The anatomy of bot traffic: 4 species and their defenses
Not all bots are the same. Datacenter bots, residential proxy networks, click farms and manual competitor clicks each require a different detection approach.
"Bot traffic" is not one thing. There are at least four major species that behave similarly but rely on very different infrastructure. Each has its own economics, technical signature and defense playbook. Here we look at each one in turn.
Species 1: Datacenter bots
What it is
Automated scripts running from cloud provider IP pools — AWS, Google Cloud, DigitalOcean, OVH, Hetzner. They drive headless browsers (Puppeteer, Playwright) and each one can fire hundreds of requests per second.
Who runs them
Three main groups: (1) data companies doing content scraping (clicks are a side effect), (2) monitoring tools watching competitor sites, (3) outright malicious actors running competitor click fraud.
Detection difficulty: Low
Datacenter ASNs are public. You can identify the owning provider instantly via APIs like ipinfo.io or ipdata.co. Detection is easy; the catch is that excluding all datacenter IPs may also affect legitimate visitors (e.g. real users behind a VPN).
Defense
- Mark every known datacenter ASN with a +60 risk score
- Auto-block on datacenter IP + headless signature match
- Keep VPN provider pools separate (user VPN can be legitimate)
- Push the riskiest ASNs into the Google Ads IP exclusion list
Species 2: Residential proxy networks
What it is
Bot traffic routed through real users' home IPs. The IPs are shared either knowingly (people selling proxy access) or unknowingly (devices infected with malware). As a result the bot looks like it is coming from a normal Türk Telekom or Vodafone IP.
Who runs them
The market has professionalized with players like Bright Data, Smartproxy, Oxylabs. Proxy networks rented for click fraud target advertisers at USD 500-5,000 per month and tend to focus on competitive verticals (legal, insurance, finance, e-commerce).
Detection difficulty: High
ASN data does not help (it's a real ISP IP). Geo is consistent (Turkey → Istanbul). Detection depends on behavioral signals and frequency patterns.
Defense
- Track abnormal click frequency from the same IP (5+ in one hour)
- Device fingerprint repetition (same hash, different IPs)
- Zero mouse / scroll behavior + short session duration
- Subscribe to paid threat-intel feeds for known residential proxy lists
- TLS fingerprint (JA3 hash) — most proxy networks leave a characteristic TLS signature
High false positive risk
Blindly blocking residential proxy IPs costs you real users. For this segment, "flag as suspicious and report for refund" is safer than "block".
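The first two signals in the list above (click frequency per IP and one device fingerprint appearing behind several IPs) can be computed in a single pass over a click log. The sketch below is an added example, not wall.click's code; the tuple layout, the `MIN_IPS_PER_HASH` cut-off and the sample data are assumptions, and the output is a set of flags rather than blocks.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(hours=1)
FREQ_THRESHOLD = 5     # from the list above: 5+ clicks from one IP in one hour
MIN_IPS_PER_HASH = 3   # assumption: distinct IPs per fingerprint before flagging

def flag_clicks(clicks):
    """clicks: (timestamp, ip, fingerprint_hash) tuples sorted by timestamp.
    Returns {click_index: set_of_reasons}; results are flags, not blocks."""
    recent = defaultdict(deque)     # ip -> click times inside the sliding window
    ips_by_hash = defaultdict(set)  # fingerprint hash -> distinct IPs seen so far
    flags = defaultdict(set)
    for i, (ts, ip, fp) in enumerate(clicks):
        window = recent[ip]
        window.append(ts)
        while ts - window[0] >= WINDOW:   # drop clicks older than one hour
            window.popleft()
        if len(window) >= FREQ_THRESHOLD:
            flags[i].add("ip_frequency")
        ips_by_hash[fp].add(ip)
        if len(ips_by_hash[fp]) >= MIN_IPS_PER_HASH:
            flags[i].add("fingerprint_rotation")
    return dict(flags)

def at(hhmm):
    """Timestamp on a constructed sample day."""
    return datetime.strptime("2024-01-15 " + hhmm, "%Y-%m-%d %H:%M")

# Constructed sample clicks (documentation IP ranges, made-up hashes).
SAMPLE = [
    (at("10:00"), "203.0.113.10", "fpA"),
    (at("10:05"), "198.51.100.1", "fpB"),
    (at("10:10"), "203.0.113.10", "fpA"),
    (at("10:15"), "198.51.100.2", "fpB"),
    (at("10:20"), "203.0.113.10", "fpA"),
    (at("10:25"), "192.0.2.50", "fpC"),
    (at("10:30"), "203.0.113.10", "fpA"),
    (at("10:35"), "198.51.100.3", "fpB"),   # third IP for fpB
    (at("10:40"), "203.0.113.10", "fpA"),   # fifth click within the hour
]

if __name__ == "__main__":
    for idx, reasons in flag_clicks(SAMPLE).items():
        print(SAMPLE[idx][1], SAMPLE[idx][2], sorted(reasons))
```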
Species 3: Click farms — human operators
What it is
Operations in low-cost geographies (Bangladesh, Pakistan, Vietnam, Philippines) where real workers click ads from dozens of phones. They run at USD 0.01-0.05 per click, organized through micro-task platforms.
Who runs them
Usually service sellers promising "more site traffic". But competitors sometimes use this channel too — specifically to exhaust a target campaign's budget.
Detection difficulty: Medium
There is a strong geographic signature: clicks landing on a Turkey-targeted campaign from Bangladesh or Pakistan are almost always click farms. Behavior is also distinct: real human touch (some mouse, some scroll) but a very short session (3-7s, closing the page without reading).
Defense
- Geo restriction: lock the campaign to your target country
- Set the target country language as the only option (e.g. Turkish-only)
- Auto-flag off-country IPs with sessions under 10 seconds
- Watch phone IP pools (mobile ISP, prepaid SIM) — click farms typically arrive from these
Species 4: Manual competitor clicks
What it is
An employee of a competitor deliberately clicking your ads to drain your budget. The lowest-volume but most insidious category, because individual clicks are indistinguishable from real users.
Detection difficulty: Very high
A single click is not damning. Pattern analysis catches it: if a user clicks your ad on five different days within a week — always during business hours — but never converts, you are looking at a researcher or competitor. 5+ clicks in 7 days from the same IP/device hash is a good threshold.
Defense
- Frequency cap: flag any IP with 3+ clicks in 7 days
- Device fingerprint persistence: even with IP changes, the browser fingerprint likely stays the same
- Exclude business-hours-only IPs with no conversion
- Watch IPs near the competitor's known office geography
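The pattern described above (repeat clicks across a week, business hours only, no conversion) is easiest to see when clicks are grouped by device hash rather than IP, since the fingerprint tends to survive IP changes. The sketch below is an added example, not wall.click's code; the tuple layout, the business-hours definition and the sample data are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

WINDOW = timedelta(days=7)
FLAG_AT = 3                    # from the list above: 3+ clicks in 7 days
PATTERN_DAYS = 5               # from the text: clicks on five different days
BUSINESS_HOURS = range(9, 18)  # assumption: 09:00-17:59 local time, Mon-Fri

def competitor_suspects(clicks, now):
    """clicks: (timestamp, device_hash, converted) tuples.
    Returns {device_hash: "flag" | "likely_competitor"} for the last 7 days."""
    by_device = defaultdict(list)
    for ts, dev, converted in clicks:
        if timedelta(0) <= now - ts <= WINDOW:
            by_device[dev].append((ts, converted))
    verdicts = {}
    for dev, rows in by_device.items():
        if len(rows) < FLAG_AT:
            continue
        days = {ts.date() for ts, _ in rows}
        office_only = all(ts.weekday() < 5 and ts.hour in BUSINESS_HOURS
                          for ts, _ in rows)
        never_converted = not any(conv for _, conv in rows)
        if len(days) >= PATTERN_DAYS and office_only and never_converted:
            verdicts[dev] = "likely_competitor"
        else:
            verdicts[dev] = "flag"
    return verdicts

def on(day, hhmm):
    """Timestamp in a constructed sample month (2024-01-15 is a Monday)."""
    return datetime.strptime(f"2024-01-{day:02d} {hhmm}", "%Y-%m-%d %H:%M")

# Constructed sample: device hashes and times are made up for illustration.
SAMPLE = [
    (on(15, "10:00"), "devX", False), (on(16, "11:30"), "devX", False),
    (on(17, "14:00"), "devX", False), (on(18, "09:15"), "devX", False),
    (on(19, "16:45"), "devX", False),
    (on(16, "20:00"), "devY", False), (on(17, "21:00"), "devY", False),
    (on(18, "10:00"), "devY", True),
    (on(19, "12:00"), "devZ", False),
    (on(5, "10:00"), "devOld", False), (on(5, "11:00"), "devOld", False),
    (on(5, "12:00"), "devOld", False),
]
NOW = on(19, "18:00")

if __name__ == "__main__":
    print(competitor_suspects(SAMPLE, NOW))
```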
Which species hits you the most?
Distribution varies dramatically by vertical. Legal services and insurance see a high share of manual competitor clicks. E-commerce and retail are dominated by datacenter and residential proxy traffic. Mobile app installs get bombarded by click farms.
wall.click scores every click for which of the four species it most likely belongs to. So you don't just see "blocked", you also see "which kind of attack is hitting you". You can rearchitect your campaign accordingly.
Practical hint
Manually telling these four species apart is possible but slow. The wall.click trial automatically reports the species distribution on your own site within 14 days — no credit card required.
