Cloudflare TV

Latest and Greatest with Bot Management

Presented by Dan Gould , Ben Solomon
Originally aired on 

Cloudflare will discuss the latest trends in global bot activity along with recent advances to better deter bots.


Transcript (Beta)

Hey, everyone. Hello. Welcome. My name is Dan. I'm joined by my esteemed colleague, Ben Solomon.

We're here to talk a little bit about bots, which, as you may well know, Cloudflare thinks a lot about.

Ben, what's going on? Not much. I'm excited to be here.

Hi, everyone. I'm Ben Solomon. I'm the product manager for our bots team. We are thrilled.

We're thrilled to talk about bots. Dan and I were saying before this session that we have so many just casual conversations and day-to-day about bots and the trends we see and all these different things.

So we can't wait to talk about this stuff.

And we've got a lot of cool stuff to show you. Yeah, honestly, Ben and I talk every day about bots.

Like we were on a call like an hour ago. So we're glad to actually be able to talk to you about this, too.

So just very quickly, by way of background, Ben, who are you and what keeps you busy at Cloudflare?

Yeah, I gave a little bit of a hint here, but I work on our bots product.

And so that includes bot management, which is a product we sell to enterprise companies, larger companies that have these different needs in the bot space.

Often they are trying to block bots from meeting their websites.

And these bots are not doing good things.

They're trying to take down sites, to steal inventory, to do all these different things.

And then I also work on SuperBot Fight Mode, which is a slightly more self-serve product that does the exact same thing.

If you've got an individual site or a blog or something, SuperBot Fight Mode can help you block those bots as they're showing up.

I am based right now in San Francisco. And so I love this stuff, right?

It's what I do day to day. How about you, Dan? So how about me?

So my name is Dan. So I'm on the product marketing team. Ben and I partner together closely on bots.

But, you know, in addition, if you've been following Cloudflare over the past couple of years, you now know that we've got a very broad, well-rounded application security portfolio.

And I support much of that. And, you know, I think we're well known for our DDoS protections, both at the network layer and application layer, our WAF, right?

And then other things like bot management, of course, that we'll talk about today, like API Shield, right?

To keep APIs secure and productive, like our PageShield product.

We think about the risk that comes from third party JavaScript dependencies.

Things like TLS, SSL, something we've thought a lot about.

So I support a lot of these products in application security.

But today in particular, we're talking here about bots. Now, Ben Solomon, are you ready?

I'm ready. So just for the viewers, Ben and I have challenged each other to share a fun fact.

We would not share it if we're going on air.

And so the reveal is happening now. Ben, do you want to go first? Sure. I have a hunch that your fun fact is going to be even more fun than mine.

So I'll go first.

So here, I was thinking briefly before we did the call here. A couple, well, actually almost two years ago, I was living in Los Angeles and trying to find something to sort of occupy myself in between the period when I was in college and when I started my job here at Cloudflare.

And what I ended up doing was I went to a bunch of different TV show recordings at different studios in L.A.

and sat in the audience.

And so the fun fact about me is you can go take a look at any of these shows that were filmed right around like February, March 2020, right before COVID hit.

And you can see me in the audience. I'm in the audience at Beat Shazam.

I went to Celebrity Family Feud, all that good stuff. Okay. I knew it. So Celebrity Family Feud, who hosts that?

Steve Harvey. Steve Harvey. And then what else?

Beat Shazam. Jamie Foxx is on that one. I went to The Masked Singer, which I forget who hosts that one, but there's all sorts of stuff.

But it's crazy, too, because so many of these episodes were filmed before COVID, right, like a month before COVID.

And then they sat with these different companies and they're now airing.

And I'm watching myself sitting in groups of thousands of people without a mask going, oh, my God.

It feels so dangerous, right? It feels so dangerous. But yes, that's my fun fact.

Tell me about yours. Okay. So just a quick question. How did you decide, hey, this is a good idea, a good way to spend my time?

Honestly, I was just looking to make use of the fact that I was in L.A.

And I was there to write music and do all sorts of other things.

But one of the things you realize is when you know you're going somewhere else, when you know you're starting an exciting job in bots, right, at Cloudflare, it's really hard to commit to music or anything else.

And so I ended up doing just a lot of fun stuff that I'd want to do.

Did you corner Jamie Foxx? He could have been your big break. I wish I could have.

The dude is very talented. I mean, in between, like in commercial breaks, I would just like riff and sing all sorts of songs.

It was unbelievable. He may have been your big break.

Next time, next time you go and go to the show. Okay.

Very quickly. And by the way, again, we will talk about bots here. My fun fact is in high school, I was voted most likely to.

And Ben, I mentioned yesterday, this is like in retrospect, the biggest insult anyone has ever sort of issued you've given me.

Most likely to become a politician. Really? Dude, think about the past 15 to 20 years, the intervening years.

Like that's not a compliment, is it?

No. So, okay. I agree that in some circumstances, particularly like recent, recent times, it might not be a compliment.

I think it does speak volumes about your character, though, because you have something that's very personable.

And I think it's meant to be a compliment, right?

Like I've talked to folks who have interviewed you, especially right before you started at Cloudflare.

And they said it's something about the way you talk where you sort of I can talk to you for the first time.

And it feels like I've known you for a while, which is probably why you're getting that politician vibe.

I don't mean to make this a compliment fest, but I think it's I think it's a good thing.

Yeah. So anyways, I was thinking about that.

It's like, gosh, is that compliment? Maybe it's not. Anyways, most likely to become a politician.

So anyways, instead of doing that, I thought we're going to talk about automated traffic on the Internet.

How's that sound? You know, in retrospect, it should have been most likely to discuss automated traffic on the Internet.

For me, too. Exactly. Exactly. So that actually is a segue into what we're going to discuss today.

And, you know, it won't be to anybody. Cloudflare thinks a lot about bots, automated traffic.

So we'll talk about some recent insights we've seen in those insights as they pertain to particular attacks that we're all familiar with.

Right. And what those those tend to look like. And even some things like captions, which can be kind of an annoyance.

And then maybe if there's time, we'll talk about how mobile fits into all of this.

So that said, Ben, in the first half of 2021, what was the overall global stat of Internet traffic?

Here's what we found.

We looked at all of the traffic, like Dan said, from the first half of 2021, January through June.

And we found that 44 percent of all of those requests that we saw on our network came from bots.

Right. If you think about it, what does what does that really mean?

Right. Well, when I get on the Internet and I'm just a normal human being, I will make some click or some request using my computer to access a website.

Maybe I'm looking at articles. Right. Maybe I'm checking my email or doing something else.

And that's typical human activity. There is a human being on the end of that request who is trying to access something on the Internet.

There are also systems out there which can do this in an automated way.

Right. And so maybe it's a software program running on your computer. Maybe it's something else we can get into that.

Those systems are making automated requests, which we have come to know as bots.

And so what this stat tells us, 44 percent of global traffic is automated.

Is that almost half of all of the requests we see at Cloudflare are automated?

That's what we found. Interesting. So, you know, there's a lot of talk when you think about bots or automated traffic.

We hear about the Googles and the things of the world.

Right. Like the good bots. Like what? It's my impression, it's not a very big part of that traffic.

Is that right? So it's hard to say.

Right. I think everything is relative. What we have found is that about four and a half, maybe five percent of all the traffic we see comes from what's known as verified bots.

Right. And these are the good bots on the Web. So, again, the Googles and the things, but also smaller services that we have verified.

Right. Plenty of these companies that have their own good services, which are automated and not trying to do anything bad to sites.

They've come to us and said, look, we don't want to get blocked.

Can you go ahead and approve us? Can you verify us in some way so that we're able to access these sites?

Even though there's not a human on the end of the request.

Right. And so that's it's about five percent of everything we see globally.

And even though one in 20 requests maybe doesn't seem like a lot across the scale of our network, which is more than 25 million sites.

It turns out to be a lot. Right. And so everything's relative in this space.

Right. Right. Right. So, OK, so we said, what, what, 40, 40 percent was automated.

Right. Four to four and a half percent was good. So it was 40 percent that we basically don't want anywhere near Webhooks.

Right. That's that's right. Yeah.

It's it's really when you start to break this down and break out the other groups as well, there's a certain portion of traffic we choose not to compute or to calculate at all just because it's reaching error pages or something like that.

You'll find that less than half of the global traffic we see even comes from humans, which this is the first time we've run this data and found that in the past, human traffic has been more than 50 percent.

Yes. So let me actually share my screen in a second.

And I did want to ask, and this might be obvious to a lot of people watching, but maybe not like the why.

Like, why do we need to block bots if we don't like and we'll get to attacks in a second.

But even if, you know, attacks decide why, why do we want to stop?

I mean, think about it this way. Right. I can get how bots are this sort of theoretical digital threat.

Right. And so maybe I find out that half of my site traffic is coming from bots, but maybe it doesn't matter because my site seems to be doing just fine and there's no issue.

But if you take a step back.

Right. And from a financial perspective, think about everything you're paying for, for your website.

Maybe you work at a company that's paying for infrastructure.

You're paying for security. You've got all these other things, including support folks who are trying to make sure the site continues to work.

Cut all of those expenses in half. Right. Because remember, half of your site is going to serve bots, which usually are completely worthless.

They're just garbage traffic that's showing up.

When you think about cutting those financial expenses in half, that's why it's worth getting something like a bot management solution or something that's going to help block those requests as they show up.

Because the back end is basically overwhelmed or dealing 40% of the back end is garbage.

It's just deep processing bots that you don't want anywhere near. So you're paying for servers and that's, you know, CPU usage, all of that.

And if we sort of, I guess, think that through to the worst case scenario, it actually can not only slow down a site, which is obviously a lousy experience for your customers coming to your website.

That's bad. Worse yet, there have been instances where it can actually take down, bot traffic can effectively take down sites.


And that's exactly what you don't want to happen. I talked to plenty of folks who are like, you know, it's great you have this bot management product, but I'm not sure I need it right now because we haven't come under attack yet.

And what I always tell them is that is solid reasoning, right?

You don't want to buy something you definitely don't need.

But plenty of companies then come under attack, suffer much worse damage than they would have suffered otherwise and say, you know what, I wish I had gotten bot management or I put some set of rules in front of my site to prevent this from happening in the first place.

You don't want to look back with regret on these on these different situations.

Totally, totally, totally.

And, you know, people may know this about us and to be, you know, we'll get to attacks in a second, but getting our bot management in place is not on us.

Particularly if you're a Cloudflare customer, it's easy. But we'll get to that in a second.

I did, Ben and I, and we talk about this a lot, but I wanted to make sure we share this with viewers, is our Cloudflare Radar site.

And these are insights as seen by the Cloudflare network, which, you know, as Ben mentioned, is something that's really powerful, something we're proud of and we constantly invest in.

And we can see all sorts of trends, right? E -commerce, right, around the holidays, Internet traffic worldwide.

Here is bot traffic, right?

And we'll scroll down. Ben and I constantly joke every time we log in, it turns out TikTok is still the most popular global domain.

Still, there it is. But scrolling down, we see, you know, attacks worldwide.

You can see that as observed by Cloudflare.

And we get down here to automated traffic. And, you know, Ben, we see here a couple of things I wanted to focus on.

So bot traffic right now is 54%.

This is even higher than we saw early in 2021, right? Yeah, it definitely.

So there's a couple of things that could be happening here, right? One of them is exactly what you just said, which is maybe bot traffic is continuing to go up, right?

Maybe we saw it was 44% earlier this year, and it's now at 54%. And who knows where it's going in the future, right?

It could just continue to climb.

What's also possible is there are some sort of daily changes here, right? Maybe we are in the middle of some period of time where there are a lot of automated services running and there's some kind of fluctuation.

The really interesting pattern, which you brought up here, and I know we've talked about before, Dan, is this sort of like wave pattern we're seeing on the screen, right?

And so if you zoom in on it, you can see that human traffic looks like it kind of dips, and then it comes back up, and then it goes back down.

And there's a relationship here where the bot traffic seems to go up when the human traffic goes down.

Now, why is that, right?

Why would bot traffic suddenly go up? And we see it happening every single day.

That's what's so interesting here. It is a very clear pattern that doesn't seem to be random.

What we're actually looking at here, these are percentage values.

We are looking at the percentage of global traffic that comes from bots and the percentage of global traffic that comes from humans, right?

And so it actually makes sense that when humans tend to go to sleep at night, they would start to occupy less of that 100% of traffic.

And correspondingly, that means bots are then taking up more of the 100%.

It doesn't necessarily mean that bot traffic is going up at night.

It just takes up a larger share of the pie. Does that make sense?

It totally makes sense. And as a matter of fact, what's interesting here is we can look at these timestamps, Dan, and we can see precisely when this traffic spikes.

What we see in this timestamp here is 5 a.m. Universal Time, which is what, 9 p.m.

Pacific Time, right? I believe so. Yeah, so I remember we tried to calculate this out.

Neither Dan or I are experts in shifting time zones here.

But I think it was something like 9 p.m. Pacific Time. And when you look at this, what it really is, is a lot of folks are logging on at night, whether they're watching Netflix or doing something else.

And so we tend to see Internet traffic peak right after dinner.

It obviously goes really far down by the time you hit 2 or 3 a.m.

And so that's why you're seeing those human numbers peak sort of right before bedtime.

Of course, this can this can shift across different days.

And as Cloudflare becomes a more global company, right, and as we start to look at other regions around the world, you're going to see this start to stabilize that those graphs are going to kind of compress because someone will always be up.

Right. If it's the morning in the U.S., it might be the evening in Europe.

Right. And so these things will start to change and will no longer be indicative of just the U.S.

Indeed. So, you know, I learn new stuff every day going to it.

So I'd encourage people to to check it out. But we, you know, changing gears a little bit.

We've spoken about attacks. Right. And we looked at the state of automated traffic and we actually wanted to get a better understanding for things like credential stuffing.

Right. And we probably have all heard about this.

Oftentimes it's carried out by automated bots. Right. And there will be a maybe, you know, a data breach.

You know, credentials, user credentials, sensitive information will be stolen and up in the dark web, purchased by some general wildlife.

And then they'll use that to carry out credential stuffing attacks.

Eventually we'll get a match. This is all automated traffic hitting login pages.

And that turns into account takeover, which is like a worst case scenario.

Right. And this is something we think a lot about. So we want to just, you know, understand what we could learn by looking at the data we have about credential stuffing.

And so, you know, Ben, by and large, we started with our login pages.

Right. When we think about credential stuffing. Yeah. Yeah, that's right.

Have you. I'm wondering if this is coming from a personal place. If you have you had your password stolen before, Dan, or had something over your account?

Once. Once.

Yeah. OK. OK. It's funny. Dude, I'm not going to name my mobile carrier, but they've had like five big breaches.

So, yeah, I've had a yeah. Email or password. Look, it happens to the best of us.

And I think it says something that this has happened to me before, too.

I've gotten plenty of those alerts that you've got a weak password or it's been stolen somewhere.

Right. And Dan and I both work in application security.

It is our day to day job to look at this stuff, to understand it.

Who's the password manager, everybody? They're free or at least have your Chrome or your Safari do it.

Yes. It's so. Well, it's fairly easy to do, but it will save you a lot of headache in the long run.

It's just like putting bot management in front of your site.

Right. Better to do it now than to like go through the incident and have to look back on it.

And I think I've shared this like one of my biggest wins of 2020 is getting my mom on one password.

Incredible Internet sort of security and safety.

Yeah. Yeah. It's great. But it is related. Right.

It is. It is related. So here's what we did. As Dan mentioned, credential stuffing is a really hot topic for us.

Right. It's something we look at all the time.

And we wanted to understand how bots are affecting different login pages across Cloudflare.

Because we've seen 44 percent of global traffic is automated. We started to wonder if we look just at login pages, just these places where credential stuffing is going to happen.

What does that percentage look like? Is it higher? Is it lower?

Makes sense to think it would be higher. And so we ran the same query on our login pages and found that 71 percent of the traffic that reaches login pages on Cloudflare's network is automated, which is a lot.

This isn't like we've gone from 44 percent to 50.

It's not like we've gone to 55. It's all the way up into the 70 percent.

It means that more than one out of every two requests is going to be showing up to do something which we can only assume is probably malicious.

I mean, Ben, are there any legitimate reasons why automated traffic would hit a login page?

Because you and I log into our bank or whatever.

That's human traffic. Sure. And we asked a lot of these questions when we were starting to pull this data.

It was interesting because plenty of these different login pages rely on APIs.

And for those of you who aren't as familiar, APIs are often automated services that are kind of governing and helping us work through the different Internet services we have.

And so we thought maybe login pages just rely more on APIs and it's going to show up on our network as automated and therefore we'll see a higher percentage.

Well, we actually graphed this out and we looked at the pattern of the automated requests showing up to login pages.

It did not look like it was coming from an API. It wasn't sort of steady day to day.

It didn't look like these services were just routinely doing their job.

The automated traffic goes way up and it comes way back down and it sort of spikes.

It looks like someone is hitting these different pages with attacks.

And so we're pretty confident that bot traffic is just way up on login pages.

I mean, that's that's where money is. Right. Like you can take over somebody's account, elicit purchases.

You know, it's awful. Right. Yeah. And so important.

Right. This is why you'd be concerned if your password is stolen or whatever, because the actual we talked about the infrastructure costs of having bots show up to your site and that's fine.

But the actual hit here is if someone gets into an account, which is almost like a gateway into all the stuff that's that's valuable to you.

Right. Your social security number, your bank account. That's the stuff you do not want someone getting into.

Exactly. Exactly. We've actually spoken to customers about this and done webinars on this about, you know, one key reason they deploy bot management is the fear of account takeover via credential stuffing.

And I did want to talk about just sort of some of the manual mitigations that companies will often resort to, at least initially.

I guess they're better than nothing, but oftentimes they're effective for two hours or two days and then it's back to the drawing board.

Right. So when somebody is seeing a ton of automated traffic they don't want, they tend to start IP block listing.

Yeah, it's it's really whatever you can get to work. We see plenty of companies that look at their logs and they say, OK, I see this IP address making tons of requests to my site.

Doesn't look like it's doing anything. I'm just going to block.

Right. And what happens over time is you block that IP. Suddenly there's another one.

Right. I'm going to block that one, too. OK. I'm starting to see all of these different IPs and maybe I've blocked 30 at this point.

I'm going to block an ASN, an autonomous system number.

Right. This is more of a network. And companies will put together these kind of piecemeal solutions.

They're playing whack -a-mole, trying to knock things down.

And at a certain point, you just hit a breaking point.

Right. It's just too much. And so plenty of companies will try these different manual approaches.

They often will work well, but they are very, very difficult to maintain.

And, you know, we think about, you know, we talk about bots sort of in the abstract.

Well, a bot really is just a developer. Right. With some automated tools at their disposal.

Right. And automated tools are actually very legitimate.

It should be said. Right. Headless browsers, for example, for web testing.

Right. So honestly, it's not hard to get these bots up and running. What's more, they lose effectiveness in a couple of days because there are some very low hanging adjustments attackers make.

Using proxies, rotating their IP addresses, rotating their user agents so you can't really filter on those reliably.

And of course, making sure that their automated traffic looks human.

Right. Timeouts. They just, you know, navigate slowly.

They don't, you know, fire through a Web page. So because there's a lot of sort of behaviors that can be detected.

And honestly, those rudimentary sort of mitigations, they don't hold up for very long.

Yeah. Yeah. And look, bots are bots are getting more sophisticated. They see what we do and they try to work around it often.

And so we will sort of pivot with them and try to follow them in this game of cat and mouse.

But yeah, like you were saying, not all bots look like my background.

Right. Exactly. No, no bots look like my background.

There's no there's no actual robot showing up and trying to hit through your site.

And that's where I bring it up. Like, it's just a clever developer.

Clever is somebody who's just, you know, familiar with with, you know, getting automated tools drawn up.

And there are plenty of like off the shelf plug in stuff, plug ins like to, you know, make it easy.

And they're doing their level best to evade, you know, all sorts of detections.

Right, right.

By the way, my I've used this background a couple of times before for different bot events.

And my biggest fear is that when I turn off the computer or I log off of Zoom, the background follows me.

So I go into the kitchen and the bots are still there, starting to feel like it's becoming a part of my personality.

I can't shake them.

So that's, you know, what I want to talk about. We've got about eight minutes left and want to talk about a couple of other things.

Let's talk a little bit about, you know, just how to how to deal with bots from a high level sort of five resolutions.

And then there's something that if there's time, I want to talk about caches a little bit, since that is something everybody knows about because it interrupts our experience.

But for starters, how do we think about mitigating bots with Cloudflare?

So there's a couple of different things you can do. And I touched on this earlier.

But if you're a larger company, right, and you have pretty sophisticated security needs, one of the things you can do is get our bot management product.

Right. And the idea here is every request that comes into your site, we look at and then we issue a score.

Now, that score can be one through ninety nine.

If it's a low score means it's really likely to have come from a bot.

It's a high score like ninety nine. It's really likely to have come from a human.

And so we are giving you this information on a request basis. Right. And saying this request got a score of two.

This one got 77. All of these different things.

And you get to set a policy that says I'm going to block everything below maybe 30.

Right. Or I'm going to issue a capture in response to everything below some other number.

And so that's the way our bot management product works. It's designed to put a lot of this power into your hands.

We're taking the data we have and then letting you set up different policies based off of that and based off of what's right for your website.

Maybe you only want to put something on your login page because 71 percent of your traffic is automated there.

Right. And so that's that's part of it.

Of course, it comes with analytics and all this other good stuff to help you make the right decision.

And I should know, you know, Ben and team, we put a lot of thinking into the right layer detections.

To to best stop us.

We know they're constantly evolving. You know, these clever attackers are making adjustments all the time.

So we've got layers of machine learning, of fingerprinting heuristics, of unsupervised machine learning.

Right. Really specific to a particular site.

And then all sorts of flexibility on on challenges. Right. And that can be something like in our JavaScript challenges, which I don't think we have time to go into now, which actually are very, very accurate.

But also something like a CAPTCHA.

Right. And let's talk about those a little bit. We are thinking a lot in the short term, in the long term about CAPTCHAs.

And so when do you know we're all familiar with those right where for whatever reason that website thinks you could be automated.

So you're issued a CAPTCHA. You have to select the planes and trains.

We all love that. By love I mean hate. You know when. Why do do those CAPTCHAs get triggered initially?

First of all, great transition into CAPTCHAs.

Well handled. Second of all, the CAPTCHAs show up often when either we are unsure whether you are a bot or a human or the site owner is maybe not totally confident they want to block someone out.

Right. And so think about this.

Right. A lot of what we're doing is educated guesswork. We are looking at traffic as it shows up to us.

The bots are not screaming, I am a bot. They're trying to pretend like I'm here to credential stuff.

Right. Right. Right. They are not proclaiming their intent.

And as they show up, we are we are assigning some score based off of that.

Now, some of our customers are really, really confident they know what to do and they just want to block those bots as soon as they show up.

But others will tell us, you know, I'd like to reduce some of the friction here.


And offer a way out if that really is a human who's being categorized as a bot.

And so the reason we will sometimes show CAPTCHAs is because our customers have chosen to issue a CAPTCHA and provide you with a way out if a mistake has been made.

Right. And that's when you see those CAPTCHAs. And so, you know, I hear a lot of something called CSR, Challenge Solve Rate.

How do those relate to CAPTCHAs? So a CAPTCHA is a type of challenge and we track the solve rate of those different CAPTCHAs.

Right. And it turns out to be a really, really useful metric. If we see the CAPTCHAs are solved 50 percent of the time, we assume that means we are screwing up 50 percent of the time.

Right. Because half of the time, a real human is seeing a CAPTCHA despite us saying that they are a bot.

And so this is why this metric is so useful, because we want to drive the solve rate down over time as close to zero as possible.

Now, a lot of our customers will say, well, what's a good solve rate? What's a good CSR?

And it's hard to say. Again, a lot of these things are relative. If you're below 5 percent, you're getting into good territory.

If you're below 1 percent, you're in really, really good territory.

And so what we've seen across our network is that CAPTCHAs actually have a 0.1 percent solve rate across every request that Cloudflare serves, which is really, really good.

It's very rare that a human sees one of these.

So let's say I want to set up a sort of bot attack framework and my automated traffic is issued a CAPTCHA.

What then? Ben Solomon, what then?

I've got a couple of ideas, like a CAPTCHA farm maybe I can sort of farm out my CAPTCHA solves.

This is one of those cool situations where I think you know the exact answer to this one, Dan.

You have some options, right? First of all, you may not be able to do anything at all.

The reason we show these CAPTCHAs is because they're fairly robust.

And as a bot operator, if you see one of these things, you're kind of screwed, right?

It's going to slow down your role a little bit and there's not a lot you can do.

What has happened in some cases is these folks who are operating bots will pay someone else to solve the CAPTCHAs for them.

And this is really annoying to us because our whole platform is built around detecting automated versus human traffic.

If you're a bot and you're going to pay a human to do your job, this is I have nightmares about this stuff, right?

But these groups of folks who will solve CAPTCHAs on behalf of bots are called CAPTCHA farms.

And they're showing up all over the world and sometimes throwing off our solve rate.

This is one of those reasons that the 0.14 % solve rate may actually be too high because we think some of those solves are just coming from CAPTCHA farms, which aren't really representative of good human traffic.

So how do we think about, you know, if it's sort of a semi-Internet urban legend CAPTCHA farms, you know, we've thought about trying to sort of identify if this could be the case by looking at solve rates by country, correct?

That's right. We, you know, it's tough because it's very difficult to define categories within the different solves, right?

And to try and figure out who's actually responsible for these CAPTCHA farms.

One of the things we can do is look at the origin country of a request and start to see where these different challenges are being solved.

And we look at it, we sort of break it down by country.

If you look at the United States, the solve rate is a little bit lower than average.

So we think there are probably fewer CAPTCHA farms in the U.S.

than in other countries, but it's not that much lower.

But if you start to look at certain countries, the CAPTCHA solve rates are off the charts, right?

In the Philippines, the solve rate is something like 3%, which is orders of magnitude higher than the 0.14%, right?

And so that starts to tell us, okay, in the Philippines, we see this as an issue.

We've seen that there are a lot of CAPTCHA farms in Brazil, but there are also countries where we see that there are almost no CAPTCHA farms, right?

And there is no common thread between these countries.

It just seems to be sort of a random thing. Hmm. Yeah, yeah. Interesting stuff.

And so let's think about longer term CAPTCHAs a little bit. Nobody likes them.

And at Cloudflare, we've been thinking about just life after CAPTCHAs. Cryptographic attestation of personhood is the simple, straightforward term we've come up with, correct?

Yeah. It's CAP. C-A -P. Very easy to remember. There are some blogs about this on the Cloudflare blog if you're really interested in this.

There are a lot of things we are doing, including we have an internal team that is literally called the no CAPTCHA team.

We are trying to get rid of these CAPTCHAs because we believe even if you want to issue a challenge on your site or you want to start gathering a CSR of some sort, you don't necessarily have to do it with a CAPTCHA.

It doesn't have to be a puzzle, right, that's showing up there. And so we've launched all these alternatives, whether you're using Touch ID or Face ID instead of a CAPTCHA, all these different ways you can sort of approach this and start to solve that problem.

So, yes, there are plenty of alternatives. So we are right about to wrap up.

If you'll allow me to share a fun fact to end up, it turns out humanity on CAPTCHAs waste 500 years a day solving CAPTCHAs.

That's why we're thinking about life beyond CAPTCHAs.

We've got 10 seconds. Everybody, thank you.

Ben, it's a pleasure working with you. Hopefully you've had fun. I've had so much fun and thank you for sharing the fun fact.

We've got to stop these CAPTCHAs.