47% of all internet traffic came from bots in 2022

[Eric]

47% of all internet traffic came from bots in 2022

A new report reveals that in 2022, 47.4% of all internet traffic came from bots, a 5.1% increase over the previous year.

www.securitymagazine.com

A new report reveals that in 2022, 47.4% of all internet traffic came from bots, a 5.1% increase over the previous year. The same report showed that human traffic, at 52.6%, decreased to its lowest level in eight years.

Other report highlights include​

• In 2022, the proportion of bad bots classified as “advanced” accounted for 51.2% of all bad bot traffic. In comparison, the level of bad bot sophistication in 2021 was 25.9%.
• Account takeover (ATO) attacks increased 155% in 2022 and 15% of all login attempts in the past 12 months — across all industries — were classified as account takeover.
• In 2022, 17% of all attacks on APIs came from bad bots abusing business logic. In addition, 35% of account takeover attacks in 2022 specifically targeted an API.
• Travel (24.7%), retail (21%) and financial services (12.7%) experienced the highest volume of bot attacks. Gaming (58.7%) and telecommunications (47.7%) had the highest proportion of bad bot traffic on their websites and applications.
• Of the 13 countries analyzed in the report, seven had bad bot traffic levels that exceeded the global average of 30.2%. Germany (68.6%), Ireland (45.1%) and Singapore (43.1%) ranked in the top three, while the U.S. also exceeded the average at 32.1%.
• One-in-five bad bots used Mobile Safari as their browser of choice in 2022, up from 16.1% in 2021.

 

[Yoused]

It is like some sort of universal DDoS.

 

[throAU]

I weep for humanity really... we have something nice and then (every damn time) a select subset of people decide to shit all over it.

First it was telemarketing ruining the telephone, then it was email spam ruining email, now its botnets and malware ruining general network connectivity. You'd think that by now we would have figured out that mutual authentication for any sort of communication would be critical but i guess every time there's a new platform it gets fleshed out in a simple unauthenticated manner by the next generation of engineers who didn't make/experience all the mistakes of the previous engineers building the previous platform. So they make them all again.

 

[Nycturne]

First it was telemarketing ruining the telephone, then it was email spam ruining email, now its botnets and malware ruining general network connectivity. You'd think that by now we would have figured out that mutual authentication for any sort of communication would be critical but i guess every time there's a new platform it gets fleshed out in a simple unauthenticated manner by the next generation of engineers who didn't make/experience all the mistakes of the previous engineers building the previous platform. So they make them all again.

In fairness, it’s not like the IP stack is new. A lot of what we use today was developed back when the network was meant for research groups, not for mass public consumption. Sometimes part of the problem is developing something with a particular scope in mind, with tech of the day, and then having the scope of deployment exceed anything the engineers were tasked with doing. I agree that sometimes we tend to repeat mistakes because of time, budget, or simply wanting to keep learnings to ourselves as a sort of business trade secret. But sometimes, we just make the mistakes because what we build and what it winds up being 40 years later are two very different things.

TCP/IP was deployed to ARPANET around the time I was born. And I remember when access was starting to trickle out to folks not at a college or other institutions via SLIP and PPP. Back when this type of authentication was expensive to do on the desktops of the era. Now we’ve got hardware accelerated AES and RSA and can chew through this stuff easily enough that we should be using it more consistently.

I just get reminded of how quickly computing hardware can upend assumptions as well. Right now RSA minimum recommendations are 2048-bits to avoid factorization attacks. But in 1999 we saw the first factorization of 512-bit keys that took supercomputers months to do, and yet it seems we might be starting to see real world attacks on 512-bit keys in the wild these days. How rapidly one can attack a system has grown considerably over the years too. Stuff happening today was unthinkable in the 90s, let alone when this stuff got built.

 

[throAU]

In fairness, it’s not like the IP stack is new.

True, but we've had a long time to fix services running on it....

 

[Nycturne]

True, but we've had a long time to fix services running on it....

And folks have and are trying, but the whole “you need everyone to adopt the change” aspect makes herding actual cats seem like a reasonable goal compared to retrofitting an entrenched design you have to be backwards compatible with.

That said, FIDO is finally making inroads, and maybe in another 5-10 years we will actually see password-less login become more commonplace.