For the 5th straight year, impersonator bots were the most active bad bots, making up 24.3 percent of all bot activity. Both cheap and effective, impersonator bots are most commonly used to launch DDoS attacks, including October’s attack against DNS provider Dyn.

That’s among the key findings of Imperva’s Bot Traffic Report 2016, which is based on analysis of over 16.7 billion visits to 100,000 randomly-selected domains on the Imperva content delivery network from August 9, 2016 to November 6, 2016.

The Nitol malware was “the single most common bad bot responsible for 0.12 percent of all website traffic,” the report notes. “In 2016 the majority of Nitol assaults were launched by impersonator bots browsing using older versions of Internet Explorer.”

“It should be mentioned that the identities used by impersonator bots are highly fluid. Case in point, when collecting data for this report we recorded Nitol impersonators using over 14,000 different user-agent variants and 17 different identities,” the report adds.

But the news isn’t all bad:

  • Good bot activity grew by 4.4 percent from 2015 to 2016
  • Good bots (28.9 percent) outnumber bad (22.9 percent)
  • Feed fetchers were the most active good bot in 2016, and their increased activity reflects users’ shift to mobile

Register to learn more about bot trends, based on Imperva’s research.