Published: 30/04/2020

Block Bot Traffic

Why is it necessary to block bot traffic? Bots aren’t exclusively all bad or all good. Which is why a blanket, rules or reputation-based block approach is not always effective as a standalone solution in the fight against bots. So how would you block bad bot traffic?

Rules and reputation-based approaches such as JavaScript, WAFs and CDNs will only mitigate known bot threats and not the growing number of technically advanced bots that emulate human behavior.

The capacity to mimic human behavior leaves conventional bot management solutions analyzing visitors’ mouse movements and click patterns ineffective. These solutions are often reliant on additional third-party code that bot operators can easily identify and circumvent. The use of external code also leaves users exposed to privacy risks.

Why blocking bot traffic is necessary

Like most online businesses, advertising and media operations are vulnerable to website spammers. The proliferation of ad-related domains on the clear web has made it increasingly difficult for them to rely solely on reputation-based anti-malware solutions. Relying on rules or JavaScript alone will only focus efforts on known bad bots as attackers continue to spread their malicious traffic over thousands of new domains with every bot iteration.

Why bot traffic can’t be stopped by a conventional SaaS web application firewall (WAF)

Most bot attacks use browser exploits to infect users. In the majority of bot infection cases, malicious bot code is executed on client-side browsers via JavaScript injection in advertisements.

Advertising networks will often hide their advertising content behind an obfuscated layer that prevents it from being rendered until the advertisement has been requested or served. Obfuscation allows bots and advertisers to request ads in advance, before they are needed, which means bots may attack thousands of new domains every day; making it difficult for reputation and rules-based solutions to keep up with bot innovation.

A bot operator can also prevent detection by only sending traffic to the server when a bot is detected. The bot operator can also use domain-level activation to activate bot activity only when it’s necessary for them to do so, such as during bot attacks.

The need for real-time detection of bad bot traffic

Sophisticated bots have been observed using browser exploits to inject malicious or arbitrary JavaScript into legitimate ads and site content. This means conventional bot solutions that rely on rules can never anticipate the number of new domains created every day or the fact that bots often target non-human traffic in order to blend seamlessly into legitimate user sessions. To counter this, bot operators can continue injecting more malicious JavaScript code onto pages but doing this would still require them to wait up to a minute or more for bot-specific JavaScript elements to appear on the page before bot traffic can be sent.

If bots were able to send malicious bot traffic immediately when they first appeared on the site, this would make it difficult for conventional bot solutions that rely on rules to accurately block bad bot traffic.

Bots, by design, are able to perform their duties quickly and effectively. For an average bot this means sending up to 100 requests per second of potentially malicious activity before being blocked by conventional bot defenses which still have no way of predicting how many domains will be used for bot traffic over the course of the day. This requires real-time defenses capable of anticipating new domains and blocking bot traffic before malicious bot activity is executed.

What you can do to block bot traffic

In order to block bot traffic, bot operators will have to change the way they create their bot code. In many cases bots are created using a function that can be called by JavaScript once it’s injected into an ad or site content; allowing bot operators to perform bot tasks immediately after injecting their malicious bot code.

How you should counter the bot threat

To protect your website from bad bot traffic, you should use server-side bot defense in order to mitigate these threats at the source, preventing them from reaching your servers. Bot defenses should also allow you to identify and block bad bots without relying on reputation data alone, such as those which rely on external browser plugins whose purpose is not easily identifiable. This would require a more advanced bot defense that relies on a bot fingerprinting solution to aggressively scan bot traffic as it’s sent to your servers.

To block bot traffic, bot defenders must have the ability to anticipate bot activity by identifying and blocking bad bot traffic before it can cause damage. There are a number of methods bot defenses commonly use in order to identify and block bad bot traffic:

Using blacklists and whitelists

The most basic form of bot defenses rely on the use of blacklists and whitelists to block unwanted bot traffic. Blacklists contain a list of domains or IPs known to send bad bot traffic, while whitelists contain a list of domains known to be safe. When these lists are used as the basis for an Apache module or iptables rule, any requests coming from IPs in the blacklist will result in being blocked; allowing you to block entire networks of bots from sending bad bot traffic your way.

Using reputation scores

Sophisticated and advanced today’s reputation-based solutions (such as Google’s reCAPTCHA) analyze activity based on user experience rather than relying solely on rules to determine whether or not a request is legitimate. They assign scores to requests based on combinations of user and browser characteristics, allowing them to effectively detect bad bot traffic even if it’s being sent from IP addresses not listed under their blacklist.

Using commercial solutions

Commercial content filters are used all over the world in order to block a wide variety of different threats that might appear on your site such as adult materials, reverse engineering and pharming; but they don’t necessarily work well for blocking bad bot traffic as they often rely solely on reputation data alone which can be circumvented by bots with easily generated domain names and random hidden subdomains.

Using geolocation filters

Geolocation-based solutions are commonly used in today’s IT world as they only allow users in specific geographic regions to access website content; such as restricting US users from viewing European content or vice versa. This great solution allows you to block most major forms of global botnets that don’t have servers physically located within your region, although it only works when dealing with bots that are coming from the same continent as you.

Using limits on requests per ip

If your hosting provider allows you to set limits on the number of requests per second and/or requests per minute allowed from a specific IP, then you can limit unwanted bot traffic before it even reaches your website by setting an extremely high limit in order to effectively block any actual users trying to access your content.

Using cloud-based blocking services

Cloud-based solutions allow you to block bad bot traffic directly without having to worry about complex coding or server configuration; giving you virtually no overhead at all while blocking bad bots out of the box. The downside is that these cloud-based solutions will only work if they have been whitelisted within the countries of your target audience, while also requiring you to set up an account with them in order to be able to use their service.

Using VAC (Virtual Application Content)

VAC is a virtual application that allows you to transform applications into containers that can only perform specific actions and which cannot leave the container unless specifically allowed by you; essentially allowing you to restrict all activity from bots in such a way that they’re not even aware of what kind of restrictions are being imposed on them. This method works great for both website content as well as apps/mobile-apps in general, although it has one major downside: it requires additional coding to allow VAC containers through Apache or iptables rules before they can be used.

Using user agent filters

This method uses browser fingerprinting, which relies on a variety of factors including the HTTP referrer, operating system, HTTP headers and plugins installed into your clients’ browsers in order to detect whether or not a bot is generating the website activityFingerprinting detection methods like these can cause performance issues because they are extremely aggressive at identifying bots by scanning both outbound and inbound communications for evidence of malicious intent; which can also lead to false positives if you don’t have an accurate database of bot fingerprints.

Using machine learning

Using this method is similar to using IP address restrictions, but it can be more accurate and maintainable because it monitors a website’s traffic in order to identify bot behavior without restrictions and then classifies the results as either bot or human based on data collected from many different websites over time; rather than relying on simplistic rules that are easily tricked by bots. By gathering enough data about how both humans and bots behave, you can create an optimized knowledge base that serves as the foundation for detecting bad bots through deep learning algorithms. Deep learning algorithms are usually machine-based tools that try to mimic the way humans think in order to find patterns of malicious activity within server logs. They work by comparing your current website’s traffic to known samples of bot behavior. It is important to keep in mind that machine learning models require constant maintenance because bots and humans will always find new ways to disguise themselves, which means you must update your system regularly just like with any other software.


This method is often used by large companies like Google, Facebook and Twitter in order to prevent human users from being attacked by bots that are designed specifically to post spam on their platforms. The best way to use this method is to create a simple test that can quickly be solved by humans but is not easy enough for even the most advanced bots to solve; because if you make it too hard then you will end up driving legitimate traffic away from your site.

Using web application firewalls (WAF)

This is the most advanced form of bot protection that can also be used by companies with large websites or apps in order to protect themselves from attacks more precisely. This method should only be used by businesses that already have a firm grasp on website architecture, security policies and IT monitoring; because if you don’t know what you’re doing then you could end up locking yourself out of your own website due to false positives or other mistakes made during configuration, which would obviously be disastrous for any business. WAFs are designed to monitor server logs in order to detect malicious activity such as SQL injections, HTTP floods, bot traffic and more; which means it can also detect advanced threats that other methods may not be able to, such as DDoS (Distributed Denial of Service) attacks.

Frequently Asked Questions about Blocking Bot Traffic

What’s the first step i should take to block bot traffic?

The first step you should take to block bot traffic is to use server-side bot defense in order to mitigate these threats at the source, preventing them from reaching my servers.

How do i block organic spam?

Organic spam can be blocked by using a CAPTCHA, which is a program that comes in the form of a test that verifies you are human. This type of spam is when people post links to their own sites and services on pages all across the internet where they are not allowed.

How can I block bot traffic from accessing my website?

To block bot traffic from getting to your website, use server-side bot defense.

What is the best way to block bot traffic from reaching my website or app?

The best way to block bot traffic from accessing your website or app is to use a Web Application Firewall (WAF).

The right approach to blocking bot traffic

Complex bot attacks require an intelligent approach to bot management, supported by a greater understanding of bot intent and using fast and accurate data to mitigate threats in real-time. Once understanding the threats and intent of bad bots, that’s where bot management comes in to block bot traffic.

Schedule Your Demo

Tired of your website being exploited by malicious malware and bots?

We can help

Subscribe and stay updated

Insightful articles, data-driven research, and more cyber security focussed content to your inbox every week.


By registering, you confirm that you agree to Netacea's privacy policy.