Bot prevention

From Wikipedia, the free encyclopedia
Methods used to prevent access by bots

Bot prevention refers to the methods used by web services to prevent access by automated processes.

Types of bots


Studies suggest that over half of the traffic on the internet is bot activity, of which over half is further classified as 'bad bots'.[1]

Bots are used for various purposes online. Some bots are used passively for web scraping purposes, for example, to gather information from airlines about flight prices and destinations. Other bots, such as sneaker bots, help the bot operator acquire high-demand luxury goods; sometimes these are resold on the secondary market at higher prices, in what is commonly known as 'scalping'.[2][3][4]


According to the Imperva Bad Bot Report 2025, bad bots now make up 37% of all internet traffic.[5]

Detection techniques and avoidance


Various fingerprinting and behavioural techniques are used to identify whether the client is a human user or a bot. In turn, bots use a range of techniques to avoid detection and appear like a human to the server.[2]

Browser fingerprinting techniques are the most common component in anti-bot protection systems. Data is usually collected through client-side JavaScript which is then transmitted to the anti-bot service for analysis. The data collected includes results from JavaScript APIs (checking if a given API is implemented and returns the results expected from a normal browser), rendering complex WebGL scenes, and using the Canvas API.[1][6] TLS fingerprinting techniques categorise the client by analysing the supported cipher suites during the SSL handshake.[7] These fingerprints can be used to create whitelists/blacklists containing fingerprints of known browser stacks.[8] In 2017, Salesforce open sourced its TLS fingerprinting library (JA3).[9] Between August and September 2018, Akamai noticed a large increase in TLS tampering across its network to evade detection.[10][8]
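The fingerprint-and-list approach described above, as an added example (not part of the original article or of the JA3 library itself): it builds a JA3 fingerprint, which is the MD5 of the ClientHello's version, cipher suites, extensions, curves and point formats with GREASE values dropped, and looks it up in an allow/deny table. The ClientHello values, the table entries and the User-Agent consistency check are constructed assumptions that go beyond the text.

```python
import hashlib

# GREASE values (RFC 8701: 0x0A0A, 0x1A1A, ... 0xFAFA) are random
# placeholders sent by some browsers; JA3 ignores them.
GREASE = {(b << 8) | b for b in range(0x0A, 0x100, 0x10)}

def ja3_string(version, ciphers, extensions, curves, point_formats):
    """JA3 input: five comma-separated fields, values as dash-joined decimals."""
    def join(values):
        return "-".join(str(v) for v in values if v not in GREASE)
    return ",".join([str(version), join(ciphers), join(extensions),
                     join(curves), join(point_formats)])

def ja3_hash(*fields):
    # MD5 is used as a fingerprint identifier here, not for security.
    data = ja3_string(*fields).encode("ascii")
    return hashlib.md5(data, usedforsecurity=False).hexdigest()

def classify(hello, user_agent, known):
    """Return 'allow', 'block', 'mismatch' or 'unknown' for one client."""
    entry = known.get(ja3_hash(*hello))
    if entry is None:
        return "unknown"          # never-seen stack: send to further checks
    verdict, stack = entry
    if verdict == "deny":
        return "block"
    # Assumed extra check: an allowlisted TLS stack should come with a
    # User-Agent header that claims the same browser.
    return "allow" if stack.lower() in user_agent.lower() else "mismatch"

# Constructed sample ClientHello fields (not captured from real clients):
# (version, cipher suites, extensions, curves, EC point formats)
BROWSER_HELLO = (771, [0x2A2A, 4865, 4866, 4867, 49195, 49199],
                 [0x3A3A, 0, 23, 65281, 10, 11, 35, 16],
                 [0x1A1A, 29, 23, 24], [0])
SCRIPT_HELLO = (771, [49199, 49195, 156, 157], [0, 11, 10, 35],
                [23, 24, 25], [0, 1, 2])

# Constructed allow/deny table keyed by JA3 hash.
KNOWN = {
    ja3_hash(*BROWSER_HELLO): ("allow", "Chrome"),
    ja3_hash(*SCRIPT_HELLO): ("deny", "script-http-client"),
}

if __name__ == "__main__":
    ua = "Mozilla/5.0 (X11; Linux x86_64) Chrome/120.0.0.0 Safari/537.36"
    for name, hello in (("browser", BROWSER_HELLO), ("script", SCRIPT_HELLO)):
        print(name, ja3_hash(*hello), classify(hello, ua, KNOWN))
```

Because the hash covers the order of the offered values, a client that reorders its cipher suites produces a fingerprint absent from both lists, which is why the `unknown` result has to be handled rather than silently allowed.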

Behaviour-based techniques are also utilised, although less commonly than fingerprinting techniques, and rely on the idea that bots behave differently to human visitors. A common behavioural approach is to analyse a client's mouse movements and determine if they are typical of a human.[1][11]

More traditional techniques such as CAPTCHAs are also often employed; however, they are generally considered ineffective while simultaneously obtrusive to human visitors.[12]

The use of JavaScript can prevent some bots that rely on basic requests (such as via cURL), as these will not load the detection script and hence will fail to progress.[1] A common method to bypass many techniques is to use a headless browser to simulate a real web browser and execute the client-side JavaScript detection scripts.[2][1] There are a variety of headless browsers that are used; some are custom (such as PhantomJS) but it is also possible to operate typical browsers such as Google Chrome in headless mode using a driver. Selenium is a common web automation framework that makes it easier to control the headless browser.[6][1] Anti-bot detection systems attempt to identify the implementation of methods specific to these headless browsers, or the lack of proper implementation of APIs that would be implemented in regular web browsers.[1][13]

The source code of these JavaScript files is typically obfuscated to make it harder to reverse engineer how the detection works.[6] Common techniques include:[14]

Anti-bot protection services are offered by various internet companies, such as Cloudflare,[15] DataDome[16] and Akamai.[17][18]

Law


In the United States, the Better Online Tickets Sales Act (commonly known as the BOTS Act) was passed in 2016 to prevent some uses of bots in commerce.[19] A year later, the United Kingdom passed similar regulations in the Digital Economy Act 2017.[20][21] The effectiveness of these measures is disputed.[22]

References

  1. Amin Azad, Babak; Starov, Oleksii; Laperdrix, Pierre; Nikiforakis, Nick (2020). "Web Runner 2049: Evaluating Third-Party Anti-bot Services". In Maurice, Clémentine; Bilge, Leyla; Stringhini, Gianluca; Neves, Nuno (eds.). Detection of Intrusions and Malware, and Vulnerability Assessment. Lecture Notes in Computer Science. Vol. 12223. Cham: Springer International Publishing. pp. 135–159. doi:10.1007/978-3-030-52683-2_7. ISBN 978-3-030-52683-2. PMC 7338186.
  2. Chiapponi, Elisa; Dacier, Marc; Todisco, Massimiliano; Catakoglu, Onur; Thonnard, Olivier (2021). "Botnet Sizes: When Maths Meet Myths". Service-Oriented Computing – ICSOC 2020 Workshops. Lecture Notes in Computer Science. Vol. 12632. pp. 596–611. doi:10.1007/978-3-030-76352-7_52. ISBN 978-3-030-76351-0. S2CID 232203240.
  3. Marks, Tod. "Why Ticket Prices Are Going Through the Roof". Consumer Reports. Archived from the original on 2021-08-23. Retrieved 2021-08-23.
  4. "Bad Bot Report 2021" (PDF). Imperva. Retrieved 23 August 2021.
  5. "Bad Bot Report 2025". Imperva. Retrieved 13 November 2025.
  6. Jonker, Hugo; Krumnow, Benjamin; Vlot, Gabry (2019). "Fingerprint Surface-Based Detection of Web Bot Detectors". In Sako, Kazue; Schneider, Steve; Ryan, Peter Y. A. (eds.). Computer Security – ESORICS 2019. Lecture Notes in Computer Science. Vol. 11736. Cham: Springer International Publishing. pp. 586–605. doi:10.1007/978-3-030-29962-0_28. ISBN 978-3-030-29962-0. S2CID 202579603.
  7. "Qualys SSL Labs - Projects / HTTP Client Fingerprinting Using SSL Handshake Analysis". www.ssllabs.com. Archived from the original on 2021-08-24. Retrieved 2021-08-24.
  8. "Bots increasingly tampering with TLS to outfox filters". The Daily Swig | Cybersecurity news and views. 17 May 2019. Archived from the original on 24 August 2021. Retrieved 24 August 2021.
  9. Althouse, John (5 February 2019). "Open Sourcing JA3". Medium. Archived from the original on 27 June 2022. Retrieved 24 August 2021.
  10. "Bots Tampering with TLS to Avoid Detection - Akamai Security Intelligence and Threat Research Blog". blogs.akamai.com. Archived from the original on 2021-08-24. Retrieved 2021-08-24.
  11. Wei, Ang; Zhao, Yuxuan; Cai, Zhongmin (2019). "A Deep Learning Approach to Web Bot Detection Using Mouse Behavioral Biometrics". Biometric Recognition. Lecture Notes in Computer Science. Vol. 11818. pp. 388–395. doi:10.1007/978-3-030-31456-9_43. ISBN 978-3-030-31455-2. S2CID 203847308.
  12. Chu, Zi; Gianvecchio, Steven; Wang, Haining (2018). "Bot or Human? A Behavior-Based Online Bot Detection System". From Database to Cyber Security. Lecture Notes in Computer Science. Vol. 11170. pp. 432–449. doi:10.1007/978-3-030-04834-1_21. ISBN 978-3-030-04833-4.
  13. "2025 Global Bot Security Report". DataDome. Retrieved 2025-11-06.
  14. "JavaScript Obfuscator Tool". obfuscator.io. Archived from the original on 2021-08-24. Retrieved 2021-08-24.
  15. "Cloudflare Bot Management". Cloudflare. Archived from the original on 2021-08-26. Retrieved 2021-08-23.
  16. "Bot Protection Software Datadome". DataDome. Retrieved 2025-11-12.
  17. "Bot Manager". Akamai Technologies. Retrieved 23 August 2021.
  18. "Akamai Bot Manager". Akamai Technologies. Retrieved 2021-08-23.
  19. Sisario, Ben (9 December 2016). "Congress Moves to Curb Ticket Scalping, Banning Bots Used Online". The New York Times.
  20. Keepfer, DLA Piper-Francis (10 January 2018). "UK Government criminalises the use of ticket tout bots". Lexology.
  21. "New law will ban use of bots to bulk buy tickets". Which? News. 23 April 2018.
  22. Elefant, Sammi (2018). "Beyond the Bots: Ticked-Off Over Ticket Prices or The Eternal Scamnation". UCLA Entertainment Law Review. 25 (1). doi:10.5070/LR8251039716. ISSN 1073-2896. Archived from the original on 2021-08-23. Retrieved 2021-08-23.
Retrieved from "https://en.wikipedia.org/w/index.php?title=Bot_prevention&oldid=1321907230"