March 28, 2016 By Douglas Bonderud 2 min read

Humans are taking back the Internet — that’s the good news from Distil Networks’ annual report on bot traffic. As noted by SecurityWeek, over 54 percent of Web traffic in 2015 came from human users, while 46 was produced by bots.

The bad news? About 18 percent of those were bad bots. What’s more, 88 percent were advanced persistent bots (APBs), which can mimic human behavior, hide their presence and resist attempts to limit their impact. Simply put? While the bad bot footprint isn’t so deep, it comes with a bigger kick.

Evolving Attack Vectors

According to Marketing Land, the rise of bad bots is tied in part to the increasing complexity of websites. As noted by Distil CEO Rami Essaid, “A lot of previous bots were written for specific purposes and script-driven.”

But with Web apps becoming more powerful and Internet traffic critical to the success or failure of major brands, bot-makers have adapted. Rather than writing massive amounts of easily blocked code, they’re trending toward persistent bots that aren’t so easy to detect or disarm.

So what does an APB look like? In addition to acting like humans on the Web, these bad bots can load JavaScript and other external assets, spoof IP addresses, take a bite out of cookies and initiate browser automation. They’re also able to avoid detection using dynamic IP rotation, Tor networks and peer-to-peer proxies.

Distil’s report found that 73 percent of these bots used multiple IP addresses, and 36 percent used two or more agents to obfuscate their origins. Additionally, 20 percent leveraged more than 100 IP addresses to carry out their work, according to SecurityWeek.

When it comes to ultimate purpose, some bad bots are designed to simply spin up endless executables and gobble CPU resources while others scrape and then repurpose website content. Although good bots — such as search engine crawlers and legitimate advertising bots — do exist, it’s hard to tell helpful from harmful at first glance.

Battling Bad Bots

So how do companies fight back against bad bots? According to ReadWrite, one option is a blockade: Don’t let any bots execute on a website. But this kind of wall-building comes with a potentially massive downside. If search engine and SEO bots can’t crawl a site, companies get none of the ranking benefits.

Another option is bot management. Think of it like the app management uptick that accompanied widespread BYOD adoption. Instead of trying to block every bot or app on the network and forcing IT professionals to become full-time gatekeepers, the right management strategy lets companies gain both visibility and control over malicious bots. By slowing them down or feeding them false information, companies can lower their value to malicious actors and limit their impact.

Bottom line? There are fewer bad bots out there than last year. But they’re more sophisticated than ever — intelligent, persistent and pervasive. While businesses can’t kick all bots to the curb, it’s possible to find a better balance with an agile management posture.

More from

What does resilience in the cyber world look like in 2025 and beyond?

6 min read -  Back in 2021, we ran a series called “A Journey in Organizational Resilience.” These issues of this series remain applicable today and, in many cases, are more important than ever, given the rapid changes of the last few years. But the term "resilience" can be difficult to define, and when we define it, we may limit its scope, missing the big picture.In the age of generative artificial intelligence (gen AI), the prevalence of breach data from infostealers and the near-constant…

Airplane cybersecurity: Past, present, future

4 min read - With most aviation processes now digitized, airlines and the aviation industry as a whole must prioritize cybersecurity. If a cyber criminal launches an attack that affects a system involved in aviation — either an airline’s system or a third-party vendor — the entire process, from safety to passenger comfort, may be impacted.To improve security in the aviation industry, the FAA recently proposed new rules to tighten cybersecurity on airplanes. These rules would “protect the equipment, systems and networks of transport…

Protecting your digital assets from non-human identity attacks

4 min read - Untethered data accessibility and workflow automation are now foundational elements of most digital infrastructures. With the right applications and protocols in place, businesses no longer need to feel restricted by their lack of manpower or technical capabilities — machines are now filling those gaps.The use of non-human identities (NHIs) to power business-critical applications — especially those used in cloud computing environments or when facilitating service-to-service connections — has opened the doors for seamless operational efficiency. Unfortunately, these doors aren’t the…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today