Gcore named a Leader in the GigaOm Radar for AI Infrastructure!Get the report
Under attack? Log in
Sign up for free

Products

Solutions

Pricing

Resources

Partners

Why Gcore

Under attack?
Log in
Contact us
Contact us Sign up for free
  1. Home
  2. Developers
  3. What are bad bots? | How to stop bad bot traffic

What are bad bots? | How to stop bad bot traffic

  • By Gcore
  • March 31, 2023
  • 13 min read
What are bad bots? | How to stop bad bot traffic

Table of contents

Try Gcore Security

Try for free

Bad bots are computer programs designed to carry out harmful actions such as stealing website content, account hacking, and DDoS attacks. The damaging outcome has been exposed through multiple news outlets. These reports have shed some light on how bad bots are being used to spread misinformation on social media, commit identity theft, and steal bank accounts.

Our main goal with this article is to equip users and website/application owners like you with valuable insights on bad bots: how to comprehend the different types of bad bots, and how to prevent bad bot traffic.

What are the types of bad bots?

Let’s dive into the most common types of malicious bots out there. Familiarizing yourself with these threats is crucial to understanding how they can potentially harm your website or even target you as an internet user. Below is a list we’ve created for you to discover the different types of bad bots that you need to watch out for.

1. DDoS bot

DDoS bots are used by cybercriminals that seek to disrupt a website or online service by overwhelming it with traffic from multiple sources. To execute this attack effectively, botnets come into play. Botnets are networks of computers and internet of things (IoT) devices that have been infected with malware and are under the control of a hacker or malicious actor.

How do DDoS botnets work?

Malicious actors can manipulate bots remotely, corrupting a large number of internet-connected devices after infecting them with malware. What makes this especially alarming is that the owner of the compromised device may not be aware that their device has been infected.

In every botnet, there are four key components:

  • Bot master. This is the attacker who creates and manages the bot code and controls the entire botnet.
  • Bot code. Also known as a bot controller, this is a malicious program that is designed to infect vulnerable devices and turn them into bots.
  • Bots (also called “zombies”). These are the compromised devices that are infected with the bot code and can be controlled remotely by the bot master.
  • Command and control (C&C) server. This is the central server to which all the bots in the botnet connect to communicate with each other and receive commands from the bot master. The C&C server allows the bot master to send instructions to the bots, such as launching a DDoS attack.

Let’s take a look at the typical setup of a botnet and how these four participants work together.

In the diagram, the bot master distributes a bot code to victim computers. This can be done through email attachments, malicious links, software downloads, or exploiting vulnerabilities. When the victim’s computer becomes infected (i.e., becomes a bot), it joins the botnet and connects to the C&C server. The attacker sends instructions to the bot through the C&C server and synchronizes its actions with other bots.

Key takeaways about a DDoS botnet

  • The bot master is responsible for setting up the C&C mechanism and providing instructions to the bots.
  • Botnets rely on C&C mechanisms to coordinate the actions of infected machines.
  • The effectiveness of DDoS attacks often depends on the structure of the attacker’s architecture, the number of bots in the botnet controlled with a C&C mechanism.

DDoS bots can use variety of techniques to carry out their attacks, including the following:

DDoS Bot Attack TypeDescriptionExample & Impact
SYN floodsSYN is an acronym for “synchronize”. In SYN floods, a botnet sends a large number of SYN packets to the target server. The attack floods the server with connection requests that do not receive confirmation, leaving many open TCP connections that consume the server’s resources, mainly crowding out legitimate traffic and making it impossible to open new legitimate connections. This makes the website or application unavailable to legitimate users.An e-commerce website, which heavily depends on its online platform for generating sales, falls victim to a SYN flood attack during the busy holiday shopping season. Attackers use fake IP addresses to carry out these attacks, making them difficult to detect and counter. Since the holiday season sees a high volume of online traffic, the website owner may overlook the flood of requests and consider it normal, causing the website to become unavailable to genuine customers. The outcome is a loss of sales and harm to the website’s reputation.
UDP floodsUDP, short for “User Datagram Protocol,” is a protocol designed for communication between network devices. It is a lightweight protocol commonly used to transmit data over the internet. However, in certain cases, UDP can be used maliciously to launch a type of attack that involves flooding a target server or network with a high volume of UDP packets. This can cause congestion, resulting in a slow down or complete website/application unavailability.An online game experiences a major disruption due to a DDoS attack that involves a UDP flood. The attackers send a large number of UDP packets to the servers, overwhelming their ability to process incoming data. This causes players or users of the service to experience connectivity issues, lags, and delays, and some are even disconnected from the service entirely.
DNS amplificationDNS amplification is an attack that exploits the unique features of DNS services on the internet. The attacker sends a request to a public DNS server, directing its response to the targeted server. This floods the victim server with voluminous responses from public DNS servers, overwhelming the server and making it difficult to identify the attacker.A DNS amplification attack is carried out, causing the website or app to become inundated with traffic, which makes it difficult for legitimate users to access it.
HTTP floodsAn HTTP flood is a form of DDoS attack that sends a large volume of seemingly legitimate HTTP requests to a web server or application with the goal of overwhelming it and rendering it unavailable to legitimate users. This type of attack is usually carried out using a botnet of compromised computers. Unlike other DDoS attacks, HTTP floods do not rely on spoofing or reflection techniques and can be more difficult to detect and block.An attacker wants to take down a website to disrupt its operations. The attacker launches an HTTP flood attack by using a botnet to send a massive number of HTTP GET or POST requests. The requests appear to be legitimate, so the server tries to process each one, but the sheer volume of requests overwhelms the server’s resources, causing the website or service to become unavailable to real users.

2. Account takeover bot

This is a type of bad bot that cybercriminals use to take over users’ online accounts. These bots are designed to automate the process of guessing or cracking login credentials, such as usernames and passwords. Once the bad bot takes over the account, it can carry out harmful activities like stealing confidential information, spamming, or being used in phishing campaigns.

How does an account takeover bot work?

  1. A cybercriminal typically obtains a list of stolen usernames and passwords from data breaches, phishing attacks, or the dark web.
  2. The attacker uses account takeover bots to automatically test login credentials on different websites—for instance, e-commerce or social media sites—persisting until they successfully gain access to an account. With the use of bots, even strong passwords can be cracked in no time, putting personal information at risk.
  3. Once the bot has taken over the account, the attacker can carry out different malicious activities, such as making unauthorized purchases or posting spam messages.

Before we discuss different types of account takeover bots, let’s take a look at a few examples of incidents involving account takeovers:

  • Twitter hack: In July 2020, several high-profile Twitter accounts were hacked, including those of Barack Obama, Elon Musk, and Bill Gates. The attackers used an account takeover scheme to promote a bitcoin scam to the followers of these accounts.
  • Equifax data breach: In 2017, Equifax, one of the largest credit reporting agencies, suffered a data breach that exposed the personal information of millions of consumers. The breach was the result of an account takeover bot, where the attackers gained access to Equifax’s systems by exploiting a vulnerability in its website software.
  • Uber breach: In 2016, the personal information of 57 million users and drivers of the ride-sharing service Uber was exposed due to a data breach caused by an account takeover. The attackers were able to gain access to an Uber engineer’s account, which contained access keys to Uber’s Amazon Web Services account.

What are the types of account takeover bots?

Now that you’ve gained an understanding of the impact of this bad bot, let’s explore common types of account takeover bots, including their descriptions, examples, and the potential consequences they can cause.

Type of Account Takeover (ATO) BotDescriptionExample & Impact
Credential stuffing botThese malicious bots use lists of usernames and passwords from data breaches and try to log in to different websites and gain access to user accounts. They take advantage of users who reuse their passwords across multiple sites.A person uses the same login information for multiple online services. A hacker gains access to one of the victim’s accounts, and then uses the same login information to break into other sensitive accounts, like a bank account or email, resulting in difficulty in recovering accounts, identity theft, and financial loss.
Brute-force attack botThese malicious bots use automated tools to try various combinations of usernames and passwords until they find the correct combination that grants access to a user’s account.A user has a weak and easily guessable password that is vulnerable to brute-force attacks. An attacker gains access to an account and steals sensitive information, or uses the account for other malicious activities that leads to invasion of privacy, leak of sensitive information, and financial loss.
Phishing botThese malicious bots use phishing emails or messages to dupe users into sharing their login credentials. The attacker sends a malicious link, which, once clicked on, directs the user to a counterfeit website that resembles a genuine one. As a result, the user may unintentionally provide their login credentials, which are then captured by the attacker.A user falls for a phishing scam. An attacker gains access to their accounts and steals sensitive information or uses the accounts for other malicious purposes. The phishing attacks result in significant financial business losses, data breaches, and damage to reputation.

Among the various types of account takeover bots, the most widespread is credential stuffing. According to a report from Google, 52% of individuals use the same passwords for multiple accounts. This means that if a cybercriminal gains access to one of those accounts, they may also be able to access other sensitive accounts, including those containing credit card information, bank account details, and social media profiles.

3. Web content scraping bot

These malicious bots use web content scraping techniques to extract data and content from websites, including copying information from the HTML code and databases of the victim’s server. However, it’s worth noting that legitimate uses of web content scraping do exist, such as search engine bots like Googlebot, which help to index websites and improve search results. But the majority of web content scraping is actually done for malicious and illegal purposes, like stealing copyrighted content, pricing scraping to undercut competitors, and, of course, data breach.

How does a web content scraping bot work?

  1. The cybercriminal programs a web scraping bot to visit the target website.
  2. The bot reads the HTML code of the website and looks for relevant data to extract.
  3. The bot extracts the desired data from the HTML code and may also extract data from the databases that are connected to the victim’s website.
  4. The extracted data is stored in a structured format, such as a spreadsheet or scraper’s database.
  5. Once the bot has scraped all the data from the website, the attacker will analyze it for various purposes—for example, for reposting copyrighted materials.

What are the types of content scraping bots?

Content scraping, also known as web scraping, is the act of using bots to download most or all of a website’s content without the owner’s consent. It falls under the category of data scraping and is usually done using automated bots. Website scraper bots can download all of a site’s content within seconds.

In this section, we will cover different types of content scraping, how they work and the impact they can cause on users or businesses.

Type of Web Scraping BotDescriptionExample & Impact
Content scrapersThese are bad bots that scrape websites for specific types of content, such as product listings, emails, blog posts, or news articles, and anything that is stored in the victim’s database.Online businesses are the primary targets of attackers who use content scrapers to steal large amounts of data from databases. The stolen information is then used to repost it or sell to competitors. Additionally, email addresses can be harvested for spam and email fraud, which can damage the victim’s brand reputation.
Price scrapersPrice scraping bots are created to extract pricing information from e-commerce databases. Their purpose is to use this information to undercut competitors’ prices and increase sales.A shoe reseller business owner may use bots to buy and sell sneakers online. By adjusting their prices based on their competitors’ pricing, the reseller can gain an unfair advantage in the market. This strategy could also apply to other industries that conduct a significant portion of their business through online sales.

What are the risks of bad bots?

The risks associated with malicious bots extend beyond just business organizations. As a regular user, you are also a prime target for these bots, which puts your personal information, online security, and overall well-being at risk.

One particularly dangerous example is Trickbot, a botnet discovered by researchers in 2019. It was designed to steal login credentials and financial information on a global scale and had the ability to spread ransomware and malware, putting millions of people at risk as the infection on affected machines was not traceable.

The potential dangers associated with bad bot traffic are numerous and should not be taken lightly. Here are just a few of the risks:

  1. Identity theft. With account takeover bots, personal data can be snatched and used to infiltrate sensitive accounts, which could result in identity theft and cause significant monetary harm to the user.
  2. Malware infections. It is a prevalent method for bots to infiltrate a computer system, often through downloads disguised as social media or email links. These links may appear as pictures or videos, containing harmful viruses and malware. If a user’s computer becomes infected, it could become part of a botnet.
  3. Spam. This can be a result of account takeover bots when the attacker uses the victim’s credentials to send out spam emails or messages.
  4. Information theft. Web scraping bots have the ability to acquire sensitive information, including confidential user data such as login details, personal addresses, and other private information.
  5. Brand damage. Content scraping bots can duplicate and repost a company’s content on various fake and untrusted websites, which may result in losing potential clients.
  6. Financial loss. DDoS bots can be used to flood a website with traffic, causing it to be unavailable for regular users and resulting in lost revenue for businesses.
  7. Data breaches. Credential stuffing bots can be used to test stolen login credentials on multiple sites, increasing the risk of a data breach. This is because if a user’s credentials work on one site, such as a social media account, they may also work on other sites where the user has financial information, such as their bank account.
  8. Intellectual property theft. Web scraping bots can also be used to steal intellectual property, such as copyrighted images or product designs, leading to financial loss for creators.

How to stop bad bot traffic

The issue now arises on how regular website owners and users like you can prevent malicious bot traffic. Unfortunately, there is no single solution to address this concern. However, there are some recommended measures to stop and prevent the associated risks of bad bot traffic. Let’s explore the following recommendations.

  • Implement CAPTCHA challenges. To prevent automated bot attacks, websites can implement measures that require users to complete tasks that only humans can accomplish. These tasks often involve solving puzzles or answering questions before accessing sensitive data on a website.
  • Use web application firewalls (WAFs). These can block malicious traffic by analyzing incoming traffic and filtering out suspicious requests.
  • Monitor web traffic. This can help identify unusual traffic patterns that may be indicative of bot activity.
  • Implement rate limiting. This can limit the number of requests a user or IP address can make within a certain time frame, which can help prevent bot attacks.
  • Use bot detection software. This can analyze web traffic to identify and block bot traffic based on specific criteria such as IP addresses, user-agent strings, and behavior patterns.
  • Implement bot management policies. This can involve identifying and blocking known bot traffic, blacklisting suspicious IP addresses, and whitelisting known good bots.
  • Regularly update software and security protocols. This can help prevent bots from exploiting known vulnerabilities in software or systems.

Using these strategies can help website owners and organizations identify and reduce the risks of malicious bots, improving their online security. However, it’s important to keep in mind that these strategies might also affect legitimate human traffic and helpful bots that enhance website features. To effectively combat malicious bot traffic, website owners should consult with experts to differentiate between good and bad bots and implement mitigation strategies that balance security with website functionality. This helps to ensure that their websites remain accessible to legitimate users while minimizing the risks posed by bad bots. At Gcore, we understand the importance of providing effective measures against bad bot traffic and will provide information on how it assists our clients in countering these threats in the following section.

How does Gcore’s DDoS and bot protection help against bad bot traffic?

Here at Gcore, we guarantee that your online business will continue to function seamlessly, regardless of any disruptions or threats. Our security platform is designed to keep your digital business operations safe from cybercriminal attacks. We have scrubbing centers located globally that are linked to various service providers and have backup copies of essential systems, such as cleaning servers, managing servers, data storage systems, and network equipment. With our platform, you can be confident that any potential attack will not affect your website’s performance or cause any disruption to your visitors and customers. Let’s take a closer look at the protection services we offer to defend against DDoS attacks and malicious bots.

Protection against DDoS attacks

Gcore’s DDoS protection ensures uninterrupted application performance even during large-scale attacks, minimizing the risk of service disruptions and preventing degradation of website performance. Here are some key points about how the DDoS protection in our web security module operates:

  1. Attackers generate spam traffic to overwhelm targeted servers.
  2. The DDoS protection layer detects and filters incoming traffic. This includes protection against network and transport layer (L3 and L4)  and also against application layer DDoS attacks (L7).
  3. Real-time bot protection. We’ll prevent parsing, advertisement fraud, and theft of your user’s personal data.
  4. WAF hacking protection. It protects our clients from manual hacking and attempts to exploit vulnerabilities or loopholes in your website without implementing third-party SDKs or making changes to the application’s code.

Furthermore, there are various security features to protect against DDoS attacks. These are designed to prevent or mitigate the impact of a DDoS attack on a target network or website. Some of the common DDoS security features offered by Gcore include the following:

  • A globally distributed network to filter all traffic around the world.
  • Our growing distributed network capacity will always exceed any single DDoS attack.
  • Protection against low-rate attacks from their first request.
  • Advanced load balancing algorithms for better availability.

To learn more, check out our Global DDoS protection page.

Protection against bad bots

At our company, we understand the importance of keeping your web applications and servers safe from malicious bot activities. That’s why we offer top-of-the-line bot protection services that prevent website fraud attacks, spamming of request forms, brute-force attacks, and other harmful bot activities.

How do we achieve this? Our team of experts utilizes advanced algorithms that identify and remove unwanted traffic that has entered your system’s perimeter. This not only prevents overloading but also ensures that your business processes run smoothly. Want to learn more about how our protection module operates? Here are some key points:

  1. First, bad bots imitate human behavior to conduct activities that are considered inappropriate.
  2. Second, our system’s bot protection feature identifies and terminates connections from bots engaged in automated activities.
  3. The workflow of the client only interacts with legitimate users, and not with any bad bot traffic.

Our bot protection system provides protection against the following harmful bad bot activities:

  • DDoS botnet attacks
  • Account takeover attempts
  • Web content scraping
  • API data scraping
  • Form submission abuse
  • TLS session attacks

Discover more details about Gcore’s bot protection.

Now that you’re familiar with our robust DDoS and bot protection services, let’s dive into real-world use cases across various industries and their corresponding descriptions.

IndustryDescription
FintechBanking institutions are more prone to complex DDoS attacks than other sectors, and attackers aim to not only disable the service but also steal personal and financial information from users. To mitigate such risks, it is essential to monitor individual requests, detect potential threats, and safeguard websites, applications, and APIs.
E-commercePrevent bad bots from attempting to guess login credentials and passwords in order to gain unauthorized access to your system. Additionally, block bots that scrape your online store for the purpose of gaining a competitive advantage.
Gaming

80% of the attacks are on game servers. Once you fail, you risk losing your reputation and customer loyalty forever.

Learn more about our game server protection expertise.

AdvertisingWith bots accounting for approximately 50% of the world’s web traffic, it is highly likely that a significant portion of the traffic you purchase is fraudulent advertising. By removing these bots from your paid traffic, you can accurately analyze your website’s traffic and optimize your marketing budget accordingly.

Conclusion

Protecting your website against bad bot traffic is more important now than ever before. These malicious bots can pose a significant risk to both your website’s security and performance, leading to negative impacts on legitimate user traffic. But with Gcore’s effective mitigation strategies, you can safeguard your online systems and services from the risks associated with bad bot activity. Our DDoS protection and Edge Stream services, such as Gcore CDN, provide a comprehensive solution that detects and blocks bad bot traffic, ensuring optimal performance and maximum security. To learn more and start protecting your business today, contact us at Gcore.

Table of contents

Try Gcore Security

Try for free

Related articles

3 underestimated security risks of AI workloads and how to overcome them

3 underestimated security risks of AI workloads and how to overcome them

Artificial intelligence workloads introduce a fundamentally different security landscape for engineering and security teams. Unlike traditional applications, AI systems must protect not just endpoints and networks, but also training data pipelines, feature stores, model repositories, and inference APIs. Each phase of the AI life cycle presents distinct attack vectors that adversaries can exploit to corrupt model behavior, extract proprietary logic, or manipulate downstream outputs.In this article, we uncover three security vulnerabilities of AI workloads and explain how developers and MLOps teams can overcome them. We also look at how investing in your AI security can save time and money, explore the challenges that lie ahead for AI security, and offer a simplified way to protect your AI workloads with Gcore.Risk #1: data poisoningData poisoning is a targeted attack on the integrity of AI systems, where malicious actors subtly inject corrupted or manipulated data into training pipelines. The result is a model that behaves unpredictably, generates biased or false outputs, or embeds hidden logic that can be triggered post-deployment. This can undermine business-critical applications—from fraud detection and medical diagnostics to content moderation and autonomous decision-making.For developers, the stakes are high: poisoned models are hard to detect once deployed, and even small perturbations in training data can have system-wide consequences. Luckily, you can take a few steps to mitigate against data poisoning and then implement zero-trust AI to further protect your workloads.Mitigation and hardeningRestrict dataset access using IAM, RBAC, or identity-aware proxies.Store all datasets in versioned, signed, and hashed formats.Validate datasets with automated schema checks, label distribution scans, and statistical outlier detection before training.Track data provenance with metadata logs and checksums.Block training runs if datasets fail predefined data quality gates.Integrate data validation scripts into CI/CD pipelines pre-training.Enforce zero-trust access policies for data ingestion services.Solution integration: zero-trust AIImplement continuous authentication and authorization for each component interacting with data (e.g., preprocessing scripts, training jobs).Enable real-time threat detection during training using runtime security tools.Automate incident response triggers for unexpected file access or data source changes.Risk #2: adversarial attacksAdversarial attacks manipulate model inputs in subtle ways that trick AI systems into making incorrect or dangerous decisions. These perturbations—often imperceptible to humans—can cause models to misclassify images, misinterpret speech, or misread sensor data. In high-stakes environments like facial recognition, autonomous vehicles, or fraud detection, these failures can result in security breaches, legal liabilities, or physical harm.For developers, the threat is real: even state-of-the-art models can be easily fooled without adversarial hardening. The good news? You can make your models more robust by combining defensive training techniques, input sanitization, and secure API practices. While encrypted inference doesn’t directly block adversarial manipulation, it ensures that sensitive inference data stays protected even if attackers attempt to probe the system.Mitigation and hardeningUse adversarial training frameworks like CleverHans or IBM ART to expose models to perturbed inputs during training.Apply input sanitization layers (e.g., JPEG re-encoding, blurring, or noise filters) before data reaches the model.Implement rate limiting and authentication on inference APIs to block automated adversarial probing.Use model ensembles or randomized smoothing to improve resilience to small input perturbations.Log and analyze input-output patterns to detect high-variance or abnormal responses.Test models regularly against known attack vectors using robustness evaluation tools.Solution integration: encrypted inferenceWhile encryption doesn't prevent adversarial inputs, it does mean that input data and model responses remain confidential and protected from observation or tampering during inference.Run inference in trusted environments like Intel SGX or AWS Nitro Enclaves to protect model and data integrity.Use homomorphic encryption or SMPC to process encrypted data without exposing sensitive input.Ensure that all intermediate and output data is encrypted at rest and in transit.Deploy access policies that restrict inference to verified users and approved applications.Risk #3: model leakage of intellectual assetsModel leakage—or model extraction—happens when an attacker interacts with a deployed model in ways that allow them to reverse-engineer its structure, logic, or parameters. Once leaked, a model can be cloned, monetized, or used to bypass the very defenses it was meant to enforce. For businesses, this means losing competitive IP, compromising user privacy, or enabling downstream attacks.For developers and MLOps teams, the challenge is securing deployed models in a way that balances performance and privacy. If you're exposing inference APIs, you’re exposing potential entry points—but with the right controls and architecture, you can drastically reduce the risk of model theft.Mitigation and hardeningEnforce rate limits and usage quotas on all inference endpoints.Monitor for suspicious or repeated queries that indicate model extraction attempts.Implement model watermarking or fingerprinting to trace unauthorized model use.Obfuscate models before deployment using quantization, pruning, or graph rewriting.Disable or tightly control any model export functionality in your platform.Sign and verify inference requests and responses to ensure authenticity.Integrate security checks into CI/CD pipelines to detect risky configurations—such as public model endpoints, export-enabled containers, or missing inference authentication—before they reach production.Solution integration: native security integrationIntegrate model validation, packaging, and signing into CI/CD pipelines.Serve models from encrypted containers or TEEs, with minimal runtime exposure.Use container and image scanning tools to catch misconfigurations before deployment.Centralize monitoring and protection with tools like Gcore WAAP for real-time anomaly detection and automated response.How investing in AI security can save your business moneyFrom a financial point of view, the use of AI and machine learning in cybersecurity can lead to massive cost savings. Organizations that utilize AI and automation in cybersecurity have saved an average of $2.22 million per data breach compared to organizations that do not have these protections in place. This is because the necessity for manual oversight is reduced, lowering the total cost of ownership, and averting costly security breaches. The initial investment in advanced security technologies yields returns through decreased downtime, fewer false positives, and an enhanced overall security posture.Challenges aheadWhile securing the AI lifecycle is essential, it’s still difficult to balance robust security with a positive user experience. Rigid scrutiny can add additional latency or false positives that can stop operations, but AI-powered security can avoid such incidents.Another concern organizations must contend with is how to maintain current AI models. With threats changing so rapidly, today's newest model could easily become outdated by tomorrow’s. Solutions must have an ongoing learning ability so that security detection parameters can be revised.Operational maturity is also a concern, especially for companies that operate in multiple geographies. Well-thought-out strategies and sound governance processes must accompany the integration of complex AI/ML tools with existing infrastructure, but automation still offers the most benefits by reducing the overhead on security teams and helping ensure consistent deployment of security policies.Get ahead of AI security with GcoreAI workloads introduce new and often overlooked security risks that can compromise data integrity, model behavior, and intellectual property. By implementing practices like zero-trust architecture, encrypted inference, and native security integration, developers can build more resilient and trustworthy AI systems. As threats evolve, staying ahead means embedding security at every phase of the AI lifecycle.Gcore helps teams apply these principles at scale, offering native support for zero-trust AI, encrypted inference, and intelligent API protection. As an experienced AI and security solutions provider, our DDoS Protection and AI-enabled WAAP solutions integrate natively with Everywhere Inference and GPU Cloud across 210+ global points of presence. That means low latency, high performance, and proven, robust security, no matter where your customers are located.Talk with our AI security experts and secure your workloads today

Flexible DDoS mitigation with BGP Flowspec cover image

Flexible DDoS mitigation with BGP Flowspec

For customers who understand their own network traffic patterns, rigid DDoS protection can be more of a limitation than a safeguard. That’s why Gcore supports BGP Flowspec: a flexible, standards-based method for defining granular filters that block or rate-limit malicious traffic in real time…before it reaches your infrastructure.In this article, we’ll walk through:What Flowspec is and how it worksThe specific filters and actions Gcore supportsCommon use cases, with example rule definitionsHow to activate and monitor Flowspec in your environmentWhat is the BGP Flowspec?BGP Flowspec (RFC 8955) extends Border Gateway Protocol to distribute traffic filtering rules alongside routing updates. Instead of static ACLs or reactive blackholing, Flowspec enables near-instantaneous propagation of mitigation rules across networks.BGP tells routers how to reach IP prefixes across the internet. With Flowspec, those same BGP announcements can now carry rules, not just routes. Each rule describes a pattern of traffic (e.g., TCP SYN packets >1000 bytes from a specific subnet) and what action to take (drop, rate-limit, mark, or redirect).What are the benefits of the BGP Flowspec?Most traditional DDoS protection services react to threats after they start, whether by blackholing traffic to a target IP, redirecting flows to a scrubbing center, or applying rigid, static filters. These approaches can block legitimate traffic, introduce latency, or be too slow to respond to fast-evolving attacks.Flowspec offers a more flexible alternative.Proactive mitigation: Instead of waiting for attacks, you can define known-bad traffic patterns ahead of time and block them instantly. Flowspec lets experienced operators prevent incidents before they start.Granular filtering: You’re not limited to blocking by IP or port. With Flowspec, you can match on packet size, TCP flags, ICMP codes, and more, enabling fine-tuned control that traditional ACLs or RTBH don’t support.Edge offloading: Filtering happens directly on Gcore’s routers, offloading your infrastructure and avoiding scrubbing latency.Real-time updates: Changes to rules are distributed across the network via BGP and take effect immediately, faster than manual intervention or standard blackholing.You still have the option to block traffic during an active attack, but with Flowspec, you gain the flexibility to protect services with minimal disruption and greater precision than conventional tools allow.Which parts of the Flowspec does Gcore implement?Gcore supports twelve filter types and four actions of the Flowspec.Supported filter typesGcore supports all 12 standard Flowspec match components.Filter FieldDescriptionDestination prefixTarget subnet (usually your service or app)Source prefixSource of traffic (e.g., attacker IP range)IP protocolTCP, UDP, ICMP, etc.Port / Source portMatch specific client or server portsDestination portMatch destination-side service portsICMP type/codeFilter echo requests, errors, etc.TCP flagsFilter packets by SYN, ACK, RST, FIN, combinationsPacket lengthFilter based on payload sizeDSCPQuality of service code pointFragmentMatch on packet fragmentation characteristicsSupported actionsGcore DDoS Protection supports the following Flowspec actions, which can be triggered when traffic matches a specific filter:ActionDescriptionTraffic-rate (0x8006)Throttle/rate limit traffic by byte-per-second rateredirectRedirect traffic to alternate location (e.g., scrubbing)traffic-markingApply DSCP marks for downstream classificationno-action (drop)Drop packets (rate-limit 0)Rule orderingRFC 5575 defines the implicit order of Flowspec rules. The crucial point is that more specific announcements take preference, not the order in which the rules are propagated.Gcore also respects Flowspec rule ordering per RFC 5575. More specific filters override broader ones. Future support for Flowspec v2 (with explicit ordering) is under consideration, pending vendor adoption.Blackholing and extended blackholing (eBH)Remote-triggered blackhole (RTBH) is a standardized protection method that the client manages via BGP by analyzing traffic, identifying the direction of the attack (i.e., the destination IP address). This method protects against volumetric attacks.Customers using Gcore IP Transit can trigger immediate blackholing for attacked prefixes via BGP, using the well-known blackhole community tag 65000:666. All traffic to that destination IP is dropped at Gcore’s edge.The list of supported BGP communities is available here.BGP extended blackholeExtended blackhole (eBH) allows for more granular blackholing that does not affect legitimate traffic. For customers unable to implement Flowspec directly, Gcore supports eBH. You announce target prefixes with pre-agreed BGP communities, and Gcore translates them into Flowspec mitigations.To configure this option, contact our NOC at noc@gcore.lu.Monitoring and limitationsGcore can support several logging transports, including mail and Slack.If the number of Flowspec prefixes exceeds the configured limit, Gcore DDoS Protection stops accepting new announcements, but BGP sessions and existing prefixes will stay active. Gcore will receive a notification that you reached the limit.How to activateActivation takes just two steps:Define rules on your edge router using Flowspec NLRI formatAnnounce rules via BGP to Gcore’s intermediate control planeThen, Gcore validates and propagates the filters to border routers. Filters are installed on edge devices and take effect immediately.If attack patterns are unknown, you’ll first need to detect anomalies using your existing monitoring stack, then define the appropriate Flowspec rules.Need help activating Flowspec? Get in touch via our 24/7 support channels and our experts will be glad to assist.Set up GRE and benefit from Flowspec today

Securing AI from the ground up: defense across the lifecycle

As more AI workloads shift to the edge for lower latency and localized processing, the attack surface expands. Defending a data center is old news. Now, you’re securing distributed training pipelines, mobile inference APIs, and storage environments that may operate independently of centralized infrastructure, especially in edge or federated learning contexts. Every stage introduces unique risks. Each one needs its own defenses.Let’s walk through the key security challenges across each phase of the AI lifecycle, and the hardening strategies that actually work.PhaseTop threatsHardening stepsTrainingData poisoning, leaksValidation, dataset integrity tracking, RBAC, adversarial trainingDevelopmentModel extraction, inversionRate limits, obfuscation, watermarking, penetration testingInferenceAdversarial inputs, spoofed accessInput filtering, endpoint auth, encryption, TEEsStorage and deploymentModel theft, tamperingEncrypted containers, signed builds, MFA, anomaly monitoringTraining: your model is only as good as its dataThe training phase sets the foundation. If the data going in is poisoned, biased, or tampered with, the model will learn all the wrong lessons and carry those flaws into production.Why it mattersData poisoning is subtle. You won’t see a red flag during training logs or a catastrophic failure at launch. These attacks don’t break training, they bend it.A poisoned model may appear functional, but behaves unpredictably, embeds logic triggers, or amplifies harmful bias. The impact is serious later in the AI workflow: compromised outputs, unexpected behavior, or regulatory non-compliance…not due to drift, but due to training-time manipulation.How to protect itValidate datasets with schema checks, label audits, and outlier detection.Version, sign, and hash all training data to verify integrity and trace changes.Apply RBAC and identity-aware proxies (like OPA or SPIFFE) to limit who can alter or inject data.Use adversarial training to improve model robustness against manipulated inputs.Development and testing: guard the logicOnce you’ve got a trained model, the next challenge is protecting the logic itself: what it knows and how it works. The goal here is to make attacks economically unfeasible.Why it mattersModels encode proprietary logic. When exposed via poorly secured APIs or unprotected inference endpoints, they’re vulnerable to:Model inversion: Extracting training dataExtraction: Reconstructing logicMembership inference: Revealing whether a datapoint was in trainingHow to protect itApply rate limits, logging, and anomaly detection to monitor usage patterns.Disable model export by default. Only enable with approval and logging.Use quantization, pruning, or graph obfuscation to reduce extractability.Explore output fingerprinting or watermarking to trace unauthorized use in high-value inference scenarios.Run white-box and black-box adversarial evaluations during testing.Integrate these security checks into your CI/CD pipeline as part of your MLOps workflow.Inference: real-time, real riskInference doesn’t get a free pass because it’s fast. Security needs to be just as real-time as the insights your AI delivers.Why it mattersAdversarial attacks exploit the way models generalize. A single pixel change or word swap can flip the classification.When inference powers fraud detection or autonomous systems, a small change can have a big impact.How to protect itSanitize input using JPEG compression, denoising, or frequency filtering.Train on adversarial examples to improve robustness.Enforce authentication and access control for all inference APIs—no open ports.Encrypt inference traffic with TLS. For added privacy, use trusted execution environments (TEEs).For highly sensitive cases, consider homomorphic encryption or SMPC—strong but compute-intensive solutions.Check out our free white paper on inference optimization.Storage and deployment: don’t let your model leakOnce your model’s trained and tested, you’ve still got to deploy and store it securely—often across multiple locations.Why it mattersUnsecured storage is a goldmine for attackers. With access to the model binary, they can reverse-engineer, clone, or rehost your IP.How to protect itStore models on encrypted volumes or within enclaves.Sign and verify builds before deployment.Enforce MFA, RBAC, and immutable logging on deployment pipelines.Monitor for anomalous access patterns—rate, volume, or source-based.Edge strategy: security that moves with your AIAs AI moves to the edge, centralized security breaks down. You need protection that operates as close to the data as your inference does.That’s why we at Gcore integrate protection into AI workflows from start to finish:WAAP and DDoS mitigation at edge nodes—not just centralized DCs.Encrypted transport (TLS 1.3) and in-node processing reduce exposure.Inline detection of API abuse and L7 attacks with auto-mitigation.180+ global PoPs to maintain consistency across regions.AI security is lifecycle securityNo single firewall, model tweak, or security plugin can secure AI workloads in isolation. You need defense in depth: layered, lifecycle-wide protections that work at the data layer, the API surface, and the edge.Ready to secure your AI stack from data to edge inference?Talk to our AI security experts

3 ways to safeguard your website against DDoS attacks—and why it matters

DDoS (distributed denial-of-service) attacks are a type of cyberattack in which a hacker overwhelms a server with an excessive number of requests, causing the server to stop functioning correctly and denying access to legitimate users. The volume of these types of attacks is increasing, with a 56% year-on-year rise recorded in late 2024, driven by factors including the growing availability of AI-powered tools, poorly secured IoT devices, and geopolitical tensions worldwide.Fortunately, there are effective ways to defend against DDoS attacks. Because these threats can target different layers of your network, a single tool isn’t enough, and a multi-layered approach is necessary. Businesses need to protect both the website itself and the infrastructure behind it. This article explores the three key security solutions that work together to protect your website—and the costly consequences of failing to prepare.The consequences of not protecting your website against DDoS attacksIf your website isn’t sufficiently protected, DDoS attacks can have severe and far-reaching impacts on your website, business, and reputation. They not only disrupt the user experience but can spiral into complex, costly recovery efforts. Safeguarding your website against DDoS attacks is essential to preventing the following serious outcomes:Downtime: DDoS attacks can exhaust server resources (CPU, RAM, throughput), taking websites offline and making them unavailable to end users.Loss of business/customers: Frustrated users will leave, and many won’t return after failed checkouts or broken sessions.Financial losses: By obstructing online sales, DDoS attacks can cause businesses to suffer substantial loss of revenue.Reputational damage: Websites or businesses that suffer repeated unmitigated DDoS attacks may cause customers to lose trust in them.Loss of SEO rankings: A website could lose its hard-won SEO ranking if it experiences extended downtime due to DDoS attacks.Disaster recovery costs: DDoS disaster recovery costs can escalate quickly, encompassing hardware replacement, software upgrades, and the need to hire external specialists.Solution #1: Implement dedicated DDoS protection to safeguard your infrastructureAdvanced DDoS protection measures are customized solutions designed to protect your servers and infrastructure against DDoS attacks. DDoS protection helps defend against malicious traffic designed to crash servers and interrupt service.Solutions like Gcore DDoS Protection continuously monitor incoming traffic for suspicious patterns, allowing them to automatically detect and mitigate attacks in real time. If your resources are attacked, the system filters out harmful traffic before it reaches your servers. This means that real users can access your website without interruption, even during an attack.For example, a financial services provider could be targeted by cybercriminals attempting to disrupt services with a large-scale volumetric DDoS attack. With dedicated DDoS protection, the provider can automatically detect and filter out malicious traffic before it impacts users. Customers can continue to log in, check balances, and complete transactions, while the system adapts to the evolving nature of the attack in the background, maintaining uninterrupted service.The protection scales with your business needs, automatically adapting to higher traffic loads or more complex attacks. Up-to-date reports and round-the-clock technical support allow you to keep track of your website status at all times.Solution #2: Enable WAAP to protect your websiteGcore WAAP (web application and API protection) is a comprehensive solution that monitors, detects, and mitigates cyber threats, including DDoS layer 7 attacks. WAAP uses AI-driven algorithms to monitor, detect, and mitigate threats in real time, offering an additional layer of defense against sophisticated attackers. Once set up, the system provides powerful tools to create custom rules and set specific triggers. For example, you can specify the conditions under which certain requests should be blocked, such as sudden spikes in API calls or specific malicious patterns common in DDoS attacks.For instance, an e-commerce platform during a major sale like Black Friday could be targeted by bots attempting to flood the site with fake login or checkout requests. WAAP can differentiate between genuine users and malicious bots by analyzing traffic patterns, rate of requests, and attack behaviors. It blocks malicious requests so that real customers can continue to complete transactions without disruption.Solution #3: Connect to a CDN to strengthen defenses furtherA trustworthy content delivery network (CDN) is another valuable addition to your security stack. A CDN is a globally distributed server network that ensures efficient content delivery. CDNs spread traffic across multiple global edge servers, reducing the load on the origin server. During a DDoS attack, a CDN with DDoS protection can protect servers and end users. It filters traffic at the edge, blocking threats before they ever reach your infrastructure. Caching servers within the CDN network then deliver the requested content to legitimate users, preventing network congestion and denial of service to end users.For instance, a gaming company launching a highly anticipated multiplayer title could face a massive surge in traffic as players around the world attempt to download and access the game simultaneously. This critical moment also makes the platform a prime target for DDoS attacks aimed at disrupting the launch. A CDN with integrated DDoS protection can absorb and filter out malicious traffic at the edge before it reaches the core infrastructure. Legitimate players continue to enjoy fast downloads and seamless gameplay, while the origin servers remain stable and protected from overload or downtime.In addition, Super Transit intelligently routes your traffic via Gcore’s 180+ point-of-presence global network, proactively detecting, mitigating, and filtering DDoS attacks. Even mid-attack, users experience seamless access with no interruptions. They also benefit from an enhanced end-user experience, thanks to shorter routes between users and servers that reduce latency.Taking the next steps to protect your websiteDDoS attacks pose significant threats to websites, but a proactive approach is the best way to keep your site online, secure, and resilient. Regardless of your industry or location, it’s crucial to take action to safeguard your website and maintain its uninterrupted availability.Enabling Gcore DDoS protection is a simple and proven way to boost your digital infrastructure’s resiliency against different types of DDoS attacks. Gcore DDoS protection also integrates with other security solutions, including Gcore WAAP, which protects your website and CDNs. These tools work seamlessly together to provide advanced website protection, offering improved security and performance in one intuitive platform.If you’re ready to try Gcore Edge Security, fill in the form below and one of our security experts will be in touch for a personalized consultation.

From reactive to proactive: how AI is transforming WAF cybersecurity solutions

While digital transformation in recent years has driven great innovation, cyber threats have changed in parallel, evolving to target the very applications businesses rely on to thrive. Traditional web application security measures, foundational as they may be, are no longer effective in combating sophisticated attacks in time. Enter the next generation of WAFs (web application firewalls) powered by artificial intelligence.Next-generation WAFs, often incorporated into WAAP solutions, do much more than respond to threats; instead, they will use AI and ML-powered techniques to predict and neutralize threats in real time. This helps businesses to stay ahead of bad actors by securing applications, keeping valuable data safe, and protecting hard-earned brand reputations against ever-present dangers in an expanding digital world.From static to AI-powered web application firewallsTraditional WAFs were relied on to protect web applications against known threats, such as SQL injection and cross-site scripting. They’ve done a great job as the first line of defense, but their reliance on static rules and signature-based detection means they struggle to keep up with today’s fast-evolving cyber threats. To understand in depth why traditional WAFs are no longer sufficient in today’s threat landscape, read our ebook.AI and ML have already revolutionized what a WAF can do. AI/ML-driven WAFs can examine vast streams of traffic data and detect patterns, including new threats, right at the emergence stage. The real-time adaptability that this allows is effective even against zero-day attacks and complex new hacking techniques.How AI-powered WAP proactively stops threatsOne of the most significant advantages of AI/ML-powered WAFs is proactive identification and prevention capabilities. Here's how this works:Traffic pattern analysis: AI systems monitor both incoming and outgoing traffic to set up baselines for normal behavior. This can then allow for the detection of anomalies that could show a zero-day attack or malicious activity.Real-time decision making: Machine learning models keep learning from live traffic and detect suspicious activities on the go sans waiting for any updates in the rule set. This proactive approach ensures that businesses are guarded from emerging threats before they escalate.Heuristic tagging and behavioral insights: Advanced heuristics used by AI-driven systems tag everything from sessionless clients to unusual request frequencies. It helps administrators classify potential bots or automated attacks much faster.Ability to counter zero-day attacks: Traditional WAF solutions can only mitigate attacks that are already in the process of accessing sensitive areas. AI/ML-powered WAFs, on the other hand, can use data to identify and detect patterns indicative of future attacks, stopping attackers in their tracks and preventing future damage.Intelligent policy management: Adaptive WAFs detect suspicious activity and alert users to misconfigured security policies accordingly. They reduce the need for manual configuration while assuring better protection.Integrated defense layers: One of the strongest features of AI/ML-powered systems is the ease with which they integrate other layers of security, including bot protection and DDoS mitigation, into a connected architecture that protects several attack surfaces.User experience and operational impactAI-driven WAFs improve the day-to-day operations of security teams by transforming how they approach threat management. With intuitive dashboards and clearly presented analytics, as offered by Gcore WAAP, these tools empower security professionals to quickly interpret complex data, streamline decision-making, and respond proactively to threats.Instead of manually analyzing vast amounts of traffic data, teams now receive immediate alerts highlighting critical security events, such as abnormal IP behaviors or unusual session activity. Each alert includes actionable recommendations, enabling rapid adjustments to security policies without guesswork or delay.By automating the identification of sophisticated threats such as credential stuffing, scraping, and DDoS attacks, AI-powered solutions significantly reduce manual workloads. Advanced behavioral profiling and heuristic tagging pinpoint genuine threats with high accuracy, allowing security teams to concentrate their efforts where they're most needed.Embracing intelligent security with Gcore’s AI-driven WAAPOur AI-powered WAAP solution provides intelligent, interrelated protection to empower companies to actively outperform even the most sophisticated, ever-changing threats by applying advanced traffic analysis, heuristic tagging, and adaptive learning. With its cross-domain functionality and actionable security insights, this solution stands out as an invaluable tool for both security architects and strategic decision-makers. It combines innovation and practicality to address the needs of modern businesses.Curious to learn more about WAAP? Check out our ebook for cybersecurity best practices, the most common threats to look out for, and how WAAP can safeguard your businesses’ digital assets. Or, get in touch with our team to learn more about Gcore WAAP.Learn why WAAP is essential for modern businesses with a free ebook

How AI helps prevent API attacks

APIs have become an integral part of modern digital infrastructure, and it can be easy to take their security for granted. But, unfortunately, APIs are a popular target for attackers. Hackers can use APIs to access crucial data and services, and breaching APIs allows attackers to bypass traditional security controls.Most companies focus on speed of development and deployment ahead of security when crafting APIs, making them vulnerable to issues like insecure authentication, poor validation, or misconfigured endpoints, which attackers can abuse. Additionally, the interconnected nature of APIs creates multiple endpoints, widening the attack surface and creating additional points of entry that attackers can exploit.As threats evolve and the attack surface grows to include more API endpoints, integrating AI threat detection and mitigation is an absolute must for businesses to take serious, deliberate action against API cyberattacks. Let’s find out why.Staying ahead of zero-day API attacksOf all the cyber attacks that commonly threaten APIs, zero-day attacks, leveraging unknown vulnerabilities, are probably the toughest to defeat. Traditional solutions rely more on the existence of preconfigured rules or signatures along with human interference to detect and block such attacks. This approach often fails against novel threats and can block legitimate traffic, leaving applications vulnerable and making APIs inaccessible to users.APIs must balance between allowing legitimate users access and maintaining security. AI and ML technologies excel at identifying zero-day attacks based on pattern and behavior analysis rather than known signatures. For instance, heuristic algorithms can detect anomalies, such as sudden spikes in unusual traffic or behaviors indicative of malicious intent.Consider the following example: A certain IP address makes an abnormally large number of requests to a rarely accessed endpoint. Even without prior knowledge of the IP or attack vector, an AI/ML-enhanced solution can flag the activity as suspicious and block it proactively. Using minimal indicators, such as frequency patterns or traffic anomalies, AI can stop attackers before they fully exploit vulnerabilities. Additionally, this means that only suspicious IPs are blocked, and legitimate users can continue to access APIs unimpeded.The risks of shadow APIsOne of the biggest risks is shadow APIs, which are endpoints that exist but aren't documented or monitored. These can arise from configuration mistakes, forgotten updates, or even rogue development practices. These unknown APIs are the ideal target for Layer 7 attacks, as they are often left undefended, making them easy targets.AI-powered API discovery tools map both known and unknown API endpoints, enabling the grouping and management of these endpoints so sensitive APIs can be properly secured. This level of visibility is critical to securing systems against API-targeting attacks; without it, businesses are left in the dark.API discovery as a critical security practiceWAAP with AI/ML capabilities excels in API security because it accurately checks and analyzes API traffic. The Gcore API discovery engine offers 97 to 99 percent accuracy, mapping APIs in users’ domains and using data to recommend policies to help secure APIs.How heuristics enhance WAAP AI capabilities to protect APIsWhile AI and ML form the backbone of modern WAAPs, heuristic methods complement them in enhancing detection accuracy. Heuristics allow the system to inspect granular behaviors, such as mouse clicks or scrolling patterns, which distinguish legitimate users from bots.For example, most scraping attacks involve automated scripts that interact with APIs in predictable and repetitive manners. In those cases, WAAP can use request patterns or user action monitoring to identify the script with high accuracy. Heuristics may define bots by checking how users interact with page elements, such as buttons or forms, and flagging those that behave unnaturally.This layered approach ensures that the most sophisticated automated attack attempts are caught in the net and mitigated without affecting legitimate traffic.Protect your APIs with the click of a button using Gcore WAAPAI offers proactive, intelligent solutions that can address the modern complexities of cybersecurity. These technologies empower organizations to secure APIs against even the most sophisticated threats, including zero-day vulnerabilities and undiscovered APIs.Interested in protecting your APIs with WAAP? Download our ebook to discover cybersecurity best practices, the most prevalent threats, and how WAAP can protect your business’s digital infrastructure, including APIs. Or, reach out to our team to learn more about Gcore WAAP.Discover why WAAP is a must-have for API protection

Subscribe to our newsletter

Get the latest industry trends, exclusive insights, and Gcore updates delivered straight to your inbox.

Subscribe