Trust No One & Check Everything

Bots, as a whole, account for close to 60% of all web traffic. 25% of bots are good, like the ones used by search engines, called “spiders,” to crawl content and index it for reference. That means roughly 35% of all web traffic is malicious bots.

Distributed Denial of Service (DDoS) attacks are perhaps the most well-known and aggressive bot attacks. DDoS overloads the host's resources with incredible volume. Most companies are aware of this form of attack and have mechanisms and plans in place to limit access to a given resource (website, service, application) and act to stop an attack if it occurs.

Beyond brute force volume attacks are the stealthier bots sent out to find vulnerabilities and report back to hackers who will show up and finish the attack. Types of vulnerability attacks include:

Credit card fraud: If hackers can snag card numbers or test validity of stolen cards, your site needs to be more secure.

Inventory denial: Think of an airline with a limited number of seats and bots gobbling up all the inventory without purchasing. Even with a timeout enabled, that's precious time during which a real customer cannot access available inventory.

Data theft: Scraper bots can steal a website's data and content, mimic it on a fraudulent site and offer better pricing. This can hurt both the company being impersonated and the victims purchasing from the fake site, who face a non-delivery tactic and potential identity theft.

Advertising fraud: If your site is paying for ads to be served and is charged “per click,” a bot could rack up your max spend quickly without any real traffic or legitimate conversions.

Credential stuffing: Have a form or portal on your website where customers can provide lead generation info or log into their account? Bots will attempt to find valid combinations and access accounts, or overload your systems with garbage info if you're not walling it off.

Behind every bad bot is a bad actor looking to do more than simply pose a threat. Test your sites and applications thoroughly to find potential holes and fill them properly.