Stopping DDOS attacks by bots

Recently, local council and government websites have increasingly become targets of aggressive DDOS attempts carried out by bots and malicious activists. Alongside the denial of service, these attacks can also pose a significant risk to the personal data held by these organisations, creating additional risks of GDPR breaches and Reputational Risk.  

Bradford, Eastleigh, Hastings, Keighley, Medway, Middlesborough, Plymouth, Salford, Tameside, and Trafford have all been rendered inaccessible in the last few months. When the sites returned, they carried warnings of lingering technical difficulties. Banks and even football clubs have also been targeted recently. 

In recent years, automated bot traffic has surged dramatically. Once primarily used by search engines, bots now serve a wide range of purposes—both beneficial and harmful. 

Estimates are that almost 50% of web traffic in 2023 was generated by bots, an increase of 2% from the previous year (Thales 2024 Bad Bot Report). Sadly, just 16% of this was generated by known good bots. Good bots include search engine crawlers, social network crawlers, aggregator crawlers, and monitoring bots. These bots follow the rules set by website owners via the robots.txt file, provide verification methods, and operate in a way that minimises disruption to websites and applications. 

On the other hand, bad bots are designed for malicious activities. They range from basic scrapers that extract data (and are relatively easy to block) to highly sophisticated bots that mimic human behaviour to evade detection. These bots execute attacks such as web scraping, price scraping, inventory hoarding, account takeovers, and distributed denial-of-service (DDoS) attacks. Today, bad bots make up a substantial portion of website traffic, making detection and mitigation crucial for businesses. 

Modern bots are highly advanced, often mimicking human behaviour to bypass security measures. Traditional defences, like Google reCAPTCHA, are largely ineffective—image-based CAPTCHAs are usually easier for bots to solve than humans. An entire industry has emerged around bots, from developers creating sophisticated automation tools to services offering “high-reputation” Google accounts for bypassing CAPTCHAs and residential IPs to evade detection. Even escrow services exist to protect buyers from fraud. 

With more people turning to bots for profit, have you tried to buy concert tickets for a big international act? Bots have become mainstream, posing a growing challenge for businesses and consumers. 

Traditional defences and firewalls no longer provide sufficient protection against ever-more-sophisticated cyber-attacks. The increasing deployment of public-facing APIs has exasperated this situation. APIs facilitate faster development but are often deployed with direct access to sensitive data, and security hasn’t kept up.  

Qual Limited has delivered innovative and bespoke IT solutions for over 30 years, and our cyber security partner, Barracuda, is a renowned expert in its field. Together, our WAF (Web Application Firewall) solution will protect you from these attacks and much more. 

A WAF should form a fundamental component of your defense against cyber criminals. A traditional firewall’s primary objective is to separate a secured zone from a less secure zone and control communications between the two. Firewall policies define the traffic allowed onto the network and block any other access attempts. This will prevent unauthorised users and attacks from users or devices in less secure zones. 

A WAF specifically targets application traffic. It protects HTTP and Hypertext Transfer Protocol Secure (HTTPS) traffic and applications in internet-facing zones of the network, protecting businesses against threats like cross-site scripting (XSS) attacks, SQL injection attacks, and distributed denial-of-service (DDoS) attacks.

For more information, please contact Qual’s Cyber Security Team at 01293 400729, email cybersecurity@qual.co.uk, or complete this form to request a callback at a time that works for you.