provisorisches Bild

Good bots, bad bots

…and the troublesome ones in between

As seen on The Future of Commerce Blog:

Over the past few years, we’ve seen a significant increase in the number of intelligent web-bots that target specific e-commerce websites.

At the very least these bots are an annoyance, and at the very worst they can effectively cause a DDoS attack and take a website down. Over the past few years, we’ve seen a significant increase in the number of intelligent web-bots that target specific e-commerce websites. At the very least these bots are an annoyance, and at the very worst they can effectively cause a DDoS attack and take a website down.

Web bots have been around for a long time and we all benefit from many of them.

There are good bots (like Googlebot or Bingbot), and there are bad bots that automatically attempt to hack a web application or inject spam into websites. The good ones are generally beneficial, and the bad ones can often be dealt with by a solution such as a Web Application Firewall (WAF) or enterprise bot manager that will recognize malicious requests and block them.

The problematic bots are often those that sit between good and bad. These can be hard to detect, as they will often impersonate a normal user and make requests that, on their own and in isolation, are perfectly safe, legitimate, and seemingly harmless.

Although their intention is normally something other than a DDoS attack, the effect can sometimes be the same when they are either too aggressive or too many instances of a bot hitting a website at once.

These bots are used commercially for a number of reasons including:

Aggressive purchase bots can cause severe performance issues during product launches.

Your content can be passed off as someone else's.
Competitors can use this data to undercut you.
Aggressive crawlers can put strain on your web platform.

Real-world example of a commercial bot causing a lot of issues

We have a client that often sells limited edition products which are very sought after. These products can often fetch 3 times the RRP when sold on eBay, and the retailer will only have a limited supply to sell. Most of these products have a coordinated worldwide launch and therefore the exact time of the launch is well known.

Over the last few years, we have increasingly seen extremely aggressive bots used in the many thousands to attempt to purchase these products to an extent where the performance of the e-commerce platform can be seriously compromised.

In this instance, the bots have been specifically designed for this retailer’s website, and know the exact requests that need to be made to add the product to the basket and go through the checkout. They don’t even need to visit the product display page. They are normally distributed across multiple cloud servers with multiple instances of the bot installed on each server. Because the launch time is public and coordinated, the bots all start to attempt to add the product to the basket and go through the checkout at the exact same time, normally many thousands at once.

The record we have seen is 3 million attempts to purchase a single product in a 12 hour period.

Because the requests are all legitimate and the bot is impersonating a real user, it can be hard to block the bots quickly enough before they do the damage without blocking real users. There is no point in waiting 1 minute to record how many requests a particular IP has made and, if the number is over a certain threshold, you then block them. By this point, the damage has already been done and you have tens of thousands of bots simultaneously in your checkout.

Laptop screen showing error message "authentication failed"

The bots also disadvantage real users

You can guarantee that the bots will be first in the queue to get the products, as they are timed to start purchasing the second the products go live. Although the retailer obviously still gets the sale, they can lose brand loyalty because of this since real and loyal customers will always lose out.

We have spent the last few years fighting bots on behalf of this customer to varying degrees of success.  Every time we implement a new layer of protection we keep them at bay for a short while but the bot developers then adapt their software to bypass that protection.  Licences to use these bots can sell for quite a lot of money so there is a big incentive for the developers to adapt to get around the defences.

So how do you manage good bots and bad bots?

Many organizations, such as CDNs, have been rapidly developing bot management solutions over the last year in response to the increasing problems with bots that retailers are facing. Some, such as Akamai’s bot manager solution, can be very sophisticated in the way that they attempt to identify a bot, as well as with the options it will give the retailer in how they deal with the bot.  Tools like this will constantly adapt and learn to keep up with the bots that are always evolving in an attempt to evade detection.

Simply blocking the bot is not always the answer. If they know they have been blocked, they can just jump to another IP or try to evolve in order to fool the bot manager. A better solution is to fool the bot by showing them the wrong content (maybe higher prices – in the case of a bot used to analyze competitor’s prices) or just slow them down. This is also a useful technique to use for bots that are only harmful because they are too aggressive in their crawling. You don’t want to block them altogether, but you do want to slow them down a little to reduce the impact on your infrastructure.

Although a bot manager solution is certainly a useful tool, it is unlikely to identify and stop all bots and, in the real-world instance detailed above, by the time it would possibly identify the user as a bot, it may be too late as the damage would already be done. Bots will constantly adapt and evolve to stop bot managers blocking them and so it is a moving target.

The solution to effectively managing these bots is multi-faceted. There is no one, single, solution that will catch everything and give you all of the control you need. Different services and solutions will give protection in different areas against different types of bots. Only by deploying multiple defences and solutions can you effectively manage these bots.

4 areas to consider when building a bot management strategy

A CDN can be a first line of defence against malicious or troublesome traffic. The ideal CDN configuration ensures that all requests to your web application, whether cacheable or not, are filtered through the CDN. You can then use tools that the CDN will provide such as a WAF, bot manager or even some basic rate limiting rules to protect your website against the most obvious bots.
Many retailers have a WAF layer sitting between their CDN and their hosting infrastructure. A high-quality WAF, such as Imperva WAF, can be used to automatically detect and block malicious requests such as those made by many bad bots. Additionally, custom rules can be added to recognize and block or limit those bots that are not malicious but can be troublesome.
Implementing a tool such as Varnish that sits between your firewall and your web application can not only improve speed and performance, but can also be used to limit the impact of aggressive bots. A number of Varnish modules (Vmods) are available that can be used to effectively limit the rate of requests being made to specific urls.
Changes can be made to your application to protect it from aggressive or troublesome bots. For example, using simple tools like Google reCAPTCHA at relevant times, limiting the number of users who can add a specific product to their basket at any one time or even introducing initiatives such as a raffle for the purchase of exclusive and limited edition products so that these products cannot be purchased in the conventional way will help to prevent the bots from being successful.

It is important to consider implementing some or all of the solutions above rather than just relying on one of them as each will provide defence against these bots in slightly different ways. For example, if you simply relied on an application change to prevent purchasing bots they will still be hammering the rest of your infrastructure and even cause issues such as filling apache or Varnish logs files to an extent that your server could run out of disk space.

Good bot vs bad bot: Don’t ignore the signs

In summary, bots are becoming an increasing commercial threat to e-commerce retailers and dealing with them effectively can be very complex. We have a customer that very recently implemented an enterprise bot manager and they have found that over 65% of their web traffic comes from bots.  The bot manager filters every request made to the website and uses various complex techniques and algorithms to identify and block requests that it deems to be from a bot. We knew that they were being hit hard by bots at times but that number took us a bit by surprise.

If you consider this number and the amount of bandwidth and server capacity that is required to serve this traffic and the fact that around 75% of that bot traffic is from ‘bad’ or malicious bots, it is not something that any retailer should ignore.

More Insights

You may also be interested in...

UX is part of UI is part of CX

Customer Experience

Create customer experiences that deliver brand loyalty

At KPS, we are on a mission to simplify the buying journey and make your customers' experience more enjoyable. Our unified commerce approach delivers a consistent customer experience across all touchpoints, providing you with an intelligent, integrated and scalable platform for managing all customer interactions. 
Clock ticking - Digital waits for no one

Read more

Increasing your metabolic rate: Digital waits for no one

We've been told the high street has been dying for years. People generally prefer home comforts to braving the harsh British weather. A lot of you responded, making that first leap into digital transformation. Some, however, sat idly by, content in their comfort zone of brick and mortar – or scared and directionless.
SAP Commerce Cloud

Read more

Lead the way: Why your business should upgrade to Commerce Cloud

If you’re currently running Hybris for e-commerce, you should be aware of the option to upgrade to SAP’s Commerce Cloud platform. We’ve recently been selected from over 20,000 partners worldwide to be named as one of the top 3 companies in the world in the recent SAP Pinnacle Awards, in the Customer Experience Partner of the Year (Small and Midsize Companies) category!

Privacy settings

We use cookies on our website. Some of them are essential, while others help us to improve this website and your experience. With your consent, we use cookies to analyse the usage of our website.

We also use cookies for marketing to help us measure the success of our marketing efforts. In the settings you will find detailed information about the individual cookies, and you can refuse the use of cookies.

You can change or revoke your selection at any time on any KPS.com page in the footer under Privacy Settings.

Essential Cookies

Essential cookies enable basic functions and are necessary for the proper functioning of the website.

  • Cookie Banner
    Cookie Name: kps-privacy-settings
    Value: PrivacyLevel_0#a
    Storage duration: 4 weeks
    Description: Cookie is required to save cookie settings. This is a purely technical cookie.

HubSpot:

  • Cookie Name: __hs_opt_out
    Storage duration: 6 months
    Description: Cookie is used by the opt-in privacy policy to ask the visitor to accept cookies again. This cookie is set when you give visitors the choice to disable cookies. It contains the string "Yes" or "No".
  • Cookie Name: __hs_do_not_tracking
    Storage duration: 6 months
    Description:: This cookie can be set so that the tracking code does not send any information to HubSpot. It contains the character string "Yes".
  • Cookie Name: __hs_initial_opt_in
    Storage duration: 7 days
    Description: This cookie is used to prevent banners from being displayed every time visitors visit your website in strict mode. It contains the string "Yes" or "No".
  • Cookie Name: __hs_cookie_cat_pref
    Storage duration: 6 months
    Description: This cookie is used to record the categories a visitor consented to. It contains data on the consented categories.
  • Cookie Name: __hs_gpc_banner_dismiss
    Storage duration: 180 days
    Description: This cookie is used when the Global Privacy Control banner is dismissed. It contains the string "yes" or "no"
  • Cookie Name: __hs_notify_banner_dismiss
    Storage duration: 180 days
    Description: This cookie is used when the website uses a Notify consent banner type. It contains a boolean value of True.
  • Cookie Name: hs_ab_test
    Speicherdauer: End of session
    Description: This cookie is used to consistently serve visitors the same version of an A/B test page they’ve seen before. It contains the id of the A/B test page and the id of the variation that was chosen for the visitor.
  • Cookie Name: <id>_key
    Storage duration: 14 days
    Description: When visiting a password-protected page, this cookie is set so future visits to the page from the same browser do not require login again. The cookie name is unique for each password-protected page. It contains an encrypted version of the password so future visits to the page will not require the password again.
  • Cookie Name: hs-messages-is-open
    Storage duration: 30 minutes
    Description: This cookie is used to determine and save whether the chat widget is open for future visits. It is set in your visitor's browser when they start a new chat, and resets to re-close the widget after 30 minutes of inactivity. If your visitor manually closes the chat widget, it will prevent the widget from re-opening on subsequent page loads in that browser session for 30 minutes. It contains a boolean value of True if present.
  • Cookie Name: hs-messages-hide-welcome-message
    Storage duration: 1 day
    Description: This cookie is used to prevent the chat widget welcome message from appearing again for one day after it is dismissed. It contains a boolean value of True or False.
  • Cookie Name: __hsmem
    Storage duration: 7 days
    Description: This cookie is set when visitors log in to a HubSpot-hosted site. It contains encrypted data that identifies the membership user when they are currently logged in.
  • Cookie Name: hs-membershem-csrf
    Storage duration: End of session
    Description: This cookie is used to ensure that content membership logins cannot be forged. It contains a random string of letters and numbers used to verify that a membership login is authentic.
  • Cookie Name: __cfruid
    Storage duration: End of session
    Description: This cookie is set by HubSpot's CDN provider based on their rate limit policies. It expires at the end of the session. Learn more about Cloudflare cookies.
  • Cookie Name: ___cfuvid
    Storage duration: End of session
    Description: This cookie is set by HubSpot's CDN provider based on their rate limit policies. It expires at the end of the session. Learn more about Cloudflare cookies.
Functional cookies

Functional cookies are used by third parties or publishers to display personalised advertisements. They do this by tracking visitors across websites.

External media

Content from video platforms and social media platforms is blocked by default. If cookies from external media are accepted, access to this content no longer requires manual consent.

Changing privacy settings

Imprint

Data protection statement