
URL: https://blog.barracuda.com/2023/10/18/threat-spotlight-bad-bot-traffic-changing
Submission: On October 19 via api from TR — Scanned from GB

THREAT SPOTLIGHT: HOW BAD BOT TRAFFIC IS CHANGING

Oct. 18, 2023 | Tushar Richabadas

Once used primarily by search engines, bots now have a variety of uses — both
good and bad. The good bots are primarily search engine crawlers and other
similar bots used for aggregating or monitoring content. These bots obey the
website owner’s rules as specified in the robots.txt file, publish methods of
validating them as who they say they are, and work in a way to avoid
overwhelming the websites and applications they visit.

Bad bots are built to perform various malicious activities. They range from
basic scrapers that try to get some data off an application (and are easily
blocked), to advanced persistent bots that behave almost like human beings and
look to evade detection as much as possible. These bots attempt attacks that
range from web and price scraping to inventory hoarding, account takeover
attacks, distributed denial-of-service (DDoS) attacks, and much more.

Barracuda researchers have been tracking bots on the internet and their effect
on applications for several years now. In analyzing those traffic patterns for
the first six months of 2023, they identified several interesting trends.

From January 2023 to June 2023, bots made up nearly 50% of internet traffic,
with bad bots making up 30% of traffic. That’s down from 2021 when Barracuda
research found that bad bots made up 39% of internet traffic.

North America was the source of 72% of bad bot traffic in the first half of
2023. Roughly two-thirds (67%) of bad bot traffic came from hosting providers,
while 33% was from residential and other IP addresses. Most bad bot traffic
comes from the two large public clouds: AWS and Azure, which skews the
geographic data toward North America.

Let’s take a closer look at what’s driving these trends and where the traffic is
coming from.


THE E-COMMERCE BOT BUBBLE

When PlayStation 5 launched in 2020, people quickly realized that it was out of
stock everywhere — except with unauthorized resellers who used e-commerce bots
to quickly buy up all of the available PS5s and then resell them at a much
higher price. This brought bad bots into the limelight, and from late 2020 to
mid-2022 we saw a significant amount of bad bot traffic from these types of
e-commerce bots.

We saw a lot of people using bad bots to buy anything that was launched and
limited edition — sneakers, clothes, Funko Pops, and more. Bot forums were
loaded with people trying to figure out ways to get around restrictions and
anti-bot protections — and many were making real money. This trend finally ended
in late 2022 when the bottom dropped out of the sneaker resale market after
inflation started going up.

This decrease in traffic from e-commerce bots was likely the main driver for the
drop in bad bot traffic from 39% of internet traffic in the first half of 2021
to 30% in the first half of 2023. 




SOURCES OF BOT TRAFFIC

In their analysis, Barracuda’s researchers also uncovered interesting insights
into where bad bot traffic is coming from. The U.S. is the country of origin for
almost three-quarters (72%) of bad bot traffic. The next four regions are the
United Arab Emirates (12%), Saudi Arabia (6%), Qatar (5%), and India (5%).
However, the traffic source is skewed toward the U.S. because 67% of bad bot
traffic comes from public cloud data centers’ IP ranges. 


From our sample set, most of the bot traffic comes in from the two large public
clouds — AWS and Microsoft Azure — in roughly equal measure. This could be
because it is easy to set up an account for free with either provider and then
use the account to set up bad bots. Traffic from these cloud ranges is also
relatively simple to identify and block. If your application does not expect
traffic from a specific data center IP range, you can consider blocking it,
similar to geo-IP based blocking.
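One way to turn that advice into a check, as an added example that is not from the original post: it labels access-log client IPs against cloud prefix lists and proposes block candidates while carving out ranges the application does expect. The prefix data, the provider labels "cloud-a" and "cloud-b", the expected partner range and the request list are all constructed, using documentation IP ranges.

```python
import ipaddress
from collections import Counter

# Constructed stand-in for a provider's published prefix feed, using RFC 5737
# documentation ranges. "cloud-a" and "cloud-b" are hypothetical labels.
CLOUD_PREFIXES = {
    "cloud-a": ["192.0.2.0/24", "198.51.100.0/25"],
    "cloud-b": ["203.0.113.0/24"],
}
# Assumption: a partner integration hosted in cloud-b is expected traffic.
EXPECTED = [ipaddress.ip_network("203.0.113.64/26")]
# Constructed client IPs as they might appear in an access log.
REQUESTS = ["192.0.2.10", "192.0.2.10", "192.0.2.77", "198.51.100.5",
            "198.51.100.200", "203.0.113.70", "203.0.113.200", "203.0.113.201"]

def classify(ip_text):
    """Label one client IP as 'expected', a cloud provider name, or 'other'."""
    ip = ipaddress.ip_address(ip_text)
    if any(ip in net for net in EXPECTED):
        return "expected"
    for provider, prefixes in CLOUD_PREFIXES.items():
        if any(ip in ipaddress.ip_network(p) for p in prefixes):
            return provider
    return "other"

def carve(net):
    """Remove every expected range from a prefix so a block never covers it."""
    pieces = [net]
    for exp in EXPECTED:
        kept = []
        for piece in pieces:
            if exp.subnet_of(piece):
                kept.extend(piece.address_exclude(exp))
            elif not piece.subnet_of(exp):
                kept.append(piece)
        pieces = kept
    return pieces

def block_candidates(requests, min_hits=2):
    """Cloud prefixes with >= min_hits unexpected requests, minus expected ranges."""
    hits = Counter()
    for ip_text in requests:
        if classify(ip_text) in ("expected", "other"):
            continue
        ip = ipaddress.ip_address(ip_text)
        for prefixes in CLOUD_PREFIXES.values():
            hits.update(p for p in prefixes if ip in ipaddress.ip_network(p))
    nets = [n for p, c in hits.items() if c >= min_hits
            for n in carve(ipaddress.ip_network(p))]
    return [str(n) for n in sorted(nets)]
```

With real provider feeds in place of the constructed table, the output is a review list for the WAF or firewall, not something to apply without checking what legitimately runs in those ranges.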


Barracuda’s researchers also saw a significant amount of bad bot traffic (33%)
coming from residential IP addresses. A lot of this is because bot creators are
trying to hide in residential traffic by using someone else’s IP address through
proxies to try to bypass IP blocks.

Attackers have been using this tactic for some years now, particularly for
things like web scraping or other bot attacks. If attackers are doing something
malicious, they don’t want to do it from their own IP address due to
traceability, so they end up using a service that provides anonymous residential
IP ranges.

This can sometimes lead to residential IP users ending up in “CAPTCHA hell,”
unable to pass CAPTCHAs from Google or Cloudflare because their IP was used by
one of these attackers and flagged for malicious activity.


INCREASING ATTACKS ON APIS

The more serious bot threat groups are still operating, getting more
sophisticated, and causing serious damage. Bots are getting cleverer, and as a
result account takeover attacks, including attacks against APIs, are increasing.
Attacks against APIs are growing because they are relatively under-protected and
easier to attack with automation because they are made for automation.

These account takeover attacks generally start with a brute-force attack or a
credential stuffing/password spraying attack. In a brute-force attack,
cybercriminals keep trying permutations and combinations of credentials until
they find one that succeeds. For example, an attacker would use a list of common
usernames (like admin or administrator) and passwords (like hunter123 or
password) and keep iterating until they are successful. In credential stuffing,
attackers start with known good credentials from a data breach and rely on
people reusing their passwords on other sites. These attacks are more successful
and get to that success sooner because password reuse is so common.

Defenses like rate limits and multifactor authentication (MFA) can help detect
and stop brute-force attacks, so attackers will then try things like
low-and-slow bots to bypass rate limits and other techniques like phishing and
MFA-bombing to bypass MFA. Unfortunately, many organizations do not have proper
rate limits and monitoring in place, which can lead to bigger problems, as it
did with the Optus breach in 2022.
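The gap between a rate limit and monitoring can be shown on login events, as an added example that is not from the original post: a short-window failure counter catches the fast brute-force source but misses a source that tries one account every ten minutes, which only a long-horizon count of distinct accounts per source picks up. The events, IP addresses, usernames and thresholds are constructed assumptions.

```python
from collections import defaultdict, deque

def sample_events():
    """Constructed login events: (epoch_seconds, source_ip, username, success)."""
    # Fast brute force: ten failures against one account in ten seconds.
    events = [(t, "198.51.100.7", "admin", False) for t in range(10)]
    # Low and slow: one failure every 600 s, a different account each time.
    events += [(i * 600, "203.0.113.9", f"user{i}", False) for i in range(8)]
    # Ordinary user: two mistyped passwords, then a successful login.
    events += [(50, "192.0.2.50", "alice", False),
               (55, "192.0.2.50", "alice", False),
               (70, "192.0.2.50", "alice", True)]
    return sorted(events)

def burst_sources(events, window=60, limit=5):
    """Rate-limit view: sources with more than `limit` failures in `window` seconds."""
    recent = defaultdict(deque)
    flagged = set()
    for ts, ip, _user, ok in events:
        if ok:
            continue
        q = recent[ip]
        q.append(ts)
        while q[0] <= ts - window:   # drop failures that fell out of the window
            q.popleft()
        if len(q) > limit:
            flagged.add(ip)
    return flagged

def spread_sources(events, min_users=5, max_per_user=2):
    """Monitoring view: sources failing against many accounts, few tries each."""
    per_ip = defaultdict(lambda: defaultdict(int))
    for _ts, ip, user, ok in events:
        if not ok:
            per_ip[ip][user] += 1
    return {ip for ip, users in per_ip.items()
            if len(users) >= min_users and max(users.values()) <= max_per_user}

if __name__ == "__main__":
    ev = sample_events()
    print("rate limit flags:", burst_sources(ev))
    print("spread check flags:", spread_sources(ev))
```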


EFFECTIVE DEFENSES

When it comes to protecting against bot attacks, organizations can be
overwhelmed at times due to the number of solutions required. The good news is
that solutions are consolidating into Web Application and API Protection (WAAP)
services. To protect your business, as well as your data, analytics, and
inventory, you need to invest in WAAP technology that identifies and stops bad
bots. This will improve both user experience and overall security.

 * Put proper application security in place. Install a web application firewall
   or WAF-as-a-Service solution and make sure it is properly configured with
   rate limiting and monitoring in place. This is an important first step to
   make sure your application security solution is working as intended.
 * Invest in bot protection. Make sure the application security solution you
   choose includes anti-bot protection so it can effectively detect and stop
   advanced automated attacks.
 * Take advantage of machine learning. With a solution that uses the power of
   machine learning, you can effectively detect and block hidden almost-human
   bot attacks. Be sure to turn on credential stuffing protection to prevent
   account takeover as well.


Tushar Richabadas is Senior Product Marketing Manager, Applications and Cloud
Security, Barracuda. Prior to this role, Tushar was a Product Manager for the
Barracuda Web Application Firewall and Barracuda Load Balancer ADC, with a focus
on cloud and automation. Tushar has a wide range of experience, including
leading networking product testing teams and technical marketing for HCL-Cisco.
Tushar closely tracks the rapidly increasing impact of digital security and is
passionate about simplifying digital security for everyone.
