How to Detect and Stop Bot Traffic? Techniques and Tips

What are the bot detection techniques?

Websites have created various bot detection techniques to detect bots and prevent malicious bot traffic. Here are several ways they do that:

• Browser fingerprinting – this refers to information that is gathered about a computing device for identification purposes (any browser will pass on specific data points to the connected website’s servers, such as your operating system, language, plugins, fonts, hardware, etc.) Learn more about what is browser fingerprinting in our in-depth blog. 

• Browser consistency – checking the presence of specific features that should or should not be in a browser. This can be done by executing certain JavaScript requests.

• Behavioral inconsistencies – this involves behavioral analysis of nonlinear mouse movements, rapid button and mouse clicks, repetitive patterns, average page time, average requests per page, and similar bot behavior.

• CAPTCHA – a popular anti-bot measure, is a challenge-response type of test that often asks you to fill in correct codes or identify objects in pictures. You can read more on how CAPTCHAs work in our blog.

Once a website identifies bot-like behavior, it blocks them from further crawling. For more details, Dmitry Babitsky, the co-founder & chief scientist at ForNova, has spoken in-depth on how websites block bots in his presentation at OxyCon. 

How can bot traffic be identified?

While websites can use anti-bot systems that automatically check incoming traffic and detect bots, other options include tools like Google Analytics. When inspecting web traffic, you may find strange behavior that can help identify bot traffic, such as:

• Unusual volume of page views. Bots may simulate a high number of page views, which may be the case if your website usually attracts significantly fewer views.

• Increased or dropped session time. If the time users stay on your website has unexpectedly increased or significantly decreased, there may be bots browsing the website at very slow or inhumanly fast rates.

• A sudden increase in bounce rate. When there’s a high bounce rate you can’t explain, it may indicate that bots are used to target a single page.

• Unforeseen increase in traffic from one location. An unexpected and unexplained rise of traffic from one specific location may point to a bot network.

• Falsified user conversions. Another factor that may be caused by bot traffic is falsified information. For instance, fake names and surnames, company names, phone numbers, email addresses, physical addresses, and other details that can be entered by form-filling bots.

Bot detection challenges

Distinguishing bot traffic patterns from human behavior online has become a complex task in itself, and the bots on the internet have evolved dramatically over the years. Currently, there are four different generations of bots:

• First-generation – these basic bots are built with basic scripting tools and mainly perform simple automated tasks like scraping, spam, etc.

• Second-generation – they mainly operate through website development, hence ending up with the name ‘web crawlers.’ They are relatively easy to detect due to the presence of specific JavaScript firing and iframe tampering.

• Third-generation – often used for slow DDoS attacks, identity thefts, API abuse, and others. They are relatively difficult to detect based on device and browser characteristics and would require proper behavioral and interaction-based analysis to identify bot traffic.

• Fourth-generation – the newest iteration of bots. Such bots can perform human-like interactions like nonlinear mouse movements. In order to detect such bots, advanced methods, often involving the use of artificial intelligence (AI) and machine learning algorithms (ML), are required.

The fourth generation of bots is tough to differentiate from legitimate users, and basic bot detection technologies are no longer sufficient. For such bot traffic to be detected, it will take a lot more than simple tools and behavioral interaction analysis.

How do I stop bot traffic?

On top of using Google Analytics or similar tools to track and investigate traffic, you can also implement the following prevention methods:

1. Create a robots.txt file for your website. A good starting point might be to provide crawling instructions for bots accessing your website's resources. See these examples of Oxylabs' robots.txt and Google's robots.txt file.

2. Implement CAPTCHA tests. CAPTCHAs could be your next move as they work well at catching simple bots and may introduce difficulties for more advanced bots. One of the popular free options is Google’s reCAPTCHA, which reliably secures websites from spam and abuse.

3. Set request rate limits. Rate limiting solves the issue of multiple bots coming from one IP address, which can directly prevent DoS attacks. However, this method only works in specific situations and may still allow malicious bots to go through.

4. Use honeypot traps. Honeypots are specifically designed to attract unwanted or malicious bots, allowing websites to detect bots and ban their IP addresses.

5. Set up a web application firewall (WAF). WAFs can be used to filter out suspicious requests and block IP addresses based on various factors. Yet, WAFs are complex and may not be the best option for website owners with limited technical resources.

6. Use bot detection systems. Implementing an anti-bot system is the best and most assured way to detect and prevent bots from accessing your website. While there may be certain limits with such bot detection tools like PerimeterX, they can still use a variety of modern bot detection methods coupled with AI and machine learning to provide up-to-date and proven defenses against most bots.

Overcoming anti-bot measures

If you want a step-by-step guide on how to crawl a website without getting blocked by the anti-bot measures, we have written in great detail on how to do exactly that. In that blog post, we provide you with a list of actions to prevent getting blacklisted while scraping and crawling websites. However, if you would like a faster and less labor-intensive method, you could check out Web Unblocker as a solution.

It's an AI-powered proxy solution that has a dynamic fingerprinting feature. This feature allows Web Unblocker to choose the right combination of headers, cookies, browser attributes, and proxies so that you can appear as an organic user and successfully bypass all target website blocks. 

Another great option is using a pre-built scraper that encompasses all the features necessary to overcome anti-bot measures. For example, our SERP Scraper API is feature-rich and designed to get the data from search engine results pages. On top of that, it's specifically adapted to extract data from the major search engines and overcome any sort of anti-bot techniques specific to these engines. See how simple it is to use our API in this guide to scraping Google search results.

Conclusion

Bad bot traffic is predicted only to increase each year. As for good bot traffic, the chance to not get mixed in with the bad crowd is slowly dwindling. Amongst friendly bots, there are a lot of web scrapers that use gathered data for research, pulling down illegal ads, market research, etc. All of them may get flagged as bad and blocked. Fortunately, solutions implementing AI and ML technologies are being built to overcome false bot blocks.