Protecting an Airline from Bad Bots: A Case Study
This APAC airline provides low cost domestic and international flights with hubs throughout the Pacific. Based on number of passengers flown domestically and internationally, it has become one of the largest regional airlines in APAC.
Due to its recent success, the airline’s web platform and mobile APIs have become the target of cyberattacks from competitors. Their customer portal has experienced attacks including low and slow attacks, malicious behavior and bad bot signatures. Competitors would scrape prices on a periodic basis and hijack reservation inventory, reducing availability for legitimate customers. Hijacking attacks increased seat bookings with no corresponding reservation payments.
In order for the airline to advertise available flights on travel booking sites, it subscribes to a global distribution system (GDS) that charges a fee per search. The airline was being charged for false bot-initiated GDS searches, resulting in revenue loss. Distributed bot attacks impacted the portal response when real customers tried to make a ticket purchase, causing a poor user experience. The airline needed to stop the competition from impacting their business and revenue.
The airline was using Oracle’s Dyn Web Application Security suite for application and bot protection. The WAF was approaching end of service and needed to be replaced. The Oracle bot management service used rate limiting and other basic mitigation techniques which could not defend the airline against advanced, human-like bot attacks they were experiencing. Bots were using rotating IP addresses to strike the airline’s website, making it difficult to block these attacks using traditional mitigation practices. Because the Oracle solution did not have behavioral-based capabilities, the airline’s mobile APIs and website were not sufficiently protected.
The APAC airline is a customer of Limelight Networks, a CDN service provider. When Limelight discovered the airline’s predicament, they recommended Radware’s Cloud WAF Service and Bot Manager. After a successful proof of concept, the airline purchased both services. Bot Manager detected and mitigated price scraping, account takeover, ticket scalping and payment fraud attacks against alternating IP addresses in the following months. During one extended attacked, Radware Bot Manager reduced the number of bot hits from 21 million to zero within a two-week timeframe.
Radware’s Bot Manager and Cloud WAF Service protect the airline’s website and mobile APIs so the company can keep inventory free for legitimate customers and provide a better online experience. Lastly, the airline is leveraging these solutions to also protect its website from compromised mobile apps on Android and iOS smartphones.