&gt;
&lt;/ul&gt;
&lt;p&gt;As proxy technologies and network architectures change, detection and mitigation need to change with them. Network fingerprinting gives organisations a more reliable way to identify residential proxy abuse without treating every shared IP as suspicious.&lt;/p&gt;</content><category term="Residential Proxies"></category><category term="Residential Proxies"></category><category term="Bot Management"></category><category term="Credential Stuffing"></category><category term="Account Protection"></category><category term="API Security"></category><category term="Threat Detection"></category></entry><entry><title>Account Protection and User Experience in Web Applications</title><link href="https://www.peakhour.io/blog/frictionless-customer-experiences/" rel="alternate"></link><published>2024-07-17T10:00:00+10:00</published><updated>2024-07-17T10:00:00+10:00</updated><author><name>AC</name></author><id>tag:www.peakhour.io,2024-07-17:/blog/frictionless-customer-experiences/</id><summary type="html">&lt;p&gt;Explore strategies to enhance web application security without compromising user experience, focusing on contextual security and adaptive authentication measures.&lt;/p&gt;</summary><content type="html">&lt;p&gt;Web applications face a wide range of security threats, but customer accounts are often the target. Our recent survey of
Australian businesses showed a need for stronger
&lt;a href="/solutions/use-case/contextual-security/"&gt;account protection&lt;/a&gt; measures. Those controls can add friction for users if they are applied too broadly. This article
looks at ways to balance security with &lt;a href="/learning/crux-chrome-user-experience/"&gt;user experience&lt;/a&gt; in web applications.&lt;/p&gt;
&lt;h2&gt;The Challenge: Compromised Credentials&lt;/h2&gt;
&lt;p&gt;Our survey found that 21% of organisations cited reputation loss as their main cybersecurity challenge. That
result points back to a practical security problem: compromised credentials.&lt;/p&gt;
&lt;p&gt;Causes of compromised logins include:&lt;/p&gt;
&lt;ol&gt;
&lt;li&gt;Phishing attacks&lt;/li&gt;
&lt;li&gt;Password reuse across multiple sites&lt;/li&gt;
&lt;li&gt;Data breaches exposing user credentials&lt;/li&gt;
&lt;li&gt;Credential stuffing attacks&lt;/li&gt;
&lt;li&gt;Keylogging malware&lt;/li&gt;
&lt;/ol&gt;
&lt;p&gt;These risks make password-only authentication a weak control for customer account protection.&lt;/p&gt;
&lt;h2&gt;Moving Beyond Traditional Multi-Factor Authentication&lt;/h2&gt;
&lt;p&gt;Multi-Factor Authentication (MFA) adds a useful security layer, but it can also add friction. Our survey found that
only 40% of organisations implement bot protection, which leaves a clear gap around automated attacks.&lt;/p&gt;
&lt;p&gt;While 77% of surveyed businesses use MFA, that figure can hide other weaknesses. MFA alone doesn't
protect accounts from every attack path.&lt;/p&gt;
&lt;p&gt;&lt;a href="/blog/why-mfa-is-an-incomplete-defence/"&gt;Learn more about the limitations of traditional MFA&lt;/a&gt;&lt;/p&gt;
&lt;h2&gt;Contextual Security: A User-Focused Approach&lt;/h2&gt;
&lt;p&gt;Contextual security helps reduce that tradeoff between protection and user experience. It assesses the risk of each
login attempt using factors including:&lt;/p&gt;
&lt;ol&gt;
&lt;li&gt;Location of the login attempt&lt;/li&gt;
&lt;li&gt;Time of day&lt;/li&gt;
&lt;li&gt;Device used&lt;/li&gt;
&lt;li&gt;User behaviour patterns&lt;/li&gt;
&lt;li&gt;IP address reputation&lt;/li&gt;
&lt;li&gt;Network characteristics&lt;/li&gt;
&lt;/ol&gt;
&lt;p&gt;By analysing these contextual factors, web applications can apply adaptive authentication without
asking every user to complete an extra step every time.&lt;/p&gt;
&lt;!-- ![Contextual Security Factors](/api/placeholder/600/400) --&gt;

&lt;p&gt;&lt;em&gt;Figure 1: Key factors considered in contextual security&lt;/em&gt;&lt;/p&gt;
&lt;h2&gt;Implementing Contextual Security in Web Applications&lt;/h2&gt;
&lt;p&gt;To improve account protection without adding unnecessary friction, consider these controls:&lt;/p&gt;
&lt;ol&gt;
&lt;li&gt;&lt;strong&gt;Real-time monitoring&lt;/strong&gt;: Track user activity and detect anomalies.&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Adaptive authentication&lt;/strong&gt;: Adjust security requirements based on the risk level of each login attempt.&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Behavioural analysis&lt;/strong&gt;: Use machine learning to understand user behaviour and flag suspicious activity.&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Transparent security measures&lt;/strong&gt;: Apply checks that don't require additional user actions for low-risk scenarios.&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Risk-based access controls&lt;/strong&gt;: Apply stricter security measures for high-risk actions or sensitive data access.&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Bot protection&lt;/strong&gt;: Detect and mitigate automated attacks.&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;API security&lt;/strong&gt;: Protect APIs from abuse and unauthorised access.&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Residential proxy detection&lt;/strong&gt;: Identify and mitigate threats from residential proxy networks.&lt;/li&gt;
&lt;/ol&gt;
&lt;p&gt;For web applications, the goal is targeted control rather than blanket friction.&lt;/p&gt;
&lt;h2&gt;The Role of User Education&lt;/h2&gt;
&lt;p&gt;User education still has a place in a security strategy. Training and awareness programs can help users understand:&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;The importance of strong, unique passwords&lt;/li&gt;
&lt;li&gt;How to identify phishing attempts&lt;/li&gt;
&lt;li&gt;The risks of password reuse across multiple sites&lt;/li&gt;
&lt;li&gt;The importance of keeping software and devices updated&lt;/li&gt;
&lt;li&gt;How to recognise and report suspicious activities&lt;/li&gt;
&lt;/ul&gt;
&lt;p&gt;User education works best when it supports technical controls rather than carrying the whole burden.&lt;/p&gt;
&lt;h2&gt;Addressing Mobile Application Security&lt;/h2&gt;
&lt;p&gt;Our survey indicates a potential gap in mobile security strategies. As mobile apps take on operations like banking and e-commerce, they become part of the application attack surface.&lt;/p&gt;
&lt;p&gt;Only 30% of respondents implement &lt;a href="/solutions/use-case/traffic-control/"&gt;Web Application&lt;/a&gt; and API Protection (WAAP), indicating many businesses may not be ready to protect their mobile assets. That gap leaves mobile applications exposed to attacks, including API abuse and data exfiltration.&lt;/p&gt;
&lt;!-- [Discover best practices for securing mobile applications](/mobile-application-security-best-practices/) --&gt;

&lt;h2&gt;The Threat of Residential Proxies&lt;/h2&gt;
&lt;p&gt;Our survey found that only 15% of organisations use residential proxy detection. That low adoption rate leaves a weakness in many businesses' security postures.&lt;/p&gt;
&lt;p&gt;Residential proxies can threaten account security by:&lt;/p&gt;
&lt;ol&gt;
&lt;li&gt;Bypassing traditional IP-based rate limiting&lt;/li&gt;
&lt;li&gt;Evading geolocation-based restrictions&lt;/li&gt;
&lt;li&gt;Facilitating large-scale credential stuffing attacks&lt;/li&gt;
&lt;li&gt;Enabling undetected data scraping&lt;/li&gt;
&lt;/ol&gt;
&lt;p&gt;Businesses should consider security providers that can detect and mitigate residential proxy threats.&lt;/p&gt;
&lt;p&gt;Learn more about &lt;a href="/products/residential-proxy-detection/"&gt;residential proxy&lt;/a&gt; detection&lt;/p&gt;
&lt;h2&gt;Finding the Balance&lt;/h2&gt;
&lt;p&gt;Balancing account protection and user experience in web applications requires more than a single control. By implementing contextual security measures, organisations can:&lt;/p&gt;
&lt;ol&gt;
&lt;li&gt;Improve security without unnecessary impact on user experience&lt;/li&gt;
&lt;li&gt;Adapt to threats in real-time&lt;/li&gt;
&lt;li&gt;Reduce the risk of compromised credentials and account takeovers&lt;/li&gt;
&lt;li&gt;Protect against threats like residential proxies and mobile application vulnerabilities&lt;/li&gt;
&lt;/ol&gt;
&lt;p&gt;As threats change, account protection needs to change with them. Contextual security gives organisations a practical way to protect users and their reputation.&lt;/p&gt;</content><category term="Account Protection"></category><category term="Account Protection"></category><category term="Credential Stuffing"></category><category term="Application Security"></category><category term="Fraud Prevention"></category><category term="API Security"></category><category term="Magento"></category></entry><entry><title>2024 Survey Insights</title><link href="https://www.peakhour.io/blog/credential-stuffing-and-account-takeover-survey-2024/" rel="alternate"></link><published>2024-07-16T10:00:00+10:00</published><updated>2024-07-16T10:00:00+10:00</updated><author><name>AC</name></author><id>tag:www.peakhour.io,2024-07-16:/blog/credential-stuffing-and-account-takeover-survey-2024/</id><summary type="html">&lt;p&gt;Our 2024 survey of Australian CISOs and CTOs looks at how businesses are approaching account protection, particularly credential stuffing and residential proxies.&lt;/p&gt;</summary><content type="html">&lt;p&gt;Our recent survey of Australian CISOs and CTOs looked at account protection controls, planned security measures, and how teams are responding to credential stuffing and residential proxies. Key findings:&lt;/p&gt;
&lt;ol&gt;
&lt;li&gt;
&lt;p&gt;&lt;strong&gt;Multi-Factor Authentication (MFA) Adoption&lt;/strong&gt;: 76.23% of Australian businesses use MFA, showing broad adoption of a baseline account security control.&lt;/p&gt;
&lt;/li&gt;
&lt;li&gt;
&lt;p&gt;&lt;strong&gt;Bot Protection&lt;/strong&gt;: Currently implemented by 39.34% of organisations, with an additional 34.65% planning to adopt it.&lt;/p&gt;
&lt;/li&gt;
&lt;li&gt;
&lt;p&gt;&lt;strong&gt;Bot Management Solutions&lt;/strong&gt;: Cloudflare is the most common bot management provider in the survey, used by 48.24% of respondents.&lt;/p&gt;
&lt;/li&gt;
&lt;li&gt;
&lt;p&gt;&lt;strong&gt;Residential Proxy (Resip) Detection&lt;/strong&gt;: Only 13.11% of organisations currently use this technology, although many plan to implement it to address residential proxy traffic.&lt;/p&gt;
&lt;/li&gt;
&lt;li&gt;
&lt;p&gt;&lt;strong&gt;Credential Stuffing Concerns&lt;/strong&gt;: Businesses are planning measures to reduce credential stuffing risk, including bot protection, MFA, and checking credentials against known breaches.&lt;/p&gt;
&lt;/li&gt;
&lt;li&gt;
&lt;p&gt;&lt;strong&gt;Mobile Security Gap&lt;/strong&gt;: Low adoption of Web Application and API Protection (WAAP) suggests gaps in mobile application security.&lt;/p&gt;
&lt;/li&gt;
&lt;li&gt;
&lt;p&gt;&lt;strong&gt;Executive vs. Engineer Priorities&lt;/strong&gt;: The survey showed different cybersecurity priorities between executives and engineers.&lt;/p&gt;
&lt;/li&gt;
&lt;/ol&gt;
&lt;p&gt;These findings point to the need for &lt;a href="/solutions/use-case/prevent-account-takeovers/"&gt;account protection&lt;/a&gt; strategies that go beyond MFA and address automated traffic, breached credentials, and residential proxies.&lt;/p&gt;</content><category term="Account Protection"></category><category term="Account Protection"></category><category term="Credential Stuffing"></category><category term="Residential Proxies"></category><category term="API Security"></category><category term="Bot Management"></category><category term="DevSecOps"></category></entry><entry><title>2024 Survey Insights</title><link href="https://www.peakhour.io/blog/credential-stuffing-and-account-takeover-survey-2024-full/" rel="alternate"></link><published>2024-07-16T10:00:00+10:00</published><updated>2024-07-16T10:00:00+10:00</updated><author><name>AC</name></author><id>tag:www.peakhour.io,2024-07-16:/blog/credential-stuffing-and-account-takeover-survey-2024-full/</id><summary type="html">&lt;p&gt;Survey data from Australian CISOs and CTOs shows broad MFA adoption, lower bot protection uptake, and early attention on residential proxy detection for credential stuffing and account takeover risk.&lt;/p&gt;</summary><content type="html">&lt;p&gt;Recent &lt;a href="/blog/account-takeover-fraud-theiconic/"&gt;customer account takeovers&lt;/a&gt; have put account protection back on the agenda for Australian businesses. Our 2024 survey of Australian CISOs and CTOs shows how respondents are using MFA, bot protection, WAAP and residential proxy detection to manage credential stuffing and account takeover risk.&lt;/p&gt;
&lt;h2&gt;Account Protection: Current State and Future Plans&lt;/h2&gt;
&lt;p&gt;Our survey found 76.23% of Australian businesses use Multi-Factor Authentication (MFA). MFA is widely adopted, but it is not a complete account protection strategy on its own.&lt;/p&gt;
&lt;p&gt;&lt;img alt="Current Security Measures of Australian Businesses" src="/static/images/survey/current-security-measures.png"&gt;&lt;/p&gt;
&lt;p&gt;39.34% of organisations currently use bot protection. That matters because &lt;a href="/learning/bots/anatomy-of-credential-stuffing-attack/"&gt;credential stuffing&lt;/a&gt; is automated by design. Another 34.65% of businesses plan to implement bot protection in the future.&lt;/p&gt;
&lt;p&gt;&lt;img alt="Planned security measures" src="/static/images/survey/planned-security-measures.png"&gt;&lt;/p&gt;
&lt;p&gt;The pattern is clear: many organisations are treating MFA as a baseline and looking at additional controls around it.&lt;/p&gt;
&lt;h2&gt;Current Bot Management Solutions&lt;/h2&gt;
&lt;p&gt;The survey also asked which bot management solutions Australian businesses currently use. Cloudflare was the clear leader, with nearly half of respondents using its services.&lt;/p&gt;
&lt;p&gt;&lt;img alt="Current bot management solutions used by Australian businesses" src="/static/images/survey/bot-management-solutions-use.png"&gt;&lt;/p&gt;
&lt;p&gt;The breakdown of bot management solutions is as follows:&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;Cloudflare: 48.24%&lt;/li&gt;
&lt;li&gt;AWS WAF Bot Ruleset: 10.59%&lt;/li&gt;
&lt;li&gt;Other solutions make up the remaining percentage&lt;/li&gt;
&lt;/ul&gt;
&lt;p&gt;This distribution is concentrated around Cloudflare. Outside that, the remaining respondents are spread across other solutions rather than one clear alternative.&lt;/p&gt;
&lt;p&gt;Tooling matters here. Residential proxy traffic weakens IP reputation and simple rate limits, so detection capability, request grouping and response controls matter as much as vendor name. If residential proxies continue to feature in credential stuffing tooling, this mix may shift as teams look for more &lt;a href="/blog/proxy-detection-challenges-existing-solutions/"&gt;advanced protection measures&lt;/a&gt;.&lt;/p&gt;
&lt;h2&gt;The Rising Threat of Residential Proxies&lt;/h2&gt;
&lt;p&gt;A key finding from our survey is the low adoption rate of &lt;a href="/products/residential-proxy-detection/"&gt;residential proxy&lt;/a&gt; (resip) detection, with only 13.11% of organisations currently using this technology. Planned adoption suggests teams are starting to account for the risk, but current coverage is still low.&lt;/p&gt;
&lt;p&gt;Resips are difficult for account security teams because malicious traffic can look like normal ISP traffic. They enable attackers to:&lt;/p&gt;
&lt;ol&gt;
&lt;li&gt;Bypass traditional IP-based rate limiting&lt;/li&gt;
&lt;li&gt;Evade geolocation-based restrictions&lt;/li&gt;
&lt;li&gt;Conduct large-scale credential stuffing attacks&lt;/li&gt;
&lt;li&gt;Scrape sensitive data undetected&lt;/li&gt;
&lt;/ol&gt;
&lt;p&gt;The planned adoption of resip detection points to a shift in security strategies, away from simple IP-based controls and towards more specific network signals.&lt;/p&gt;
&lt;p&gt;&lt;a href="/blog/residential-proxies-unseen-challenges/"&gt;Learn more about the threat of residential proxies and how to detect them&lt;/a&gt;&lt;/p&gt;
&lt;h2&gt;Credential Stuffing: A Persistent and Growing Concern&lt;/h2&gt;
&lt;p&gt;Credential &lt;a href="/learning/security/credential-stuffing-defence/"&gt;stuffing attacks&lt;/a&gt; continue to be a major concern for businesses. These attacks exploit password reuse across multiple sites, allowing attackers to gain unauthorised access to user accounts.&lt;/p&gt;
&lt;p&gt;Respondents said they plan to implement several measures to reduce credential stuffing risk:&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;34.65% plan to implement bot protection&lt;/li&gt;
&lt;li&gt;32.67% intend to add multi-factor authentication&lt;/li&gt;
&lt;li&gt;31.68% aim to check credentials against known breaches&lt;/li&gt;
&lt;/ul&gt;
&lt;p&gt;These plans point to layered account protection rather than reliance on one control.&lt;/p&gt;
&lt;h2&gt;Mobile Applications: An Emerging Attack Surface&lt;/h2&gt;
&lt;p&gt;While mobile applications were not directly addressed in our survey, the data suggests a possible gap in mobile security strategies. The low adoption rate of Web &lt;a href="/learning/application-security/what-is-waap/"&gt;Application and&lt;/a&gt; API Protection (WAAP) - implemented by only 27.87% of respondents - indicates many businesses may be underprepared to protect their mobile assets.&lt;/p&gt;
&lt;p&gt;As mobile apps become primary interfaces for critical operations, this gap leaves businesses exposed to attacks that use the same automation and resip infrastructure seen on web login flows.&lt;/p&gt;
&lt;h2&gt;Balancing Security and User Experience&lt;/h2&gt;
&lt;p&gt;The operational problem is familiar: increase assurance without making login unusable. Key considerations for enhancing account protection while preserving usability include:&lt;/p&gt;
&lt;ol&gt;
&lt;li&gt;Expanding beyond MFA&lt;/li&gt;
&lt;li&gt;Implementing bot protection&lt;/li&gt;
&lt;li&gt;Adopting WAAP solutions&lt;/li&gt;
&lt;li&gt;Monitoring credential leaks&lt;/li&gt;
&lt;li&gt;Focusing on API security&lt;/li&gt;
&lt;li&gt;Implementing residential proxy detection&lt;/li&gt;
&lt;/ol&gt;
&lt;p&gt;&lt;a href="/blog/frictionless-customer-experiences/"&gt;Explore strategies for balancing security and user experience&lt;/a&gt;&lt;/p&gt;
&lt;h2&gt;Executive vs Engineer Perspectives&lt;/h2&gt;
&lt;p&gt;Our survey found differences in cybersecurity priorities between executives and engineers:&lt;/p&gt;
&lt;p&gt;&lt;img alt="Executive vs Engineer Cybersecurity Priorities" src="/static/images/survey/planned-security-measures.png"&gt;&lt;/p&gt;
&lt;p&gt;&lt;em&gt;Figure 3: Comparison of cybersecurity priorities between executives and engineers&lt;/em&gt;&lt;/p&gt;
&lt;p&gt;The gap matters because budget, architecture, and incident response are often owned by different teams. Account protection plans need to cover both executive risk concerns and engineering realities, including the threat from RESIPs.&lt;/p&gt;
&lt;h2&gt;Final Thoughts&lt;/h2&gt;
&lt;p&gt;Our 2024 survey results point to a simple position: MFA is widely used, but it is not the whole account protection strategy. Bot protection, breached credential checks, WAAP and residential proxy detection are still unevenly adopted. That matters because credential stuffing does not depend on one weakness; it combines reused credentials, automation, proxy networks and weak response controls.&lt;/p&gt;
&lt;p&gt;Australian businesses do not need every control at once, but they need a layered plan that reflects how account takeover attacks are run now. For teams reviewing their controls, resip detection and mobile/API coverage are worth checking explicitly because both are easy to miss if the programme is still centred on MFA and IP reputation.&lt;/p&gt;</content><category term="Account Protection"></category><category term="Account Protection"></category><category term="Credential Stuffing"></category><category term="Residential Proxies"></category><category term="API Security"></category><category term="Fraud Prevention"></category><category term="Bot Management"></category></entry><entry><title>Application Security Beyond MFA</title><link href="https://www.peakhour.io/blog/why-mfa-is-an-incomplete-defence/" rel="alternate"></link><published>2024-07-15T10:00:00+10:00</published><updated>2024-07-15T10:00:00+10:00</updated><author><name>AC</name></author><id>tag:www.peakhour.io,2024-07-15:/blog/why-mfa-is-an-incomplete-defence/</id><summary type="html">&lt;p&gt;MFA helps, but it does not stop social engineering, residential proxy abuse, credential stuffing, or session risk on its own.&lt;/p&gt;</summary><content type="html">&lt;p&gt;Multi-factor authentication (MFA) remains a useful defence against &lt;a href="/learning/security/account-takeover-protection/"&gt;account takeovers&lt;/a&gt;, but it is not a complete control. Attackers increasingly work around MFA with social engineering, automation, and infrastructure that makes malicious traffic look ordinary.&lt;/p&gt;
&lt;p&gt;MFA answers one narrow question: can the user present a second factor at this point in the flow? That is valuable. It does not prove the password was safe, the session will remain safe, the device is trusted, or the person entering the code has not been manipulated. Account protection needs to cover the request path before MFA, around MFA, and after MFA.&lt;/p&gt;
&lt;h2&gt;OTP Bots Target the Human, Not the Cryptography&lt;/h2&gt;
&lt;p&gt;A &lt;a href="https://www.kaspersky.com/blog/when-two-factor-authentication-useless/51434/"&gt;Kaspersky article&lt;/a&gt; describes the rise of OTP bots: tools that call or message users and convince them to hand over one-time passwords. The attacker does not need to break the MFA system. They need the victim to read out a fresh code at the same moment the attacker is logging in.&lt;/p&gt;
&lt;p&gt;The usual flow is simple. The attacker obtains a working username and password from a breach, phishing kit, or credential stuffing result. They attempt a login, which triggers an OTP. The victim receives a call or message claiming to be from the bank, retailer, courier, or support team. The story is urgent enough to make the code feel like part of protecting the account, not compromising it.&lt;/p&gt;
&lt;p&gt;AI phone assistants such as &lt;a href="https://curiousthing.io/products/lucy-ai-phone-answering-agent"&gt;Lucy&lt;/a&gt; are built for legitimate business use, but similar conversational technology lowers the effort required to run more convincing criminal call flows. The security issue is not that AI magically defeats MFA. It is that a fluent, responsive call can make social engineering less scripted and harder for a user to dismiss.&lt;/p&gt;
&lt;p&gt;This is why "we have MFA" should not end the account protection conversation. MFA can stop many stolen-password logins, but it cannot reliably stop a user from being tricked in real time.&lt;/p&gt;
&lt;h2&gt;Residential Proxies Weaken the Surrounding Checks&lt;/h2&gt;
&lt;p&gt;Attackers also work to make the login itself look unremarkable. &lt;a href="/learning/security/datacenter-vs-residential-proxies/"&gt;Residential proxies&lt;/a&gt; route traffic through IP addresses assigned to ordinary home or mobile internet connections. That lets malicious traffic borrow the appearance of normal customer traffic.&lt;/p&gt;
&lt;p&gt;Traditional controls often lean too heavily on IP address, geolocation, and request volume. Residential proxy networks weaken all three. An attacker can rotate through many IPs, keep each source below a simple rate limit, and choose an exit location that roughly matches the victim's country or city. If the login looks local enough, the MFA challenge may be the only control left.&lt;/p&gt;
&lt;p&gt;That is a poor place to put all the risk. A login with a correct password, a plausible IP address, and a successful OTP can still be an account takeover. The system needs to keep evaluating the request: device and browser signals, network fingerprint, known breached credentials, velocity across accounts, and behaviour after login.&lt;/p&gt;
&lt;h2&gt;Automation Happens Before and After MFA&lt;/h2&gt;
&lt;p&gt;MFA is usually visible at the point of login, but account takeover campaigns are broader than one prompt. Bots test credential pairs across login forms and APIs. Tools such as OpenBullet and similar automation frameworks can replay login flows at scale. Breached credential lists give attackers a cheap starting point because password reuse remains common.&lt;/p&gt;
&lt;p&gt;Once an attacker gets through, the next actions matter. They may change the email address, add a device, disable notifications, alter delivery details, use stored payment methods, transfer value, or test what the account can access. If monitoring treats a successful MFA as the end of risk, those actions can happen inside a trusted session.&lt;/p&gt;
&lt;p&gt;The defence needs to be layered around the actual attack path:&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;Check credential risk before and during login, especially known breached username and password pairs.&lt;/li&gt;
&lt;li&gt;Use bot and browser signals to detect automation even when traffic is distributed.&lt;/li&gt;
&lt;li&gt;Rate limit on better keys than IP alone, such as TLS or HTTP/2 fingerprints, headers, routes, ASNs, countries, and account behaviour.&lt;/li&gt;
&lt;li&gt;Treat residential proxy evidence as a risk input, not just an allow-or-block label.&lt;/li&gt;
&lt;li&gt;Monitor session and account changes after MFA, then challenge, hold, revoke, or review when behaviour changes.&lt;/li&gt;
&lt;/ul&gt;
&lt;p&gt;This does not mean every login needs more friction. It means the system should have more choices than "ask for MFA" or "allow". A low-risk login from a known device can keep moving. A login using breached credentials through proxy infrastructure can be slowed, challenged, or blocked before the user receives a confusing call. A successful login followed by high-risk account changes can trigger fresh verification or session invalidation.&lt;/p&gt;
&lt;h2&gt;Controls Around MFA&lt;/h2&gt;
&lt;p&gt;&lt;a href="https://www.peakhour.io/products/advanced-rate-limiting/"&gt;Peakhour's Advanced Rate Limiting&lt;/a&gt; helps reduce reliance on IP address by grouping and limiting requests using signals such as HTTP/2 and TLS fingerprints, ASNs, countries, request headers, and route context. That matters when credential stuffing is spread across residential proxies.&lt;/p&gt;
&lt;p&gt;&lt;a href="https://www.peakhour.io/products/bot-management/"&gt;Peakhour's Bot Management&lt;/a&gt; adds another layer by looking for automation, browser inconsistency, suspicious device patterns, and residential proxy use. The aim is to identify the machinery behind the attack before it becomes a clean-looking login attempt.&lt;/p&gt;
&lt;p&gt;&lt;a href="https://www.peakhour.io/solutions/use-case/prevent-account-takeovers/"&gt;Peakhour's Account Protection&lt;/a&gt; brings those signals closer to the account decision. Breached credential checks, bot evidence, rate limits, proxy context, custom rules, and monitoring should all feed the decision to allow, challenge, rate limit, block, log, or review.&lt;/p&gt;
&lt;p&gt;User education still has a place, especially around OTP sharing and unexpected calls. It should not be the main control. Users are asked to make security decisions at bad moments, often under pressure, with limited context. Technical controls should reduce the number of times an attacker can create that moment.&lt;/p&gt;
&lt;h2&gt;MFA Still Belongs in the Stack&lt;/h2&gt;
&lt;p&gt;The point is not to remove MFA. Strong MFA, especially phishing-resistant methods, raises the cost of account takeover and should remain part of the stack. The mistake is treating MFA as proof that the account is safe.&lt;/p&gt;
&lt;p&gt;Account protection works better when MFA is one decision point inside a wider system. The login attempt, credential history, network path, device, session, account changes, and transaction behaviour all carry evidence. MFA is useful evidence. It is not the whole case.&lt;/p&gt;</content><category term="Account Protection"></category><category term="Account Protection"></category><category term="Credential Stuffing"></category><category term="Bot Management"></category><category term="API Security"></category><category term="Residential Proxies"></category><category term="Threat Detection"></category></entry><entry><title>Addressing Key Cloud Security Categories</title><link href="https://www.peakhour.io/blog/peakhour-cloud-security-post-wiz/" rel="alternate"></link><published>2024-05-01T10:00:00+10:00</published><updated>2024-05-01T10:00:00+10:00</updated><author><name>AC</name></author><id>tag:www.peakhour.io,2024-05-01:/blog/peakhour-cloud-security-post-wiz/</id><summary type="html">&lt;p&gt;An analysis of Peakhour's role in addressing key cloud security categories identified in recent industry analysis, demonstrating its comprehensive approach to modern cloud security challenges.&lt;/p&gt;</summary><content type="html">&lt;p&gt;A recent &lt;a href="https://www.scalevp.com/insights/a-world-after-wiz-emerging-opportunities-in-cloud-security/"&gt;Scale Venture Partners analysis&lt;/a&gt; sets out emerging opportunities in cloud security after Wiz. Peakhour is a reverse proxy rather than a cloud control-plane product, but it addresses several of these categories and covers related security needs at the application edge.&lt;/p&gt;
&lt;h2&gt;Cloud Security Posture Management (CSPM)&lt;/h2&gt;
&lt;p&gt;The analysis identifies CSPM as a key category in cloud security. Peakhour is not a traditional CSPM, but it contributes to security posture management through:&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;Traffic Analysis: Peakhour analyses incoming traffic patterns to identify potential security risks.&lt;/li&gt;
&lt;li&gt;Configuration Recommendations: Peakhour recommends security configuration improvements based on observed traffic patterns.&lt;/li&gt;
&lt;/ul&gt;
&lt;h2&gt;Cloud Workload Protection Platform (CWPP)&lt;/h2&gt;
&lt;p&gt;The article notes that CWPP products provide granular protection for cloud workloads. Peakhour contributes to workload protection through:&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;Application-Layer Filtering: Peakhour filters traffic at the application layer to protect cloud workloads.&lt;/li&gt;
&lt;li&gt;Real-Time Threat Detection: Peakhour detects and blocks threats in real-time.&lt;/li&gt;
&lt;/ul&gt;
&lt;h2&gt;Cloud Detection &amp;amp; Response (CDR)&lt;/h2&gt;
&lt;p&gt;CDR focuses on detecting, investigating, and responding to incidents. Peakhour supports CDR work via:&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;Log Generation: Peakhour generates detailed logs of all traffic for incident investigation.&lt;/li&gt;
&lt;li&gt;Anomaly Detection: Peakhour detects anomalous traffic patterns that indicate security incidents.&lt;/li&gt;
&lt;li&gt;Automated Response: Peakhour responds to detected threats by blocking malicious traffic.&lt;/li&gt;
&lt;/ul&gt;
&lt;h2&gt;Cloud-Native Application Protection Platform (CNAPP)&lt;/h2&gt;
&lt;p&gt;The analysis defines CNAPP as a combination of CSPM, CWPP, and CDR. Peakhour aligns with that model through:&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;Integrated Security: Peakhour provides a single platform for traffic filtering, threat detection, and response.&lt;/li&gt;
&lt;li&gt;Application-Centric Protection: Peakhour's reverse proxy design protects cloud-native applications at the application edge.&lt;/li&gt;
&lt;/ul&gt;
&lt;h2&gt;Cloud Infrastructure Entitlement Management (CIEM)&lt;/h2&gt;
&lt;p&gt;Peakhour does not directly manage cloud infrastructure entitlements, but it complements CIEM efforts through:&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;Access Pattern Analysis: Peakhour analyses access patterns to applications, providing insights that can inform entitlement decisions.&lt;/li&gt;
&lt;/ul&gt;
&lt;h2&gt;Non-Human Identity (NHI)&lt;/h2&gt;
&lt;p&gt;The article highlights the growing importance of managing non-human identities. Peakhour contributes to this area by:&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;Service-to-Service Communication Monitoring: Peakhour monitors and controls service-to-service communication.&lt;/li&gt;
&lt;/ul&gt;
&lt;h2&gt;Remediation Ops (RemOps)&lt;/h2&gt;
&lt;p&gt;RemOps focuses on managing the growing volume of security alerts. Peakhour supports RemOps through:&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;Alert Aggregation: Peakhour aggregates security events from traffic analysis into usable alerts.&lt;/li&gt;
&lt;li&gt;Prioritisation: Peakhour prioritises alerts based on threat severity and potential impact.&lt;/li&gt;
&lt;/ul&gt;
&lt;h2&gt;Additional Peakhour Capabilities&lt;/h2&gt;
&lt;p&gt;Peakhour also addresses &lt;a href="/learning/cloud-security/introduction-to-cloud-security/"&gt;cloud security&lt;/a&gt; needs outside the categories covered in the Scale VP analysis:&lt;/p&gt;
&lt;h3&gt;DDoS Protection&lt;/h3&gt;
&lt;p&gt;Peakhour provides DDoS protection via:&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;Layer 7 Rate Limiting: Peakhour protects against application-layer DDoS attacks.&lt;/li&gt;
&lt;li&gt;Traffic Anomaly Detection: Peakhour identifies and mitigates DDoS attacks in real-time.&lt;/li&gt;
&lt;/ul&gt;
&lt;h3&gt;Content Delivery Network (CDN)&lt;/h3&gt;
&lt;p&gt;Peakhour's delivery and cache functionality reduces cloud load and traffic bills through:&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;Traffic Optimisation: Peakhour reduces load on origin servers and decreases traffic bills.&lt;/li&gt;
&lt;li&gt;Geographic Distribution: Peakhour serves content from geographically distributed nodes.&lt;/li&gt;
&lt;/ul&gt;
&lt;h3&gt;Bot Management&lt;/h3&gt;
&lt;p&gt;Peakhour manages bot traffic through:&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;Bot Detection: Peakhour identifies bot traffic.&lt;/li&gt;
&lt;li&gt;Policy Control: Peakhour implements policies for managing different types of bots.&lt;/li&gt;
&lt;li&gt;Automated Mitigation: Peakhour applies countermeasures against malicious bot activity.&lt;/li&gt;
&lt;/ul&gt;
&lt;h3&gt;Cloud Visibility&lt;/h3&gt;
&lt;p&gt;Peakhour addresses visibility gaps in modern cloud environments:&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;Traffic Insights: Peakhour provides detailed insights into front-end traffic patterns.&lt;/li&gt;
&lt;li&gt;Real-Time Analytics: Peakhour delivers real-time analytics on traffic, threats, and application behaviour.&lt;/li&gt;
&lt;/ul&gt;
&lt;h2&gt;Final Thoughts&lt;/h2&gt;
&lt;p&gt;Peakhour addresses several categories identified in the Scale VP analysis of emerging cloud security opportunities. It also covers adjacent needs at the application edge, where traffic, threats, bots, delivery, and visibility meet.&lt;/p&gt;
&lt;hr&gt;
&lt;p&gt;&lt;em&gt;See how Peakhour's Application Security Platform addresses key areas of modern cloud security. &lt;a href="/contact-sales/"&gt;Contact our team&lt;/a&gt; to strengthen your cloud security posture.&lt;/em&gt;&lt;/p&gt;</content><category term="Security"></category><category term="API Security"></category><category term="Threat Detection"></category><category term="Account Protection"></category><category term="DevSecOps"></category><category term="Application Security"></category><category term="CDN"></category></entry><entry><title>Managing Breached Credential Usage</title><link href="https://www.peakhour.io/blog/breached-credentials-protection-application-security-platform/" rel="alternate"></link><published>2024-03-15T00:00:00+11:00</published><updated>2024-03-15T00:00:00+11:00</updated><author><name>AC</name></author><id>tag:www.peakhour.io,2024-03-15:/blog/breached-credentials-protection-application-security-platform/</id><summary type="html">&lt;p&gt;How breached credential checks and risk signals help detect credential stuffing without adding unnecessary login friction.&lt;/p&gt;</summary><content type="html">&lt;p&gt;Credential &lt;a href="/learning/security/credential-stuffing-defence/"&gt;stuffing attacks&lt;/a&gt; remain a common way to take over accounts on applications and APIs. For DevOps, SRE, and DevSecOps teams, the problem is not just whether a password is correct. It is whether the login attempt carries signs of automation, credential reuse, or known compromise. Effective &lt;a href="/solutions/use-case/prevent-account-takeovers/"&gt;account protection&lt;/a&gt; needs breached credential checks alongside contextual risk analysis.&lt;/p&gt;
&lt;h2&gt;Breached Credential Databases and Risk Profiling&lt;/h2&gt;
&lt;p&gt;Modern Application Security Platforms can use breached credential intelligence containing billions of leaked username and password combinations from historical data breaches. Used at login time, this gives security teams an immediate signal that an account may be at higher risk, even before there is confirmed account takeover activity.&lt;/p&gt;
&lt;h3&gt;Enterprise Credential Intelligence&lt;/h3&gt;
&lt;p&gt;Peakhour's Application Security Platform includes &lt;a href="/products/breached-credentials"&gt;Breached Credentials&lt;/a&gt; protection designed to work with existing authentication systems. The platform provides:&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;&lt;strong&gt;Real-Time Credential Checking&lt;/strong&gt;: Validation against breached credential data during login attempts&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;API-Native Integration&lt;/strong&gt;: Integration with authentication services and identity providers&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Privacy-Preserving Verification&lt;/strong&gt;: Hashing mechanisms that protect user privacy whilst enabling threat detection&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;DevSecOps Compatibility&lt;/strong&gt;: RESTful APIs for security automation and CI/CD workflows&lt;/li&gt;
&lt;/ul&gt;
&lt;h2&gt;Building Statistical Models&lt;/h2&gt;
&lt;p&gt;To detect &lt;a href="/learning/bots/anatomy-of-credential-stuffing-attack/"&gt;credential stuffing&lt;/a&gt;, organisations need a baseline for normal breached credential use. This typically involves:&lt;/p&gt;
&lt;ol&gt;
&lt;li&gt;Collecting data from API and login endpoint attempts&lt;/li&gt;
&lt;li&gt;Aggregating data using device fingerprints&lt;/li&gt;
&lt;li&gt;Analysing login patterns and credential use frequency&lt;/li&gt;
&lt;li&gt;Establishing baselines for typical user behaviour&lt;/li&gt;
&lt;/ol&gt;
&lt;p&gt;These models show how often breached credentials appear in normal login traffic, and when the pattern starts to look like automated testing rather than ordinary user behaviour.&lt;/p&gt;
&lt;h2&gt;Application Security Platform Integration&lt;/h2&gt;
&lt;p&gt;Breached credential checks are most useful when they feed into the rest of the application security stack:&lt;/p&gt;
&lt;h3&gt;Multi-Layer Defence Strategy&lt;/h3&gt;
&lt;ul&gt;
&lt;li&gt;&lt;strong&gt;Edge Processing&lt;/strong&gt;: Credential validation at the CDN edge&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;API Protection&lt;/strong&gt;: Coverage for both web applications and mobile APIs&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Bot Management Integration&lt;/strong&gt;: Correlation with bot detection systems to identify automated credential testing&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Rate Limiting Coordination&lt;/strong&gt;: Rate limits adjusted by credential risk&lt;/li&gt;
&lt;/ul&gt;
&lt;h3&gt;DevSecOps Operational Excellence&lt;/h3&gt;
&lt;ul&gt;
&lt;li&gt;&lt;strong&gt;Security Automation&lt;/strong&gt;: Response workflows for high-risk credential attempts&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Compliance Reporting&lt;/strong&gt;: Audit logging and monitoring for security reviews&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Threat Intelligence Feeds&lt;/strong&gt;: Updates from breach monitoring&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Custom Rule Engine&lt;/strong&gt;: Policy configuration for organisation-specific requirements&lt;/li&gt;
&lt;/ul&gt;
&lt;h2&gt;Conclusion&lt;/h2&gt;
&lt;p&gt;Breached credential protection is one part of account takeover defence. On its own, it can show that a password has appeared in a breach. It should sit alongside broader controls such as bot management, rate limiting, API protection, and DDoS mitigation, while still giving teams a clear basis for deciding whether to block, challenge, or monitor a login attempt.&lt;/p&gt;
&lt;p&gt;The practical goal is to make credential risk visible at the point of authentication without treating every user as suspicious. That requires breached credential checking to be part of the login flow, not a separate report reviewed after the attack has already run.&lt;/p&gt;</content><category term="Account Protection"></category><category term="Credential Stuffing"></category><category term="Account Protection"></category><category term="DevSecOps"></category><category term="Application Security"></category><category term="Threat Detection"></category><category term="API Security"></category></entry><entry><title>Rate Limiting for API Security</title><link href="https://www.peakhour.io/blog/introducing-advanced-rate-limiting/" rel="alternate"></link><published>2024-01-24T13:00:00+11:00</published><updated>2024-01-24T13:00:00+11:00</updated><author><name>AC</name></author><id>tag:www.peakhour.io,2024-01-24:/blog/introducing-advanced-rate-limiting/</id><summary type="html">&lt;p&gt;How advanced rate limiting protects modern applications and APIs from sophisticated threats including proxy networks, distributed attacks, and automated abuse in enterprise security environments.&lt;/p&gt;</summary><content type="html">&lt;p&gt;&lt;a href="/blog/rate-limiting/"&gt;Rate limiting&lt;/a&gt; prevents servers from being overwhelmed by too many requests in a short period of time. Typically,
rate limiting is configured using rules made up of a filter, for example a path like /login, and a limit on the number
of requests a user can make in a given time, such as 10 requests in a minute. If a user exceeds this limit, they are usually
blocked for a timeout period.&lt;/p&gt;
&lt;p&gt;But how do you identify a user? Traditionally rate limiting has used the IP address for grouping requests, assuming
that requests from the same IP address will be the same user. That assumption is now weak. IP addresses are rarely static
and are often shared. For example, an office network might have hundreds of individual computers in it but present a single
IP address for all those computers to the internet. Mobile operators commonly use carrier-grade network address translation
(CGNAT) to share the same IP across
thousands of devices or users. Bot networks, seeking to avoid security controls like rate limiting, will rotate
their requests through thousands of different IP addresses. This makes rate limiting based on IP addresses a poor choice
from both a functional and a security perspective.&lt;/p&gt;
&lt;h2&gt;Introducing Advanced Rate Limiting&lt;/h2&gt;
&lt;p&gt;Peakhour's &lt;a href="/products/advanced-rate-limiting/"&gt;Advanced Rate Limiting&lt;/a&gt; service lets you create
filters using any HTTP request characteristic, for example URI, request method, headers, cookies, country,
network fingerprints and more. You can also use response headers and response codes, so a rule can count
failed login attempts, repeated 404s from a scraper, or traffic that crosses an API threshold.&lt;/p&gt;
&lt;p&gt;For counting requests you can use the following fields for grouping:&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;IP Address&lt;/li&gt;
&lt;li&gt;ASN&lt;/li&gt;
&lt;li&gt;Country Code&lt;/li&gt;
&lt;li&gt;HTTP/2 Fingerprint&lt;/li&gt;
&lt;li&gt;TLS Fingerprint&lt;/li&gt;
&lt;li&gt;Any combination of Request Headers&lt;/li&gt;
&lt;/ul&gt;
&lt;p&gt;You can use one of those fields, or a combination of them, to identify users with more control than IP address alone.&lt;/p&gt;
&lt;p&gt;You can also separate the filter and mitigation expression. For example excessive attempts to /login can be blocked on
the entire site.&lt;/p&gt;
&lt;p&gt;This matters because rate limiting is not just a request counter. In Peakhour it sits beside bot management, WAF,
DDoS protection, traffic controls, and origin shielding on the same managed edge path. That gives operators a practical
way to set different thresholds for verified crawlers, suspicious automation, authenticated API clients, and normal
visitors without pushing every policy change into the application. It also gives them allowed, blocked, and
threshold-hit evidence to tune the rule after it is deployed, whether Peakhour is the active edge or adding controls
beside an existing CDN or cloud edge.&lt;/p&gt;
&lt;h2&gt;Putting it into action&lt;/h2&gt;
&lt;p&gt;Advanced Rate Limiting can help protect applications from attacks like
&lt;a href="/products/ddos-protection/"&gt;Layer 7 DDoS&lt;/a&gt;,
Account Takeovers, Credential Stuffing, and more. Here are some real
world examples you can configure using our dashboard
and API.&lt;/p&gt;
&lt;h3&gt;Protect against general site abuse&lt;/h3&gt;
&lt;p&gt;Our example website is a medium-sized ecommerce store that has page URLs ending in /. It serves Australian clients and typically
sees around 100 page requests a minute from non-search-engine traffic during peak traffic times. With that baseline,
we can set up rate limiting to prevent general site abuse and protect against
layer 7 DDoS attacks.&lt;/p&gt;
&lt;p&gt;Peakhour rate limiting starts with zones. You specify your request limits in these zones.&lt;/p&gt;
&lt;div class="text-center" style="padding: 20px 0px"&gt;
&lt;img src="/static/images/blog/advanced-rate-limit-zone.jpg" alt="rate limit zone"/&gt;
&lt;/div&gt;

&lt;p&gt;Here we've specified a maximum of 45 requests in 1 minute. We're going to apply this limit to page loads only. Since our
typical maximum for all users on this website is 100 in a minute,
it seems reasonable that a real user is not going to view 40 pages in 1 minute. We could also specify a value for error
responses in a minute. An error could be a 404, which a scraper might typically get when looking for removed URLs.&lt;/p&gt;
&lt;p&gt;Now let's define our filter and our counter. For our filter we mentioned that pages end in /, so we'll use that, but
exclude verified bots to make sure they're not restricted when crawling the site. A verified bot is a crawler like
Google or Bing, that Peakhour has verified as legitimate by using reverse DNS to confirm
they are who they say they are.&lt;/p&gt;
&lt;p&gt;Attackers, scrapers, and others looking to abuse a site will launch an attack using a particular piece of software. That piece of
software will have a &lt;a href="/blog/tls-fingerprinting/"&gt;TLS fingerprint&lt;/a&gt;
(like JA3) that remains the same, even as the attacker rotates
their user-agent, IP address, and other characteristics, so we'll use the TLS fingerprint as our request counter.&lt;/p&gt;
&lt;div class="text-center" style="padding: 20px 0px"&gt;
&lt;img src="/static/images/blog/advanced-rate-limiting-rule.jpg" alt="rate limit rule"/&gt;
&lt;/div&gt;

&lt;h3&gt;Rate Limit authenticated API Users&lt;/h3&gt;
&lt;p&gt;It is common for APIs to require an Authorization header as part of the request to authenticate access. By grouping
requests on the value of this header, we can rate limit a specific API client even if it uses multiple applications,
or if its credentials are stolen.&lt;/p&gt;
&lt;div class="text-center" style="padding: 20px 0px"&gt;
&lt;img src="/static/images/blog/advanced-rate-limiting-header.jpg" alt="rate limit rule"/&gt;
&lt;/div&gt;

&lt;h3&gt;Protecting from Account Takeovers&lt;/h3&gt;
&lt;p&gt;Account Takeover attacks have been in the news recently, with several high-profile
websites being victims. Credential Stuffing and
Brute Force attacks rely on attempting lots of logins to identify valid credentials.
Along with lots of attempts come lots of failures. Attackers will rely on software like &lt;a href="/blog/the-rise-of-openbullet/"&gt;openbullet&lt;/a&gt;
to carry out their attacks, using proxy networks to constantly rotate IP addresses and defeat traditional rate limiting.&lt;/p&gt;
&lt;p&gt;The program the attacker is using will present a consistent TLS fingerprint. We can make a special
rule for our login form that tracks failed login attempts by TLS Fingerprint, effectively tracking the attacker as
they rotate IP address.&lt;/p&gt;
&lt;p&gt;If the attack is low and slow, we can track failed attempts over a longer timeframe by using the response
from the server when adding to our counting zone.&lt;/p&gt;
&lt;div class="text-center" style="padding: 20px 0px"&gt;
&lt;img src="/static/images/blog/rate-limit-failed-logins.jpg" alt="failed logins rate limit rule"/&gt;
&lt;/div&gt;

&lt;h2&gt;Final Thoughts&lt;/h2&gt;
&lt;p&gt;Advanced rate limiting is a practical response to the limits of IP-based controls. IP address rotation is the standard
amongst attackers and scrapers, rendering the traditional approach obsolete. Useful protection now needs to identify
the actor behind the requests, protect the origin before expensive application work is triggered, and give teams enough
evidence to adjust the policy without guesswork. Counting requests against a combination of network fingerprints,
request fields, response signals, and bot context is how you stop abuse from scrapers, SEO spiders, and layer 7
attackers without treating every visitor the same.&lt;/p&gt;</content><category term="Application Security"></category><category term="Rate Limiting"></category><category term="API Security"></category><category term="DDoS"></category><category term="Residential Proxies"></category><category term="Bot Management"></category><category term="Threat Detection"></category></entry><entry><title>HTTP Security Headers</title><link href="https://www.peakhour.io/blog/http-security-headers-web-application-protection/" rel="alternate"></link><published>2023-11-28T14:00:00+11:00</published><updated>2023-11-28T14:00:00+11:00</updated><author><name>AC</name></author><id>tag:www.peakhour.io,2023-11-28:/blog/http-security-headers-web-application-protection/</id><summary type="html">&lt;p&gt;Comprehensive guide to HTTP security headers for protecting web applications from client-side attacks. Learn essential browser security configurations for modern application security platforms and DevSecOps workflows.&lt;/p&gt;</summary><content type="html">&lt;p&gt;Traditionally, web security has focused on the server side: protecting the application itself from attack. That work is
necessary, but it often leaves the client side under-specified. Client-side attacks move the exposure point into the
user's browser, where the business impact can be serious.&lt;/p&gt;
&lt;p&gt;Magecart attacks are a clear example. Attackers inject skimming scripts into websites to steal sensitive customer
information, such as credit card details, directly from the user's browser. Session hijacking and Cross-Site Scripting
(XSS) attacks also exploit browser vulnerabilities, leading to unauthorised access and data breaches. These attacks
don't just risk user data; they can erode trust, damage reputations, and result in significant financial and legal
repercussions for businesses.&lt;/p&gt;
&lt;p&gt;HTTP security headers are practical controls for these types of attacks. Properly implemented, they instruct browsers
on how to handle website content and interactions safely.&lt;/p&gt;
&lt;h2&gt;Key HTTP Security Headers&lt;/h2&gt;
&lt;h3&gt;Content-Security-Policy (CSP)&lt;/h3&gt;
&lt;p&gt;&lt;strong&gt;Purpose&lt;/strong&gt;: CSP prevents Cross-Site Scripting (XSS) attacks by specifying which sources browsers should allow when
loading scripts, images, and other resources. It can also prevent MageCart-style attacks by restricting the host names
that an injected script can communicate with.&lt;/p&gt;
&lt;div class="highlight"&gt;&lt;pre&gt;&lt;span&gt;&lt;/span&gt;&lt;code&gt;&lt;span class="nt"&gt;Content-Security-Policy&lt;/span&gt;&lt;span class="o"&gt;:&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="nt"&gt;script-src&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="s1"&gt;&amp;#39;self&amp;#39;&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="nt"&gt;https&lt;/span&gt;&lt;span class="o"&gt;://&lt;/span&gt;&lt;span class="nt"&gt;apis&lt;/span&gt;&lt;span class="p"&gt;.&lt;/span&gt;&lt;span class="nc"&gt;google&lt;/span&gt;&lt;span class="p"&gt;.&lt;/span&gt;&lt;span class="nc"&gt;com&lt;/span&gt;&lt;span class="o"&gt;;&lt;/span&gt;
&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;

&lt;p&gt;This example allows scripts to load only from the site's own domain ('self') and https://apis.google.com.&lt;/p&gt;
&lt;h3&gt;X-Frame-Options&lt;/h3&gt;
&lt;p&gt;&lt;strong&gt;Purpose&lt;/strong&gt;: This header protects against clickjacking attacks by controlling whether a browser allows a page to
be rendered in a &lt;code&gt;&amp;lt;frame&amp;gt;&lt;/code&gt;, &lt;code&gt;&amp;lt;iframe&amp;gt;&lt;/code&gt;, &lt;code&gt;&amp;lt;embed&amp;gt;&lt;/code&gt;, or &lt;code&gt;&amp;lt;object&amp;gt;&lt;/code&gt;.&lt;/p&gt;
&lt;div class="highlight"&gt;&lt;pre&gt;&lt;span&gt;&lt;/span&gt;&lt;code&gt;X-Frame-Options: DENY
&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;

&lt;p&gt;This setting prevents any domain from framing the content. Another option is &lt;code&gt;SAMEORIGIN&lt;/code&gt;, which only allows framing by
the same site.&lt;/p&gt;
&lt;h3&gt;X-Content-Type-Options&lt;/h3&gt;
&lt;p&gt;&lt;strong&gt;Purpose&lt;/strong&gt;: This header prevents MIME-sniffing, where a browser might incorrectly interpret the content type of a
resource, leading to security vulnerabilities.&lt;/p&gt;
&lt;div class="highlight"&gt;&lt;pre&gt;&lt;span&gt;&lt;/span&gt;&lt;code&gt;X-Content-Type-Options: nosniff
&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;

&lt;p&gt;This instructs the browser to follow the content type declared in the HTTP headers.&lt;/p&gt;
&lt;h3&gt;X-XSS-Protection&lt;/h3&gt;
&lt;p&gt;&lt;strong&gt;Purpose&lt;/strong&gt;: This enables the browser's inbuilt XSS protection features. However, this header is largely deprecated in
favour of CSP.&lt;/p&gt;
&lt;div class="highlight"&gt;&lt;pre&gt;&lt;span&gt;&lt;/span&gt;&lt;code&gt;&lt;span class="nt"&gt;X-XSS-Protection&lt;/span&gt;&lt;span class="o"&gt;:&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="nt"&gt;1&lt;/span&gt;&lt;span class="o"&gt;;&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="nt"&gt;mode&lt;/span&gt;&lt;span class="o"&gt;=&lt;/span&gt;&lt;span class="nt"&gt;block&lt;/span&gt;
&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;

&lt;p&gt;This configuration enables the protection and tells the browser to block the page if an XSS attack is detected.&lt;/p&gt;
&lt;h3&gt;Strict-Transport-Security (HSTS)&lt;/h3&gt;
&lt;p&gt;&lt;strong&gt;Purpose&lt;/strong&gt;: HSTS forces the browser to use HTTPS over HTTP, ensuring encrypted communication and protecting against
man-in-the-middle attacks. Alternatively, you can automatically redirect all requests to HTTPS on your web server or at
your EDGE provider. For example, Peakhour allows you to set up EDGE redirects to force all traffic to HTTPS.&lt;/p&gt;
&lt;div class="highlight"&gt;&lt;pre&gt;&lt;span&gt;&lt;/span&gt;&lt;code&gt;&lt;span class="nt"&gt;Strict-Transport-Security&lt;/span&gt;&lt;span class="o"&gt;:&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="nt"&gt;max-age&lt;/span&gt;&lt;span class="o"&gt;=&lt;/span&gt;&lt;span class="nt"&gt;31536000&lt;/span&gt;&lt;span class="o"&gt;;&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="nt"&gt;includeSubDomains&lt;/span&gt;
&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;

&lt;p&gt;This example tells the browser to use HTTPS for all subdomains for one year.&lt;/p&gt;
&lt;h2&gt;Conclusion&lt;/h2&gt;
&lt;p&gt;Implementing the correct HTTP security headers is a straightforward way to improve web application security. These
headers form part of the first line of defence against many common security vulnerabilities. As threats evolve, keeping
security headers current and properly configured helps safeguard your users and your brand.&lt;/p&gt;</content><category term="Security"></category><category term="Application Security"></category><category term="Account Protection"></category><category term="API Security"></category><category term="Credential Stuffing"></category><category term="Drupal"></category><category term="DDoS"></category></entry><entry><title>Google Chrome's "IP Protection" vs Apple Private Relay</title><link href="https://www.peakhour.io/blog/apple-private-relay-vs-google-ip-protection/" rel="alternate"></link><published>2023-10-25T13:00:00+11:00</published><updated>2023-10-25T13:00:00+11:00</updated><author><name>AC</name></author><id>tag:www.peakhour.io,2023-10-25:/blog/apple-private-relay-vs-google-ip-protection/</id><summary type="html">&lt;p&gt;An exploration of Google Chrome's new "IP Protection" feature and a comparison with Apple's iCloud Private Relay.&lt;/p&gt;</summary><content type="html">&lt;h2&gt;Google Chrome's "IP Protection" vs. Apple's iCloud Private Relay&lt;/h2&gt;
&lt;p&gt;Google and Apple are both pushing browser-level privacy features that reduce how much a website can infer from a user's
IP address. Google's recent announcement of its "IP Protection" feature for Chrome follows Apple's iCloud Private Relay,
but the two approaches are not the same.&lt;/p&gt;
&lt;h2&gt;Apple's iCloud Private Relay: A Closer Look&lt;/h2&gt;
&lt;p&gt;In 2021, Apple introduced iCloud Private Relay for paid iCloud+ subscribers. The feature encrypts traffic from the user's
device and routes internet requests through two separate relays. The intention is to stop any single party, including
Apple, from building a comprehensive user profile from IP address, location, and browsing activity.&lt;/p&gt;
&lt;p&gt;However, this feature is specific to Apple's Safari browser. It is not a full VPN; it is a browser-centric service that
protects Safari traffic on iOS, iPadOS, and macOS. The user's internet requests are routed first through an Apple server,
then through a partner network like Akamai, Cloudflare, or Fastly, before reaching the intended destination. This dual-hop
design means neither party has a complete view of both the user's IP address and the browsing destination.&lt;/p&gt;
&lt;h2&gt;Google's "IP Protection": Playing Catch-up?&lt;/h2&gt;
&lt;p&gt;Google's "IP Protection" for Chrome appears to be an answer to Apple's initiative. By masking users' IP addresses using
proxy servers, Google aims to preserve user privacy while keeping essential web functions working. Unlike Apple's
solution, which is limited to Safari, Google's feature potentially has wider application within the Chrome ecosystem.&lt;/p&gt;
&lt;p&gt;However, Google's solution is still early, with phased implementation and limited domain application. Apple has already
integrated and offered iCloud Private Relay to its users; Google is still testing its feature.&lt;/p&gt;
&lt;h2&gt;Can Apple Allow Google's Feature on Chrome?&lt;/h2&gt;
&lt;p&gt;Given the competitive nature of the technology industry, it remains uncertain whether Apple will allow Google's IP
Protection feature on Chrome for Apple devices. With iCloud Private Relay already in place, Apple may see Google's
feature as redundant or conflicting with its privacy objectives.&lt;/p&gt;
&lt;h2&gt;The Bigger Picture: Ad Tracking and Platform Control&lt;/h2&gt;
&lt;p&gt;Both companies present these changes as privacy improvements, but the platform context matters. Hiding IP addresses does
not remove ad tracking, and privacy features can also reinforce platform control. By making privacy protections part of
their own browsers and ecosystems, Google and Apple can reduce some third-party visibility while keeping users inside
platforms they operate and measure.&lt;/p&gt;
&lt;p&gt;Apple's iCloud Private Relay and Google's "IP Protection" both improve some aspects of user privacy, with different
approaches and coverage. As Google plays catch-up to Apple in this area, users should understand what these features do
and what they leave in place. The goal should be genuine online privacy, and as we've discussed in our article on &lt;a href="https://www.peakhour.xyz/blog/tls-fingerprinting/"&gt;TLS fingerprinting&lt;/a&gt;, network-based fingerprinting
is becoming increasingly important for protecting services in this changing environment.&lt;/p&gt;</content><category term="Security"></category><category term="Residential Proxies"></category><category term="API Security"></category><category term="Account Protection"></category><category term="GDPR"></category><category term="Fingerprinting"></category><category term="Bot Management"></category></entry><entry><title>Google Chrome's "IP Protection" and Online Privacy</title><link href="https://www.peakhour.io/blog/google-chrome-ip-protection-and-online-privacy/" rel="alternate"></link><published>2023-10-24T13:00:00+11:00</published><updated>2023-10-24T13:00:00+11:00</updated><author><name>AC</name></author><id>tag:www.peakhour.io,2023-10-24:/blog/google-chrome-ip-protection-and-online-privacy/</id><summary type="html">&lt;p&gt;An exploration of Google Chrome's new "IP Protection" feature, its promise of enhanced privacy.&lt;/p&gt;</summary><content type="html">&lt;p&gt;Google plans to introduce an "IP Protection" feature in Chrome. The feature is intended to improve privacy by masking IP
addresses through proxy servers. It may also affect ad tracking and who controls access to online platforms.&lt;/p&gt;
&lt;h2&gt;Understanding IP Addresses and Google's Strategy&lt;/h2&gt;
&lt;p&gt;IP addresses can let websites follow user activity across platforms. Over time, that can build detailed profiles and
create real privacy concerns. Google's "IP Protection" is designed to reduce that signal by sending third-party traffic
through proxies, hiding user IPs. The feature will start as optional, then focus on domains thought to track users.&lt;/p&gt;
&lt;p&gt;At first, Google will use a dedicated proxy for its own domains. As testing continues, the system may change. Google is
also considering a 2-hop proxy system for better privacy, with an outside CDN handling the second proxy.&lt;/p&gt;
&lt;p&gt;Google wants to use proxy connection IPs to give users broad locations, not exact ones. It will test this on platforms
like Gmail and AdServices, in Chrome versions 119 to 225.&lt;/p&gt;
&lt;h2&gt;VPN Growth and Other Browsers&lt;/h2&gt;
&lt;p&gt;The growth of VPN use points to demand for online privacy. VPNs, like Google's IP Protection, hide user IP addresses.
Firefox and Opera have added VPN features to their browsers. Apple, known for user privacy, has worked with CDN
companies on similar privacy improvements.&lt;/p&gt;
&lt;p&gt;This change has trade-offs. Sending traffic through Google's, or others', servers can make it harder for security teams
to handle threats. Google has suggested fixes like checking users with the proxy and rate-limiting to tackle these
problems.&lt;/p&gt;
&lt;h2&gt;What It Means&lt;/h2&gt;
&lt;p&gt;Traditional safety tools like IP reputation and GeoIP methods are becoming less reliable. This change highlights the
role of network-based fingerprinting now. For more on this, read our article
on &lt;a href="https://www-staging.peakhour.xyz/blog/tls-fingerprinting/"&gt;TLS fingerprinting&lt;/a&gt;.&lt;/p&gt;
&lt;p&gt;While firms talk about hiding IP addresses, ad tracking is still common. These changes might also push users to certain
platforms. Even if users think they're safe, big tech's tracking tools can still watch them. That can give users a false
sense of safety. Real privacy still needs practical tools and clear public understanding.&lt;/p&gt;</content><category term="Security"></category><category term="Residential Proxies"></category><category term="Account Protection"></category><category term="API Security"></category><category term="DDoS"></category><category term="Fingerprinting"></category><category term="Bot Management"></category></entry><entry><title>ModSecurity’s End-of-Life</title><link href="https://www.peakhour.io/blog/modsecurity-eol-modern-application-security-platforms/" rel="alternate"></link><published>2023-10-16T13:00:00+11:00</published><updated>2023-10-16T13:00:00+11:00</updated><author><name>AC</name></author><id>tag:www.peakhour.io,2023-10-16:/blog/modsecurity-eol-modern-application-security-platforms/</id><summary type="html">&lt;p&gt;ModSecurity's end-of-life marks a pivotal moment in application security evolution. Discover how modern Application Security Platforms are advancing beyond traditional WAF approaches to provide comprehensive protection for web applications and APIs at the edge.&lt;/p&gt;</summary><content type="html">&lt;p&gt;The end-of-life of ModSecurity on 1 July 2024 marks a practical turning point for application security teams. For DevOps, SRE, and &lt;a href="/learning/devsecops/what-is-devsecops/"&gt;DevSecOps&lt;/a&gt; professionals, it reinforces a wider shift towards Application Security Platforms that go beyond traditional Web Application Firewall (WAF) capabilities.&lt;/p&gt;
&lt;p&gt;Modern Application Security Platforms use Web &lt;a href="/learning/application-security/what-is-waap/"&gt;Application and&lt;/a&gt; API Protection (WAAP) as a core part of edge security. Peakhour's Application Security Platform extends traditional WAF protection with bot management, API security, DDoS mitigation, and account protection, backed by Peakhour Edge delivery infrastructure.&lt;/p&gt;
&lt;p&gt;The bedrock of a WAF lies in two main components:&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;&lt;strong&gt;WAF Engine&lt;/strong&gt;: Inspects and assesses web traffic.&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;WAF Rules&lt;/strong&gt;: Guidelines that tell the engine what to inspect and how to respond.&lt;/li&gt;
&lt;/ul&gt;
&lt;p&gt;Peakhour's Application Security Platform has used ModSecurity as part of our WAAP solution, integrating it with threat detection, behavioural analysis, and the proven OWASP ModSecurity Core Rule Set (CRS) for application protection.&lt;/p&gt;
&lt;p&gt;For two decades, ModSecurity has been a fixture in web security. Its acquisition by Trustwave led
to a sunset announcement in 2021, with the EOL set for July 2024.&lt;/p&gt;
&lt;h2&gt;Deciphering the EOL for ModSecurity&lt;/h2&gt;
&lt;p&gt;With the EOL, Trustwave will cease commercial support and updates for ModSecurity. That does not make
ModSecurity irrelevant. It has been in 'maintenance mode', with Trustwave channelling its efforts
towards bug fixes and security patches.&lt;/p&gt;
&lt;p&gt;Despite this change, ModSecurity still has active community support. Tutorials and
discussions centred around ModSecurity and CRS continue to appear each month. Entities like Atomicorp have pledged to extend their support
to ModSecurity beyond its EOL, helping maintain its presence in the market.&lt;/p&gt;
&lt;p&gt;Other WAF engines are emerging as potential contenders. The &lt;a href="https://github.com/corazawaf/coraza"&gt;Coraza&lt;/a&gt; WAF engine, written in
Go, is gaining a place in the market. The &lt;a href="https://github.com/microsoft/ModSecurity"&gt;public Azure repository&lt;/a&gt; hosts
Microsoft's ModSecurity fork, while the Edg.IO repository highlights &lt;a href="https://github.com/edgio/waflz"&gt;Waflz&lt;/a&gt;, showing its role
in the WAF ecosystem.&lt;/p&gt;
&lt;p&gt;Recent players, such as &lt;a href="https://github.com/openappsec/openappsec"&gt;OpenAppSec&lt;/a&gt; by Checkpoint, are also entering the scene.
Positioned as an open-source ML-based WAF, OpenAppSec has publicly advised businesses to start their migration strategies
and views itself as a viable migration path.&lt;/p&gt;
&lt;h2&gt;Peakhour's Application Security Platform Evolution&lt;/h2&gt;
&lt;p&gt;The ModSecurity transition fits with Peakhour's move towards a broader Application Security Platform. Our approach covers:&lt;/p&gt;
&lt;h3&gt;Immediate Continuity&lt;/h3&gt;
&lt;ul&gt;
&lt;li&gt;&lt;strong&gt;Operational Continuity&lt;/strong&gt;: ModSecurity continues to function within our platform, supported by active community development&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;No Service Interruption&lt;/strong&gt;: Customers experience no service interruption as we implement next-generation capabilities&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Tighter Integration&lt;/strong&gt;: Existing ModSecurity capabilities are strengthened through integration with our threat detection systems&lt;/li&gt;
&lt;/ul&gt;
&lt;h3&gt;Advanced Platform Development&lt;/h3&gt;
&lt;p&gt;Peakhour is implementing security technologies that extend beyond traditional WAF capabilities:&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;&lt;strong&gt;Machine Learning Integration&lt;/strong&gt;: AI-powered threat detection that adapts to emerging attack patterns&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Behavioural Analysis&lt;/strong&gt;: Algorithms that identify sophisticated threats including residential proxy attacks and anti-detect browser usage&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;API-Native Security&lt;/strong&gt;: Protection designed for modern API-first architectures&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Real-Time Threat Intelligence&lt;/strong&gt;: Dynamic rule updates based on global threat landscape analysis&lt;/li&gt;
&lt;/ul&gt;
&lt;h3&gt;Future-Ready Architecture&lt;/h3&gt;
&lt;p&gt;Our Application Security Platform roadmap includes:&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;&lt;strong&gt;Multi-Engine Approach&lt;/strong&gt;: Evaluation of next-generation engines including Coraza, Waflz, and custom ML-based solutions&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Request-Path Protection&lt;/strong&gt;: Security processing at Peakhour Edge locations for performance&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;&lt;a href="/learning/devsecops/what-is-devsecops/"&gt;DevSecOps Integration&lt;/a&gt;&lt;/strong&gt;: API-first architecture enabling integration with CI/CD pipelines and security automation&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Comprehensive WAAP&lt;/strong&gt;: Integration of WAF, API protection, bot management, and DDoS mitigation in a unified platform&lt;/li&gt;
&lt;/ul&gt;
&lt;h2&gt;The Future of Application Security&lt;/h2&gt;
&lt;p&gt;ModSecurity's end-of-life is more than a technical transition. It reflects the move from traditional point solutions to broader Application Security Platforms. For DevOps, SRE, and &lt;a href="/learning/devsecops/what-is-devsecops/"&gt;DevSecOps&lt;/a&gt; teams, this shift enables:&lt;/p&gt;
&lt;h3&gt;Enhanced Security Posture&lt;/h3&gt;
&lt;ul&gt;
&lt;li&gt;&lt;strong&gt;Unified Threat Protection&lt;/strong&gt;: Comprehensive WAAP capabilities that protect applications, APIs, and users through a single platform&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Advanced Threat Detection&lt;/strong&gt;: Machine learning and behavioural analysis that identify sophisticated attack vectors&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Real-Time Adaptation&lt;/strong&gt;: Dynamic security policies that evolve with the threat landscape&lt;/li&gt;
&lt;/ul&gt;
&lt;h3&gt;Operational Excellence&lt;/h3&gt;
&lt;ul&gt;
&lt;li&gt;&lt;strong&gt;Performance Integration&lt;/strong&gt;: Security processing at the edge provides protection without compromising application performance&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;&lt;a href="/learning/devsecops/what-is-devsecops/"&gt;DevSecOps&lt;/a&gt; Compatibility&lt;/strong&gt;: API-first architecture supports security automation and CI/CD integration&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Global Scalability&lt;/strong&gt;: Distributed protection that scales with application growth and user distribution&lt;/li&gt;
&lt;/ul&gt;
&lt;h3&gt;Strategic Advantages&lt;/h3&gt;
&lt;ul&gt;
&lt;li&gt;&lt;strong&gt;Long-Term Investment&lt;/strong&gt;: Platform approach that evolves with emerging threats and technologies&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Comprehensive Coverage&lt;/strong&gt;: Single-pane-of-glass management for application security, performance, and availability&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Compliance Alignment&lt;/strong&gt;: Built-in reporting and monitoring capabilities that support regulatory requirements&lt;/li&gt;
&lt;/ul&gt;
&lt;p&gt;The transition from ModSecurity gives organisations a clear point to review and modernise their application security posture. By adopting Application Security Platforms, teams can improve protection whilst maintaining the performance and scalability required for modern applications.&lt;/p&gt;
&lt;hr&gt;
&lt;p&gt;&lt;em&gt;Peakhour's Application Security Platform protects web applications and APIs with WAAP capabilities, delivery performance, bot management, and real-time threat intelligence. &lt;a href="/contact-sales/"&gt;Contact our security team&lt;/a&gt; to learn how we can support your application security posture whilst maintaining performance.&lt;/em&gt;&lt;/p&gt;</content><category term="Security"></category><category term="Application Security"></category><category term="DevSecOps"></category><category term="API Security"></category><category term="DDoS"></category><category term="Threat Detection"></category><category term="SOC 2"></category></entry><entry><title>Understanding the HTTP/2 Rapid Reset Attack</title><link href="https://www.peakhour.io/blog/http-rapid-reset-attack/" rel="alternate"></link><published>2023-10-11T00:00:00+11:00</published><updated>2023-10-11T00:00:00+11:00</updated><author><name>AC</name></author><id>tag:www.peakhour.io,2023-10-11:/blog/http-rapid-reset-attack/</id><summary type="html">&lt;p&gt;A comprehensive breakdown of the HTTP/2 Rapid Reset flaw and guidance on bolstering defences against potential DDoS attacks.&lt;/p&gt;</summary><content type="html">&lt;p&gt;The discovery of the HTTP/2 Rapid Reset flaw exposed a serious weakness in a widely used version of the HTTP protocol.
When exploited, it can be used to generate large Distributed Denial of Service (DDoS) attacks against HTTP/2 services.
This post explains how the attack works and what operators can do to strengthen their defences.&lt;/p&gt;
&lt;h2&gt;A Deep Dive into the HTTP/2 Rapid Reset Flaw&lt;/h2&gt;
&lt;p&gt;HTTP/2 is widely deployed, so a flaw in how implementations handle rapid stream resets can have a large operational
impact. To take advantage of the issue, a malicious actor sends a request and immediately cancels it, then repeats that
pattern over the same HTTP/2 connection. By scaling this "request, cancel" behaviour thousands of times, an attacker can
overwhelm vulnerable HTTP/2 implementations. The result is &lt;a href="/products/ddos-protection/"&gt;DDoS attacks&lt;/a&gt; at the application layer, with
potential downtime and disruption.&lt;/p&gt;
&lt;p&gt;Major companies including Cloudflare and Google have dealt with this issue. Google, for example, mitigated a DDoS attack
reaching a peak of 398 million requests per second that relied on this technique. For scale, this two-minute-long attack
generated more requests than the total number of article views reported by Wikipedia in
September 2023.&lt;/p&gt;
&lt;h2&gt;Mitigating the Threat&lt;/h2&gt;
&lt;p&gt;Large infrastructure providers have led much of the work to understand the attack mechanics and develop mitigations:&lt;/p&gt;
&lt;ol&gt;
&lt;li&gt;
&lt;p&gt;&lt;strong&gt;Patching Systems:&lt;/strong&gt; Prompt patching is the primary control for the HTTP/2 Rapid Reset attack. Companies
   including Peakhour, Microsoft, and others have tested and patched their systems against this threat.&lt;/p&gt;
&lt;/li&gt;
&lt;li&gt;
&lt;p&gt;&lt;strong&gt;Rate Limiting:&lt;/strong&gt; Advanced rate limiting has been a recommended action. It provides an extra layer of protection,
   minimising the risk of massive request inflows.&lt;/p&gt;
&lt;/li&gt;
&lt;li&gt;
&lt;p&gt;&lt;strong&gt;Collaborative Efforts:&lt;/strong&gt; Google and Microsoft have both shared intelligence and collaborated with other cloud
   providers and software maintainers implementing the HTTP/2 protocol stack. This has resulted in patches and
   mitigation techniques now employed by numerous large infrastructure
   providers.&lt;/p&gt;
&lt;/li&gt;
&lt;/ol&gt;
&lt;h2&gt;What's Next for Users and Enterprises?&lt;/h2&gt;
&lt;p&gt;If you serve an HTTP-based workload online, understand whether this attack affects your environment. Verify that servers
supporting HTTP/2 are either not vulnerable or have applied the necessary patches. Stay informed and consider reaching
out to your service providers or account representatives for configuration assistance and guidance.&lt;/p&gt;
&lt;p&gt;The HTTP/2 Rapid Reset flaw is a serious application-layer DDoS risk, but it is manageable with the right mitigations in
place. Apply the recommended patches and keep HTTP/2-facing services under active review.&lt;/p&gt;
&lt;hr&gt;
&lt;p&gt;&lt;em&gt;Discover how Peakhour's Application Security Platform protects against Layer 7 DDoS attacks, including the HTTP/2 Rapid Reset vulnerability. &lt;a href="/contact-sales/"&gt;Contact our team&lt;/a&gt; to secure your infrastructure.&lt;/em&gt;&lt;/p&gt;</content><category term="Security"></category><category term="DDoS"></category><category term="Rate Limiting"></category><category term="DNS"></category><category term="API Security"></category><category term="Bot Management"></category><category term="Threat Detection"></category></entry><entry><title>Headless Commerce Security</title><link href="https://www.peakhour.io/blog/headless-commerce-security-api-protection/" rel="alternate"></link><published>2023-06-28T00:00:00+10:00</published><updated>2023-06-28T00:00:00+10:00</updated><author><name>Dan</name></author><id>tag:www.peakhour.io,2023-06-28:/blog/headless-commerce-security-api-protection/</id><summary type="html">&lt;p&gt;Comprehensive analysis of security challenges in headless commerce and Single Page Applications. Learn how to protect modern e-commerce APIs and microservices architectures from scraping, fraud, and automated attacks.&lt;/p&gt;</summary><content type="html">&lt;p&gt;At Peakhour, we spend a lot of time looking at e-commerce architecture trends. Single Page Applications (SPAs) and
headless commerce keep coming up, with tools such as Nuxt.js, Strapi, Hydrogen, and Gatsby leading many builds. These
tools can make frontend work faster and more flexible, but they also put more e-commerce data behind APIs that scrapers
can target.&lt;/p&gt;
&lt;p&gt;Single Page Applications (SPAs) and headless e-commerce have changed how many retailers build their storefronts.
Frontend development tools like Nuxt.js and headless CMSs like Strapi are now common parts of that stack.&lt;/p&gt;
&lt;p&gt;The trade-off is exposure. Product information is often available as JSON data, which makes it easier for scrapers to
collect at scale. That raises a practical question: how do you secure data while still making it available through APIs?&lt;/p&gt;
&lt;h2&gt;Strategies for Data Protection&lt;/h2&gt;
&lt;p&gt;Data protection matters, but it is not a single control. These are the usual layers:&lt;/p&gt;
&lt;ol&gt;
&lt;li&gt;&lt;strong&gt;Rate Limiting&lt;/strong&gt;: Controls the number of client requests to your API within a set time frame.&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Bot Detection&lt;/strong&gt;: Distinguishes between humans and bots based on behavioural patterns.&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Page Load Authentication&lt;/strong&gt;: Secures the page load through bot detection and authenticates subsequent API calls.&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;IP Threat Intelligence&lt;/strong&gt;: Blocks suspicious IP addresses from accessing your API.&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;GeoIP Filtering&lt;/strong&gt;: Regulates requests based on geographical origin.&lt;/li&gt;
&lt;/ol&gt;
&lt;p&gt;As bots change, those controls need to change as well.&lt;/p&gt;
&lt;h2&gt;Facing the Challenge of Headless Scraping&lt;/h2&gt;
&lt;p&gt;Headless scraping uses browsers without a user interface to imitate normal browsing. It is difficult to detect, but
&lt;strong&gt;network fingerprinting&lt;/strong&gt; can help.&lt;/p&gt;
&lt;p&gt;Network fingerprinting examines network features like Transport Layer Security (TLS) settings and HTTP/2 (H2)
parameters. By analysing these, companies can detect and block bots, adding another security layer.&lt;/p&gt;
&lt;h2&gt;Client-side Security in SPAs&lt;/h2&gt;
&lt;p&gt;In SPAs, where much of the processing happens in the user's browser, the security concerns shift:&lt;/p&gt;
&lt;ol&gt;
&lt;li&gt;&lt;strong&gt;Data Exposure&lt;/strong&gt;: Protecting sensitive data from leakage or manipulation is critical.&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Injection Attacks&lt;/strong&gt;: SPAs must guard against attacks like Cross-Site Scripting (XSS).&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Authentication and Session Management&lt;/strong&gt;: Properly handled, these prevent unauthorised access.&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Insecure Direct Object References (IDORs)&lt;/strong&gt;: Proper authorisation stops attackers from accessing others' data.&lt;/li&gt;
&lt;/ol&gt;
&lt;h2&gt;Risks in JavaScript Packages&lt;/h2&gt;
&lt;p&gt;SPAs usually depend on JavaScript libraries and packages. They are useful, but they also add supply chain risk. Using
only essential packages, keeping them updated, and sourcing them from trusted providers reduces that risk. Supply chain
audit tools can help automate the work:&lt;/p&gt;
&lt;ol&gt;
&lt;li&gt;&lt;a href="https://owasp.org/www-project-dependency-check/"&gt;OWASP Dependency-Check&lt;/a&gt;&lt;/li&gt;
&lt;li&gt;&lt;a href="https://securestack.com/"&gt;SecureStack&lt;/a&gt;&lt;/li&gt;
&lt;/ol&gt;
&lt;p&gt;Security audits need to be frequent because vulnerabilities can appear quickly. Tools like npm's npm audit or GitHub's
Dependabot, along with regular penetration testing, can help uncover potential weaknesses.&lt;/p&gt;
&lt;h2&gt;Final Thoughts&lt;/h2&gt;
&lt;p&gt;The move toward SPAs and headless commerce is a trade-off between development flexibility and security exposure. These
architectures can improve user experience and speed up delivery, but they also introduce new security issues.&lt;/p&gt;
&lt;p&gt;Client-side security in SPAs needs deliberate attention. Data exposure, injection attacks, and insecure direct object
references all need to be managed, and the convenience of JavaScript libraries brings its own vulnerabilities.&lt;/p&gt;
&lt;p&gt;Peakhour addresses these problems with rate limiting that manages request traffic and helps prevent attacks without
harming customer experience. Our Web &lt;a href="/learning/cloud-security/cloud-waf-vs-native-waf/"&gt;Application Firewall&lt;/a&gt; (WAF)
examines all payload data, adding another layer of protection.&lt;/p&gt;
&lt;p&gt;Frequent security audits still matter. They help e-commerce managers keep SPAs and headless commerce operations secure
without giving up the efficiency these architectures can provide.&lt;/p&gt;</content><category term="Security"></category><category term="API Security"></category><category term="Magento"></category><category term="Account Protection"></category><category term="Drupal"></category><category term="Application Security"></category><category term="Bot Management"></category></entry><entry><title>Enterprise DDoS Protection</title><link href="https://www.peakhour.io/blog/enterprise-ddos-protection-microsoft-365-application-security/" rel="alternate"></link><published>2023-06-19T00:00:00+10:00</published><updated>2023-06-19T00:00:00+10:00</updated><author><name>AC</name></author><id>tag:www.peakhour.io,2023-06-19:/blog/enterprise-ddos-protection-microsoft-365-application-security/</id><summary type="html">&lt;p&gt;Analysis of the Microsoft 365 DDoS attack by Storm-1359 reveals critical lessons for enterprise application security platforms. Learn advanced Layer 7 DDoS protection strategies and rate limiting techniques for modern applications.&lt;/p&gt;</summary><content type="html">&lt;p&gt;Cyber threats continue to grow in complexity and volume, and Layer 7 attacks remain especially difficult to defend
against&lt;sup id="fnref:1^"&gt;&lt;a class="footnote-ref" href="#fn:1^"&gt;1&lt;/a&gt;&lt;/sup&gt;. Each layer presents its own set of vulnerabilities for threat actors to exploit. The 7th layer, or
application layer, handles application-specific communications. That makes it a useful target because modern
applications are complex and varied.&lt;/p&gt;
&lt;p&gt;Defending against Layer 7 attacks requires continuous tuning and adaptation&lt;sup id="fnref2:1^"&gt;&lt;a class="footnote-ref" href="#fn:1^"&gt;1&lt;/a&gt;&lt;/sup&gt;. Microsoft highlighted the issue in
June 2023, when it reported a traffic surge that temporarily affected the availability of some of its services&lt;sup id="fnref3:1^"&gt;&lt;a class="footnote-ref" href="#fn:1^"&gt;1&lt;/a&gt;&lt;/sup&gt;.&lt;/p&gt;
&lt;h2&gt;Microsoft's Layer 7 DDoS Attacks&lt;/h2&gt;
&lt;p&gt;Microsoft's security team detected and tracked DDoS activity from a threat actor it called Storm-1359. The actor used a
mix of resources, including multiple virtual private servers (VPS), rented cloud infrastructure, open proxies,
and DDoS tools&lt;sup id="fnref4:1^"&gt;&lt;a class="footnote-ref" href="#fn:1^"&gt;1&lt;/a&gt;&lt;/sup&gt;.&lt;/p&gt;
&lt;p&gt;The activity did not target layers 3 or 4. It targeted layer 7, where requests can look like regular traffic and arrive
from source IPs distributed around the world.&lt;/p&gt;
&lt;h3&gt;The Attack Methods&lt;/h3&gt;
&lt;p&gt;Storm-1359 used several attack types, including:&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;&lt;strong&gt;HTTP(S) Flood Attack&lt;/strong&gt;: The attacker aimed to exhaust system resources with a high load of SSL/TLS handshakes and HTTP(S) request processing. This attack led the application backend to run out of compute resources such as CPU and memory&lt;sup id="fnref8:1^"&gt;&lt;a class="footnote-ref" href="#fn:1^"&gt;1&lt;/a&gt;&lt;/sup&gt;.&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Cache Bypass&lt;/strong&gt;: The attacker attempted to overload the origin servers by bypassing the CDN layer&lt;sup id="fnref9:1^"&gt;&lt;a class="footnote-ref" href="#fn:1^"&gt;1&lt;/a&gt;&lt;/sup&gt;.&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Slowloris&lt;/strong&gt;: In this case, the client opens a connection to a web server, requests a resource, such as an image, but fails to acknowledge the download or accepts it slowly. This causes the web server to keep the connection open and hold the requested resource in memory&lt;sup id="fnref10:1^"&gt;&lt;a class="footnote-ref" href="#fn:1^"&gt;1&lt;/a&gt;&lt;/sup&gt;.
  Strengthening Layer 7 Protections&lt;/li&gt;
&lt;/ul&gt;
&lt;p&gt;Microsoft mitigated the majority of disruptions by hardening its Layer 7 protections. It fine-tuned Azure Web
&lt;a href="/learning/cloud-security/cloud-waf-vs-native-waf/"&gt;Application Firewall&lt;/a&gt; (WAF) to better defend customers from the impact of similar DDoS attacks&lt;sup id="fnref5:1^"&gt;&lt;a class="footnote-ref" href="#fn:1^"&gt;1&lt;/a&gt;&lt;/sup&gt;.&lt;/p&gt;
&lt;h3&gt;Azure Web Application Firewall, ModSecurity, and DDoS Attacks&lt;/h3&gt;
&lt;p&gt;Azure &lt;a href="/products/waf/"&gt;Web Application Firewall&lt;/a&gt; (WAF), part of Microsoft's security architecture, is built upon ModSecurity&lt;sup id="fnref:4^"&gt;&lt;a class="footnote-ref" href="#fn:4^"&gt;4&lt;/a&gt;&lt;/sup&gt;,
a well-established open-source Web Application Firewall (WAF) module&lt;sup id="fnref6:1^"&gt;&lt;a class="footnote-ref" href="#fn:1^"&gt;1&lt;/a&gt;&lt;/sup&gt;. The DDoS attack Microsoft faced highlighted
potential limitations in using ModSecurity, or any conventional WAF, as the primary defence mechanism against such
threats.&lt;/p&gt;
&lt;h3&gt;ModSecurity's Limitations in DDoS Defence&lt;/h3&gt;
&lt;p&gt;ModSecurity is effective against a variety of web application threats, but it has limitations when dealing with DDoS
attacks:&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;&lt;strong&gt;Lack of Scalability:&lt;/strong&gt; ModSecurity is not inherently scalable. It can struggle to handle the enormous traffic volume
  associated with DDoS attacks.&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Delayed Response:&lt;/strong&gt; ModSecurity's rule-based approach can result in slower response times to evolving DDoS threats.
  While it can block threats based on established rules, it can take time to identify and create rules for new or
  uncommon attack patterns.&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Operational Complexity:&lt;/strong&gt; ModSecurity requires substantial expertise and constant fine-tuning to remain effective,
  potentially slowing down response times during a fast-paced DDoS attack.&lt;/li&gt;
&lt;/ul&gt;
&lt;p&gt;These limitations were visible during the DDoS attack Microsoft experienced. Even though Microsoft utilised ModSecurity
via Azure WAF, the time it took for Azure to respond underlines the challenge of using traditional WAFs for this class
of attack&lt;sup id="fnref7:1^"&gt;&lt;a class="footnote-ref" href="#fn:1^"&gt;1&lt;/a&gt;&lt;/sup&gt;.&lt;/p&gt;
&lt;h3&gt;The Role of Residential Proxy Networks in Layer 7 DDoS Attacks&lt;/h3&gt;
&lt;p&gt;&lt;a href="/products/residential-proxy-detection/"&gt;Residential proxy&lt;/a&gt; networks create a specific problem in the defence against Layer 7 DDoS attacks&lt;sup id="fnref:3^"&gt;&lt;a class="footnote-ref" href="#fn:3^"&gt;3&lt;/a&gt;&lt;/sup&gt;. These
networks use IP addresses tied to physical locations, often originating from typical home or office internet
connections. That makes it harder to separate legitimate traffic from malicious traffic.&lt;/p&gt;
&lt;p&gt;Unlike traditional proxy or VPN networks, where traffic can be blocked or rate-limited based on their recognisable IP
ranges, residential proxy networks blend in with legitimate users. That complicates identifying and blocking malicious
requests, as any blocking or limiting measures could affect legitimate traffic from
residential IPs.&lt;/p&gt;
&lt;h3&gt;A Potential Solution&lt;/h3&gt;
&lt;p&gt;In this context, fingerprinting can help distinguish between legitimate clients and malicious actors. Fingerprinting
involves gathering data points from each client request, including user agent, IP address, headers, cookies, and more.
The combination of these data points creates a unique 'fingerprint' for each client.&lt;/p&gt;
&lt;p&gt;By analysing these fingerprints, it is possible to detect anomalous request patterns and potentially identify malicious
clients hidden behind residential IPs. Fingerprinting can improve the accuracy of identifying malicious traffic, but it
is not foolproof and should sit inside a broader, layered defence strategy.&lt;/p&gt;
&lt;p&gt;Implementing effective fingerprinting also requires substantial technical expertise and resources. The measures need to
avoid degrading user experience or breaching privacy regulations.&lt;/p&gt;
&lt;h3&gt;The Need for Specialised Rate Limiting Services&lt;/h3&gt;
&lt;p&gt;A specialised rate limiting service could have offered a faster and more effective response to the DDoS attack. Rate
limiting restricts the number of requests that an IP address can make within a specific time period&lt;sup id="fnref:2^"&gt;&lt;a class="footnote-ref" href="#fn:2^"&gt;2&lt;/a&gt;&lt;/sup&gt;.&lt;/p&gt;
&lt;p&gt;Such a service offers several advantages when defending against DDoS attacks:&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;&lt;strong&gt;Rapid Response:&lt;/strong&gt; Rate limiting can provide a quick initial defence against a DDoS attack by immediately limiting
  traffic from suspicious IP addresses.&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Flexibility:&lt;/strong&gt; Rate limiting rules can be applied to factors such as IP addresses, URL, headers, response codes, and
  more, creating more granular defence mechanisms.&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Reduced Load:&lt;/strong&gt; By limiting the rate of requests, these services can reduce the load on the server, preserving
  resources for legitimate traffic.&lt;/li&gt;
&lt;/ul&gt;
&lt;h2&gt;Advanced Rate Limiting and Custom Keys&lt;/h2&gt;
&lt;p&gt;One way to defend against these attacks is through &lt;a href="/blog/beyond-the-ip-address-advanced-rate-limiting/"&gt;advanced rate&lt;/a&gt; limiting&lt;sup id="fnref2:2^"&gt;&lt;a class="footnote-ref" href="#fn:2^"&gt;2&lt;/a&gt;&lt;/sup&gt;. Rate limiting restricts the number of
requests an IP address, URL, or another custom key can make in a set time period. This can stop a single actor from
flooding a network with traffic.&lt;/p&gt;
&lt;h3&gt;Criteria Used in Rate Limiting&lt;/h3&gt;
&lt;p&gt;Rate limits can be defined using different criteria:&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;&lt;strong&gt;IP Address&lt;/strong&gt;&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;URL&lt;/strong&gt;&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Query String&lt;/strong&gt;&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Headers&lt;/strong&gt;&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Response Codes&lt;/strong&gt;&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;GeoIP Information&lt;/strong&gt;: ASN or Country Code&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Parsed User Agent Information&lt;/strong&gt;: Different rules for search engines vs. generic 'bots'&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Fingerprints&lt;/strong&gt;: TCP, TLS or H2 fingerprints can uniquely identify the connecting software&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Meta Information&lt;/strong&gt;: From bot protection service&lt;sup id="fnref3:2^"&gt;&lt;a class="footnote-ref" href="#fn:2^"&gt;2&lt;/a&gt;&lt;/sup&gt;&lt;/li&gt;
&lt;/ul&gt;
&lt;p&gt;This allows rate limiting to 'bucket' requests using different criteria, effectively rate limiting a larger group of
connections.&lt;/p&gt;
&lt;h2&gt;The Role of Anomaly Detection&lt;/h2&gt;
&lt;p&gt;Anomaly detection is another useful tool against these attacks. It identifies patterns or events that deviate from the
norm and may indicate suspicious activity. Detecting those anomalies quickly can help teams respond faster, identify a
suitable rate limit key and stop the potential attack.&lt;/p&gt;
&lt;h2&gt;Caching as a Mitigation Strategy&lt;/h2&gt;
&lt;p&gt;Caching is an effective mitigation strategy for Layer 7 attacks. It stores static responses to requests, reducing load
on the server by serving those responses instead of processing each request individually. In a DDoS scenario, where a
flood of requests is sent to the server, caching can help maintain availability. Ignoring client-provided 'Cache
Control' headers such as 'max-age=0' or 'no-cache' can be effective because these headers are typically used to bypass
a CDN.&lt;/p&gt;
&lt;h2&gt;Recommendations for Defence Against Layer 7 Attacks&lt;/h2&gt;
&lt;ul&gt;
&lt;li&gt;Use anomaly detection to identify an active attack.&lt;/li&gt;
&lt;li&gt;Use Layer 7 protection services, including rate limiting, with past 99th percentile hit rates as a starting point.&lt;/li&gt;
&lt;li&gt;Apply bot mitigation techniques, as most Layer 7 attacks originate from bots.&lt;/li&gt;
&lt;li&gt;Use IP reputation as an early warning sign, as many IPs have been involved in attacks before.&lt;/li&gt;
&lt;li&gt;Block, limit, or redirect traffic from outside a defined geographic region.&lt;/li&gt;
&lt;li&gt;Rate limit or block requests from data centre and hosting ASNs.&lt;/li&gt;
&lt;li&gt;Create custom WAF rules to automatically block and rate limit HTTP or HTTPS attacks with known signatures.&lt;/li&gt;
&lt;li&gt;Use effective CDN caching and ignore client-presented Cache-Control headers.&lt;/li&gt;
&lt;/ul&gt;
&lt;p&gt;Defending against Layer 7 attacks requires several controls working together. Rate limiting, anomaly detection, and
effective caching all have a role.&lt;/p&gt;
&lt;hr&gt;
&lt;p&gt;&lt;em&gt;Peakhour's advanced rate limiting and DDoS mitigation strategies help protect applications from sophisticated Layer 7 attacks. &lt;a href="/contact-sales/"&gt;Contact our team&lt;/a&gt; to strengthen your defences.&lt;/em&gt;&lt;/p&gt;
&lt;div class="footnote"&gt;
&lt;hr&gt;
&lt;ol&gt;
&lt;li id="fn:1^"&gt;
&lt;p&gt;&lt;a href="https://msrc.microsoft.com/blog/2023/06/microsoft-response-to-layer-7-distributed-denial-of-service-ddos-attacks/"&gt;Microsoft Response to Layer 7 DDoS Attacks&lt;/a&gt;&amp;#160;&lt;a class="footnote-backref" href="#fnref:1^" title="Jump back to footnote 1 in the text"&gt;&amp;#8617;&lt;/a&gt;&lt;a class="footnote-backref" href="#fnref2:1^" title="Jump back to footnote 1 in the text"&gt;&amp;#8617;&lt;/a&gt;&lt;a class="footnote-backref" href="#fnref3:1^" title="Jump back to footnote 1 in the text"&gt;&amp;#8617;&lt;/a&gt;&lt;a class="footnote-backref" href="#fnref4:1^" title="Jump back to footnote 1 in the text"&gt;&amp;#8617;&lt;/a&gt;&lt;a class="footnote-backref" href="#fnref5:1^" title="Jump back to footnote 1 in the text"&gt;&amp;#8617;&lt;/a&gt;&lt;a class="footnote-backref" href="#fnref6:1^" title="Jump back to footnote 1 in the text"&gt;&amp;#8617;&lt;/a&gt;&lt;a class="footnote-backref" href="#fnref7:1^" title="Jump back to footnote 1 in the text"&gt;&amp;#8617;&lt;/a&gt;&lt;a class="footnote-backref" href="#fnref8:1^" title="Jump back to footnote 1 in the text"&gt;&amp;#8617;&lt;/a&gt;&lt;a class="footnote-backref" href="#fnref9:1^" title="Jump back to footnote 1 in the text"&gt;&amp;#8617;&lt;/a&gt;&lt;a class="footnote-backref" href="#fnref10:1^" title="Jump back to footnote 1 in the text"&gt;&amp;#8617;&lt;/a&gt;&lt;/p&gt;
&lt;/li&gt;
&lt;li id="fn:2^"&gt;
&lt;p&gt;&lt;a href="https://www.peakhour.io/blog/rate-limiting/"&gt;Rate Limiting - Peakhour&lt;/a&gt;&amp;#160;&lt;a class="footnote-backref" href="#fnref:2^" title="Jump back to footnote 2 in the text"&gt;&amp;#8617;&lt;/a&gt;&lt;a class="footnote-backref" href="#fnref2:2^" title="Jump back to footnote 2 in the text"&gt;&amp;#8617;&lt;/a&gt;&lt;a class="footnote-backref" href="#fnref3:2^" title="Jump back to footnote 2 in the text"&gt;&amp;#8617;&lt;/a&gt;&lt;/p&gt;
&lt;/li&gt;
&lt;li id="fn:3^"&gt;
&lt;p&gt;&lt;a href="https://www.peakhour.io/blog/residential-proxies-unseen-challenges/"&gt;Residential Proxies: Unseen Challenges - Peakhour&lt;/a&gt;&amp;#160;&lt;a class="footnote-backref" href="#fnref:3^" title="Jump back to footnote 3 in the text"&gt;&amp;#8617;&lt;/a&gt;&lt;/p&gt;
&lt;/li&gt;
&lt;li id="fn:4^"&gt;
&lt;p&gt;&lt;a href="https://github.com/microsoft/ModSecurity"&gt;Microsoft - ModSecurity&lt;/a&gt;&amp;#160;&lt;a class="footnote-backref" href="#fnref:4^" title="Jump back to footnote 4 in the text"&gt;&amp;#8617;&lt;/a&gt;&lt;/p&gt;
&lt;/li&gt;
&lt;/ol&gt;
&lt;/div&gt;</content><category term="DDoS"></category><category term="DDoS"></category><category term="Threat Detection"></category><category term="Rate Limiting"></category><category term="Application Security"></category><category term="Account Protection"></category><category term="API Security"></category></entry><entry><title>Chrome's TLS Extension Randomisation Experiment</title><link href="https://www.peakhour.io/blog/tls-extension-randomisation/" rel="alternate"></link><published>2023-02-02T13:00:00+11:00</published><updated>2023-02-02T13:00:00+11:00</updated><author><name>AC</name></author><id>tag:www.peakhour.io,2023-02-02:/blog/tls-extension-randomisation/</id><summary type="html">&lt;p&gt;Does TLS extension randomisation assist in hiding Chrome?&lt;/p&gt;</summary><content type="html">&lt;p&gt;&lt;a href="/blog/tls-fingerprinting/"&gt;Transport Layer Security (TLS) fingerprinting&lt;/a&gt; is a commonly used
technique for identifying client processes. To reduce the
risk of server and middlebox fingerprinting of Chrome's current
ClientHello and to make the TLS ecosystem more resilient to changes,
Google Chrome ran an experiment to randomise a portion of
the TLS fingerprint. This experiment was included in Chrome version 108,
which was released on December 8, 2022. You can read the status of the
current experiment on the &lt;a href="https://chromestatus.com/feature/5124606246518784"&gt;chrome status site&lt;/a&gt;&lt;/p&gt;
&lt;p&gt;The aim of this experiment was to make it more difficult for server
implementers to fingerprint Chrome and assume specific implementation
behaviour from a fixed extension order. By randomly ordering
extensions (subject to the pre_shared_key constraint in the RFC),
Chrome hoped to reduce the risk of server and middlebox fixating on
details of its current ClientHello.&lt;/p&gt;
&lt;p&gt;&lt;img alt="unique-tls-fingerprints-over-time" src="/static/images/blog/tls-unsorted-extensions.png"&gt;&lt;/p&gt;
&lt;p&gt;&lt;em&gt;The above graph correlates to the Chrome experiment and subsequent
release of the feature. The number of unique TLS signatures dramatically
increased.&lt;/em&gt;&lt;/p&gt;
&lt;p&gt;From Peakhour data, we can see a large number of unique
fingerprints appearing since the date of the experiment, making it
very difficult to identify the Chrome network stack by a TLS
fingerprint alone. However, &lt;a href="https://hnull.org/2022/12/01/sorting-out-randomized-tls-fingerprints/"&gt;an analysis&lt;/a&gt; by
David McGrew,
a Cisco Fellow, cast doubt on the effectiveness of this experiment. In his
article, McGrew proposed a lexicographical sorting of TLS extensions and
found that 98.8% of signatures were unique after sorting. He argues that
the canonical ordering of the TLS extensions in the TLS fingerprint can
achieve nearly the same level of entropy as randomising them and still
be effective at client identification. Furthermore, he claims that the
RFC should be amended to state that extensions SHOULD be sent in an
ordered fashion in the ClientHello packet. McGrew also highlights the
potential dangers of allowing unordered extension lists, as it could
create a \"subliminal channel\" that could be used for tracking or
transmitting information. Let's now graph, over the same period, the number
of TLS signatures with TLS extension sorting.&lt;/p&gt;
&lt;p&gt;&lt;img alt="unique-tls-fingerprints-sorted-extensions-over-time" src="/static/images/blog/tls-sorted-extensions.png"&gt;&lt;/p&gt;
&lt;p&gt;&lt;em&gt;The above graph correlates to David's assertion that sorting TLS
extensions has minimal impact on TLS fingerprinting.&lt;/em&gt;&lt;/p&gt;
&lt;p&gt;It appears that David's assertion is correct: sorting TLS extensions has
minimal impact on the number of unique TLS fingerprints. Let's now look
at in-the-wild Chrome 109 data:&lt;/p&gt;
&lt;table&gt;
&lt;thead&gt;
&lt;tr&gt;
&lt;th&gt;&lt;strong&gt;Hashed sorted TLS Fingerprint&lt;/strong&gt;&lt;/th&gt;
&lt;th&gt;&lt;strong&gt;Unique unsorted TLS fingerprints&lt;/strong&gt;&lt;/th&gt;
&lt;th&gt;&lt;strong&gt;Browser&lt;/strong&gt;&lt;/th&gt;
&lt;th&gt;&lt;strong&gt;Version&lt;/strong&gt;&lt;/th&gt;
&lt;th&gt;&lt;strong&gt;% of clients&lt;/strong&gt;&lt;/th&gt;
&lt;th&gt;&lt;strong&gt;% of hits&lt;/strong&gt;&lt;/th&gt;
&lt;/tr&gt;
&lt;/thead&gt;
&lt;tbody&gt;
&lt;tr&gt;
&lt;td&gt;3241796329&lt;/td&gt;
&lt;td&gt;2&lt;/td&gt;
&lt;td&gt;Chrome Mobile WebView&lt;/td&gt;
&lt;td&gt;109&lt;/td&gt;
&lt;td&gt;6.14&lt;/td&gt;
&lt;td&gt;1.01&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;3313291307&lt;/td&gt;
&lt;td&gt;8566&lt;/td&gt;
&lt;td&gt;Chrome&lt;/td&gt;
&lt;td&gt;109&lt;/td&gt;
&lt;td&gt;1.83&lt;/td&gt;
&lt;td&gt;1.54&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;1537819294&lt;/td&gt;
&lt;td&gt;26587&lt;/td&gt;
&lt;td&gt;Chrome Mobile&lt;/td&gt;
&lt;td&gt;109&lt;/td&gt;
&lt;td&gt;6.05&lt;/td&gt;
&lt;td&gt;4.64&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;3944870384&lt;/td&gt;
&lt;td&gt;1&lt;/td&gt;
&lt;td&gt;Chrome Mobile iOS&lt;/td&gt;
&lt;td&gt;109&lt;/td&gt;
&lt;td&gt;4.31&lt;/td&gt;
&lt;td&gt;5.35&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;3241796329&lt;/td&gt;
&lt;td&gt;51594&lt;/td&gt;
&lt;td&gt;Chrome Mobile&lt;/td&gt;
&lt;td&gt;109&lt;/td&gt;
&lt;td&gt;16.9&lt;/td&gt;
&lt;td&gt;14.43&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;1537819294&lt;/td&gt;
&lt;td&gt;121346&lt;/td&gt;
&lt;td&gt;Chrome&lt;/td&gt;
&lt;td&gt;109&lt;/td&gt;
&lt;td&gt;15.66&lt;/td&gt;
&lt;td&gt;20.7&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;3241796329&lt;/td&gt;
&lt;td&gt;156405&lt;/td&gt;
&lt;td&gt;Chrome&lt;/td&gt;
&lt;td&gt;109&lt;/td&gt;
&lt;td&gt;35.52&lt;/td&gt;
&lt;td&gt;37.79&lt;/td&gt;
&lt;/tr&gt;
&lt;/tbody&gt;
&lt;/table&gt;
&lt;p&gt;&lt;em&gt;It's interesting that the experiment does not run on WebView.&lt;/em&gt;&lt;/p&gt;
&lt;h2&gt;Final Thoughts&lt;/h2&gt;
&lt;p&gt;While Chrome's experiment may have reduced the risk of
server and middlebox fingerprinting of Chrome's current ClientHello, it
seems that randomising TLS extensions alone is not enough to
prevent TLS fingerprinting, and may be a useful indicator that
it is The Real Chrome.&lt;/p&gt;</content><category term="Security"></category><category term="TLS Fingerprinting"></category><category term="TLS"></category><category term="Browser Fingerprinting"></category><category term="Fingerprinting"></category><category term="API Security"></category></entry><entry><title>IP Threat Intelligence</title><link href="https://www.peakhour.io/blog/ip-threat-intelligence/" rel="alternate"></link><published>2022-07-15T13:00:00+10:00</published><updated>2022-07-15T13:00:00+10:00</updated><author><name>AC</name></author><id>tag:www.peakhour.io,2022-07-15:/blog/ip-threat-intelligence/</id><summary type="html">&lt;p&gt;Comprehensive guide to IP threat intelligence for modern application security platforms. Learn how managed IP reputation lists and threat intelligence feeds protect applications from known malicious sources and emerging threats.&lt;/p&gt;</summary><content type="html">&lt;p&gt;&lt;a href="/learning/threat-detection/how-to-use-threat-intelligence/"&gt;Threat intelligence&lt;/a&gt; helps organisations make earlier decisions about cyber attacks. One of the
most common forms of threat intelligence in cyber security is &lt;a href="/products/ip-intelligence/"&gt;IP reputation&lt;/a&gt; lists. For example, a given
IP address might have a poor reputation for spam, &lt;a href="/products/ddos-protection/"&gt;ddos attacks&lt;/a&gt;, malware, and several other categories. IP reputation
lists often form a front line of defence in Web Application Firewalls and cyber security solutions.&lt;/p&gt;
&lt;h2&gt;How Peakhour uses IP threat intelligence&lt;/h2&gt;
&lt;p&gt;Peakhour supports threat intelligence across more than 20 categories, including:&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;Active DDoS attacks&lt;/li&gt;
&lt;li&gt;Brute forcing&lt;/li&gt;
&lt;li&gt;Active attackers&lt;/li&gt;
&lt;li&gt;Computers infected with malware&lt;/li&gt;
&lt;li&gt;Anonymous Proxies&lt;/li&gt;
&lt;li&gt;Forum Spammers&lt;/li&gt;
&lt;li&gt;TOR anonymous users&lt;/li&gt;
&lt;li&gt;IPs with poor reputation&lt;/li&gt;
&lt;li&gt;Unroutable and unassigned IPs&lt;/li&gt;
&lt;li&gt;Robots and web scrapers&lt;/li&gt;
&lt;li&gt;Datacenter&lt;/li&gt;
&lt;li&gt;Hosting Providers&lt;/li&gt;
&lt;li&gt;Crawlers&lt;/li&gt;
&lt;li&gt;And more&lt;/li&gt;
&lt;/ul&gt;
&lt;p&gt;Customers have access to all 10 lists, which can be enabled as blocklists or used as part of a custom
firewall rule, rate limiting rule, or page rule. For example, you may want to disallow POSTs from forum spammers, rate
limit proxies, and outright deny traffic from known brute-forcing IPs.&lt;/p&gt;
&lt;div class="text-center" style="padding: 20px 0px"&gt;
&lt;img src="/static/images/blog/spammers-cant-post.jpg" width="100%" alt="Creating a spammer can't post rule"/&gt;
&lt;em&gt;Creating a spammer can't post rule&lt;/em&gt;
&lt;/div&gt;

&lt;h2&gt;How does Peakhour assemble these lists?&lt;/h2&gt;
&lt;p&gt;The IP reputation lists are sourced from third-party sources, including open source intelligence feeds (OSINT),
commercial feeds, community feeds, and our own threat intelligence. IPs are categorised into our pre-defined lists and
made available to the &lt;a href="/docs/firewall/"&gt;WAF&lt;/a&gt; and &lt;a href="/docs/configuration/rules/"&gt;rules&lt;/a&gt;
engine. Each list is re-evaluated and updated based on the data provider's update schedule; some are
updated every minute.&lt;/p&gt;
&lt;p&gt;Internally managed feeds include bot sources that are verified using reverse DNS lookups, PTR record lookups,
and WHOIS verification (such as Facebook IPs). WAF hits across customers are consolidated and made available as
the Active Attacker list, which is updated in near real time. Our Malware and C&amp;amp;C nodes lists are generated from
various partnerships.&lt;/p&gt;
&lt;p&gt;The Anonymous Proxies list contains known open proxies, services that relay traffic without authentication, whilst our
targeted VPN list tracks known third-party VPN services.&lt;/p&gt;
&lt;p&gt;IPs are fed back into our system for re-evaluation to help identify emerging behaviour within our customer data.&lt;/p&gt;
&lt;h2&gt;Data visualisation&lt;/h2&gt;
&lt;p&gt;Requests from IPs that match a blocklist are tagged with the lists they belong to. Firewall events are
enriched with this information, providing visibility into security threats. This context helps you decide how to
handle requests, whether they should be blocked, rate limited or observed.&lt;/p&gt;
&lt;div class="text-center" style="padding: 20px 0px"&gt;
&lt;img src="/static/images/blog/ip-reputation-events.jpg" width="100%" alt="Ip reputation events"/&gt;
&lt;em&gt;Firewall events generated by reputation matches&lt;/em&gt;
&lt;/div&gt;

&lt;p&gt;Blocks generated by our reputation lists can also be viewed in our analytics section.&lt;/p&gt;
&lt;div class="text-center" style="padding: 20px 0px"&gt;
&lt;img src="/static/images/blog/ip-reputation-analytics.jpg" width="100%" alt="Ip reputation events"/&gt;
&lt;em&gt;Firewall events generated by reputation matches&lt;/em&gt;
&lt;/div&gt;

&lt;h2&gt;Future work&lt;/h2&gt;
&lt;p&gt;We are working on additional data sources to further refine and expand our lists. This includes further
segregating our data centre lists and categorising IPs that appear on several lists. We are also introducing
our threat research centre to discover possible threats and enrich data blocked only by our WAF.&lt;/p&gt;
&lt;p&gt;IP threat intelligence adds another layer of security to a cyber defence system. Peakhour sources and
maintains up-to-date threat intelligence, helping our clients better protect themselves against would-be attackers.&lt;/p&gt;
&lt;hr&gt;
&lt;p&gt;&lt;em&gt;See how Peakhour's IP threat intelligence supports the first line of defence for your applications. &lt;a href="/contact-sales/"&gt;Contact our team&lt;/a&gt; to discuss your security requirements.&lt;/em&gt;&lt;/p&gt;</content><category term="Security"></category><category term="Threat Detection"></category><category term="DDoS"></category><category term="Rate Limiting"></category><category term="API Security"></category><category term="Bot Management"></category><category term="Networking"></category></entry><entry><title>CVE-2022-26134</title><link href="https://www.peakhour.io/blog/cve202226134-atlassian-confluence/" rel="alternate"></link><published>2022-06-02T00:00:00+10:00</published><updated>2022-06-02T00:00:00+10:00</updated><author><name>AC</name></author><id>tag:www.peakhour.io,2022-06-02:/blog/cve202226134-atlassian-confluence/</id><summary type="html">&lt;p&gt;Peakhour clients are protected against CVF-2022-26134 Atlassian Confluence RCE&lt;/p&gt;</summary><content type="html">&lt;p&gt;On June 2, 2022, &lt;a href="https://www.volexity.com/blog/2022/06/02/zero-day-exploitation-of-atlassian-confluence/"&gt;Volexity&lt;/a&gt; announced active exploitation of Atlassian Confluence. The issue is a
Remote Code Execution vulnerability via OGNL injection, tracked as &lt;a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-26134"&gt;CVE-2022-26134&lt;/a&gt;, and impacts all
Confluence Server and Data Center versions greater than 1.3.0.&lt;/p&gt;
&lt;p&gt;Atlassian has released its &lt;a href="https://confluence.atlassian.com/doc/confluence-security-advisory-2022-06-02-1130377146.html"&gt;security advisory&lt;/a&gt;
with patches and mitigation instructions.&lt;/p&gt;
&lt;p&gt;Peakhour WAF clients are already protected. Since the vulnerability was announced on June 2nd, we have observed a 200% increase in OGNL-based exploit attempts.&lt;/p&gt;
&lt;p&gt;&lt;em&gt;Peakhour's Web Application Firewall helps protect applications against zero-day exploitation attempts such as CVE-2022-26134. &lt;a href="/contact-sales/"&gt;Contact our team&lt;/a&gt; to secure your applications.&lt;/em&gt;&lt;/p&gt;</content><category term="Security"></category><category term="API Security"></category><category term="DDoS"></category><category term="Rate Limiting"></category><category term="Application Security"></category><category term="Credential Stuffing"></category><category term="Features"></category></entry><entry><title>Intelligent Rate Limiting</title><link href="https://www.peakhour.io/blog/rate-limiting/" rel="alternate"></link><published>2022-05-16T13:00:00+10:00</published><updated>2022-05-16T13:00:00+10:00</updated><author><name>AC</name></author><id>tag:www.peakhour.io,2022-05-16:/blog/rate-limiting/</id><summary type="html">&lt;p&gt;Comprehensive guide to intelligent rate limiting for modern application security platforms. Learn how sophisticated rate limiting protects APIs and web applications from abuse, DDoS attacks, and automated threats whilst maintaining optimal user experience.&lt;/p&gt;</summary><content type="html">&lt;p&gt;Rate limits protect web applications from clients making excessive requests. Peakhour.IO supports rate limits
with flexible controls for selecting which clients are limited and which type of limit applies.&lt;/p&gt;
&lt;h1&gt;What kinds of attacks are stopped by rate limiting&lt;/h1&gt;
&lt;p&gt;When an application is protected with rate limiting, the main attack patterns are:&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;Brute force and enumeration attacks&lt;/li&gt;
&lt;li&gt;Denial of Service (DoS) and Distributed Denial of Service (DDoS)&lt;/li&gt;
&lt;li&gt;Site scraping&lt;/li&gt;
&lt;li&gt;Vulnerability scanners&lt;/li&gt;
&lt;/ul&gt;
&lt;h2&gt;What else can rate limiting protect&lt;/h2&gt;
&lt;p&gt;Public APIs and authenticated APIs can be abused or misused. Sensible rate limit policies on these endpoints can
reduce attack traffic and help maintain service availability. Rate limiting can protect:&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;APIs&lt;/li&gt;
&lt;li&gt;Overzealous 'good bots'&lt;/li&gt;
&lt;/ul&gt;
&lt;h1&gt;How does it work?&lt;/h1&gt;
&lt;p&gt;Rate limiting focuses on a connecting client and their IP address. The following measures can be used to track
client requests for rate limiting:&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;Concurrent connections&lt;/li&gt;
&lt;li&gt;Connections per interval&lt;/li&gt;
&lt;li&gt;Hits per interval&lt;/li&gt;
&lt;li&gt;HTTP 4xx responses per interval&lt;/li&gt;
&lt;li&gt;HTTP 5xx responses per interval&lt;/li&gt;
&lt;li&gt;Custom criteria&lt;/li&gt;
&lt;/ul&gt;
&lt;h2&gt;How granular can rate limiting be?&lt;/h2&gt;
&lt;p&gt;Using wirefilter rules, rate limiting can identify clients from both the HTTP request and response, allowing
rate limits to be separated by endpoint or behaviour. For example, the URL /api can be rate limited separately from
the /login endpoint. Rate limits can also be set on response codes; for example, the endpoint /search can be
protected from scraping by rate limiting clients with excessive 4xx response codes.&lt;/p&gt;
&lt;h2&gt;What types of criteria can be used to define rate limits?&lt;/h2&gt;
&lt;p&gt;Rate limits can include any information defined in an HTTP request and response, including:&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;IP address&lt;/li&gt;
&lt;li&gt;URL&lt;/li&gt;
&lt;li&gt;Query string&lt;/li&gt;
&lt;li&gt;Headers&lt;/li&gt;
&lt;li&gt;Response codes&lt;/li&gt;
&lt;li&gt;GeoIP information such as ASN or country code&lt;/li&gt;
&lt;li&gt;Parsed user agent information allowing different rules for search engines vs generic 'bots'&lt;/li&gt;
&lt;li&gt;Metadata we make available from our BOT protection service&lt;/li&gt;
&lt;/ul&gt;
&lt;h2&gt;Defining your rate limits&lt;/h2&gt;
&lt;p&gt;Picking sensible rate limits is difficult without adequate analytics on how the web application is typically used.
The Peakhour dashboard includes rate-based analytics to help with setup.&lt;/p&gt;
&lt;p&gt;&lt;img src="/static/images/blog/client-access-rates.png" class="img-responsive"/&gt;&lt;/p&gt;
&lt;hr&gt;
&lt;p&gt;&lt;em&gt;Peakhour's Application Security Platform combines high-performance delivery and cache capabilities with security controls for applications and APIs. It maintains caching performance while applying advanced threat protection. &lt;a href="/contact-sales/"&gt;Contact our team&lt;/a&gt; to discuss how rate limiting can improve application performance and security posture.&lt;/em&gt;&lt;/p&gt;</content><category term="DDoS"></category><category term="Rate Limiting"></category><category term="DDoS"></category><category term="API Security"></category><category term="Bot Management"></category><category term="Application Security"></category><category term="Threat Detection"></category></entry><entry><title>Rate limiting</title><link href="https://www.peakhour.io/blog/rate-limiting-how-it-works/" rel="alternate"></link><published>2022-05-16T13:00:00+10:00</published><updated>2022-05-16T13:00:00+10:00</updated><author><name>AC</name></author><id>tag:www.peakhour.io,2022-05-16:/blog/rate-limiting-how-it-works/</id><summary type="html">&lt;p&gt;How can rate limiting protect your web application and the key items to consider when enabling.&lt;/p&gt;</summary><content type="html">&lt;p&gt;Rate limits are a useful control for protecting a web application from abuse. When setting them for a web application,
the key elements to consider are:&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;What endpoints on the web application require protecting?&lt;/li&gt;
&lt;li&gt;Do different endpoints require separate handling?&lt;/li&gt;
&lt;li&gt;What is the normal request rate for the entire application over a time period?&lt;/li&gt;
&lt;li&gt;How many concurrent connections are typically used by your clients?&lt;/li&gt;
&lt;li&gt;What errors does your API endpoint return in response to requests?&lt;/li&gt;
&lt;/ul&gt;
&lt;p&gt;Before setting those policies, it helps to understand how rate limits protect an application from abuse
or misuse, the types of attacks they can reduce, and how the &lt;a href="/learning/api-protection/what-is-api-rate-limiting/"&gt;rate limiting&lt;/a&gt; algorithm makes
decisions.&lt;/p&gt;
&lt;h1&gt;What kinds of attacks are stopped by rate limiting?&lt;/h1&gt;
&lt;p&gt;When protecting an application with rate limiting, common attack scenarios include:&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;Brute force and enumeration attacks&lt;/li&gt;
&lt;li&gt;Denial of Service (DoS) and Distributed Denial of Service (DDoS)&lt;/li&gt;
&lt;li&gt;Site scraping&lt;/li&gt;
&lt;/ul&gt;
&lt;h2&gt;What else can rate limiting protect?&lt;/h2&gt;
&lt;p&gt;Public APIs and authenticated APIs can be subject to both abuse and misuse. Sensible rate limit policies can be applied
on these endpoints to help prevent attacks and maintain service availability. Rate limiting can help protect these endpoints.&lt;/p&gt;
&lt;h1&gt;How does rate limiting work with user logins?&lt;/h1&gt;
&lt;p&gt;A well designed web application should allow only a limited number of failed login attempts
before locking an account and requiring a password reset. This is designed to protect against
&lt;a href="/learning/security/brute-force/"&gt;brute force&lt;/a&gt; attacks against an account. Bots commonly attempt to brute force logins to
WordPress and other popular web applications. Determined attackers can also attempt to brute
force API login endpoints.&lt;/p&gt;
&lt;p&gt;Rate limiting on a login page can be applied to the IP address of a user attempting to log in.
By rate limiting by IP address, you can limit both password brute force attacks and simpler
username enumeration attempts.&lt;/p&gt;
&lt;p&gt;Using Peakhour.IO rate limiting, responses to requests can be monitored and IPs blocked
for administrator-defined periods. This saves origin server resources and stops repeated
attempts before they reach the application.&lt;/p&gt;
&lt;h1&gt;How could API rate limiting work?&lt;/h1&gt;
&lt;p&gt;APIs are ubiquitous across the modern web. Single Page Applications (SPAs) can be built almost
entirely on REST or GraphQL APIs, while legacy applications often use form submits. Even when
browsing this blog, you have consumed a range of APIs.&lt;/p&gt;
&lt;p&gt;Because APIs are often publicly available, rate limits are commonly used to reduce abuse. &lt;a href="/blog/introducing-advanced-rate-limiting/"&gt;Rate limiting for APIs&lt;/a&gt;
can protect against malicious attacks. An attacker could script a bot to perform many API calls and make the service
unavailable for other users, causing unplanned downtime - a layer 7 DoS or DDoS attack.&lt;/p&gt;
&lt;h3&gt;APIs&lt;/h3&gt;
&lt;p&gt;Public and private APIs can be subject to abuse or misuse. Public APIs are discoverable by anyone and can
be scripted for data mining or attacks. Rate limiting these endpoints
based on fair use policies is commonplace. Keeping track of this within an endpoint can be expensive, so handling
it through Peakhour can offload that work from developers.&lt;/p&gt;
&lt;h3&gt;Overzealous 'good bots'&lt;/h3&gt;
&lt;p&gt;Peakhour has seen websites where up to 65% of requests come from automated bots. These bots are typically indiscriminate
when mining information, and they do not carry the operational cost when your site slows down or fails. Rate limiting good
bots separately from your main users helps ensure these crawlers do not stop your site from generating revenue.&lt;/p&gt;
&lt;h1&gt;How is rate limiting implemented?&lt;/h1&gt;
&lt;p&gt;Rate limiting is typically implemented using several common methods:&lt;/p&gt;
&lt;h2&gt;Fixed window&lt;/h2&gt;
&lt;p&gt;Window-based rate limiting is the simplest to understand. Fixed window limits are easy to
define, such as 5,000 requests per 60 minutes. Fixed window rate limiting is subject to
spikes at the edges of the window. For example, 5,000 requests in the first 5 minutes
of the window may overwhelm a service.&lt;/p&gt;
&lt;h2&gt;Sliding window&lt;/h2&gt;
&lt;p&gt;A sliding window keeps much of the simplicity of a fixed window, but
uses a rolling window. This allows bursts to be smoothed.&lt;/p&gt;
&lt;h2&gt;Token bucket&lt;/h2&gt;
&lt;p&gt;A token bucket is an algorithm where tokens are placed into a fixed-capacity bucket. Tokens could be defined as bytes transferred
or hits to an API. When a request is considered for rate limiting, tokens are removed from the bucket. If the bucket has a
sufficient quantity of tokens, the request can proceed. If there are insufficient tokens, the request is considered to be
non-conforming. Non-conforming requests are dropped.&lt;/p&gt;
&lt;h2&gt;Leaky bucket&lt;/h2&gt;
&lt;p&gt;Leaky buckets are a mirror image of token buckets. Instead of removing tokens from a bucket, tokens are added to a bucket.
Tokens are removed from the bucket (leaks) at a fixed rate. When a request is considered for rate limiting, it is compared
to the number of tokens in the bucket. If the bucket is full, the request is considered non-conforming and is dropped.&lt;/p&gt;
&lt;p&gt;If rate limiting is something you need to do to protect and secure your website,
reach out to see how we can help.&lt;/p&gt;
&lt;hr&gt;
&lt;p&gt;&lt;em&gt;Learn how Peakhour's Application Security Platform can improve your application's performance and security. &lt;a href="/contact-sales/"&gt;Contact our team&lt;/a&gt; to get started.&lt;/em&gt;&lt;/p&gt;</content><category term="DDoS"></category><category term="Rate Limiting"></category><category term="API Security"></category><category term="DDoS"></category><category term="Application Security"></category><category term="Web Performance"></category><category term="Bot Management"></category></entry><entry><title>Why Manage Bots?</title><link href="https://www.peakhour.io/blog/bad-bot-countermeasures/" rel="alternate"></link><published>2020-11-30T13:00:00+11:00</published><updated>2020-11-30T13:00:00+11:00</updated><author><name>AC</name></author><id>tag:www.peakhour.io,2020-11-30:/blog/bad-bot-countermeasures/</id><summary type="html">&lt;p&gt;Comprehensive guide to enterprise bot management and advanced countermeasures for protecting applications against sophisticated malicious bot threats. Learn proven strategies for bot detection, mitigation, and automated defence systems.&lt;/p&gt;</summary><content type="html">&lt;p&gt;Modern &lt;a href="/blog/when-good-bots-break-bad/" target="threats"&gt;sophisticated bad bots&lt;/a&gt; often work around traditional
security controls. They disrupt websites,
mobile applications, and APIs. Malicious bot tactics include scraping user and pricing data, creating fake accounts,
running advertising click fraud, exhausting online inventories, and taking websites offline with automated
DDoS attacks.&lt;/p&gt;
&lt;p&gt;About one-quarter of all website traffic in 2019 originated from &lt;a href="/blog/when-good-bots-break-bad/"&gt;bad bots&lt;/a&gt;, an
increase of 18 percent over 2018.
Advanced persistent bots (APBs) made up seventy-five percent of that bad bot traffic as they attempted to evade
detection by cycling through random IP addresses, using
anonymous/residential proxies, and changing their
identities &lt;em&gt;(user agent)&lt;/em&gt;.
The industries hit hardest by bad bots in 2019 included financial services, education, ecommerce, and
government as well as media and airlines.&lt;/p&gt;
&lt;p&gt;&lt;em&gt;“Bot attack campaigns have become big business for threat actors, and major organizations are now fighting to
support legitimate users and prospects while keeping attackers out of online applications and services,”&lt;/em&gt;
says Paula Musich, Research Director, Enterprise Management Associates.&lt;/p&gt;
&lt;p&gt;Bots have moved from simple scripts to distributed networks of automated agents that
can mimic human interactions with &lt;a href="/learning/threat-detection/what-is-ml-security/"&gt;machine learning&lt;/a&gt; techniques. They can avoid detection by network security
technologies that have not kept pace with the way automated agents now operate.&lt;/p&gt;
&lt;p&gt;Reducing the damage from bad bots means using security countermeasures that detect automated traffic and make attacks
uneconomic, not just visible.&lt;/p&gt;
&lt;h2&gt;Bot Countermeasure Best Practices:&lt;/h2&gt;
&lt;p&gt;The following bad bot countermeasure practices cover network security, machine learning, and behavioural
analysis. The aim is to reduce the economic harm that malicious bots inflict on businesses and end-users.&lt;/p&gt;
&lt;h3&gt;Web Application Firewalls&lt;/h3&gt;
&lt;p&gt;&lt;a href="//web-application-firewall/"&gt;Web Application Firewalls (WAF)&lt;/a&gt; are a common first line of defence that
filter out harmful &lt;a href="/learning/security/layer-7-ddos"&gt;Layer 7 &lt;/a&gt;
web application (HTTP) traffic using rules or policies that protect organisations against Distributed Denial
of Service (DDoS) &lt;a href="/learning/bots/bot-management/"&gt;bot attacks&lt;/a&gt;. WAFs also protect against cross-site forgery, cross-site-scripting (XSS), file
inclusion, and &lt;a href="/products/waf/"&gt;SQL injection&lt;/a&gt; attacks. A WAF is considered a reverse proxy that protects servers and can be
deployed as an appliance, server plug‑in, or filter, and customised by application type or use case.
WAF rules can be updated or changed based on the type of bot attack.&lt;/p&gt;
&lt;h3&gt;IP Tracking and Reputation&lt;/h3&gt;
&lt;p&gt;Sophisticated bots can be detected with network forensics by inspecting web traffic and
assessing whether requests come from actual users or bad bots. Requests can be analysed using data sources
including Tor/proxy IPs, &lt;a href="/learning/web-concepts/what-is-an-ip-address/"&gt;IP addresses&lt;/a&gt;, IP geo-location information, ISP information, and IP owners. Additional
sources for real-time and near-time malicious IP threat data can come from network data,
CERTs, MITRE and cooperating competitors.&lt;/p&gt;
&lt;h3&gt;Client/Device Fingerprinting&lt;/h3&gt;
&lt;p&gt;Fingerprinting attempts to identify devices, including PCs, Internet of Things (IoT) devices, mobile devices and servers,
using data attributes that create real-time risk profiles to stop bot attacks. Using web page access data,
a &lt;a href="/blog/tls-fingerprinting/"&gt;bot detection fingerprinting&lt;/a&gt;
engine generates unique fingerprints for each end-user device and checks them against bad bots
that use evasion techniques, including dynamic IP addresses and anonymous web proxies.&lt;/p&gt;
&lt;h3&gt;Machine Learning&lt;/h3&gt;
&lt;p&gt;Artificial Intelligence (AI) and machine learning algorithms are increasingly used to analyse malicious bot activity and make
mitigation recommendations using data from sources such as user activity history, behavioural
patterns and meta-data. Machine learning can use
custom-tailored algorithms to target bots and iteratively process user data and identities to
discern emerging bot attack patterns from very large amounts of real-time information.&lt;/p&gt;
&lt;h3&gt;Tarpitting&lt;/h3&gt;
&lt;p&gt;Tarpitting is a bot countermeasure that delays and slows down incoming malicious traffic from suspect connections.
The technique is used to increase the financial and resource costs of bot attacks in an attempt to discourage malicious actors.
Bad bot tar pits can delay bot request responses or take the bad bot IP address attack source offline completely.
Innovative tarpitting techniques include requiring bad bots to solve computationally complex maths challenges
to access resources or websites, thereby slowing down or stopping bot activity.&lt;/p&gt;
&lt;h3&gt;User Behavior Analysis&lt;/h3&gt;
&lt;p&gt;User interaction behaviour and identifying characteristics on a web page or mobile app differ from the
behaviour of an automated malicious bot. Factors such as number of pages visited per session, time spent on each web
page or within a mobile app and repeat visit frequency all help differentiate authentic users from bad bots.
Defeating bad bots using Behavior Analysis involves creating a user model for individual sites with historical
visitor data, then checking for anomalies that may indicate bad bot activity.&lt;/p&gt;
&lt;h3&gt;Intent-based Deep Behavior Analysis (IDBA)&lt;/h3&gt;
&lt;p&gt;Compared with Behavior Analysis, Intent-based Deep Behavior Analysis (IDBA)
conducts behavioural analysis at the user intent level rather than the commonly used interaction-based behaviour analysis.
IDBA consists of intent encoding, intent analysis, and adaptive learning. It also employs machine learning
techniques to detect bad bots emulating on-site human behaviour interactions. Bad bot mitigation techniques include
limiting attempts on login pages, web authentication pages and API call authentication pages.&lt;/p&gt;
&lt;h3&gt;Rate Limiting&lt;/h3&gt;
&lt;p&gt;Rate Limiting mitigates bad bots and DDoS attacks by restricting the amount of incoming traffic accepted by
specific applications and API endpoints using pre-defined bandwidth limitation policies. Web applications,
GET versus POST requests, APIs that receive queries, and login credentials can all be blocked if clients,
IP addresses or IP and user-agent pairs violate Rate Limiting rules. Intellectual property scraping can also be protected
by Rate Limiting policies that restrict repeated image or digital downloads.&lt;/p&gt;
&lt;h3&gt;Javascript Injection&lt;/h3&gt;
&lt;p&gt;JavaScript Injection techniques can help mitigate bad bot attacks in several ways. Scripts can be placed into
web applications that “fingerprint” a user’s browser to distinguish humans versus bad bots emulating “human-like”
mouse movements, keystrokes or clicks. Fingerprinting detection may also involve user agent identification,
HTML5 canvas and audio fingerprinting, and protocol-level fingerprinting with TLS and HTTP2. JavaScript
combined with browser cookies can also be used to identify anomalous behaviour from unwanted traffic or bad bots
trending over time.&lt;/p&gt;
&lt;h3&gt;ANYCast DDoS Mitigation&lt;/h3&gt;
&lt;p&gt;Anycast is an IP addressing method that routes incoming traffic requests to the nearest location or
“node.” Using ANYCast for selective routing enables network load resilience against DDoS attacks by routing
high traffic across multiple servers and data centres. This prevents network resources from becoming
overwhelmed with malicious or irrelevant traffic.&lt;/p&gt;
&lt;h3&gt;Alternative Content Serving&lt;/h3&gt;
&lt;p&gt;Serving Alternate and Cached Content when a bad bot is detected gives organisations a way to
mislead bots without blocking them altogether. For instance, e-commerce sites may fool price scraping bots by
serving alternative web pages that look like legitimate pages but with higher prices. Serving Cached Content when
a bot is detected also minimises load on servers without affecting site performance.&lt;/p&gt;
&lt;h3&gt;Challenges&lt;/h3&gt;
&lt;p&gt;Requests from suspected bots can be redirected to Challenges or puzzles such as a CAPTCHA, also known as a
Completely Automated Public Turing test, to help identify a bad bot versus a human. Online puzzles,
such as letter matching, are easy for humans to solve but difficult for automated bots. reCAPTCHA, offered
free from Google, is an advanced version of CAPTCHA puzzles that require users to identify text from real-world images
such as street address signs, printed books or text from paper newspapers.&lt;/p&gt;
&lt;h2&gt;Final Thoughts&lt;/h2&gt;
&lt;p&gt;Bad bots hijack user accounts, create fake accounts, scrape websites for data and personal information, flood
websites with traffic through automated distributed &lt;a href="/products/ddos-protection/"&gt;denial of service&lt;/a&gt; attacks and attack public-facing APIs using constantly
changing techniques. They hide behind dynamic IP addresses, change their attack signatures, mimic
human behaviours, and take over vast networks of hosts and IoT devices, creating zombie machines that distribute
malware across the internet. Countermeasures ranging from Web Application Firewalls to
sophisticated Machine Learning algorithms form an organisation's primary line of defence against bad bots.&lt;/p&gt;</content><category term="Bots"></category><category term="Bot Management"></category><category term="DDoS"></category><category term="API Security"></category><category term="Threat Detection"></category><category term="Residential Proxies"></category><category term="Credential Stuffing"></category></entry><entry><title>Malicious Bot Threats</title><link href="https://www.peakhour.io/blog/malicious-bot-threats-enterprise-application-security/" rel="alternate"></link><published>2020-08-12T13:00:00+10:00</published><updated>2020-08-12T13:00:00+10:00</updated><author><name>AC</name></author><id>tag:www.peakhour.io,2020-08-12:/blog/malicious-bot-threats-enterprise-application-security/</id><summary type="html">&lt;p&gt;Comprehensive analysis of malicious bot threats targeting modern applications and APIs. Learn how enterprise bot management protects against automated attacks, credential stuffing, price scraping, and sophisticated bot-driven financial damage.&lt;/p&gt;</summary><content type="html">&lt;p&gt;Bots are software applications that automate repetitive tasks without human interaction. They have become part of the
normal infrastructure of the internet. Some bots are useful; others are &lt;a href="/learning/bots/bot-management/"&gt;bad bots&lt;/a&gt;. The
latter are the concern for application and security teams.&lt;/p&gt;
&lt;p&gt;Bad bots keep changing and are increasingly difficult to detect. They can cause significant financial damage to
organisations by disrupting online operations, overwhelming websites with traffic, and stealing information such as web
content and ecommerce pricing data.&lt;/p&gt;
&lt;h2&gt;&lt;i class="fas fa-robot text-primary"&gt;&lt;/i&gt; Bad Bot Types &lt;i class="fas fa-robot text-primary"&gt;&lt;/i&gt;&lt;/h2&gt;
&lt;p&gt;Bad bots span a wide range of attack capabilities and scenarios. The following are the main categories these attacks
fall into:&lt;/p&gt;
&lt;h4&gt;&lt;i class="fas fa-mail-bulk text-primary"&gt;&lt;/i&gt; Spam Bots&lt;/h4&gt;
&lt;p&gt;Spam bots typically target blog comment sections, community portals and lead generation forms with 'garbage' or fake
content. They can also insert unwanted ads, malicious phishing links and banners into real-time conversations to disrupt
the service and attack users.&lt;/p&gt;
&lt;h4&gt;&lt;i class="fas fa-search text-primary"&gt;&lt;/i&gt; &amp;nbsp;Scraping Bots&lt;/h4&gt;
&lt;p&gt;Price, content and inventory scraping bots steal prices and product listings. This can damage an ecommerce site's
revenue stream and harm SEO rankings when duplicate content appears on competitor and bogus sites. These bots also
scrape product reviews, news, product catalogues and user-generated content. Scraper bots can harvest email addresses,
images and text from victim websites, then repurpose that material to pose as legitimate web pages.&lt;/p&gt;
&lt;h4&gt;&lt;i class="fas fa-passport text-primary"&gt;&lt;/i&gt; &amp;nbsp;Credential Stuffing Bots&lt;/h4&gt;
&lt;p&gt;Credential Stuffing Bots attempt to use login details from other sites, or run brute force guessing attacks against
customer and admin accounts. If successful, they can make purchases, harvest personal information and purchase
histories, make unauthorised cryptocurrency transactions, and transfer reward points and money to gift cards and air
miles.&lt;/p&gt;
&lt;h4&gt;&lt;i class="fas fa-ad text-primary"&gt;&lt;/i&gt; &amp;nbsp;Ad Click Fraud Bots&lt;/h4&gt;
&lt;p&gt;Ad Click Fraud Bots can sabotage competitors by clicking on their ads to drive costs up and exhaust budget caps. They
can also be used to scam advertisers with fake websites and ad clicks that pay the fraudster directly. In both
scenarios, bots automatically generate interactions or 'clicks' with ads, promotions and media.&lt;/p&gt;
&lt;h4&gt;&lt;i class="fas fa-credit-card text-primary"&gt;&lt;/i&gt; &amp;nbsp;Credit Card Stuffing Bots&lt;/h4&gt;
&lt;p&gt;Carding bots make repeated attempts to authorise stolen credit card credentials. This can leave merchant payment
processors with chargebacks and penalties, and may ultimately result in the victim merchant being prevented from
accepting credit cards altogether.&lt;/p&gt;
&lt;h4&gt;&lt;i class="fas fa-boxes text-primary"&gt;&lt;/i&gt; &amp;nbsp;Inventory Denial Bots&lt;/h4&gt;
&lt;p&gt;Cart Abandonment and Inventory Exhaustion bots automatically add hundreds of products to ecommerce shopping carts, then
abandon them. This can block consumers from buying products, reduce sales, manipulate conversion rates and damage a
brand’s reputation.&lt;/p&gt;
&lt;h4&gt;&lt;i class="fas fa-network-wired text-primary"&gt;&lt;/i&gt; &amp;nbsp;DDoS Bots and Botnets&lt;/h4&gt;
&lt;p&gt;&lt;a href="/ddos-protection/"&gt;Distributed Denial of Service (DDoS)&lt;/a&gt; attack bots and botnets are made up of thousands of compromised computers or
Internet of Things (IoT) devices called "zombies". They can slow down a website or take it offline completely by
flooding sites with massive amounts of artificially generated traffic. Researchers have found cybercriminals advertising
DDoS services on the dark web with basic fees to attack unprotected sites ranging from $50 to $100, while an attack on
a protected site can reach $400 or more.&lt;/p&gt;
&lt;h4&gt;&lt;i class="fas fa-ticket-alt text-primary"&gt;&lt;/i&gt; &amp;nbsp;Ticket Scalping Bots&lt;/h4&gt;
&lt;p&gt;Ticket scalping bots automatically buy tickets, enabling malicious users to resell them at a higher price. Examples
include using a bot to purchase concert tickets for major events the minute they go on sale.&lt;/p&gt;
&lt;h4&gt;&lt;i class="fas fa-user text-primary"&gt;&lt;/i&gt; &amp;nbsp;Fake Account Creation Bots&lt;/h4&gt;
&lt;p&gt;Fake Account Creation bots create fake accounts for criminal activities such as content spam, cryptocurrency laundering
and malware distribution. Fake accounts can compromise brands and attack users with malware such as ransomware.&lt;/p&gt;
&lt;h4&gt;&lt;i class="fas fa-user-secret text-primary"&gt;&lt;/i&gt; &amp;nbsp;Hacker Bots&lt;/h4&gt;
&lt;p&gt;Hacker bots can distribute malware, attack websites and compromise entire networks by exploiting security
vulnerabilities and injecting code into victim sites. Hacker bots can also perform &lt;a href="/products/ddos-protection/"&gt;DDoS attacks&lt;/a&gt; across web proxies
with browser-like signatures to disrupt business operations.&lt;/p&gt;
&lt;h4&gt;&lt;i class="fas fa-grin-alt text-primary"&gt;&lt;/i&gt; &amp;nbsp;Impersonator Bots&lt;/h4&gt;
&lt;p&gt;Impersonator bots copy human computer interactions and behaviours to fool users and bot mitigation defences while they
conduct malicious activity. Impersonator bots also include propaganda bots that influence political opinions on
platforms such as Facebook and Twitter. According to researchers at the University of Southern California who studied
bot use during the 2016 U.S. Presidential election, “the presence of social media bots can indeed negatively affect
democratic political discussion rather than improving it, which in turn can potentially alter public opinion.”&lt;/p&gt;
&lt;h2&gt;The Growing Threat&lt;/h2&gt;
&lt;p&gt;A report from Imperva found that roughly one-quarter of all website traffic in 2019 originated from bad bots, an
increase of 18% over 2018. 75% of that bad bot traffic is made up by Advanced persistent bots (APBs) that attempt to
evade detection by cycling through random IP addresses, using anonymous proxies, and changing their identities. The
industries hardest hit by bad bots in 2019 included financial services, education, ecommerce and government, as well as
media and airlines.&lt;/p&gt;
&lt;p&gt;Companies offering "Bad Bots as-a-Service"* are also gaining ground. These data scraping services sell bots as
easy-to-use packaged products that provide pricing and competitive intelligence, alternative data for finance, or
competitive insights managed by Web Data Extraction Specialists and Data Scraping Specialists.&lt;/p&gt;
&lt;p&gt;Malicious bot-for-hire services also offer personal and financial data harvesting, brute-force login services, ad click
fraud, spamming services, transaction fraud services, and Distributed Denial of Service (DDoS) attacks.&lt;/p&gt;
&lt;h2&gt;Final Thoughts&lt;/h2&gt;
&lt;p&gt;Bad bot activity continues to increase, so websites need security controls that can identify and stop them. Our next
article on bots will go over the common countermeasures used to combat bad bots.&lt;/p&gt;</content><category term="Bots"></category><category term="Bot Management"></category><category term="Credential Stuffing"></category><category term="API Security"></category><category term="Account Protection"></category><category term="Residential Proxies"></category><category term="Fraud Prevention"></category></entry></feed>