How to block bots or DDOS attacks?

We got a sudden spike in traffic on our homepage for the last month. Based on our Google Analytics data, we’re pretty sure these are not real users. We don’t know whether they are some random bots or somebody is running a script to make loads of requests to our page.

This is not only affecting our analytics data quality but it’s also affecting our bandwidth usage on Netlify since we received an email about it.

Please help us identify what this issue is and what to do to fix it.

Here’s a screenshot from analytics data:

Can anyone assist here please? We’re really stuck with this.

Is there any pattern to any of the suspected bots/bad actors? Locations/countries, user agents, et cetera?

Have you looked into filtering bot and spider traffic from Google Analytics? Then you can 1) see analytics clearly and 2) actually see if these are bots. I would imagine Google is pretty good at detecting spiders, scrapers, etc.

Hey Seif,

I wrote an in-depth response to this question some time ago, and it's applicable here:

If you have specific questions, please do let us know and we can try to assist.

Hey @perry, thanks for the detailed reply. We fall in the first case: we’re a small business (Frontend agency) and we have a free account.

@Scott Patterns we observed:

  • All these visits come from new visitors.
  • They all hit the homepage only.
  • Browser is Chrome
  • Operating system Linux

@AaronP Thanks for the recommendation. I added a filter for bots, it removed quite some traffic but we’re still getting a huge part of suspicious traffic.

Thanks for your patience! I just reviewed the traffic for your domain and it seems like it stopped around 9 days ago.

I see about a dozen “main” IPs involved in the spike, all with that same user agent:

Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.163 Safari/537.36

Did you find the source of the traffic? Seems like it might have been a monitor or similar?

@fool Thanks for your reply. Indeed, the traffic reduced during the last period, not sure why.
The only monitoring tool we have is Google Analytics and we don’t have access to the IPs there. What information would you like me to provide you about the source?

@fool any update on this?

Sorry for the delay, @seif - I have been out of the office.

Tis unfortunate but we can’t share IPs generally speaking due to the GDPR. I guess in this case if you’re sure you didn’t have any monitors, seems like it was an attack, though a pretty useless one.

I looked at the total bandwidth used and it was around 15Gbyte, not enough to cause you to get charged on its own.

In the future you’ll be able to use our edge handlers feature to handle blocking traffic you don’t like yourself:

…but we don’t intend to get too judgmental about which traffic we serve by default:

  • we aim to serve your site to all visitors since “super bowl ad” traffic is pretty hard to tell apart from “misconfigured scanner” which is impossible to tell apart from “intentionally configured scanner” in many cases.
  • we do block attacks whose traffic levels impact our system; this traffic was not at that level though (it would have needed to be about 300x as much to probably cause any alarms to go off here).

Sorry I don’t have better news for you today on blocking that traffic, but that’s what our system supports right now.
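
The pattern described in this thread (one user agent, a handful of IPs, homepage only) can be checked against raw request logs. The following is an added example, not code from any poster or from Netlify; it assumes you have access logs in combined log format from a proxy or origin you control, and the function names, thresholds and sample lines are constructed for illustration.

```python
import re
from collections import defaultdict

# Combined log format: ip ident user [time] "METHOD path proto" status bytes "referer" "ua"
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'\d{3} \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)
# User agent quoted in the thread above.
BOT_UA = ("Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 "
          "(KHTML, like Gecko) Chrome/80.0.3987.163 Safari/537.36")

def build_sample():
    """Constructed log lines: 3 IPs hammering '/', plus 2 ordinary visitors."""
    fmt = '{ip} - - [01/May/2020:10:00:00 +0000] "GET {path} HTTP/1.1" 200 5120 "-" "{ua}"'
    lines = [fmt.format(ip=f"203.0.113.{i % 3 + 1}", path="/", ua=BOT_UA)
             for i in range(60)]
    human = "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_4) Safari/605.1.15"
    for ip in ("198.51.100.7", "198.51.100.8"):
        lines += [fmt.format(ip=ip, path=p, ua=human) for p in ("/", "/about", "/contact")]
    return lines

def suspicious_agents(lines, min_requests=50, min_home_share=0.9, min_per_ip=10):
    """Flag user agents that are high-volume, homepage-only and concentrated on few IPs.

    The three thresholds are assumptions; tune them to your normal traffic.
    """
    stats = defaultdict(lambda: {"total": 0, "home": 0, "ips": defaultdict(int)})
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed lines rather than guessing at fields
        s = stats[m["ua"]]
        s["total"] += 1
        s["home"] += m["path"] == "/"
        s["ips"][m["ip"]] += 1
    flagged = []
    for ua, s in stats.items():
        per_ip = s["total"] / len(s["ips"])  # average requests per source IP
        if (s["total"] >= min_requests
                and s["home"] / s["total"] >= min_home_share
                and per_ip >= min_per_ip):
            flagged.append({"ua": ua, "requests": s["total"], "ips": sorted(s["ips"])})
    return flagged

if __name__ == "__main__":
    for hit in suspicious_agents(build_sample()):
        print(hit["requests"], "requests from", len(hit["ips"]), "IPs:", hit["ua"])
```

A user agent string alone is easy to change, so treat a hit as a lead to investigate (for example, whether the IPs belong to an uptime monitor you forgot about) rather than as a block list.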