Over half of all internet traffic is generated by bots, both legitimate and malicious. The objectives of bad bots include account take over, web content scraping, data theft, and launching DDoS attacks with the intent of stealing data or causing service disruptions. Sophisticated, large scale attacks often go undetected by conventional mitigation strategies. At the same time, the internet would grind to a halt without the beneficial bots that power search engines and digital assistants.


Bots are ubiquitous. Today’s hackers use bots to launch pre-attack scans, post comment spam, exploit vulnerabilities, and execute code injection attacks, denial of service attacks, and password guessing (Credential Stuffing) hacks against your web facing properties. These bots commit fraud by repetitively making and canceling purchases, holding and/or consuming inventory, scraping sites, stealing information, and a host of other unwanted activities. Malicious bots also cause application outages that impact your customers’ experience, resulting in commercial losses.


To effectively control the damages caused by the bot epidemic, organizations are faced with the challenge of staying ahead of threat actors and their malicious bots. Conversely, legitimate bot traffic is a necessary part of the Internet. Organizations want to detect and allow good bot traffic, while managing the amount, the time-of-day, and the traffic priority. Having the ability to eliminate malicious bot traffic while managing legitimate bot traffic is critical to maintaining uptime.


Limelight’s Bot Manager uses proprietary semi-supervised machine learning capabilities for precise bot management across all channels, combining behavioral modeling for intent analysis, collective bot intelligence and device fingerprinting. This ensures maximum availability and security of web infrastructure to sustain revenue generating web traffic, while managing legitimate bot traffic. Limelight Bot Manager provides protection from a wide variety of threats:

Account Takeover

Credential stuffing and brute force attacks are used to gain unauthorized access to customer accounts.

Web Content and Price Scraping

Use of bots to scrape content and steal price information from websites and illegally reproduce the stolen content on ghost websites.

Data Theft

Gaining access to personal data such as credit card numbers and SS numbers.

Digital Ad Fraud

Malicious bots create false impressions and generate illegitimate clicks on publishing sites and mobile apps.

Skewed Analytics

Automated traffic on web properties skews metrics and misleads decision-making.

Launching DDoS Attacks

With the intent of stealing data or causing service disruptions.

Gift Card Fraud

Use of bots to crack gift cards and identify valid coupon numbers and voucher codes.

Cart Abandonment and Inventory Exhaustion

Using bots to fill shopping carts with product inventory than abandoning them.

Form Spam

Bots that deluge online marketplaces and community forums with spam leads, comments and fake registrations.


Because bots are automated scripts, bot protection starts by determining whether a connection request is coming from a human or machine. A series of challenges is presented to separate good bots from potentially malicious bots.

Device Fingerprinting

Captures visitor device parameters to create a unique fingerprint, then classifies every visitor as human, good bot, or bad bot based on fingerprint tracking.

Human Interaction Challenge

Identifies normal usage patterns and behaviors for each web application based on legitimate user/ visitor behavior analysis, and checks for anomalies in mouse movement and keystrokes.

Detect Headless Browsers

Headless browsers have many malicious uses – scraping web sites for data, perform DDoS attacks, increase ad impressions, credential stuffing, etc.

Mitigating Large Scale Distributed Bots with Interaction Capability

Detecting and blocking these human-like bots requires behavioral analysis using correlation of activity over time across IP addresses, device fingerprints, mobile device attributes, and intent signatures.

IP Whitelisting and Blacklisting

Control access based on IP addresses.


Ability to Handle Bot Traffic in Multiple Ways

Actions are customized based on bot signatures/types, e.g., feeding false pricing and product information to competitor’s bots. CAPTCHA is used for suspected bots, leveraging responses in a closed- loop feedback system to minimize false positives.

Transparent Reporting and Comprehensive Analytics

Granular classification and reporting of different types of bots, such as search engine crawlers and malicious bots, enable efficient traffic management. Limelight’s Bot Manager can be seamlessly integrated with leading analytics platforms, including Google and Adobe Analytics.

No DNS Redirection

Using an API-based approach to protect web assets, the solution doesn’t require DNS redirection, thus allowing complete control over web applications, mobile apps and APIs.

Accuracy and Scalability

Intent-based Deep Behavioral Analysis (IDBA) filters highly sophisticated humanlike bots without causing false positives. Website functionality and user experience remain intact. Bot Manager leverages cutting-edge technologies to maintain high scalability during peaks in network traffic.


Secure All Channels: Web, Mobile APPS, APIs

Defend against bots that target various digital assets, even sophisticated bots designed to attack multiple assets.

Full Coverage of OWASP Automated Threats

Protect from all forms of account takeover, denial of inventory, DDoS card fraud and web scraping.

Nonintrusive Approach

Detect and block highly sophisticated human-like bots in realtime using APIs or out-of-path mode, all with no impact to the technology stack.