Distil Networks Finds 95% of Top Websites Cannot Protect Against Advanced Persistent Bots

June 20, 2017

New Study in Conjunction with OTA Honor Roll Reveals Bot Defense Performance Across Top Websites

SAN FRANCISCO, CA – June 21, 2017 – Distil Networks, the global leader in bot detection and mitigation, today released findings from a study of how top websites perform against sophisticated, moderate, simple and crude bots. This data is being provided with the Online Trust Alliance’s (OTA) Online Trust Audit, which recognizes excellence in consumer protection, security, and responsible privacy practices. The ninth annual audit, powered in part by Distil, evaluated the top 1,000 websites in retail, banking, consumer services, government, news media, internet service providers and OTA members. The findings reveal that while an average of 16 percent of websites across all industries can thwart simple bot attacks, only five percent can properly protect against sophisticated attacks.

Bots are used by competitors, hackers and fraudsters and are the key culprits behind web scraping, account takeover, competitive data mining, online fraud, data theft, unauthorized vulnerability scans, spam, digital ad fraud and downtime. Bots vary in volume and sophistication, but all place an increasing burden on IT security and web infrastructure teams across the globe, wreaking havoc across online operations big and small.

“While top websites do a better job protecting against simple bots, they continue to miss the mark in more sophisticated bots that can mimic human behavior,” said Rami Essaid, CEO and co-founder of Distil Networks. “Our annual Bad Bot Report found that 75 percent of today’s bad bots are advanced persistent bots that can either load JavaScript, hold onto cookies, and load up external resources, or randomize their IP address, headers and user agents. These new findings show that no industry is immune to such attacks and, along with the OTA, we are committed to raising awareness about the risks posed by bad bots.”

Distil tested each website included in the OTA Online Trust Audit on their ability to defend against bot attacks of different sophistication levels, including:

  • Sophisticated Bots – “Low-and-slow” bots coming in from dozens of IP addresses, using browser automation tools that can hold cookies and maintain state
  • Moderate Bots – Bots with normal browser user agents and headers, coming in slowly from one IP
  • Simple Bots – Non-browser user agents and headers, coming in fast from one IP
  • Crude Bots – Basic script that behaves like a bot, coming fast from one IP address

The findings show that while most industries tested can adequately protect against crude bots, they struggle to effectively block simple, moderate and sophisticated bots. For example, federal websites block 22 percent of simple bots, but only protect against one percent of sophisticated bots, performing below any other industry tested. Despite poor performance, this year’s findings reveal a marked improvement from Distil’s 2016 study, which found that websites tested could protect against only 0.7 percent of sophisticated bots. Such improvement can be attributed to gradual movement toward greater awareness and adoption of more advanced bot detection and mitigation solutions.

2017 Bot Detection Rates by Sector

For more information regarding this study, visit: https://resources.distilnetworks.com/all-distil-blog-posts/bad-bot-partnership-with-ota

About Distil Networks
Distil Networks, the global leader in bot detection and mitigation, is the only proactive and precise way to mitigate bad bots across web applications, mobile and APIs. With Distil, you automatically mitigate 100% of OWASP Automated Threats without impacting legitimate users. Slash the high tax that bots place on your internal teams and web infrastructure and make your online applications more secure with API security, real-time threat intelligence, an analyst managed service, and complete visibility and control over human, good bot, and bad bot traffic. Distil Bot Defense for Web defends websites against web scraping, competitive data mining, account takeovers, transaction fraud, unauthorized vulnerability scans, spam, digital ad fraud, and denial of service. Distil Bot Defense for APIs protects public and partner-facing APIs against developer errors, integration bugs, automated scraping, and web and mobile hijacking. For more information on Distil Networks, visit us at https://www.distilnetworks.com or follow @DISTIL on Twitter.
