Bots Are Fast, Humans Are Smarter—Eliminate Unwanted Traffic and Defend Against DDoS

Wednesday, 30 August, 2017 - 15:4016:10

Felix Glaser, Shopify


In a world with ever-growing DDoS attacks, L7 attacks give even the most experienced engineers the sweats. Imagine if instead of following easy to detect patterns, bots could mimic the behaviour of customers. Well, that’s exactly what Shopify sees every day during flash sales.

Come and learn how we block nearly all bot traffic on our load balancers without any human intervention. We will share our challenges of differentiating between web crawlers and bots, users behind NATs and bots rotating user agents, as well as fast humans and browser extensions. When the stakes are blocking a customer completing a checkout, misclassification isn’t an option.

This is not yet another machine learning talk, but an example of how simple statistics, heuristics and some sane limits can give great results with minimal complexity. The lessons learned in this talk are applicable to any real-world problem with inexact constraints.

Felix Glaser, Shopify

Felix is a Production Engineer at Shopify where he thinks about how to keep its platform (and merchants!) safe. When he isn’t writing code he likes to climb, cycle and camp in the Rockies in Canada.

Open Access Media

USENIX is committed to Open Access to the research presented at our events. Papers and proceedings are freely available to everyone once the event begins. Any video, audio, and/or slides that are posted after the event are also free and open to everyone. Support USENIX and our commitment to Open Access.

@conference {205492,
author = {Felix Glaser},
title = {Bots Are Fast, Humans Are {Smarter{\textemdash}Eliminate} Unwanted Traffic and Defend Against {DDoS}},
year = {2017},
address = {Dublin},
publisher = {USENIX Association},
month = aug