How To Detect Bot Traffic?

Often we perceive the term “bot” as negative. However, not all bots are bad. The issue is that good bots can share similar characteristics with malicious bots. Therefore, good bot traffic get labeled as bad and get blocked.

Bad bots are only getting smarter, and it’s hard for other bots to stay block-free. This creates a lot of issues not only for site owners to ensure a healthy performance of their website but for the web scraping community as well.

In this article, we’ll go more in-depth about bot traffic, what it is, how websites detect and block bots, and how it can affect businesses.

What is bot traffic?
Bot traffic is any non-human traffic made to a website. It’s a software application running automated and repetitive tasks; however, much faster than humanly possible.

With this ability to perform tasks very quickly, bots can be used for both bad and good. In 2020, 24.1% of bot traffic online were malicious bad bots. That’s +18.1% more than the previous year of 2019.

Whereas good bot traffic is also decreasing (compared to 2019, the numbers dropped by -25.1%). With the increase of bad bots and the decrease of good bots, website owners are forced to strengthen their security. Hence allowing more bots to get wrongfully caught.

To better understand what are good and bad bots, here are some examples:

Good bots
  • Search engine bots – these bots crawl, catalog, and index web pages. Such results are used by search engines such as Google to provide their services effectively.

  • Site monitoring bots – will monitor websites to identify possible issues such as long loading times, downtimes, etc.

  • Web scraping bots – if the data being scraped is publicly available, the data can be used for research, identifying and pulling down illegal ads, brand monitoring, and much more.

Bad bots
  • Spam bots – used for spam purposes. Often for the purpose of creating fake accounts on forums, social media platforms, messaging apps, and so on. They are used in order to build a social media presence, create more clicks on a post, etc.

  • DDoS attack bots – some bots are created to take down websites. DDoS attacks usually leave just enough bandwidth available to allow other attacks to make their way into the network and pass weakened network security layers undetected to steal sensitive information.

  • Ad fraud bots – these bots automatically click on ads siphoning off money from advertising transactions.

So a “good” bot is a bot that performs useful or helpful tasks that aren’t detrimental to a user’s experience on the Internet. Whereas a bad bot is the exact opposite and in most cases has malicious or even illegal intentions.

How can bot traffic be identified?

To prevent bad bot traffic, websites have created various bot detection techniques. Here are several ways they do that:

  • Browser fingerprinting – this refers to information that is gathered about a computing device for identification purposes (any browser will pass on specific data points to the connected website’s servers such as your operating system, language, plugins, fonts, hardware, etc.) Learn more about what is browser fingerprinting in our in-depth blog.
  • Browser consistency – checking the presence of specific features that should or should not be in a browser. This can be done by executing certain JavaScript requests.
  • Behavioral inconsistencies – nonlinear mouse movements, rapid button and mouse clicks, repetitive patterns, average page time, average requests per page, and similar, bot-like behavior.
  • CAPTCHA – a popular anti-bot measure are CAPTCHAs – a challenge-response type of test that often asks you to fill in correct codes or identify objects in pictures. You can read up more on how CAPTCHAS work in our blog.
Bot detection challenges

Distinguishing bot traffic from human behavior online has become a complex task in itself, and the bots on the internet have evolved dramatically over the years. Currently, there are four different generations of bots:

  • First-generation – these bots are built with basic scripting tools and mainly perform basic automated tasks like scraping, spam, etc.
    Second-generation – mainly operate through website development, hence ending up with the name ‘web crawlers.’ They are relatively easy to * detect due to the presence of specific JavaScript firing and iframe tampering.
  • Third-generation – often used for slow DDoS attacks, identity thefts, API abuse, and others. They are relatively difficult to detect based on device and browser characteristics and would require proper behavioral and interaction-based analysis to identify.
  • Fourth-generation – the newest iteration of bots. Such bots can perform human-like interactions like nonlinear mouse movements. In order to detect such bots, advanced methods, often involving the use of AI and machine learning technologies are required.

The fourth generation of bots are tough to differentiate from legitimate human users, and basic bot detection technologies are no longer sufficient. For such bot traffic to be detected, it will take a lot more than simple tools and behavioral interaction analysis.


Bad bot traffic is predicted only to increase each year. As for good bot traffic, the chance to not get mixed in with the bad crowd is slowly dwindling. Amongst good bots there are a lot of web scrapers that use gathered data for research, pulling down illegal ads, market research, etc. All of them may get flagged as bad and blocked.

Fortunately, solutions implementing AI and ML technologies are being built to overcome false bot blocks.