Bad bots have less share of internet traffic, but pose bigger threats

Nearly half (48%) of all internet traffic is now bot traffic and bad bots account for 30% of total during the first six months of 2023, according to a new report from Barracuda.

Good bots are primarily search engine crawlers or content monitors, which are part of the general functioning of the internet. Bad bots are designed with nefarious goals, ranging from basic scraping to more sophisticated distributed denial-of-service attacks.

Barracuda’s new Threat Spotlight report reveal that bad bots’s contribution to all traffic went down from 39% in the first half of 2021. 

Despite this, the research highlights how bad bot attacks have evolved to become more advanced and how, as a result, account takeover attacks, including attacks against Application Processing Interfaces (APIs), are increasing.

Barracuda saw that in the first six months of 2023, almost three-quarters (72%) of bad bot traffic originated in the United States, followed by the United Arab Emirates (12%), Saudi Arabia (6%), Qatar (5%), and India (5%). 

However, they note that the traffic source is skewed toward the US because 67% of bad bot traffic comes from public cloud data centres’ IP ranges.

According to the findings, most of the bad bot traffic originates from two large public clouds — AWS and Azure in roughly equal measure — which Barracuda researchers suggest could be because it’s easy to set up an account for free with either provider and then use the account to set up bad bots.

The report also shows that up to a third of bad bot traffic is coming from residential IP addresses, which Barracuda researchers believe to be from bot creators trying to hide by using residential IP addresses through proxies to bypass IP blocks.

Mark Lukie, Barracuda director of solution architects in the Asia-Pacific region, said that bots are getting cleverer, and attacks against APIs are increasing. This is likely due to many organisations having weak authentication and access policies, plus a lack of bot specific security measures.

“The good news is that protecting against these attacks is getting easier thanks to solutions which consolidate Web Application and API Protection (WAAP) services – which can help you to identify and stop bad bots in their tracks,” said Lukie.

“Beyond this, ensuring that your web application firewall or WAF-as-a-Service is configured with rate limiting and monitoring, and that you have credential stuffing protection, can not only increase your chances of staving off these attacks, but also help to prevent account takeover as well,” he added.