Loveholidays Protects its APIs & Improves Conversions with Real-Time Bot Defense



Loveholidays is the fastest-growing online travel agency in the UK. Aggressive scraper bots were driving up third-party API calls to the point of sometimes exceeding limits, preventing real customers from booking their holidays, and causing direct revenue loss. Plus, the company faced vulnerability scanning and payment fraud attempts. After deploying DataDome’s real-time, AI-powered protection, bad bot noise became negligible and alert fatigue disappeared. The engineering team no longer spends time and effort mitigating bot attacks, and genuine visitors enjoy a smooth booking experience.

“We wanted to just turn something on and never think about it again. Both bot protection solutions we tested met that criterion, but the competitor didn’t have quite as robust a detection system as DataDome does.”

David Annez
Head of Engineering at Loveholidays

The challenge: Bots deplete APIs so that real customers can’t book
In holiday selling, price competitiveness is of prime importance. Monitoring competitors’ prices is a common business practice in the industry, but some operators do it less respectfully than others.
“We were starting to see some very strange spikes in traffic, which created issues with our conversion rate reporting,” explains David Annez, Head of Engineering at Loveholidays. “It didn’t look normal, so we dug a bit deeper into it, and what we discovered was a lot of scraping activity on our website.”
As it turned out, the scraper bot traffic didn’t only affect reporting; it had direct consequences on the company’s sales and revenue.
“There are limits on many of the API calls we make,” David points out. “The large volume of bot traffic would sometimes exhaust those limits, and as a consequence, real customers weren’t able to book.”

In addition, the company was being targeted by vulnerability scanners and payment fraud attempts. “Misbehaving bots also increased alerts engineers had to deal with, and that wasted time we could spend delivering business value,” explains Chris Couzens, Staff Software Engineer at Loveholidays. “Those noisy alerts also wasted engineering time and prevented us from focusing on our OKRs,” Chris notes.

As the Engineering team started to gain a better understanding of what was happening and who was attacking, they found patterns they could easily block. But the more they dug into it, the clearer it became that the attackers were very smart.
“It was a continuous chicken and egg situation,” David says. “Every time we did something, the bots would come back with a different strategy. We needed a solution that could learn from our traffic patterns and block proactively, rather than just using known criteria.”
“One of our primary goals is fast responses. When users get quick responses, they’re more likely to convert into paying customers,” Chris adds. “When bot traffic is high, we’re less likely to see genuine sales.”

The solution: Efficient client-side and server-side bot detection
When bot mitigation was becoming a full-time job for an engineer who would rather have been building a better product, the team called it a day and started to look for an external server-side bot detection solution. Enter DataDome, a solution offering Fastly and NodeJS bot protection.
“Fastly recommended DataDome, but we did compare a few providers,” David notes. “What I liked about DataDome was the active monitoring of our patterns and our traffic, and being able to understand what was happening both client side and server side. Client side was key here, because we’d observed that the bots would learn from the changes we made and pretend to be real users. It was the sort of behavior that many other bot detection services can’t really cater for, because they’re only looking at requests into the APIs.”
The team also trialed a competing solution, but found that it didn’t capture all of Loveholidays’ bad bot traffic, which at the time represented between 20% and 40% of the total traffic.
“Configuration and all that is useful to a degree, but frankly, we wanted to just turn something on and never think about it again,” David observes. “Both the solutions we tested met that criterion, but we really care about performance too, and the competitor didn’t have quite as robust a detection system as DataDome does.”

Loveholidays now benefits from AI-powered, real-time detection across web and APIs—quietly integrated with their stack—while the team engages DataDome only when needed.

The results: Stable traffic and normal API call volumes
The team was already well aware of the intense bot activity on the site, but when the DataDome dashboard revealed the true scope of automated traffic, it was an eye-opener.
“It was shocking in terms of the numbers it showed, even hard to believe at points,” David observes. “So much of our traffic was generated by bots, including good bots. Understanding that was very interesting, because then we can have conversations about how we can save bandwidth costs by not having good bots call us quite so much.”

In the early phase, the two teams collaborated closely to optimize the implementation on Loveholidays’ complex Fastly infrastructure and to perfect the detection of some particularly sophisticated bots, which resulted in a new set of machine learning algorithms.
“DataDome’s engineers were super helpful,” David attests. “There was always someone available to go through things, discuss our best options, and make any necessary amendments.” Collaboration has remained light-touch and proactive since the implementation: “On Slack, the DataDome team sometimes tells us about an issue before we even know it. They’re very responsive to our concerns,” Chris adds.

“Before implementing DataDome, we were seeing fairly continuous bad traffic, and that led to fairly continuous alerts, that we can describe as alert fatigue. After the implementation, we almost never see bad bot traffic.”

Chris Couzens
Staff Software Engineer at Loveholidays

*** This is a Security Bloggers Network syndicated blog from DataDome authored by Paige Tester. Read the original post at: https://datadome.co/customers-stories/loveholidays-improves-customer-experience-datadome/
