In recent years, the internet has witnessed a significant shift in its traffic composition, with non-human entities, commonly referred to as bots, accounting for an increasingly substantial portion of online activity. This trend has profound implications for cybersecurity, data integrity, and the overall user experience.
The Rise of Non-Human Internet Traffic
Historically, human users dominated internet traffic. However, recent analyses reveal a stark transformation. By 2023, non-human sources constituted nearly half of global internet traffic, marking a 2% increase from the previous year. This surge represents the highest level of bot-generated traffic observed since tracking began in 2013. Notably, in 2022, human-generated web traffic dropped to 50.4%, indicating a persistent decline in human activity relative to automated processes.
Understanding the Nature of Bots
Bots are automated software applications designed to perform specific tasks over the internet. They can be categorized into two primary types:
1. Good Bots: These include search engine crawlers that index web content, social media bots that disseminate information, and other automated tools that perform beneficial functions.
2. Bad Bots: These are malicious in nature, engaging in activities such as data scraping, spamming, account takeovers, and distributed denial-of-service (DDoS) attacks.
Alarmingly, bad bot activity has been on the rise for five consecutive years, reaching 32% of web traffic in 2023, up from 30.2% in 2022. This escalation underscores the growing threat posed by malicious automated traffic.
The Financial and Operational Impact
The proliferation of automated traffic has led to significant financial losses for organizations worldwide. Malicious bots target websites, APIs, and applications, resulting in billions of dollars in damages annually. These attacks degrade online services, necessitate increased investment in infrastructure and customer support, and can lead to substantial reputational harm.
Nanhi Singh, General Manager at Imperva’s Application Security division, emphasizes the severity of the issue:
“Bots are one of the most pervasive and growing threats facing every industry. From simple web scraping to malicious account takeover, spam, and denial of service, bots negatively impact an organization’s bottom line by degrading online services and requiring more investment in infrastructure and customer support.”
Geographical Distribution of Bot Traffic
Certain regions have experienced more pronounced increases in bad bot traffic. In 2023, Ireland, Germany, and Mexico led in bad bot traffic, with rates reaching 71%, 67.5%, and 42.8%, respectively. The United States also saw a rise in bad bot traffic, increasing to 35.4% from 32.1% in 2022.
The Role of Artificial Intelligence
The advent and widespread adoption of generative AI and large language models (LLMs) have contributed to the surge in bot activity. These technologies have facilitated the creation of web scraping bots and automated crawlers, enabling the training of models and empowering non-technical users to develop automated scripts for various purposes. Consequently, the volume of simple bots escalated to 39.6% in 2023, up from 33.4% the previous year.
Account Takeover Attacks and API Vulnerabilities
Account takeover (ATO) attacks have become a persistent threat, rising by 10% in 2023 compared to the previous year. API endpoints were a primary target, with 44% of all ATO attacks directed towards them, a notable increase from 35% in 2022. Across the internet, 11% of all login attempts were associated with account takeovers, posing significant risks to users and organizations alike. The financial services sector bore the brunt of these attacks, with a staggering 36.8% of ATO incidents targeting the industry.
APIs have emerged as a popular vector for cyberattacks, with automated threats causing 30% of all API attacks in 2023. Among these, 17% were perpetrated by bad bots exploiting business logic vulnerabilities within the API’s design and implementation. Such flaws enable attackers to manipulate legitimate functionality and gain unauthorized access to sensitive data or user accounts, underscoring the critical need for robust API security measures.
Industry-Specific Impacts
Bad bot traffic affects every industry. The gaming sector saw the largest proportion of bad bot traffic for a second consecutive year, at 57.2%. Retail, travel, and financial services sectors faced the highest volumes of bot attacks. Moreover, the proportion of advanced bad bots, capable of closely mimicking human behavior and evading defenses, was particularly pronounced in the law and government, entertainment, and financial services domains.
Evasion Tactics and Detection Challenges
Sophisticated actors leverage mobile user agents in combination with residential or mobile ISPs to evade detection, posing significant challenges for cybersecurity professionals. The share of bad bot traffic originating from residential ISPs grew to 25.8%. Bots masquerading as mobile user agents accounted for 44.8% of all bad bot traffic, a significant rise from 28.1% five years ago.
The Path Forward
As automated bots continue to constitute a growing share of internet traffic, organizations must adopt proactive measures to mitigate associated risks. Investing in advanced bot management solutions, enhancing API security, and implementing robust credential management practices are essential steps. Additionally, fostering a culture of security awareness and vigilance among developers and IT personnel can help identify and address vulnerabilities before they are exploited.
In conclusion, the explosive growth of non-human internet traffic presents a multifaceted challenge that requires a comprehensive and adaptive approach to cybersecurity. By understanding the nature and implications of this trend, organizations can better prepare to defend against the evolving landscape of automated threats.