Skip to content Skip to navigation Skip to footer

What is a Bot? How Do Bots Work?

Enable the SOC with FortiWeb Threat Analytics

Bot Definition

A bot refers to an application that is programmed to perform certain tasks. Bots can run on their own, following the instructions given them without needing a person to start them. Many bots are designed to do things humans normally would, such as repetitive tasks, accomplishing them much faster than a human can. Therefore, according to this bot meaning, not all bots are bad. 

However, many bots are designed to cause harm or benefit their users at the expense of people, computers, or networks. Bots can also be organized into groups as is the case with a botnet. With a botnet, more than one internet bot works to accomplish an attack.

How Do Bots Work?

Bots are made from sets of algorithms that aid them in their designated tasks. These tasks include conversing with a human -- which attempts to mimic human behaviors -- or gathering content from other websites. There are several different types of bots designed to accomplish a wide variety of tasks.

What Are the Different Types of Bots?


Chatbots use one of several methods to operate. A rule-based chatbot interacts with a person by giving predefined prompts for that individual to select. An intellectually independent chatbot uses machine learning to learn from human inputs and scan for valuable keywords that can trigger an interaction.

Spider Bots

A spider bot, also known as a web crawler, is run by a search engine, such as Bing or Google. Spiders are designed to index what is inside websites to help a search engine rank each site properly.

Scraper Bots

A scraper bot takes prices, reviews of products, curated content, and inventory data in an attempt to obtain traffic. Customers get directed to a site different than the one they wanted because the scraper bot harvested this kind of critical data, drawing the traffic to the wrong place.

Spam Bots

Spam bots are designed to spread spam. They often have the ability to scrape information, such as contact details, and use it to create fake accounts. Spambots can also run social media accounts that have been stolen.

Social Media Bots

Social media bots run on social media platforms. They imitate the actions of humans to influence users or markets that rely on social media statistics and impressions.

Download Bots

Download bots are designed to download applications again and again, helping them rise up the charts. Once at the top of the charts, the app can be seen by legitimate users.

Ticketing Bots

Ticketing bots, also referred to as scalping bots, buy up tickets or other items that are in high demand. The bot’s user then sells the item at an inflated price, earning an easy profit.

Parameters To Detect Bot Traffic Hitting a Website

Traffic Trends

If you suddenly get a spike in traffic for no explicable reason, you may be under an attack by a bot. Further, if the traffic spikes during odd times, such as when your target market is asleep, this trend may also indicate a bot attack.

Percentuale non recapitate

When your bounce rate gets really high, it could mean that a bot is visiting your website and then immediately leaving without looking at the other pages on your site. A suddenly high bounce rate, particularly if your website has not significantly changed, may therefore be a sign of a bot attack.

Sorgenti di traffico

Keep an eye out for traffic that comes from an area that you either do not serve or do not have customers. For example, you may get traffic from Afghanistan but you only sell your products in North and South America. This may indicate an attack by a bot or a family of bots.

Server Performance

Bot attacks can sometimes be used to strain servers with the intention of forcing them offline. A large number of requests by a bot can overwork your server and cause your site to malfunction, similar to a distributed denial-of-service (DDoS) attack.

Suspicious IPs

If you are getting traffic from Internet Protocol (IP) addresses from suspicious areas, you could be experiencing a bot attack. If the IP addresses come from countries you do not serve or are unlikely to have customers, this could indicate bots are being launched from that area.

Language Sources

The language a bot uses can often give it away. Because a bot may be centrally programmed, several of them may use the same speech patterns. This could indicate that the language source is a single bot programmer or one from a team of programmers from the same area.

Basic Mitigation Measures To Stop Bot Traffic

Add Captcha

With Captcha, the user has to do something that is very difficult for a bot, such as read text or indicate where certain types of objects are located. This can prevent many different kinds of bots from attacking your site.

Place Robots

You can use robots.txt, which is designed to prevent bots from crawling your websites. You may also want to adjust the settings so it does not prevent legitimate services like Google Ads from gathering necessary data that may help with your marketing.

Set a JavaScript Alert

You can set up JavaScript to send an alert if there is bot activity. When the JavaScript, embedded in your site, detects a bot, it can signal you to the intrusion.

Some Advanced Bot Mitigation Techniques

Static Approach

With a static approach, you use a predetermined range of rules that block traffic. This could include blacklisting suspicious IP addresses or traffic that falls outside of acceptable parameters, such as the number of requests made during a session. You can also block traffic from old browsers, which may be used to launch bots because they have outdated security settings.

Challenge-based Approach

The challenge-based approach can make it hard for a robot to get to a site by forcing it to do something difficult for a robot such as read, do math, or recognize objects within images. The challenge-based approach is the driving principle behind Captcha, which prescribes tasks that are easy for humans but very difficult for robots.

Behavioral Approach

The behavioral approach involves identifying acceptable, harmless behavior and then flagging anomalous behavior that violates the acceptable parameters. Behavioral tactics also include using human traits, such as biometric activity, because it is very hard for a bot to present accurate biometric data.

What Is a Bot: Difference Between Good Bots and Bad Bots

What is a bot in terms of good and bad ones? Good bots are used by legitimate organizations to automate legal, benevolent tasks. Bad bots are those developed with the intention of automating illicit or deceptive tasks.

For example, search engines use good bots to automatically check the contents of web pages. On the other hand, hackers can use a series of bots organized in a botnet to launch a DDoS attack, in which each bot sends false requests to a web server to overwhelm it and disrupt operations.

How Fortinet Can Help

The Fortinet FortiWeb Cloud comes with mitigation tactics to protect your assets from bot attacks. FortiWeb uses threshold-based detection, which checks for known bots, and scans for vulnerabilities as well as several types of bot attacks. FortiWeb also uses biometrics and bot deception to protect your system from bot attacks.


What is a bot?

A bot is an application programmed to perform certain tasks. Bots can run on their own, following the instructions given them without needing a person to start them.

What are the different types of Bots?

The different types of bots include spider bots, scraper bots, spambots, social media bots, download bots, and ticketing bots.

What are the parameters to detect bot traffic hitting a website?

The parameters used to detect bot traffic hitting a website include traffic trends, bounce rate, traffic sources, server performance, suspicious Internet Protocol (IP) addresses, and language sources.

What are the basic mitigation measures to stop bot traffic?

Basic bot mitigation measures include using Captcha, robots.txt, and setting up JavaScript alerts.

What are some advanced bot mitigation techniques?

Some advanced bot mitigation techniques include the static approach, challenge-based approach, and behavioral approach.