Your Site and Bot Attacks
By Sean Wang
December 23, 2020
As a web developer, your visitors and your site’s information are crucial. The last thing you want is bot attacks affecting your site traffic. A major block of internet traffic online is dedicated to bots scouring and interacting with websites and apps; approximately fifty-percent of all internet traffic comes from bots with about one-in-five website requests being generated by bad bots. While different bots target different things from lifting information found on your website to trying to access your app users’ information, you should be aware of what is out there and what you can do to prevent them in the future. In this article, I will provide an overview about different types of bots and bot attacks, provide a few ways to detect them, and how to stop bot attacks in the future.
What are bots and what do they do?
Bots are software applications or scripts of code that are programmed to complete certain, usually repetitive tasks. They are written to run automatically without a human user needed to start or manage their actions. While there are many bots that are useful like customer service chatbots, there are many types of bots that can negatively affect your websites. It is worth noting that there are a number of companies that produce and sell bots as a service.
- Scraping bots can extract information from websites ranging from taking your original content without your permission to collecting sensitive data. They can be used to spread spam or take data and perform acts such as “credential stuffing” which can brute force leaked information to breach accounts. Be aware that there are companies that market and sell scraping bots as a service.
- Spam bots create fake accounts across different platforms or apps and then disguise their activities as coming from a real user. They can then begin sending out spam messages over email or on social media.
- Botnets are networks of hijacked computer devices to carry out scams or cyberattacks. They can be spread out across a variety of computers, phones, or smart devices which can then be controlled by attackers to create this “botnet” or zombie network. These botnets can then be used to flood websites with fake requests and eliminate a site’s resources, leading to a DDoS attack). They can also be used to steal information, extort or steal money, or steal a device’s processing power for mining cryptocurrency.
Where can you find bots?
- Analyze your web traffic to determine where the bots are coming from and when they’re affecting your site. You should also monitor when there may be failed login attempts and set up automatic alerts to determine if bots are attempting to breach your site (i.e. high bounce rate, low conversion rate). You can start with a service such as Google Analytics for help.
- Review your potential access points. If you have any exposed APIs and mobile apps, these can be open to exploitation by bots. Remove any features that your site no longer uses.
How to stop bot attacks?
- Require authentication services – Rather than provide bots an easy opportunity use all parts of your site, consider using a service that validates users. Groups like humanID are able to maintain user privacy while ensuring that each user is a real person accessing your site’s content.
- Limit administrative rights – Not every user needs unlimited access to your organization. By limiting administrative rights, you can prevent users from inadvertently installing malicious apps like spyware or malware. Furthermore, you should focus on securing any super-accounts or accounts with full administrative access.
- Web Application Firewalls (WAF) – Similar to a firewall for your computer, WAFs are deployed to protect your web application from anything may appear malicious. Rather than necessarily creating an IP blacklist, WAFs rely on “reputation intelligence” data to provide context on user behavior rather than evaluating individual network events. There are a number of companies that provide WAFs as a service.
- Ensure only authorized software and updates – On a server/developer end, ensure that your devices are configured to verify any software updates pushed from a service. This is crucial to ensuring that your devices are properly up to date and not susceptible to false downloads.
How does humanID help?
humanID is a quick and easy solution to cutting down on bot traffic on the internet. We prevent bot attacks by limiting devices to one account per device, using country-code filters, and verifying your account with a unique phone number. We do not require your users to remember passwords, complete CAPTCHAs, or download additional security apps. Our services can help you enforce user bans, paywalls, community rules, and country-level restrictions. Learn more about partnering with humanID today!