Hacker News

datavirtue | last Wednesday at 4:08 PM | 0 replies

I'm hot off fighting one of these bot nets. They automatically adapted and spread the calls over a ridiculous number of IPs and all had good JA4 fingerprints at Cloudflare (compromised or nurtured "users"). Gave us nothing to block. We started targeting high count JA4s and blocking those temporarily. This would usually cause them to stop automatically.

Very sophisticated LLM-enabled rented mafia bot net. They crafted attacks of various approaches as we turned up the heat.

In the end we refactored our entire authentication flow. We had a lot of Anon endpoints and ones that would validate card numbers, etc., from past misguided product and management decisions.

In the end we had to block a lot of legitimate traffic at times.

Reducing friction for users reduces friction for scaled bot attacks.
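
An added example, not part of the comment above: a sketch of temporarily blocking high-count JA4 fingerprints, replayed over constructed log records. The record layout, thresholds, class and function names, and fingerprint strings are all assumptions made for illustration.

```python
from collections import defaultdict, deque

class Ja4TempBlocker:
    """Temporarily reject JA4 fingerprints whose request count in a sliding window is too high."""

    def __init__(self, window_s=60, threshold=50, block_s=120):
        self.window_s, self.threshold, self.block_s = window_s, threshold, block_s
        self.hits = defaultdict(deque)  # ja4 -> request timestamps inside the window
        self.blocked_until = {}         # ja4 -> time the temporary block expires

    def observe(self, ts, ja4):
        """Record one request; return True if it should be rejected."""
        expiry = self.blocked_until.get(ja4)
        if expiry is not None:
            if ts < expiry:
                return True
            del self.blocked_until[ja4]  # block is temporary: lift it and recount
            self.hits[ja4].clear()
        window = self.hits[ja4]
        window.append(ts)
        while window[0] <= ts - self.window_s:
            window.popleft()
        if len(window) > self.threshold:
            self.blocked_until[ja4] = ts + self.block_s
            return True
        return False

def replay(records, **settings):
    """Replay (ts, ip, ja4) records; return {ja4: number of distinct IPs rejected}."""
    blocker = Ja4TempBlocker(**settings)
    rejected = defaultdict(set)
    for ts, ip, ja4 in sorted(records):
        if blocker.observe(ts, ja4):
            rejected[ja4].add(ip)
    return {ja4: len(ips) for ja4, ips in rejected.items()}

# Constructed sample data (placeholder fingerprints, documentation IP ranges).
BOT_JA4 = "t13d1516h2_aaaaaaaaaaaa_bbbbbbbbbbbb"
USER_JA4 = "t13d1715h2_cccccccccccc_dddddddddddd"
SAMPLE = [(i * 0.1, f"203.0.113.{i}", BOT_JA4) for i in range(200)]  # one IP per request
SAMPLE += [(i * 10.0, "192.0.2.10", USER_JA4) for i in range(5)]     # ordinary user
SAMPLE += [(30.0, "198.51.100.7", BOT_JA4)]  # legitimate client with the same fingerprint

if __name__ == "__main__":
    print(replay(SAMPLE, window_s=60, threshold=50, block_s=120))
```

In the sample every bot IP sends a single request, so a per-IP rate limit sees nothing, while the per-fingerprint count trips quickly; the legitimate client sharing that fingerprint is rejected along with the bots.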