alt.hn

6/3/2026 at 5:43:00 PM

Bot vs human traffic

https://radar.cloudflare.com/traffic#bot-vs-human

by jmsflknr

6/3/2026 at 7:28:10 PM

One funny thing I've discovered as a result of certificate transparency logs is that the second your host gets given an SSL cert, you are immediately blasted with ai crawlers.

I put a project online - it was online for a month, and the second I added an SSL cert it went from 0 traffic to 1000 requests/min.

by nemothekid

6/3/2026 at 11:37:17 PM

> One funny thing I've discovered as a result of certificate transparency logs is that the second your host gets given an SSL cert

I've been thinking of using wildcard certs for Caddy in regards to this.

by 8cvor6j844qw_d6

6/4/2026 at 1:54:08 AM

and then what? serve your app under some obscure / customer unfriendly subdomain?

by jgalt212

6/4/2026 at 4:30:14 AM

Even if you use a common subdomain, anecdotally I get orders of magnitude less bot traffic than not using a wildcard cert.

by sadeshmukh
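The wildcard-certificate point in this sub-thread, as an added example that is not part of any comment: a small audit that classifies each hostname you serve by whether its exact name appears in a certificate (and therefore in the public CT logs) or is covered only by a wildcard SAN. The hostnames and SAN lists are constructed sample data, and the function names are hypothetical.

```python
# Added example (not from the thread): which of your hostnames would be
# disclosed by name in Certificate Transparency logs, given the SAN lists
# of the certificates you have issued. All hostnames are constructed.

def wildcard_covers(san: str, host: str) -> bool:
    """True if SAN entry `san` covers `host`. A wildcard matches exactly
    one left-most label, so *.example.com does not cover a.b.example.com."""
    san, host = san.lower().rstrip("."), host.lower().rstrip(".")
    if not san.startswith("*."):
        return san == host
    suffix = san[1:]                      # ".example.com"
    if not host.endswith(suffix):
        return False
    label = host[: -len(suffix)]
    return bool(label) and "." not in label

def ct_exposure(cert_sans, hosts):
    """Classify each host as:
    'disclosed'     - its exact name is in a logged certificate
    'wildcard-only' - covered by a wildcard SAN, name itself not logged
    'uncovered'     - no issued certificate is valid for it"""
    logged = {s.lower().rstrip(".") for sans in cert_sans for s in sans}
    wildcards = [s for s in logged if s.startswith("*.")]
    report = {}
    for host in hosts:
        name = host.lower().rstrip(".")
        if name in logged:
            report[host] = "disclosed"
        elif any(wildcard_covers(w, name) for w in wildcards):
            report[host] = "wildcard-only"
        else:
            report[host] = "uncovered"
    return report

# Constructed inventory: SAN lists of three issued certificates.
CERT_SANS = [
    ["example.com", "www.example.com"],
    ["*.example.com"],
    ["staging.internal.example.com"],
]
HOSTS = ["www.example.com", "newproject.example.com",
         "staging.internal.example.com", "db.internal.example.com"]

if __name__ == "__main__":
    for host, status in ct_exposure(CERT_SANS, HOSTS).items():
        print(f"{host:32} {status}")
```

The wildcard entry itself is still logged, so the parent domain stays visible; only the individual subdomain names are kept out of the log.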

6/4/2026 at 12:21:44 AM

Today AI crawlers, years ago vulnerability scanners from Russia or China.

Either way! People monitor cert registries for targets.

by RajT88

6/3/2026 at 8:24:49 PM

Make a new certificate, let crawlers blast you and add those IPs to a block list.

by CyberDildonics

6/3/2026 at 8:30:59 PM

these old network security techniques don't really work anymore. the common bots are at known IP ranges, the problem bots are all on datacenter + residential proxies.

by nikcub

6/3/2026 at 9:01:59 PM

Why would blocking those be a problem?

by CyberDildonics

6/3/2026 at 11:40:31 PM

because you are blocking all of Comcast, Verizon, T-Mobile, British Telecom, ....

at the end you have blocked every network with human visitors and only datacenter IPs can access your site.

The proxies rotate IP every day, so you either have ineffective blocking or you block the whole network.

by chadgpt3

6/4/2026 at 2:37:41 AM

My site is not for americans so I don't care about blocking american isps

by efilife

6/4/2026 at 11:30:08 AM

You think they only use American networks?

by chadgpt3

6/3/2026 at 9:30:12 PM

there are 150M+ of them and you'll be taking out a lot of human users with it

modern blocking is behaviour / heuristic based

by nikcub

6/4/2026 at 3:53:34 AM

There are 150 million bots all using residential IP addresses?

by CyberDildonics

6/3/2026 at 8:32:47 PM

In my experience, these aren't the crawlers from legit companies, so they have infinite IPs via residential botnets/proxies.

edit: 'nikcub beat me to it by 30 seconds :)

by mh-

6/3/2026 at 6:27:21 PM

It's a silly metric. There could be only one master bot that pings every known endpoint multiple times a second, and that would probably surpass all human activity, too. It doesn't really tell us much about intention or the ability to masquerade as humans.

Where I would start to worry is if there's evidence that bot access patterns are starting to become harder to distinguish from human access patterns, which would suggest that they are, in fact, mimicking or masquerading as humans. I don't care how many search bots are indexing web content, but I do worry about how many social bots are attempting to manipulate or mislead people.

by jawns

6/3/2026 at 6:33:47 PM

Looking at the verified bots section, all the top bots are web crawlers, which have been around for decades, to your point.

by al_borland

6/3/2026 at 6:43:46 PM

Thales Bad Bot Report categorizes the traffic between "good" and "bad" bots.

I would add that AI dramatically blurs the line between legitimate and malicious, and the intent generally speaking.

In regards to social bots, there's a 2024 study of over 1 million accounts on X and over 60% were found likely to be bots. Curiously, when Musk took over Twitter, the "Blue Checkmark" became something that can be bought for several bucks a month (with crypto, even), without any sort of verification.

by 01284a7e

6/3/2026 at 6:44:32 PM

>but I do worry about how many social bots are attempting to manipulate or mislead people.

You should browse reddit sometime. The easy ones to spot just autocreate accounts using the autoname at signup, which is of the formfactor [word1][word2]/d{4}

Regex nazis please spare me, I am doing my bestest

by RobRivera

6/3/2026 at 7:56:08 PM

your bestest is just fine as your point is clear. i'd actually be just fine with pseudo code. maybe it'll poison the LLM training data if we all did it more.

by dylan604

6/4/2026 at 6:57:26 AM

..... I like my auto generated username it's a funny one

by willx86

6/3/2026 at 6:39:12 PM

[flagged]

by axegon_

6/3/2026 at 6:12:31 PM

“First time”

The graph seems like it only goes back to April 27 and on that day it was 57% bot…

by ryanschaefer

6/3/2026 at 6:22:26 PM

Maybe "first time on a weekday"? As it seems it's been above 60% every weekend since they started monitoring it.

by embedding-shape

6/3/2026 at 6:21:47 PM

I think it’s meant as “for the first time in history..”. Not today in particular, but as a milestone.

by sheepscreek

6/3/2026 at 8:08:02 PM

> Percentage of HTTP requests classified as bot (automated) or human. Filtered to HTML responses, representing web page traffic.

(Emphasis mine)

I realize that this is likely an inherent limitation, but there is a difference between "bot vs human traffic" and "traffic that CF thinks is bot/human". Every time CF blocks me, I assume it claims I'm a bot in this chart.

by yjftsjthsd-h

6/3/2026 at 8:51:35 PM

I do sometimes get blocked as a bot. I have no idea how many false positives there are, but there are some and CF does assume there are none in all their numbers (e.g. email saying they block x bots).

by graemep

6/3/2026 at 9:08:20 PM

Yes, one of my favorite memories of CF is getting blocked and then almost immediately getting an email where they bragged how many bad actors they blocked. Like... do you? Are you sure?

by yjftsjthsd-h

6/3/2026 at 8:33:18 PM

Cloudflare are more likely to be undercounting bots - they don't really pick up many of the modern browser-driven bots and crawlers.

by nikcub

6/3/2026 at 8:48:04 PM

I'm quite happy to believe that it's unreliable in both directions.

by yjftsjthsd-h

6/3/2026 at 6:23:01 PM

According to the Thales Bad Bot Report, in 2025 >53% of traffic came from bots. 2024 was 50 - 50, and in 2013, it was measured at 43%.

AI-driven* bot activity has increased more than tenfold however in the past 12 months so I'm confident this will grow to a very solid majority.

by 01284a7e

6/3/2026 at 6:29:15 PM

> and in 2013, it was measured at 43%.

Do you mean 2013 or 2023?

by pixelesque

6/3/2026 at 6:32:24 PM

I mean, just for a reference point, 2013. 2013 was the first year they did the report.

by 01284a7e

6/3/2026 at 6:14:27 PM

If they were truly this accurate at identifying sources of bot traffic, you'd think they'd be better at blocking them without inconveniencing the rest of us.

by EarlKing

6/3/2026 at 6:12:53 PM

For the first time? No way. People were saying this 5, 10, 15+ years ago.

by asdff

6/3/2026 at 7:01:16 PM

This feels like a vibe-coded dashboard that someone made just because they could and with AI it is much cheaper/quicker to create. But they didn't actually put too much thought into how it would/could actually be used. This doesn't really provide much value over "well that's kind of interesting to know". There aren't really actionable points that one can take from looking at these charts.

Some of my opinion above is formed from my own experience making similar charts just because I wonder what something would look like graphed out :)

by jmaw

6/3/2026 at 6:09:14 PM

Given how many rounds of captchas I have to fight through, I'm not sure if these numbers are accurate.

by vaylian

6/3/2026 at 6:28:29 PM

Funny how I get captcha looped with my adblocking in firefox but you can just get through easily with a few puppeteer plugins controlling headless chrome.

by asdff

6/3/2026 at 11:17:45 PM

Average Firefox experience right here

by ntcho

6/5/2026 at 2:10:59 AM

It does feel like being a second class citizen in a lot of ways. But I press on. Chrome is adware and safari is often just as broken.

by asdff

6/3/2026 at 6:13:00 PM

You have to fight, for some bots it might not be a real fight anymore...

by elaus

6/3/2026 at 7:59:06 PM

That's why the human traffic numbers are so low. They just get frustrated with the CAPTCHAs and close the tab. So maybe accurate after all???

by dylan604

6/3/2026 at 6:30:06 PM

Trivial to bypass though, the big players just haven't gone that far yet.

by dawnerd

6/3/2026 at 6:23:52 PM

Captchas are part of the traffic. ;)

by layer8

6/3/2026 at 7:17:01 PM

Bot traffic

  Share of HTTP requests
  
  Ranking   Location   Percentage
  1.        Gibraltar    92.0%
  2.        Iran         76.9%
  3.        Singapore    76.4%
  4.        Ireland      72.9%
  5.        Netherlands  68.8%

Lol, what is happening?

by BugsJustFindMe

6/3/2026 at 7:36:10 PM

Gib probably has a handful of servers scraping, but the place is so small, it almost eclipses normal traffic

by oh_fiddlesticks

6/3/2026 at 8:36:25 PM

I'm also quite skeptical of the IP databases' ability to get this correct in border regions. All of Gibraltar is, necessarily, near its borders.

by mh-

6/3/2026 at 8:26:09 PM

I do understand why all of those bot scores are so high. But Netherlands? Are there big datacenter providers I don't know of that are used by bots?

by tpetry

6/3/2026 at 8:41:31 PM

[dead]

by prolly97

6/3/2026 at 6:28:52 PM

I was tracking this as part of an older job and this has been the case for some years now - started around the Covid time with all the scalping bots etc and has just been building up.

This sorta mirrors the early-mid 2010's when people[1] were worried about how much of the internet was streaming traffic.

[1] Mostly ISP's annoyed at not being able to monetize it and folks trying to sell monetization solutions to them - https://www.sandvine.com/hubfs/Sandvine_Redesign_2019/Downlo...

by tushar-r

6/3/2026 at 6:10:58 PM

Dead internet theory

by InfiniteVortex

6/3/2026 at 6:28:23 PM

what comes after death? more like dead -> dead -> dead internet

by tonymet

6/3/2026 at 6:32:50 PM

It's been mostly dead all morning.

by nocman

6/3/2026 at 11:42:08 PM

Undead? Shambling along with the body of its former, living self?

by Mezzie

6/4/2026 at 10:09:07 AM

Wikipedia no longer calls it a 'conspiracy theory'. I guess it's confirmed then.

by sph

6/3/2026 at 6:13:32 PM

Automated systems that don’t sleep and are often programmed to aggressively scrape and are limited only by compute capacity outstripped humanity? I am not surprised by this at all.

by Shank

6/3/2026 at 6:18:29 PM

We're the "retail users" of the Web.

by Waterluvian

6/3/2026 at 7:44:36 PM

Saw this play out firsthand this week. Launched a small developer tool and within 48 hours had traffic from 38 countries — Netherlands and Singapore near the top, which matches the bot-heavy regions in this data.

The SSL cert observation in another comment here is accurate too. The second a domain goes live it gets discovered.

by devdoc83

6/3/2026 at 6:27:43 PM

Any thoughts on why ~30% of HTTP requests are in US? I know we had first mover advantage for awhile but I'd expect this to have been diluted by larger populations by now. It doesn't appear to be AI/bot driven either.

by conductr

6/3/2026 at 11:45:09 PM

Network effect feedback. Cheap hosting in the US because servers are there, more servers are there because of demand for hosting. AWS is there - similar reasons. Big Tech had more time to develop there and eclipsed other countries' tech.

by chadgpt3

6/3/2026 at 6:35:38 PM

my first guess would be a decent chunk of things bot operators want to scrape are in the US. might as well have your bot nearer to the source.

by yacin

6/3/2026 at 6:50:53 PM

Is it not just a case of most of their clients being US based?

by arbol

6/3/2026 at 6:42:07 PM

Not shocking if CF is now trying really hard to keep me out of the internet

by dietr1ch

6/3/2026 at 9:26:05 PM

In this graph, "api request" traffic looks to be conflated with "bot".

by greatgib

6/3/2026 at 6:39:51 PM

Would love to see it go further back and some meaningful metric of how much is web scrapers vs bots.

by giancarlostoro

6/3/2026 at 6:59:32 PM

Can bot traffic cause ad revenue to go up by any chance? Or false clicks that cost advertisers?

by system2

6/3/2026 at 11:46:30 PM

Only if the bot is designed to commit ad fraud. Normal bots are obvious to ad networks.

by chadgpt3

6/3/2026 at 6:11:25 PM

Given how most of the internet is on mobile, I wonder how much that would skew this.

by giancarlostoro

6/3/2026 at 6:19:35 PM

Dead internet theory gaining more credibility with every passing day.

by deafpolygon

6/3/2026 at 6:36:03 PM

I'm looking forward to the fraud lawsuits for ad companies

by vinyl7

6/3/2026 at 6:22:05 PM

Only for HTML content. Total traffic would have been surprising.

by layer8

6/3/2026 at 6:40:14 PM

CF posts metrics which reinforce their business... shocking

by 0x59

6/3/2026 at 6:47:58 PM

It's not Cloudflare's title, the submitter invented it.

by Symbiote

6/3/2026 at 8:13:54 PM

The submitter submitted a link to #bot-vs-human, the title of which is

> Bot vs. Human

by yjftsjthsd-h

6/4/2026 at 12:10:04 PM

The original submitted title (when I commented) was something like "Bots overtake human traffic for the first time".

by Symbiote

6/4/2026 at 5:34:47 PM

Ah, I missed that. Then yes, I'm with you. I wish HN showed an edit history on titles :/

by yjftsjthsd-h

6/3/2026 at 6:55:01 PM

Sorry for the confusion, I was pointing out that the submitter submitted something silly and not that CF is boosting its business.

by 0x59

6/3/2026 at 6:27:12 PM

OP: please add [2012] to the title

by tonymet

6/4/2026 at 12:00:48 PM

Ha! More electricity than candles and gaslight. More steam power and automobiles than horses…more bicycles and pedestrians than cars and trucks—well.

by xtiansimon

6/3/2026 at 7:49:55 PM

[flagged]

by dmaso191