When armies of Taylor Swift fans in November were locked out of being able to purchase tickets for her upcoming The Eras tour, the so-called “Swifties” demanded answers.
And the Senate agreed.
This week, Ticketmaster testified in Senate Judiciary Committee hearings that it’s not the company’s monopoly on the live music market that caused the Swifty sales collapse — it was instead a cyberattack, executives said.
“There was unprecedented demand for Taylor Swift tickets,” according to the opening testimony, shared ahead of the hearing with Dark Reading. “We knew bots would attack that on-sale, and planned accordingly.”
However, Ticketmaster added that it received triple the amount of bot traffic that it had ever experienced, with bots both attempting to purchase tickets as well as breach the ticket sales servers for access codes.
“While the bots failed to penetrate our systems or acquire any tickets, the attack required us to slow down and even pause our sales,” according to the company, which added that the difference in this instance is that instead of bots attempting to beat humans to the tickets, these bots were also attacking the system itself.
Some senators, including Marsha Blackburn, a Republican from Tennessee, didn’t agree with Ticketmaster’s assessment that the company was prepared in advance for the Taylor Swift swarm.
“This is unbelievable,” Blackburn said during the hearing. She added, “Why is it that you have not developed an algorithm to sort out what is a bot and what is a consumer?”
Ticketmaster asked the Senate to consider stronger anti-bot legislation, enforcement, and penalties, but that does little to help shore up systems for future blockbuster tour event sales against an increasingly aggressive legion of shopper bots.
When Bot Traffic Looks Like a DDoS Attack
Rather than a targeted, intentional distributed denial-of-service (DDoS) attack, Ticketmaster’s outage was simply the result of the system getting crushed under a tidal wave of traffic. But the result was the same: disruption.
“Botnets are often used to launch DDoS attacks; they’re also used to do other things such as attempting to quickly (and unfairly!) snap up tickets to popular events the moment they go on sale,” Roland Dobbins, a DDoS expert and principal engineer with Netscout, explains to Dark Reading.
He adds, “Even though the intent in the latter scenario isn’t to cause an outage — which defeats the purpose of the bot-driven purchases — high levels of aggressive, bot-driven, ‘flash crowd’ transactions can effectively constitute an unintentional application-layer DDoS attack against the online ticket vending system, if all the key elements in the system’s service delivery chain haven’t been designed with resilience, scale, and defense against application-layer DDoS attacks in mind.”
SeatGeek Had Similar, but Not as Serious, Swift Sales Problems
Although it was also bogged down under a similar traffic spike, Ticketmaster competitor Seat Geek was able to sell tickets to 52 Taylor Swift concerts without the same technical failures, the company explained to Politico, blaming Ticketmaster’s troubles on its market monopoly.
“Ticketmaster’s outage, recovery time, and continued lack of a solution are the results of a monopoly’s complacency,” SeatGeek said in a statement. “No competition means no incentive to innovate and iron out problems that they’ve experienced in the past.”
Bot & DDoS Attack Defense Differ
Online retailers trying to protect against both bots and DDoS attacks need to adopt different approaches for each, Boaz Gelboard, senior vice president and chief security officer at Akamai, explains to Dark Reading in reaction to the Ticketmaster Senate testimony.
“Organizations face an increasing array of cyber-threats during ‘hype events’ such as flash sales or online commercial events,” Gelboard says. “These can include both DDoS attacks aimed at bringing down the event and bots that aim to subvert the legitimate sales process. The goals of these attacks differ and they also require different protection.”
DDoS protection is about putting up infrastructure and application defenses prior to an attack, while thwarting bots requires “a deeper understanding of the behavior to determine which traffic is legitimate and which is automated,” Gelboard explains.
Battling the Bot Problem
Online brands experienced a 71% increase in bot attacks in 2022 over 2021, with bad bots making up nearly a third of online traffic, Michael Pezely points out in response to the Ticketmaster hearing.
“All these trends were reflected in Ticketmaster’s own experience with the Taylor Swift tour,” Pezely adds. “While 3.5 million fans preregistered as verified fans, according to Ticketmaster, 3.5 billion purchase attempts were made.”
Pezely urges online retailers to consider a holistic artificial intelligence (AI) approach to battling the bot problem.
“Fighting AI with AI will continue to be part of the solution. Merchants, whether they’re selling PlayStations, sneakers, or tickets, can counter the bots with learning machines that provide the intelligence to understand the identity and intent behind each order,” Pezely explains. “That understanding allows merchants to turn to automation to block illegitimate orders.”