Bots - where are they coming from?

Human versus bots and botnets

Geolocation of machines (not of attacks) that have attempted a malicious action against a website.
The above illustration is refreshed every hour, based on data collected from a real, live website with around 10 000 visitors per day. Data is kept for a duration that depends on the importance of the action. For instance, if a script kiddie tries to download all your web pages with an automated tool, the IP is kept for only a few hours/days. If a botnet carries out a DDoS, its IPs are remembered for a few days. The duration can be up to 1 year for intrusion detection or recurrent access from a server. The values exclude friendly bots that respect the robots.txt file.
Identified machines include the following:
  • Useless search engine bots
  • Useless bots that harvest for brand detection or SEO
  • Email harvesters
  • Spy detection (bots that want to identify site structure and vulnerabilities)
  • Comment spam bots
  • Hacking tool usage
  • Scrapers
  • Machine identified as a botnet member during a DDoS
  • Machine used for many login attempts to identify passwords through brute force
  • Machine used for an intrusion attempt
A machine identified in a country does not mean that the attack is coming from that country; the attack can be initiated from another country. This is especially true for attacks using botnets (multiple machines).
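The retention policy described above (short memory for scrapers, a few days for DDoS botnet members, up to a year for intrusion attempts) can be implemented as a store with per-category expiry. This is an added example, not the site's own code; the category names, the exact durations and the sample IPs are assumptions.

```python
from datetime import datetime, timedelta

# Retention per category. The exact values are assumptions chosen inside the
# rough ranges the page gives ("a few hours/days", "a few days", "up to 1 year").
RETENTION = {
    "scraper": timedelta(hours=12),
    "ddos_member": timedelta(days=3),
    "intrusion": timedelta(days=365),
}

class FlaggedIPs:
    """In-memory store of flagged IPs with severity-based expiry."""

    def __init__(self):
        self._entries = {}  # ip -> (category, expires_at)

    def flag(self, ip, category, now):
        expires = now + RETENTION[category]
        current = self._entries.get(ip)
        # Replace only if there is no live record or the new one lasts longer,
        # so a minor event never shortens the memory of a serious one.
        if current is None or current[1] <= now or expires > current[1]:
            self._entries[ip] = (category, expires)

    def active(self, now):
        """IPs still remembered at `now`, mapped to their category."""
        return {ip: cat for ip, (cat, exp) in self._entries.items() if exp > now}

    def purge(self, now):
        """Drop expired records and return how many were removed."""
        expired = [ip for ip, (_, exp) in self._entries.items() if exp <= now]
        for ip in expired:
            del self._entries[ip]
        return len(expired)

# Constructed sample events (documentation address ranges, not real data).
T0 = datetime(2016, 1, 1)
SAMPLE_EVENTS = [
    (T0, "192.0.2.10", "scraper"),
    (T0, "198.51.100.7", "ddos_member"),
    (T0, "203.0.113.5", "intrusion"),
    (T0 + timedelta(hours=1), "203.0.113.5", "scraper"),  # must not shorten
]

def replay(events):
    """Feed (timestamp, ip, category) events into a fresh store."""
    store = FlaggedIPs()
    for ts, ip, category in events:
        store.flag(ip, category, ts)
    return store
```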

© 2016 Jean-Luc Antoine, All Rights Reserved