Coordinated bot network
Definition
A coordinated bot network is a fleet of browser-automation instances controlled by a single operator that share operator-controlled properties — browser-telemetry fingerprint shape, behavioural patterns, session-script — while diverging on operator-uncontrollable properties — source IP (proxy-rotated), timing (jittered), request path (per-target).
The intersection of the two — stable fingerprint across diverse-proxy IPs — is the detection signal that defeats the network's stealth. See concepts/proxy-node-correlation-signal.
Canonical wiki instance
From Vercel's 2026-04-21 BotID Deep Analysis post:
"What we were witnessing was likely a brand-new browser bot network spinning up for the first time... Around 40-45 new browser profiles appeared, each presenting fingerprints and behavioral patterns that hadn't been seen before."
And:
"The same browser fingerprints appearing across multiple proxy nodes indicated coordinated bot activity, not organic human behavior."
Key attributes of the canonical network:
- Size: 40-45 browser profiles.
- Volume: "thousands of requests" across a ~3-minute analysis window.
- Traffic multiplier: 500% above baseline for the customer's project.
- Evasion posture: real browser automation tools, carefully crafted telemetry, proxy-node IPs.
- Coordination evidence: same fingerprints reused across proxy IPs.
Structural properties
A coordinated bot network is characterised by:
- Operator singular, fleet plural. One actor runs many instances. The actor faces the classic control-plane-vs-data-plane trade-off: centralise the automation script (efficient, but creates detectable commonality) or decentralise per instance (more resilient, but multiplies setup cost).
- Shared tooling. Browser automation (Puppeteer, Playwright, stealth plugins, proprietary tools) with shared profile templates. Per-instance randomisation reduces fingerprint commonality but adds complexity.
- Proxy infrastructure. Residential proxies, mobile-carrier CGNAT, datacenter proxies, or compromised-device residential networks. Rotation hides origin but introduces the cross-session correlation surface.
- Time-boxed operation. Often a coordinated network runs for a specific short-duration attack (credential stuffing, inventory purchase at drop time, price scraping at publish time). The attack's own deadline bounds how long the operator can accept slow reclassification.
- Short-lifetime per-profile. Each browser profile is disposable; the operator expects detection and rotation rather than indefinite reuse.
Contrast with single-source bots
- A single browser-automation script making N requests from one IP is easy to detect: one fingerprint + one IP, high correlation.
- Distributed non-coordinated bots — many unique fingerprints, many IPs, no shared structure — are harder to detect because no cross-session key exists. But they're also harder for operators to build at scale.
- Coordinated networks are the middle ground the operator often falls into: shared tooling for build-time efficiency, rotation for run-time evasion — producing exactly the fingerprint-across-proxies signal.
Contrast with stealth crawlers
A concepts/stealth-crawler (cf. Cloudflare's 2025-08-04 Perplexity post) is a subset: a coordinated bot network whose primary evasion layer is operator-declaration mismatch (UA spoofing, declaration-vs-behaviour mismatch) rather than correlation evasion. Both are coordinated networks; they differ on which detection surface the operator is most aggressively defending against.
The operator's impossible trade-off
A coordinated bot operator faces three tensions:
- Fingerprint uniqueness vs toolchain efficiency. Unique per-instance fingerprints are expensive; shared fingerprints are cheap but trip correlation.
- IP diversity vs IP reputation. Diverse-enough proxy pools are expensive; cheap proxies come with bad IP reputation that itself is a signal.
- Attack velocity vs detection evasion. Running fast lets the network complete before detection catches up; running slow gives fingerprint-evasion tooling time to work but lets rate-based signals accumulate.
The Deep Analysis design thesis is that at least one of these tensions will expose a correlation signal in minutes.
Detection surface
The primary detection surface is cross-session coordination, not per-session anomaly:
- concepts/proxy-node-correlation-signal — the named signal from the canonical instance.
- Temporal correlation — sessions with similar time-of-origin, request-pattern sequences, target-path selection.
- Behavioural-pattern similarity — automation tooling produces subtly shared interaction signatures even when fingerprints are randomised.
- Target correlation — many sessions hitting the same protected endpoint within a short window.
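The fingerprint-across-proxies signal described above, as an added example (not code from Vercel or BotID): a sliding-window check that flags any fingerprint observed from several distinct source IPs within a short span. The event tuple layout, the `correlate` function, the 180-second window (chosen to mirror the ~3-minute analysis window) and the three-IP threshold are all assumptions made for illustration.

```python
from collections import defaultdict, deque

# Constructed sample events: (unix_ts, fingerprint_hash, source_ip, path).
# Fingerprint labels and IPs (RFC 5737 documentation ranges) are made up.
EVENTS = [
    (1000, "fp-a", "192.0.2.10", "/checkout"),
    (1012, "fp-a", "198.51.100.7", "/checkout"),
    (1030, "fp-b", "203.0.113.5", "/"),
    (1041, "fp-a", "203.0.113.99", "/checkout"),
    (1055, "fp-a", "192.0.2.200", "/checkout"),
    (1070, "fp-b", "203.0.113.5", "/pricing"),
    # fp-c changes IP too, but hours apart: not flagged by a short window.
    (1500, "fp-c", "198.51.100.20", "/login"),
    (2900, "fp-c", "198.51.100.21", "/login"),
    (4800, "fp-c", "198.51.100.22", "/login"),
]


def correlate(events, window_s=180, min_ips=3):
    """Return {fingerprint: peak distinct-IP count} for every fingerprint
    that reaches min_ips distinct source IPs inside one window_s span."""
    recent = defaultdict(deque)  # fingerprint -> (ts, ip) pairs still in window
    peak = defaultdict(int)      # fingerprint -> highest distinct-IP count seen
    for ts, fp, ip, _path in sorted(events):
        win = recent[fp]
        win.append((ts, ip))
        # Expire observations that have aged out of the window.
        while win and ts - win[0][0] > window_s:
            win.popleft()
        peak[fp] = max(peak[fp], len({seen_ip for _, seen_ip in win}))
    return {fp: n for fp, n in peak.items() if n >= min_ips}


if __name__ == "__main__":
    for fp, n in correlate(EVENTS).items():
        print(f"{fp}: {n} distinct source IPs within one window")
```

Counting distinct networks (ASN or /24) instead of raw IPs reduces false positives from a single user whose carrier NAT address changes between requests.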
Seen in
- sources/2026-04-21-vercel-botid-deep-analysis-catches-a-sophisticated-bot-network-in-real-time — canonical wiki instance. 40-45 browser profiles, shared fingerprints, proxy-node IP rotation, "thousands of requests" in ~3 minutes, detected by cross-session correlation within ~10 minutes.
Related
- concepts/browser-telemetry-fingerprint — the shared signature the network reuses.
- concepts/proxy-node-correlation-signal — the detection surface.
- concepts/adaptive-bot-reclassification — the response posture.
- concepts/bot-vs-human-frame — the asymmetric-cost frame.
- concepts/stealth-crawler — a close relative with a different primary evasion layer.
- concepts/ml-bot-fingerprinting.
- patterns/correlation-triggered-reverification — the defender's response pattern.
- systems/vercel-botid-deep-analysis — the canonical detecting system.