Bot Detection Basics

Comprehensive Guide to Bot Detection in 2023: Protecting Your API, mobile and Web endpoints.

Bot Detection Platform

Managing Good Bots

Let’s just serve harder CAPTCHA to all our customers anyone? One size fits all draconian user policies don’t work.  It’s time for a re-think on bot protection."

Introduction to Bot Detection

Whether you're running an e-commerce platform, financial services portal, or you're just your average billionaire who has massively overpaid for a social media platform proven to be riddled with bots, distinguishing between human and bot visitors reliably at scale is crucial for your online success. 

In 2023, Bots are becoming increasingly sophisticated with the advent of generative AI, and are routinely passing CAPTCHA and other traditional defense systems. X, formerly known as Twitter actually implemented rate-limiting across its entire platform - effectively crippling the service for legitimate users, as it tries to rein in the bots. Punishing your legitimate customers is rarely a winning strategy.

One size fits all draconian user policies don’t work. Let’s just serve harder CAPTCHA to all our customers anyone?  What could possibly go wrong? It’s time for a re-think on bot protection.

At VerifiedVisitors, we understand the importance of bot management and offer a comprehensive guide on bot detection, helping you protect your website from malicious traffic. In this article, we will delve into the intricacies of identifying bot traffic, offering you actionable insights to safeguard your web presence.

Bot Detection Platforms.

Why Bot Detection is Paramount?

Bot detection serves as the first line of defense against severe security threats that lurk in the online shadows. Without robust bot detection mechanisms, you may not even realize that your digital domain is under attack. Certain nefarious bot activities, including account takeover fraud and web scraping, can silently infiltrate your online assets, causing damage before you're aware of their presence.

Effective bot detection is not merely a security measure; it's the foundational bedrock of online fraud prevention. By blocking malicious bots from infiltrating your websites, mobile apps, and APIs, at the network edge, you gain the following advantages:

1. Enhanced User Experience

Sudden surges in bot traffic can lead to website slowdowns or crashes, resulting in a poor user experience. Preventing such incidents by blocking harmful bots ensures a smooth and efficient user journey and repeat visits. Many sites implement a draconian policy for all visitors - forcing each and every user to undergo an advanced CAPTCHA, two factor authentication or other disruptive event, that may cause user churn. 

2. Reduced DevOPs and IT support Costs

Malicious bots consume valuable bandwidth and drive up server, API, and CDN costs. Server spikes are often from bots. Eliminating the spiky burstable traffic, reduces the overall time spent of server maintenance, investigation and root causes analysis - which can often be a much higher cost than any hosting or bandwidth savings. By intercepting and thwarting these bots, you can significantly cut down your IT expenses.VerifiedVisitors customers report decreases in reduced DevOps management time by around 30%.

3. Competitive Edge

Some unscrupulous competitors employ bots to scrape your content and prices, gaining an unfair advantage. Bots can also clone your entire web site - and lead to impersonation attacks to obtain real login credentials. These passing off attacks can be very subtle and will fool many unsuspecting end-users. Effective bot detection and prevention can make it challenging for them to access your valuable data in the first-place..

4. Time Savings

A successful bot attack disrupts every facet of your business, from IT operations to customer support and marketing. By blocking malicious bot traffic, you save valuable time that would otherwise be wasted mitigating the aftermath of an attack.

5. Regulatory Compliance

Last but not least, regulatory bodies like GDPR and CCPA emphasize data protection and impose hefty fines on non-compliant entities. Blocking malicious bot traffic is a proactive step to safeguard your sensitive data and ensure compliance.

These are just a few compelling reasons to prioritize bot traffic identification. Bot attacks and online fraud pose existential threats to businesses, from small and medium-sized enterprises to financially secure corporations. Protecting yourself with robust bot detection is paramount.

How can you detect bots?

Identifying Bot Traffic

Recognizing bot traffic is a crucial aspect of effective bot detection.

Here are some indicators that can help you identify suspicious bot activities on your websites, apps, and APIs:

1. Sudden Changes in Login Pass / Fail -Ratios

Look out for abnormal login pass to fail ratios, or accessibility logins that are easier to pass e.g. audio.

2. Sudden Spikes in user Registrations

Bots create sleeper accounts that are then activated for a sale or other time bound event. Sudden increases in registrations, particularly if they have junk data, numeric values in the email, or other tell-tale indicators of a likely automated process for bulk registration..

3. Spikes in Pageviews

Certain bot attacks aim to overwhelm your servers, resulting in an inexplicable spike in pageviews on your analytics software. This is usually the first tell-tale sign of a bot attack.

4. Unusually High Bounce Rates

Bots often have specific objectives and leave a page as soon as their task is complete or unattainable. This behavior leads to an unusually high and rapid bounce rate.

5. Changes in Session Length

Suspiciously short or excessively long session durations are tell tale signs to look out for. Humans tend to spend a few seconds on a page, while unusually lengthy sessions can also indicate bot activity. Bots are often written specifically to avoid WAF rate-limiting, and will engage in long sessions over time to fly under the radar. 

6. Traffic Spikes from Unusual Locations or Platforms

If your business doesn't operate in certain regions, a sudden influx of requests from those locations is a clear sign of a bot attack. Similarly, if your site typically doesn’t get for example Linux based or Mobile traffic, and it’s pattern changes, it may be indicative of a bot attack.

7. Automated looking data submissions

Look out for meaningless contact form submissions, users constantly adding items to shopping carts without making purchases, or a surge in bouncebacks from your free newsletter. Bots often may subscribe to a newsletter, but won’t then verify their email address. These are signs of bot-induced chaos.

Common Bot Detection Techniques

Bot detection tools have evolved to counter increasingly sophisticated bots. However, some older techniques have become ineffective. Let's explore a few common bot detection methods:


Traditional CAPTCHAs, like reCAPTCHA, were once effective in deterring bots. However, bots now routinely pass CAPTCHA and also use CAPTCHA farms to get around even the most complex of CAPTCH by using cheap labour in remote areas.  Extensive use of CAPTCHA also raises concerns about accessibility and data privacy compliance,which can negatively  impact user experience. Many sites have also tried to solve the problem by introducing CAPTCHAs that are progressively harder to solve, if failed the first time. This is often a great source of frustration for legitimate users, who may have accessibility issues, or are just trying to quickly access webpages on the go on a mobile device.

2. Web Application Firewalls (WAFs)

WAFs are designed to protect against known attacks but are less effective against modern, advanced bots. They can reliably pick up known bad bot signatures - but the problem is they will fail with bots that are either new or purpose built that are attacking your site. New intelligent bots know the signature based methods, and take steps to disguise their origins and hide as legitimate domestic traffic using regular machines or mobile devices. 

WAFs also rely heavily on IP reputation, which can be easily circumvented by bot operators using residential or domestic IPs in botnets or in commercially available residential proxy services. Many of these services contain millions of domestic IPs, which renders the traditional IP reputation services almost obsolete. Worse, the reputation based services need constant updates, and can lead to a whole host of false positives. Infected botnet machines that have a blacklisted IP are often upgraded or patched to remove the botnet, but the IP address is still blacklisted. 

3. Multi-Factor Authentication (MFA)

While MFA can enhance user account security, it doesn't protect against various bot attacks, leaving businesses vulnerable to scrapers, scalpers, and DDoS attacks.

The Challenge of Bot Detection

Identifying bots has become increasingly challenging for several reasons:

  • Generative AI linked to intelligent bot agents is a game-changer as anyone without programming skills can now build sophisticated attacks using bots.
  • Bots target a wide range of endpoints, not just websites. API data abuse is particularly widespread and hard to stop with traditional fingerprinting techniques that seek to distinguish humans from bots.
  • Bots employ technologies that closely mimic human behavior - including mouse trails and triggering a mobile accelerometer.
  • Bots frequently rotate through numerous clean, residential IPs, rendering IP-based detection ineffective. Fingerprint detection often fails, as the machines and platforms are  legitimate and pass the fingerprint tests.
  • The rise of "Cybercrime as a Service (CaaS) allows anyone with zero programming knowledge to launch bot attacks with advanced capabilities, using residential IP, user agent rotation, and real fingerprints, all  just using simple prompts or templates. 
  • Bots can distribute attacks across different times and locations with ease - and often go low and slow to avoid simple rate limiting WAF rules.

Mitigating Bots with Advanced Bot Detection Software

To effectively identify and combat bots, you need a dedicated and advanced bot detection and online fraud protection solution. Here's what distinguishes a modern advanced bot detection platform in 2023.

1. Built from the ground up using AI:
Traditional bot software uses a fingerprint to analyze the underlying platform. Fingerprints just don’t work for API traffic - where all the visitors are machines, and fails for CyberCrime as a Service (CaaS) platform which uses real machines with valid fingerprints and domestic IP addresses. A good platform needs a modern streaming architecture to analyze 100% of requests in real time, handling traffic peaks and processing trillions of data signals efficiently using advanced ML. It should be hybrid cloud - and ideally automatic to integrate without additional integration scripts.

2. Historical Behaviour Analysis and Real-time Alerts: Effective bot detection requires both historical analysis of log-data to detect patterns of behaviour over time combined with a feedback loop that sends the latest threat data from the logs to update the real-time threat detectors with the new parameters..

3. Differentiating Good Bots An advanced solution should distinguish between legitimate and malicious bots, preventing the latter from masquerading as the former. It should include a recommendation engine to simplify the process of selecting good bots, and automated the good bot access list. It also needs to keep track and verify the good bots over time.It also needs to manage bot policies globally, so admins can create for example one central good bot access list for hundreds of domains. 

5. Threat ResearchAn advanced bot detector should be supported by a competent threat research team that keeps an eye on hacker forums and emerging technologies to stay ahead of new threats

Key Takeaways for Bot Detection in 2023

Bot detection software is the cornerstone of online fraud prevention. Implementing effective bot detection techniques has become more critical than ever. Traditional bot detection methods are no longer sufficient, and safeguarding all digital endpoints, including mobile apps and APIs, is imperative using the latest AI hybrid cloud platforms, to give you zero-trust at the network edge..For comprehensive protection of your business and customers, consider advanced bot detection software such as VerifiedVisitors. They identify and block the most advanced bots in real time, ensuring data security, a seamless user experience, and minimal downtime.

Frequently Asked Questions

How are bots detected?

Detecting bots by simply monitoring your traffic, and employing CAPTCHA is like finding the proverbial needle in the haystack, and will lead to frustrating user experience as they inevitably get challenged as if they were bots. Traditional old school bot detection uses fingerprints or CAPTCHA to detect the bots. Although this used to be effective, the use of APIs and widespread SaaS bot services which use botnets using domestic IPs has rendered these basic bot detection methods obsolete. .

What are bot attacks

Bot attacks encompass malicious activities performed by automated programs. These include scraping, brute force attacks, and denial of service attacks. Robust bot detection techniques and software are essential to prevent such attacks.

How effective is IP Reputation for detecting bots?

While IP addresses with known associations with bad actors or botnets can raise suspicion, they are just not sufficient alone for detecting bots and often lead to false positives. Many commercial bot services now use residential proxies and real machines, and bot farms using actual mobile devices that pass all the associated fingerprinting and mobile tests, and hide within the mobile proxies which cover many thousands of legitimate mobile devices, and can’t be simply blocked.

Are there specific industries more susceptible to online fraud and bots?

Yes, industries like finance, e-commerce, and social media are particularly vulnerable due to the high volume of online transactions and interactions.