Customer panics at the sight of huge traffic and calls in a cyber-security vendor for protection from a DDoS attack

Jan 28, 2016 23:45 GMT  ·  By
Black Hat SEO is the dark side, don't join the dark side, their cookies are fake

It may be strange, but there are Black Hat SEO campaigns these days that provide so much (fake) traffic that even the customers that paid for them may think they're under a DDoS (Distributed Denial of Service) attack.

Something exactly this strange happened to Sucuri, a company that provides cyber-security services, among them a Web Application Firewall (WAF) service.

Recounting one past incident they investigated, Sucuri said that they were called in to assess an ongoing DDoS attack, which the company had a hard time mitigating.

Since their WAF was specifically designed to detect and mitigate DDoS attacks, the company's employees were quite curious to see what "huge" DDoS attack had hit the client's servers that their product couldn't handle.

Huge traffic in the analytics dashboard, not a peep from the website's firewall

To their surprise, checking their firewall, they didn't find any DDoS warning, but they did see a huge amount of traffic. All traffic requests looked normal and weren't malformed HTTP or DNS requests that you usually see in DDoS assaults.

Trying to get to the bottom of the issue, Sucuri's team got permission to access their client's Google Analytics account and sift through some of the traffic.

What they found is that, at some point in the company's past, traffic had increased sharply from one day to the next. Additionally, all of that traffic was coming from only a few networks, and while, taken together, it looked like regular (but increased) activity, when the traffic was analyzed per network IP range it began to dawn on the researchers that they might be looking at Web traffic that was generated automatically.

So-called SEO experts were generating huge amounts of fake traffic

"The new traffic always had a session length of 3:40 - 4:00 minutes, viewed on average 4.2 pages per session and had a 50% bounce rate," Sucuri's Keir Desailly explains. "However, the real giveaway was that 100% of these sessions were new, 100% were direct traffic and nearly all of them started in a URL other than the home page."

Piecing all this together, it appeared that someone was taking every one of the site's URLs and generating traffic for each, sending it directly to their client's server.
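The fingerprint described above (uniform session lengths, 100% new sessions, 100% direct traffic, landing pages other than the home page) can be turned into a per-network check over analytics data. The following is an added example, not code from the article or from Sucuri; the session records are constructed and the thresholds are assumptions.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample of per-session analytics records (not real data).
# Fields: source network, session length in seconds, pages viewed,
# new visitor flag, traffic medium, landing page path.
SESSIONS = [
    # Mixed, human-looking traffic from one network
    ("isp-a", 95, 2, True, "organic", "/"),
    ("isp-a", 310, 6, False, "referral", "/blog/post-1"),
    ("isp-a", 40, 1, True, "organic", "/"),
    ("isp-a", 620, 9, False, "direct", "/pricing"),
    # Suspiciously uniform traffic from another network
    ("seo-net", 225, 4, True, "direct", "/blog/post-1"),
    ("seo-net", 238, 5, True, "direct", "/blog/post-2"),
    ("seo-net", 231, 4, True, "direct", "/pricing"),
    ("seo-net", 236, 4, True, "direct", "/about"),
]

def network_profiles(sessions):
    """Aggregate sessions per source network into the metrics
    that the article's investigators looked at."""
    by_net = defaultdict(list)
    for s in sessions:
        by_net[s[0]].append(s)
    profiles = {}
    for net, rows in by_net.items():
        lengths = [r[1] for r in rows]
        profiles[net] = {
            "sessions": len(rows),
            "mean_length": mean(lengths),
            "length_spread": pstdev(lengths),  # 0 means identical lengths
            "pages_per_session": mean([r[2] for r in rows]),
            "new_ratio": sum(r[3] for r in rows) / len(rows),
            "direct_ratio": sum(r[4] == "direct" for r in rows) / len(rows),
            "deep_landing_ratio": sum(r[5] != "/" for r in rows) / len(rows),
        }
    return profiles

def flag_automated(profiles, min_sessions=3, max_spread=30):
    """Return networks whose traffic matches the bot fingerprint: every
    session new and direct, almost all landing off the home page, and
    session lengths clustered in a narrow band (thresholds are assumed)."""
    flagged = []
    for net, p in profiles.items():
        if p["sessions"] < min_sessions:
            continue  # too few sessions to judge uniformity
        if (p["new_ratio"] == 1.0 and p["direct_ratio"] == 1.0
                and p["deep_landing_ratio"] >= 0.9
                and p["length_spread"] <= max_spread):
            flagged.append(net)
    return sorted(flagged)
```

Flagged networks are candidates for further review, not proof of a campaign; a single legitimate referrer can also look uniform at low volume.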

Following clues left in each of these networks' names in the Google Analytics dashboard, to nobody's surprise, Sucuri's staff landed on the sites of some shady SEO "miracle workers."

At this point, Sucuri could not tell if the company, their client, requested the services of one of these SEO companies, or if they were paid by the company's competitors to mess with their traffic. What was truly surprising was that a Black Hat SEO firm could generate DDoS-level traffic on a regular basis.