So it's not surprising when a report pops up noting that the IP-shifting habits of bad bots make it difficult to identify and block them, particularly those bots that have attached themselves to a mobile device.

Using IP addresses as the basis for identifying anything - devices, bots, users - is lazy. It's the simplest piece of data to extract, yes, but it's also the least trustworthy.

This is not new. The information security industry has been preaching for several years now that traditional, signature-based techniques are not going to protect us any more. That's because they're based on the premise that bad actors are recognizable; that we know what they look like. While that's true, it's only true for yesterday's attacks. It doesn't really help us with tomorrow's attack, because we have no idea what that's going to look like.

Combined with the increased use of end-to-end encryption by everything - including malware - traditional security options are left guessing as to whether any given interaction is legitimate or malicious. Rendered blind by encryption, signature-based solutions become little more than bumps in the wire. Without the ability to inspect traffic, security on the wire is a dying breed of technology at which bots sneer as they pass by on their way to make a home amongst your resources.

It takes minimal effort to use IP addresses alone to identify endpoints. When paired with information like the user-agent from an HTTP header (which is user input and therefore inherently untrustworthy), the improvement in success is barely measurable. With the processing power available to us today, there is no reason we cannot take a few microseconds to extract from connections and interactions a broader array of characteristics from which we can deduce, if not identity, then at least intent.

Using IP addresses or signatures alone isn't enough to protect apps and networks from infiltration. Behavioral analysis, challenge-response, and deep inspection will need to be used together to effectively weed out the bad from the good.
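As an added illustration (not code from the original post or from F5), the following runs a constructed access-log sample through an IP-only rate limiter and then through a behavioral scorer keyed on the session rather than the address; the log entries, the session field, and the thresholds are assumptions made for the example.

```python
from collections import defaultdict
from statistics import median

# Constructed access-log sample, not real traffic: (time_s, client_ip, session, path, status).
LOG = [
    (0.0, "203.0.113.5", "sess-A", "/login", 200),    # sess-A: a person browsing at human pace
    (4.2, "203.0.113.5", "sess-A", "/account", 200),
    (9.8, "203.0.113.5", "sess-A", "/orders", 200),
    (0.3, "198.51.100.1", "sess-B", "/login", 401),   # sess-B: a bot guessing logins, hopping IPs
    (0.5, "198.51.100.2", "sess-B", "/login", 401),
    (0.7, "198.51.100.3", "sess-B", "/login", 401),
    (0.9, "198.51.100.4", "sess-B", "/login", 401),
    (1.1, "198.51.100.5", "sess-B", "/login", 401),
    (1.3, "198.51.100.6", "sess-B", "/login", 200),
]

def ip_rate_blocklist(log, window_s=10.0, max_requests=5):
    """IP-only heuristic: block an address exceeding max_requests in any sliding window."""
    per_ip = defaultdict(list)
    for t, ip, *_ in log:
        per_ip[ip].append(t)
    blocked = set()
    for ip, times in per_ip.items():
        times.sort()
        for start in times:
            if sum(1 for t in times if start <= t < start + window_s) > max_requests:
                blocked.add(ip)  # a bot that rotates addresses never trips this
    return blocked

def behavioral_scores(log, fast_interval_s=1.0, fail_ratio=0.5):
    """Score each session on behaviour, not origin: cadence, login failures, IP hopping."""
    sessions = defaultdict(list)
    for t, ip, sess, path, status in log:
        sessions[sess].append((t, ip, path, status))
    scores = {}
    for sess, events in sessions.items():
        events.sort()
        times = [e[0] for e in events]
        gaps = [b - a for a, b in zip(times, times[1:])]
        logins = [status for _, _, path, status in events if path == "/login"]
        score = 0
        if gaps and median(gaps) < fast_interval_s:
            score += 1  # requests arrive faster than a person clicks
        if logins and sum(s == 401 for s in logins) / len(logins) >= fail_ratio:
            score += 1  # mostly failed logins: credential-guessing pattern
        if len({ip for _, ip, _, _ in events}) > 1:
            score += 1  # one session, many source addresses
        scores[sess] = score
    return scores
```

On this sample the IP blocklist catches nothing, while the behavioral scorer gives the human session 0 and the bot session 3; pin the same bot to a single address and the IP limiter catches it, which is exactly the case real bots avoid.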

Disclaimer

F5 Networks Inc. published this content on 16 August 2018 and is solely responsible for the information contained herein. Distributed by Public, unedited and unaltered, on 16 August 2018 14:05:06 UTC