Defending Against Bot Attacks: Art of War

12 min readMay 18, 2020

Whether you are building a large application, or a small form for your running club, bot attacks are an annoying reality. If you’ve found your way to this page, it’s likely that your beloved sites and APIs are under some form of attack. I’ve written this guide to teach you some of the defensive moves I’ve learned over the last decade working as a software engineer for security companies (BlackBerry), companies with large volume bot detection issues (Facebook) and most recently a small startup with direct security focus (UnifyID).

Understand the Terrain / Vocabulary

Quickly square on some definitions that I’ll use below. If your use case doesn’t fit into these definitions, this post may not help you, however feel free to comment below as I’d like to include most variations in my guide.

  • You — The reader of this document. I’ve written it so that it should be useful for software developers like myself, but made it simple enough that brave PM’s or non-engineering types should be able to understand ;)
  • App — You’ve got an app, whether it is a Web-App, a Desktop App, a Mobile App or some combination.
  • Data — Your app needs this to function, and it’s either too dynamic, user specific, private, or too large to bundle with your app
  • API — This is the battlefield. Your App needs to get to your data, and so it must travel the Internet to get it. Your API is the gate that protects your data and ideally, only lets your App in.
  • User — A legitimate user of your App and Data, whether authenticated (logged in) or not, through a public App

Forms to Perceive / Ways You Can Be Attacked

A little more vocabulary for a common understanding, here is a broad (and probably not fully complete) list of the ways that your API can be attacked over the internet:

  • Targeted — An individual or group of individuals are focusing their attention on your API and business specifically, hallmark will likely be extra high or unusual web traffic from a specific IP or Region
  • BotNet — Attackers often have access to BotNets, or a distributed group of computers from which they can attack from. Hallmark here will be an increase in API traffic from a broad variety of IP’s and Regions, and is harder to differentiate from genuine traffic

Kevin Lohman, Software Engineer, Father, Story Teller, and former US Navy Sailor (who never set foot on a ship)