Even if you don't experience a breach, the costs of automated attacks may be higher than you think.
We know that just about half of the traffic on the Internet today is generated by bots. Some good, mostly bad. Operational efficiencies from automation and machine learning are being weaponized to perform reconnaissance probes and attacks alike.
Aside from the security threat - with is existential and no doubt the reason we see a significant percentage of organizations deploying bot defense services - there is a real economic impact to all this undesirable traffic. I've mocked up a couple of models to illustrate the impact.
First is the additional burden on the application / server. Apps only have so much connection capacity, and both bots and legitimate users require one. If bots are consuming connections, that means legitimate users aren't. More resources are necessary to ensure paying customers are able to access the site/application.
Based on the accepted composition of traffic - 50% or more is generated by bots - one can assume that bots are matching legitimate users on a one for one basis. If there are two requests, one is legitimate and one is a bot. Based on that assumption, we can extend it to mean that for every server instance required to respond to legitimate requests, we also need one to respond to bot requests.
Which basically means you're paying twice as much as you need to for server instances because of bots. If you typically needed 5 instances to service legitimate requests, that'd be about $1401.60 per year. Now double that to deal with bots, and now you're paying $2803.20 per year.
But wait, there's more!
Cloud's disruptive business model didn't stop by introducing us to utility billing and subscriptions. It also introduced the pay for what you use in terms of services. A la carte choices are made today from a buffet of options ranging from database to messaging to storage to load balancing.
But some services come regardless of whether you chose them or not. Outbound bandwidth - network usage - is one of those costs no one likes to discuss. But it is a cost, and it's as significantly impacted by the weaponization of bots as are computing resources.
According to HTTP archive, the average size of a page today is 1288kb. Chunky. The going price for bandwidth is about twelve (12) cents per GB. I modeled this conservatively, starting with a mere ten (10) visitors per day and ramping up by a factor of ten. The model assumes that 50% of the visitors are bots. At 10 visitors today we're only talking the difference between $1.09 (without bots) and $2.19 (with bots) annually. Ramp that up to 10,000 visitors per day and now you're looking at an annual cost of $1096.66 without bots and $2193.32 with bots.
Again, you're likely paying twice as much per annum because you're supporting bots. On its own, these may not look that bad. After all, you're only paying about $2K annually for bandwidth. That's a bargain considering the going rate of a T1.
Let's look at the costs together.
The economic impact of bots is starting to add up - especially since we're looking at fairly small visitors per day with limited interaction. An API-based app with greater frequency of interaction will dramatically increase these costs - and with it, the cost of treating bots with equal value to human consumers.
Consider, too, that we've only scratched the surface of what it costs to keep an app secure and speedy in the cloud. Add in CDN and load balancing services plus a WAF to stop weaponized bots from actually doing any damage and your bill is going to balloon rather dramatically.
Rackspace has a fairly simple but excellent "cloud cost" calculator that includes virtual servers, load balancers, databases, and several add-ons like storage, backup, and monitoring. All that in addition to bandwidth. It's a great tool for getting an idea of how much your cloud presence will cost you. Don't forget to double your estimate to take into consideration those weaponized bots.
Now, you might think you can avoid the economic impact by staying in the data center. Au contraire. While it might not be as obvious, you're still paying for compute and bandwidth and all the requisite services to speed and secure that app. Additionally, you're likely to have overhead required to operate the services and maintain the network and storage arrays. And because we should be thorough and honest about data center costs, I'm sure if I dig around, I can find the cost of bots on-premises in terms of kilowatt hours consumed. Cause if they're using compute, they're using power, and power costs money.
I encourage you to dive a bit deeper into your logs and do some analysis to determine what percentage of your overall traffic is, in fact, unsolicited attention from bots. And then start doing some math to figure out how much you're actually paying for it.
Because make no mistake, you are paying for that undesirable traffic in many ways - compute costs, bandwidth costs, services costs, and operational overhead. It makes sense to reduce that as much as possible by taking advantage of bot defense and web application firewalls. Both can reduce the cost of doing business in a digital economy by decreasing the amount of traffic from uninvited bots.