Executive Summary

As more companies transform digitally and become more automated, we’ll see an increase in good bots designed to improve customer experiences online. However, cyber attackers will accelerate their use of bad bots to target industries at scale that have the most potential for monetary gain. Now businesses don’t just have to block the bad bots: they also have to enable the good bots.


Most estimates say that bots account for approximately 50% of all internet traffic and are delivered by a variety of sources. One of the most common is when user devices such as laptops, smart phones, or tablets are compromised by malware. Users might unknowingly download a bot via phishing or a drive-by download. When the bot attacks, the device itself becomes part of a botnet, ready to take commands from an unknown entity. Most people associate volumetric DDoS attacks with these zombie armies, because those are the attacks that make the headlines.

Sometimes, however, servers or processes are simply owned by the attacker—in many cases, because a malicious hacker purchased the means to do so on the dark web. This is surprisingly affordable: for example, a 300-second DDoS attack using a botnet with a total bandwidth of 125 Gbps costs around $6 to buy.

Additionally, since the attack is coming from an actual (unsuspecting) user, as opposed to an automated script, the attacker can bypass security controls designed to block automated attacks.



Airlines and ticketing sites rely heavily on what they call the “look to book ratio” to ensure the availability of tickets, especially when they’re getting hit with bots performing content scraping. At the same time, a barrage of bad bots can drop DDoS or credential stuffing attacks on their sites, or clog email servers with spam. This situation results in loaded servers and clogged bandwidth for an extremely slow ordering process, terrible customer experience, skewed visitor metrics, and tainted security logs.

Ad bots can also create and abandon shopping carts, steal unique content and present it as their own, fabricate fake accounts on membership sites, and generate malicious traffic to create false traffic spikes—skewing any marketing KPIs, CPC conversions, and overall ad campaign ROI. According to recent reports, ad fraud alone is set to exceed $3.3 billion.

Here are the top 5 ways bots can impact your business:



Web-scraping bots can copy and extract copyrighted or trademarked data from websites and reuse it—often for competitive purposes—on other websites. Because there are two versions of the content online, this can greatly diminish your site’s search authority.



Attackers can use botnets to launch DDoS attacks that make an application or network unavailable, which can affect web traffic metrics. Bots can also create non-existent leads by creating and abandoning online shopping carts on an ecommerce site. The resulting inaccurate metrics can lead to poor marketing decisions later. Some business logic attacks can cause denial of service using only a single malicious request.



Bots can commit click fraud by automatically clicking on an ad. Companies can then deliberately drive up the advertising costs for their competitors. Click fraud skews data reported to advertisers and costs companies a lot of money because they end up paying for non-human clicks. Even worse, those companies get no revenue from fake shoppers.



Malicious bots can negatively impact the bottom line. Losses can be the result of an unresponsive or flagged website, redirecting visitors to a competitor, sales personnel chasing false opportunities or leads, paying more for a clicked ad, or making major business decisions based on bad data.



Bots can steal sensitive information such as user credentials, fill your customers’ inboxes with unwanted email containing malicious links, write fake product reviews, and create fake social media accounts to write false or biased content. They can also inflate views and follower counts, write provocative comments online to stir up controversy, rig votes, and more. These types of activities can frustrate customers, drive them away from your site, and ruin your reputation.


The sophistication of bad bots can make them look like a real human is interacting with the site, leading to organizations using corrupt analytics data. Even worse, bad bots can ruin a company’s reputation by redirecting visitors to phishing sites.



It’s important to filter out misleading data and detect bot threats within encrypted traffic. It’s also important to filter out unwanted automated programs, traffic, and tools, to get better business intelligence. By removing malicious bot traffic, you can clean up your data and make decisions based on real visitor interactions.

Because most threats in any environment start with bots or botnets, the best way to mitigate these types of threats is to target the attack tool itself and adopt a layered security approach to manage changing attack vectors. It's also important to inspect ingress and egress application traffic to identify and block scanners, attackers, and bots, while preserving and accelerating apps for legitimate usage.

Traditional IP intelligence, geofencing, and reputation-based filtering can help, but these technologies must evolve to keep pace with smarter and more sophisticated bots. For example, although many attacks look like they’re coming from a single IP address, blocking that one address will not fix the situation: the criminal behind it will simply adjust accordingly. Additionally, mobile applications are built differently than web applications, and are becoming a critical revenue-generating component of many businesses. Bot mitigation must seamlessly protect all applications from attack.

With the right tools, you can filter out unwanted traffic, improve the quality of your data and make better business decisions.


So how do we solve the challenge of detecting and mitigating bad bots? By having a solution that can:

  • Safeguard intellectual property and stop web scraping attempts by competitors

  • Protect revenue generating URLs that can be exploited with business logic attacks

  • Leverage analytics to detect sophisticated bots that emulate human behavior

  • Prevent credential theft by securing sensitive fields like usernames and passwords

  • Defend mobile applications without burdensome app changes or SDK customization

When we filter out the unwanted or malicious traffic, we reduce the number of actual requests our apps need to service. This means we have a delta between how much we’re spending to maintain our apps servicing all traffic and how much we should be spending to service only our intended customer base. Once we do this, we should be able to shrink our apps and reclaim those costs. In addition, having clean visitor metrics gives marketing a clear, honest picture of what visitors actually do on their site in order to make informed decisions.

You might not normally think to draw a connection between bad BI and bad bots, but it’s there. The good news is that with the right tools, you can break that connection, improve the quality of your data and make better business decisions.
