Bots are simple programs that carry out repetitive tasks on the Internet on behalf of humans. Bots aren’t inherently bad and can be either malicious or benign. Benign bots provide basic but useful services, such as passively crawling the Web to index content for search engines, or chatting with website visitors to help them find resources they need. Malicious bots, on the other hand, are scripts or programs designed to automate the actions an attacker would take in a cyberattack, allowing attackers to hit their targets faster and harder than they would if they were attacking manually.
Malicious bots have therefore become a core tool for attackers because they act as a force multiplier for attacks. This is key to why attackers use bots in so many different ways—bots are a way for attackers to achieve scalability no matter what their goals and techniques are. A group of bots that are all employed by a single threat actor or for a single purpose is often referred to as a botnet.
Threat actors use bots for a wide range of cyberattacks—in short, anything that can be done with simple, repeatable actions on the Internet. Perhaps the most well-known kind of bot-supported attack is a distributed denial of service (DDoS) attack, but bots are also critical for credential stuffing, brute force, and click fraud. Because of the speed at which they can operate, they are also crucial tools for resellers, who use appropriately named reseller bots (sometimes known as sneaker bots) to purchase high-demand commodities for resale.
Because of the wide range of nefarious uses for bots, it is important to think of them as a generalized tool and not a specific kind of attack. A ‘bot’ can be nothing more than a series of cURL requests, or it can be a sophisticated and modular piece of software that costs threat actors thousands of dollars. The defining characteristic is the use of automation for fast, repetitive, malicious actions on the Web. F5 Labs often refers to these kinds of attacks as ‘automated attacks’ to reflect the diversity of motivations and impacts associated with these methods.
Because malicious bots are designed to imitate how humans act, the first step in bot mitigation is bot identification. Once a request is identified as having come from a bot, the responding server can drop the connection and/or add that bot to a denylist.
One of the first and most well-known bot identification strategies was CAPTCHA. While CAPTCHA was initially successful, it places the burden of differentiation on customers and users even when it succeeds. Furthermore, over time threat actors have found reliable methods for bypassing CAPTCHA, so even if this degree of user friction is acceptable, it is no longer effective.
As attackers adapt to older bot mitigation strategies, organizations are increasingly turning to tools that detect bot traffic based on a combination of behavioral and technical signals. In contrast to CAPTCHA, this has the advantage of working undetected for legitimate human users. While simple bots can be easily detected by monitoring a few HTTP parameters, sophisticated bots go to great lengths to simulate complete browsers and human activity. Accurately mitigating these advanced bots requires machine learning platforms and the analysis of a wide range of signals.
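An added example, not from the original page or from F5 Labs: header and request-rate checks of the kind that catch simple bots, such as a scripted series of cURL requests, run over constructed sample traffic. The signal names, thresholds and tool list are assumptions chosen for illustration, and the third sample client shows why header checks alone miss bots that imitate a browser.

```python
import re
from collections import defaultdict, deque

# Default User-Agent prefixes of common HTTP tools (illustrative, incomplete list).
TOOL_UA = re.compile(r"^(curl|Wget|python-requests|Go-http-client)/", re.I)

def header_signals(headers):
    """Return the names of the header checks that a request fails."""
    h = {k.lower(): v for k, v in headers.items()}
    signals = []
    ua = h.get("user-agent", "")
    if not ua:
        signals.append("missing-user-agent")
    elif TOOL_UA.match(ua):
        signals.append("tool-user-agent")
    if "accept-language" not in h:      # browsers normally send this header
        signals.append("missing-accept-language")
    return signals

def flag_clients(requests, window=10.0, max_in_window=5):
    """Map client IP -> sorted list of signals seen across its requests.

    `requests` is an iterable of (timestamp_seconds, client_ip, headers),
    ordered by timestamp. The thresholds are assumptions to tune per site.
    """
    recent = defaultdict(deque)         # per-client timestamps inside the window
    flagged = defaultdict(set)
    for ts, ip, headers in requests:
        flagged[ip].update(header_signals(headers))
        q = recent[ip]
        q.append(ts)
        while q and ts - q[0] > window:
            q.popleft()
        if len(q) > max_in_window:
            flagged[ip].add("high-request-rate")
    return {ip: sorted(s) for ip, s in flagged.items() if s}

# Constructed sample traffic (documentation IP ranges, not real clients).
BROWSER = {"User-Agent": "Mozilla/5.0 (X11; Linux x86_64) Gecko/20100101 Firefox/126.0",
           "Accept": "text/html", "Accept-Language": "en-US,en;q=0.5"}
CURL = {"User-Agent": "curl/8.5.0", "Accept": "*/*"}
SAMPLE = [(0.0, "198.51.100.7", BROWSER), (4.0, "198.51.100.7", BROWSER)]
SAMPLE += [(i * 0.5, "203.0.113.9", CURL) for i in range(8)]
# A client sending browser-like headers is flagged only by its request rate.
SAMPLE += [(i * 0.2, "192.0.2.44", BROWSER) for i in range(10)]
SAMPLE.sort(key=lambda r: r[0])

if __name__ == "__main__":
    for ip, signals in flag_clients(SAMPLE).items():
        print(ip, signals)
```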
Bots and automated attacks are a particular area of focus for us, and we're always looking for better ways to understand the threats they pose to security environments and how to defend against them. Sometimes that means looking at especially topical data, sometimes it means drilling down into a particular facet of the problem space, and sometimes it means taking a broad view to look at trends. Asking questions of the data leads to insights and, inevitably, more questions, so there's always more research to do. Below, you can see some of our more specific investigations grouped together to satisfy the instinct to pull on one particular thread, and you'll also find a collection of all our research into bots and automated attacks.
Reseller bots, sometimes known as sneaker bots, have evolved from humble beginnings in the 1990s into an enormous and sophisticated economy that presents a significant threat to retailers and manufacturers. Our series on reseller bots explains how and why they became such a problem, their impact on consumers, retailers and manufacturers, the availability and effectiveness of countermeasures to stop them, and case studies of what's worked for attackers and defenders alike.