What are bad bots? | How to stop bad bot traffic

Bad bots are computer programs designed to carry out harmful actions such as stealing website content, account hacking, and DDoS attacks. The damaging outcome has been exposed through multiple news outlets. These reports have shed some light on how bad bots are being used to spread misinformation on social media, commit identity theft, and steal bank accounts.

Our main goal with this article is to equip users and website/application owners like you with valuable insights on bad bots: how to comprehend the different types of bad bots, and how to prevent bad bot traffic.

What are the types of bad bots?

Let’s dive into the most common types of malicious bots out there. Familiarizing yourself with these threats is crucial to understanding how they can potentially harm your website or even target you as an internet user. Below is a list we’ve created for you to discover the different types of bad bots that you need to watch out for.

1. DDoS bot

DDoS bots are used by cybercriminals that seek to disrupt a website or online service by overwhelming it with traffic from multiple sources. To execute this attack effectively, botnets come into play. Botnets are networks of computers and internet of things (IoT) devices that have been infected with malware and are under the control of a hacker or malicious actor.

How do DDoS botnets work?

Malicious actors can manipulate bots remotely, corrupting a large number of internet-connected devices after infecting them with malware. What makes this especially alarming is that the owner of the compromised device may not be aware that their device has been infected.

In every botnet, there are four key components:

• Bot master. This is the attacker who creates and manages the bot code and controls the entire botnet.
• Bot code. Also known as a bot controller, this is a malicious program that is designed to infect vulnerable devices and turn them into bots.
• Bots (also called “zombies”). These are the compromised devices that are infected with the bot code and can be controlled remotely by the bot master.
• Command and control (C&C) server. This is the central server to which all the bots in the botnet connect to communicate with each other and receive commands from the bot master. The C&C server allows the bot master to send instructions to the bots, such as launching a DDoS attack.

Let’s take a look at the typical setup of a botnet and how these four participants work together.

In the diagram, the bot master distributes a bot code to victim computers. This can be done through email attachments, malicious links, software downloads, or exploiting vulnerabilities. When the victim’s computer becomes infected (i.e., becomes a bot), it joins the botnet and connects to the C&C server. The attacker sends instructions to the bot through the C&C server and synchronizes its actions with other bots.

Key takeaways about a DDoS botnet

• The bot master is responsible for setting up the C&C mechanism and providing instructions to the bots.
• Botnets rely on C&C mechanisms to coordinate the actions of infected machines.
• The effectiveness of DDoS attacks often depends on the structure of the attacker’s architecture, the number of bots in the botnet controlled with a C&C mechanism.

DDoS bots can use variety of techniques to carry out their attacks, including the following:

DDoS Bot Attack Type	Description	Example & Impact
SYN floods	SYN is an acronym for “synchronize”. In SYN floods, a botnet sends a large number of SYN packets to the target server. The attack floods the server with connection requests that do not receive confirmation, leaving many open TCP connections that consume the server’s resources, mainly crowding out legitimate traffic and making it impossible to open new legitimate connections. This makes the website or application unavailable to legitimate users.	An e-commerce website, which heavily depends on its online platform for generating sales, falls victim to a SYN flood attack during the busy holiday shopping season. Attackers use fake IP addresses to carry out these attacks, making them difficult to detect and counter. Since the holiday season sees a high volume of online traffic, the website owner may overlook the flood of requests and consider it normal, causing the website to become unavailable to genuine customers. The outcome is a loss of sales and harm to the website’s reputation.
UDP floods	UDP, short for “User Datagram Protocol,” is a protocol designed for communication between network devices. It is a lightweight protocol commonly used to transmit data over the internet. However, in certain cases, UDP can be used maliciously to launch a type of attack that involves flooding a target server or network with a high volume of UDP packets. This can cause congestion, resulting in a slow down or complete website/application unavailability.	An online game experiences a major disruption due to a DDoS attack that involves a UDP flood. The attackers send a large number of UDP packets to the servers, overwhelming their ability to process incoming data. This causes players or users of the service to experience connectivity issues, lags, and delays, and some are even disconnected from the service entirely.
DNS amplification	DNS amplification is an attack that exploits the unique features of DNS services on the internet. The attacker sends a request to a public DNS server, directing its response to the targeted server. This floods the victim server with voluminous responses from public DNS servers, overwhelming the server and making it difficult to identify the attacker.	A DNS amplification attack is carried out, causing the website or app to become inundated with traffic, which makes it difficult for legitimate users to access it.
HTTP floods	An HTTP flood is a form of DDoS attack that sends a large volume of seemingly legitimate HTTP requests to a web server or application with the goal of overwhelming it and rendering it unavailable to legitimate users. This type of attack is usually carried out using a botnet of compromised computers. Unlike other DDoS attacks, HTTP floods do not rely on spoofing or reflection techniques and can be more difficult to detect and block.	An attacker wants to take down a website to disrupt its operations. The attacker launches an HTTP flood attack by using a botnet to send a massive number of HTTP GET or POST requests. The requests appear to be legitimate, so the server tries to process each one, but the sheer volume of requests overwhelms the server’s resources, causing the website or service to become unavailable to real users.

2. Account takeover bot

This is a type of bad bot that cybercriminals use to take over users’ online accounts. These bots are designed to automate the process of guessing or cracking login credentials, such as usernames and passwords. Once the bad bot takes over the account, it can carry out harmful activities like stealing confidential information, spamming, or being used in phishing campaigns.

How does an account takeover bot work?

1. A cybercriminal typically obtains a list of stolen usernames and passwords from data breaches, phishing attacks, or the dark web.
2. The attacker uses account takeover bots to automatically test login credentials on different websites—for instance, e-commerce or social media sites—persisting until they successfully gain access to an account. With the use of bots, even strong passwords can be cracked in no time, putting personal information at risk.
3. Once the bot has taken over the account, the attacker can carry out different malicious activities, such as making unauthorized purchases or posting spam messages.

Before we discuss different types of account takeover bots, let’s take a look at a few examples of incidents involving account takeovers:

• Twitter hack: In July 2020, several high-profile Twitter accounts were hacked, including those of Barack Obama, Elon Musk, and Bill Gates. The attackers used an account takeover scheme to promote a bitcoin scam to the followers of these accounts.
• Equifax data breach: In 2017, Equifax, one of the largest credit reporting agencies, suffered a data breach that exposed the personal information of millions of consumers. The breach was the result of an account takeover bot, where the attackers gained access to Equifax’s systems by exploiting a vulnerability in its website software.
• Uber breach: In 2016, the personal information of 57 million users and drivers of the ride-sharing service Uber was exposed due to a data breach caused by an account takeover. The attackers were able to gain access to an Uber engineer’s account, which contained access keys to Uber’s Amazon Web Services account.

What are the types of account takeover bots?

Now that you’ve gained an understanding of the impact of this bad bot, let’s explore common types of account takeover bots, including their descriptions, examples, and the potential consequences they can cause.

Type of Account Takeover (ATO) Bot	Description	Example & Impact
Credential stuffing bot	These malicious bots use lists of usernames and passwords from data breaches and try to log in to different websites and gain access to user accounts. They take advantage of users who reuse their passwords across multiple sites.	A person uses the same login information for multiple online services. A hacker gains access to one of the victim’s accounts, and then uses the same login information to break into other sensitive accounts, like a bank account or email, resulting in difficulty in recovering accounts, identity theft, and financial loss.
Brute-force attack bot	These malicious bots use automated tools to try various combinations of usernames and passwords until they find the correct combination that grants access to a user’s account.	A user has a weak and easily guessable password that is vulnerable to brute-force attacks. An attacker gains access to an account and steals sensitive information, or uses the account for other malicious activities that leads to invasion of privacy, leak of sensitive information, and financial loss.
Phishing bot	These malicious bots use phishing emails or messages to dupe users into sharing their login credentials. The attacker sends a malicious link, which, once clicked on, directs the user to a counterfeit website that resembles a genuine one. As a result, the user may unintentionally provide their login credentials, which are then captured by the attacker.	A user falls for a phishing scam. An attacker gains access to their accounts and steals sensitive information or uses the accounts for other malicious purposes. The phishing attacks result in significant financial business losses, data breaches, and damage to reputation.

Among the various types of account takeover bots, the most widespread is credential stuffing. According to a report from Google, 52% of individuals use the same passwords for multiple accounts. This means that if a cybercriminal gains access to one of those accounts, they may also be able to access other sensitive accounts, including those containing credit card information, bank account details, and social media profiles.

3. Web content scraping bot

These malicious bots use web content scraping techniques to extract data and content from websites, including copying information from the HTML code and databases of the victim’s server. However, it’s worth noting that legitimate uses of web content scraping do exist, such as search engine bots like Googlebot, which help to index websites and improve search results. But the majority of web content scraping is actually done for malicious and illegal purposes, like stealing copyrighted content, pricing scraping to undercut competitors, and, of course, data breach.

How does a web content scraping bot work?

1. The cybercriminal programs a web scraping bot to visit the target website.
2. The bot reads the HTML code of the website and looks for relevant data to extract.
3. The bot extracts the desired data from the HTML code and may also extract data from the databases that are connected to the victim’s website.
4. The extracted data is stored in a structured format, such as a spreadsheet or scraper’s database.
5. Once the bot has scraped all the data from the website, the attacker will analyze it for various purposes—for example, for reposting copyrighted materials.

What are the types of content scraping bots?

Content scraping, also known as web scraping, is the act of using bots to download most or all of a website’s content without the owner’s consent. It falls under the category of data scraping and is usually done using automated bots. Website scraper bots can download all of a site’s content within seconds.

In this section, we will cover different types of content scraping, how they work and the impact they can cause on users or businesses.

Type of Web Scraping Bot	Description	Example & Impact
Content scrapers	These are bad bots that scrape websites for specific types of content, such as product listings, emails, blog posts, or news articles, and anything that is stored in the victim’s database.	Online businesses are the primary targets of attackers who use content scrapers to steal large amounts of data from databases. The stolen information is then used to repost it or sell to competitors. Additionally, email addresses can be harvested for spam and email fraud, which can damage the victim’s brand reputation.
Price scrapers	Price scraping bots are created to extract pricing information from e-commerce databases. Their purpose is to use this information to undercut competitors’ prices and increase sales.	A shoe reseller business owner may use bots to buy and sell sneakers online. By adjusting their prices based on their competitors’ pricing, the reseller can gain an unfair advantage in the market. This strategy could also apply to other industries that conduct a significant portion of their business through online sales.

What are the risks of bad bots?

The risks associated with malicious bots extend beyond just business organizations. As a regular user, you are also a prime target for these bots, which puts your personal information, online security, and overall well-being at risk.

One particularly dangerous example is Trickbot, a botnet discovered by researchers in 2019. It was designed to steal login credentials and financial information on a global scale and had the ability to spread ransomware and malware, putting millions of people at risk as the infection on affected machines was not traceable.

The potential dangers associated with bad bot traffic are numerous and should not be taken lightly. Here are just a few of the risks:

1. Identity theft. With account takeover bots, personal data can be snatched and used to infiltrate sensitive accounts, which could result in identity theft and cause significant monetary harm to the user.
2. Malware infections. It is a prevalent method for bots to infiltrate a computer system, often through downloads disguised as social media or email links. These links may appear as pictures or videos, containing harmful viruses and malware. If a user’s computer becomes infected, it could become part of a botnet.
3. Spam. This can be a result of account takeover bots when the attacker uses the victim’s credentials to send out spam emails or messages.
4. Information theft. Web scraping bots have the ability to acquire sensitive information, including confidential user data such as login details, personal addresses, and other private information.
5. Brand damage. Content scraping bots can duplicate and repost a company’s content on various fake and untrusted websites, which may result in losing potential clients.
6. Financial loss. DDoS bots can be used to flood a website with traffic, causing it to be unavailable for regular users and resulting in lost revenue for businesses.
7. Data breaches. Credential stuffing bots can be used to test stolen login credentials on multiple sites, increasing the risk of a data breach. This is because if a user’s credentials work on one site, such as a social media account, they may also work on other sites where the user has financial information, such as their bank account.
8. Intellectual property theft. Web scraping bots can also be used to steal intellectual property, such as copyrighted images or product designs, leading to financial loss for creators.

How to stop bad bot traffic

The issue now arises on how regular website owners and users like you can prevent malicious bot traffic. Unfortunately, there is no single solution to address this concern. However, there are some recommended measures to stop and prevent the associated risks of bad bot traffic. Let’s explore the following recommendations.

• Implement CAPTCHA challenges. To prevent automated bot attacks, websites can implement measures that require users to complete tasks that only humans can accomplish. These tasks often involve solving puzzles or answering questions before accessing sensitive data on a website.
• Use web application firewalls (WAFs). These can block malicious traffic by analyzing incoming traffic and filtering out suspicious requests.
• Monitor web traffic. This can help identify unusual traffic patterns that may be indicative of bot activity.
• Implement rate limiting. This can limit the number of requests a user or IP address can make within a certain time frame, which can help prevent bot attacks.
• Use bot detection software. This can analyze web traffic to identify and block bot traffic based on specific criteria such as IP addresses, user-agent strings, and behavior patterns.
• Implement bot management policies. This can involve identifying and blocking known bot traffic, blacklisting suspicious IP addresses, and whitelisting known good bots.
• Regularly update software and security protocols. This can help prevent bots from exploiting known vulnerabilities in software or systems.

Using these strategies can help website owners and organizations identify and reduce the risks of malicious bots, improving their online security. However, it’s important to keep in mind that these strategies might also affect legitimate human traffic and helpful bots that enhance website features. To effectively combat malicious bot traffic, website owners should consult with experts to differentiate between good and bad bots and implement mitigation strategies that balance security with website functionality. This helps to ensure that their websites remain accessible to legitimate users while minimizing the risks posed by bad bots. At Gcore, we understand the importance of providing effective measures against bad bot traffic and will provide information on how it assists our clients in countering these threats in the following section.

How does Gcore’s DDoS and bot protection help against bad bot traffic?

Here at Gcore, we guarantee that your online business will continue to function seamlessly, regardless of any disruptions or threats. Our security platform is designed to keep your digital business operations safe from cybercriminal attacks. We have scrubbing centers located globally that are linked to various service providers and have backup copies of essential systems, such as cleaning servers, managing servers, data storage systems, and network equipment. With our platform, you can be confident that any potential attack will not affect your website’s performance or cause any disruption to your visitors and customers. Let’s take a closer look at the protection services we offer to defend against DDoS attacks and malicious bots.

Protection against DDoS attacks

Gcore’s DDoS protection ensures uninterrupted application performance even during large-scale attacks, minimizing the risk of service disruptions and preventing degradation of website performance. Here are some key points about how the DDoS protection in our web security module operates:

1. Attackers generate spam traffic to overwhelm targeted servers.
2. The DDoS protection layer detects and filters incoming traffic. This includes protection against network and transport layer (L3 and L4)  and also against application layer DDoS attacks (L7).
3. Real-time bot protection. We’ll prevent parsing, advertisement fraud, and theft of your user’s personal data.
4. WAF hacking protection. It protects our clients from manual hacking and attempts to exploit vulnerabilities or loopholes in your website without implementing third-party SDKs or making changes to the application’s code.

Furthermore, there are various security features to protect against DDoS attacks. These are designed to prevent or mitigate the impact of a DDoS attack on a target network or website. Some of the common DDoS security features offered by Gcore include the following:

• A globally distributed network to filter all traffic around the world.
• Our growing distributed network capacity will always exceed any single DDoS attack.
• Protection against low-rate attacks from their first request.
• Advanced load balancing algorithms for better availability.

To learn more, check out our Global DDoS protection page.

Protection against bad bots

At our company, we understand the importance of keeping your web applications and servers safe from malicious bot activities. That’s why we offer top-of-the-line bot protection services that prevent website fraud attacks, spamming of request forms, brute-force attacks, and other harmful bot activities.

How do we achieve this? Our team of experts utilizes advanced algorithms that identify and remove unwanted traffic that has entered your system’s perimeter. This not only prevents overloading but also ensures that your business processes run smoothly. Want to learn more about how our protection module operates? Here are some key points:

1. First, bad bots imitate human behavior to conduct activities that are considered inappropriate.
2. Second, our system’s bot protection feature identifies and terminates connections from bots engaged in automated activities.
3. The workflow of the client only interacts with legitimate users, and not with any bad bot traffic.

Our bot protection system provides protection against the following harmful bad bot activities:

• DDoS botnet attacks
• Account takeover attempts
• Web content scraping
• API data scraping
• Form submission abuse
• TLS session attacks

Discover more details about Gcore’s bot protection.

Now that you’re familiar with our robust DDoS and bot protection services, let’s dive into real-world use cases across various industries and their corresponding descriptions.

Industry	Description
Fintech	Banking institutions are more prone to complex DDoS attacks than other sectors, and attackers aim to not only disable the service but also steal personal and financial information from users. To mitigate such risks, it is essential to monitor individual requests, detect potential threats, and safeguard websites, applications, and APIs.
E-commerce	Prevent bad bots from attempting to guess login credentials and passwords in order to gain unauthorized access to your system. Additionally, block bots that scrape your online store for the purpose of gaining a competitive advantage.
Gaming	80% of the attacks are on game servers. Once you fail, you risk losing your reputation and customer loyalty forever. Learn more about our game server protection expertise.
Advertising	With bots accounting for approximately 50% of the world’s web traffic, it is highly likely that a significant portion of the traffic you purchase is fraudulent advertising. By removing these bots from your paid traffic, you can accurately analyze your website’s traffic and optimize your marketing budget accordingly.

Conclusion

Protecting your website against bad bot traffic is more important now than ever before. These malicious bots can pose a significant risk to both your website’s security and performance, leading to negative impacts on legitimate user traffic. But with Gcore’s effective mitigation strategies, you can safeguard your online systems and services from the risks associated with bad bot activity. Our DDoS protection and Edge Stream services, such as CDN, provide a comprehensive solution that detects and blocks bad bot traffic, ensuring optimal performance and maximum security. To learn more and start protecting your business today, contact us at Gcore.