There are quite a lot of indirect signs of bot DDoS on the site. If your traffic has increased significantly in recent days, be sure to look at the metric to find out the nature of such a sharp spike.
- The most important trigger: the number of direct visits, transitions from recommendation sites (Zen) and transitions from social networks with a mobile user agent increases. Bots are very fond of attacking pages whose results are in the TOP 3 of search results. They are not interested in pages with low traffic and they hardly visit them.
- The number of rejections decreases, but at the same time the time on the site and the depth of views decreases.
- If bots come from direct visits, they spend at least 15 seconds on the site so that the metric does not count the refusal. In the case of search traffic, it is usually different (more on this below). Thus, in Yandex.metrica, we have a huge number of visitors with a 15-second session and a visit to one page
- Imitate human actions, judging by the Webvisor. Bots scroll the page, even stop at some part of the text, but, as many webmasters note, they only get burned, because it doesn’t look like human actions at all: They “read” a completely secondary text, not the main content, the main idea in the text.
Constant jerks with the mouse, movements up and down, incomprehensible turning circles with the cursor around some element on the page
Fast page scrolling. At this speed, a person won’t even have time to read the headlines.
Long sessions (10-20 minutes), but 99% of the time from these sessions is inactivity and convulsive cursor movement in random areas
- Recently, bots have been reorienting a bit and going through the search (not direct visits) for many top queries. As we have already written above, bots attack mainly pages for the most competitive queries, and many bots from the search with high failures come from the same IP addresses from which the attack is carried out by direct calls
- Transitions from strange sites are added to direct visits, on which, allegedly, there is a backlink to your resource. When you go to this site, links to your site are not detected
- Mostly bots settle on sites with good traffic (from 500 to 1000 per day). But there are exceptions and smaller resources are hammered.
- The vast majority of bots come from the IP addresses of the networks of mobile operators in Moscow or the Moscow region. The Metropolitan branch of OJSC MegaFon is particularly popular with bot breeders. Just as many bots come from an IP network that is signed as an IPv4 address block not managed by the RIPE NCC. Another nuance is that everyone has a completely small screen resolution (for example, 375 × 667). Here is the standard bot entry (specifically here – from the social network approx., where links to our resource have never been posted)
- The number of bots is growing steadily. It increases every day a little bit (10-50 visits), but it is growing. And it grows daily. The “normal” indicator is now considered to be up to 20% of bot traffic on the site. This, of course, is not the norm, but supposedly tolerable. But if the share of parasitic traffic exceeds 50%, then you should start sounding the alarm
- Often, along with bots, the number of external links from various spam and murky resources is growing