Humans are taking back the Internet — that’s the good news from Distil Networks’ annual report on bot traffic. As noted by SecurityWeek, over 54 percent of Web traffic in 2015 came from human users, while 46 was produced by bots.
The bad news? About 18 percent of those were bad bots. What’s more, 88 percent were advanced persistent bots (APBs), which can mimic human behavior, hide their presence and resist attempts to limit their impact. Simply put? While the bad bot footprint isn’t so deep, it comes with a bigger kick.
Evolving Attack Vectors
According to Marketing Land, the rise of bad bots is tied in part to the increasing complexity of websites. As noted by Distil CEO Rami Essaid, “A lot of previous bots were written for specific purposes and script-driven.”
But with Web apps becoming more powerful and Internet traffic critical to the success or failure of major brands, bot-makers have adapted. Rather than writing massive amounts of easily blocked code, they’re trending toward persistent bots that aren’t so easy to detect or disarm.
So what does an APB look like? In addition to acting like humans on the Web, these bad bots can load JavaScript and other external assets, spoof IP addresses, take a bite out of cookies and initiate browser automation. They’re also able to avoid detection using dynamic IP rotation, Tor networks and peer-to-peer proxies.
Distil’s report found that 73 percent of these bots used multiple IP addresses, and 36 percent used two or more agents to obfuscate their origins. Additionally, 20 percent leveraged more than 100 IP addresses to carry out their work, according to SecurityWeek.
When it comes to ultimate purpose, some bad bots are designed to simply spin up endless executables and gobble CPU resources while others scrape and then repurpose website content. Although good bots — such as search engine crawlers and legitimate advertising bots — do exist, it’s hard to tell helpful from harmful at first glance.
Battling Bad Bots
So how do companies fight back against bad bots? According to ReadWrite, one option is a blockade: Don’t let any bots execute on a website. But this kind of wall-building comes with a potentially massive downside. If search engine and SEO bots can’t crawl a site, companies get none of the ranking benefits.
Another option is bot management. Think of it like the app management uptick that accompanied widespread BYOD adoption. Instead of trying to block every bot or app on the network and forcing IT professionals to become full-time gatekeepers, the right management strategy lets companies gain both visibility and control over malicious bots. By slowing them down or feeding them false information, companies can lower their value to malicious actors and limit their impact.
Bottom line? There are fewer bad bots out there than last year. But they’re more sophisticated than ever — intelligent, persistent and pervasive. While businesses can’t kick all bots to the curb, it’s possible to find a better balance with an agile management posture.