Half of all internet traffic comes from bots, research shows


Almost 50% of all internet traffic in 2023 came from bots, a 2% increase over the previous year.

The Thales Imperva Bad Bot report shows that almost half of all internet traffic (49.6%) came from bots in 2023, a 2% increase over the previous year. This is the highest amount observed since 2013.

The report also shows that bad bot traffic rose to 32% in 2023 while human user traffic is steadily decreasing.

ADVERTISEMENT

The trend is negatively affecting organizations and is said to cost billions of dollars annually “due to attacks on websites, APIs, and applications,” the report reads.

“Bad bots”

One of the main forms of bot traffic observed in the report is “bad bot traffic,” which reached 32% globally.

Bad bots are specialized applications that run specific tasks with malicious intent. These bots may aid in cybercrimes and other criminal activities such as theft or fraud.

Countries like Ireland, Germany, and Mexico saw growing levels of bad bot traffic in 2023, while the US saw a slight increase.

These bad bots, alongside simple bots, are being bolstered by rapidly evolving technologies such as generative AI.

The report demonstrates that the adoption of generative AI and large language models actually aided the increase in the use of simple bots across the internet.

The number of simple bots increased from 33% to 39% in 2023, as this technology “uses web scraping bots and automated crawlers to feed training models while enabling nontechnical users to write automated scripts for their own use.”

ADVERTISEMENT

Account takeover attacks

According to the report, account takeover attacks (ATO) increased by 10% in 2023, with almost half of all ATO attacks targeted at API endpoints.

The industries most frequently targeted by these attacks were financial services, travel, and business services.

However, almost every industry has a bot problem.

Certain industries grapple with this bot problem more than others. For example, gaming saw the highest proportion of bad bot traffic, while retail, travel, and financial services observed the highest level of bot attacks.

Advanced bots, which “closely mimic human behavior” and are adept at evading defenses, were observed most prominently in law and government, entertainment, and financial services.

The origins of bad bot traffic

According to the report, “early bad bot evasion techniques relied on masquerading as a user agent (browser) commonly used by legitimate human users.”

Now, bad bots masquerading as mobile users will account for 44% of all bad bot traffic in 2023.

“Sophisticated actors combine mobile user agents with residential or mobile ISPs. Residential proxies allow bot operators to evade detection by making it appear as if the origin of the traffic is a legitimate, ISP-assigned residential IP address,” the report reads.

ADVERTISEMENT

“Automated bots will soon surpass the proportion of internet traffic coming from humans, changing how organizations approach building and protecting their websites and applications,” Nanhi Singh, General Manager of Application Security at Imperva, said.

Bots continue to have a profound impact on organizations across the globe.

“From simple web scraping to malicious account takeover, spam, and denial of service, bots negatively impact an organization’s bottom line by degrading online services and requiring more investment in infrastructure and customer support,” Singh continued.

“Organizations must proactively address the threat of bad bots as attackers sharpen their focus on API-related abuses that can lead to account compromise or data exfiltration.”