Crushing Bot Traffic with a Web Application Firewall
Real-World Results from DGI Clients
We’re constantly working to keep our clients’ digital repositories and websites secure, accessible, and reliable. One of the biggest threats institutions face today isn’t always obvious; it’s the surge of AI-driven bots that flood websites with false traffic, inflate usage metrics, and put unnecessary strain on infrastructure.
To test the effectiveness of modern defences, we recently ran a pre-/post-analysis of AWS Web Application Firewall (WAF) for two of our on-premises clients. The results speak for themselves.
The Test
Over a 28-day period, we looked at average daily visitor counts 14 days before and 14 days after implementing AWS WAF. The goal was to understand how much of their website traffic was genuine versus bot-driven.
The Results
Client A
- Pre-WAF: 20,241 average daily visits
- Post-WAF: 1,040 average daily visits
- Reduction: 1,947% fewer bots
Client B
- Pre-WAF: 23,115 average daily visits
- Post-WAF: 604 average daily visits
- Reduction: 3,825% fewer bots
In both cases, AWS WAF reduced automated traffic to almost zero, leaving only real human visitors. The improvement was staggering, with thousands of percent reductions in false traffic.
Why This Matters
Left unchecked, bot traffic can:
- Distort your analytics and usage metrics
- Drive up hosting costs
- Open doors for DDoS attacks and malicious exploitation
- Slow down or even crash websites during peak demand
With DDoS attacks up more than 358% year-over-year, relying on outdated or purely host-based security is no longer an option (Cloudflare, 2025).
How AWS WAF Fits Into a Broader Security Strategy
As we explored in our Future Proof Repositories webinar on Hosting and Digital Preservation, effective repository hosting today requires a layered security approach. At Discovery Garden, that means combining:
- AWS GuardDuty for continuous threat detection
- Crowdstrike EDR and Taegis VDR for endpoint and vulnerability protection
- AWS WAF for real-time bot filtering and DDoS mitigation
- SOC2-compliant practices through our partnership with Canadian security leader Carbide
This stack not only reduces bot traffic but also ensures your collections stay secure, scalable, and accessible—whether you’re hosting on-prem, in AWS, or through a hybrid model.
Future-Proof Your Digital Repository
The evidence is clear: smart bot management is no longer a nice-to-have; it’s a must-have. AWS WAF is proving to be a game-changer for repositories, allowing institutions to focus on serving their real users instead of fighting against endless waves of bots.
If you’re ready to secure your repository against today’s evolving threats, contact Discovery Garden to schedule a demo or discuss your hosting options. Together, we’ll help you build a repository that’s not just preserved, but protected for the future.
Ready to see what Islandora can do for your organization?
Whether you’re managing a single repository or supporting a multi-institution consortium, Islandora offers the flexibility, scalability, and support you need. Contact Discovery Garden to schedule a demo, start a project discovery session, or learn more about how we can help you build a future-proof digital repository.
