Bad Bots Make Up 30% of Internet Traffic

Bad bots

Bots are on the rise! AI-powered attacks threaten businesses in the Middle East. Learn how Web Application and API Protection can defend against sophisticated, automated cyber threats.

With AI and automation being the year’s buzzwords, it should come as little surprise that complex, automated programs are increasingly being leveraged to carry out cyber-attacks. This is particularly true of the Middle East. According to a recent report, the number of bot attacks originating from the region has increased over the last year and now accounts for nearly a quarter (21%) of all attacks reported by businesses in the US and UK. 

Of course, not all bots are bad. Benign bots serve many useful purposes, such as harvesting data for search engines. However, bad bots – of which there appears to be no shortage – are more likely to target digital systems, web applications, and application programming interfaces (APIs), intent on data theft, fraud, denial of service, and more, at speeds and in volumes that human attackers couldn’t match. Our latest data shows that in the first six months of 2023, bots accounted for just under half (48%) of all internet traffic – with bad bots making up the majority of this, 30% overall. 

Bad bot attacks are evolving to become more sophisticated. They are getting better at mimicking human behaviour and bypassing traditional security controls. And, having done so, they are being used for more advanced attacks against organisations. 

This includes vulnerability scanning to find and exploit bugs and brute force and credential stuffing/password spraying attacks to compromise and take over email accounts – particularly those they can reach through vulnerable APIs. The bots come armed with millions of potential permutations of usernames and passwords and will bombard targets relentlessly, as seen from the Media Today incident.

APIs are a growing target for bot attacks because they are relatively under-protected and used extensively for automated processes and communications. Further, the growing use of APIs has made it easier for bots to access and manipulate data at scale. 

The attackers target applications that use APIs to access email accounts.  For example, a marketing mailshot application that sends and tracks bulk- or personalized- emails to potential or existing customers.  

APIs are designed to connect and share data with other applications – and it can be easy to underestimate just how exposed that data is. The combination of under-secured application interfaces, weak authentication and access policies, exposure to the outside world, and a lack of bot-specific security measures – such as limiting the volume and speed of inbound traffic – leaves these APIs and the data they hold immensely vulnerable to a breach. 

Beating the bad bots

Organisations can become overwhelmed by the sheer number of solutions required to stop bots in their tracks. The good news is that many security vendors are developing consolidated solutions known as Web Application and API Protection (WAAP) and Web Application Firewall (WAF) services that provide a robust defence against bad bots, in whatever guise they come knocking and whatever their target.

A web application firewall (WAF) with designated anti-bot protection monitors and filters the incoming and outgoing traffic between a web application and the internet. A WAF can protect APIs from bot attacks in several ways:

  • IP reputation: A WAF can block or log requests from known malicious IP addresses associated with botnets, the proxies bots use to launch attacks or anonymous routing networks. 
  • Rate limiting: A WAF can limit the number of requests that a program or client can make to an API within a certain time. This can prevent bots from overwhelming the target API with excessive requests or performing a brute-force attack against it.
  • Signature detection: A WAF can detect and block requests that match predefined patterns of malicious behaviour, such as SQL injection or cross-site scripting. This can stop bots from being able to exploit any bugs in the API or inject malicious code.
  • Behavioural analysis: A WAF can analyse the behaviour of programme and identify anomalies or deviations from expected ‘normal’ patterns, such as request frequency, size, headers, parameters, or cookies. This can help the firewall distinguish between human and bot traffic and detect bots trying to mimic human behaviour.

It is also important to reinforce the security fundamentals: implementing strong passwords and multi-factor authentication, keeping your software up to date, conducting regular security audits, and security awareness training. 


Bots are getting cleverer, and more advanced attacks, such as account takeover and attacks against APIs, are increasing. It is important to have multiple layers of detection and defence in place because the threat landscape evolves quickly. For example, faced with rate limits, attackers might launch attacks with low-and-slow bot traffic. Or they might opt for MFA-bombing, or MFA fatigue, to bypass multi-factor authentication barriers. A resilient, defence-in-depth security solution means that attacks can be blocked at different points and places long before they can do serious damage. 

Also Read: Malicious Bots Responsible for 40% of Global Internet Traffic: Report