Hello, I'm sorry if I'm posting in the wrong area.

There's a big issue: it appears that someone is sending fake traffic to our website, and it shows up as direct traffic in Google Analytics.

The amount of this traffic is ten times more than the previous numbers from our direct channel.

We can't block the IPs because they come from various addresses and a lot of them are ISPs.

This traffic is directed to just one page on our site from desktop users (even though the majority of our visitors are on mobile), and they only stay for about 3 seconds.

What can I do about this?

How can I protect myself from this issue?

And can you explain why they might be sending this traffic?

Thanks a lot for your assistance!

You should analyze the user agent strings in your logs. Often, bots or automated scripts may use identifiable user agents. You can create filters in your Google Analytics to exclude certain user agents and prevent them from affecting your data.

Another approach is setting up a honeypot page. This is basically a hidden page that normal users wouldn't likely access, while bots or malicious traffic might. By monitoring this page, you can ascertain the extent of the fake traffic and analyze its patterns.

Since you're unable to block IPs effectively due to their variability, consider implementing rate limiting. This restricts the number of requests from a specific range of IP addresses, which can reduce the impact of fake traffic. Additionally, using a Web Application Firewall (WAF) might help in filtering out suspicious requests before they even reach your server.

Regarding why this traffic might be sent, there are several possible reasons. Some organizations use fake traffic to mimic popularity, potentially impacting your site's SEO ranking. Others may have malicious purposes, like scraping data or conducting denial-of-service tactics.

You might also want to regularly audit your analytics tools to ensure they're correctly tracking real user behavior. This can help create a baseline for genuine traffic and highlight unusual spikes.

Keeping your site secure and up to date with the latest security patches is vital. Regularly review your hosting environment and ensure that it's capable of handling unexpected loads.
Analyze user agents, set up honeypots, implement rate limits, consider a WAF, and stay vigilant with regular audits. Addressing bot traffic can be complex, but taking these steps will put you in a stronger position.

If your main focus is just on Google, it might not be worth your time to worry too much. When you're looking at your analytics metrics, make sure to set up tight filters to refine your data.

Using Google Analytics complicates the matter further since tracking conversions can become quite tricky and involved, among other things.

But rest assured, there won't be any penalties from Google for manipulating these metrics in that way. Just keep that in mind when analyzing your website's performance.

I wouldn't recommend relying on Cloudflare for your situation. I feel like it probably won't be effective, given that the IP addresses are, as you mentioned, "civilian," especially from the people you are trying to reach. You could give it a shot though; it won't take long to set up. It's hard to speculate without seeing other alternatives on the table.

When I encountered something similar, the traffic attacking my site came from outside my main audience, so the solution was simpler — there were not so many IPs involved.

Initially, I ended up blocking entire subnets, and soon after, I had to restrict access by country too.

Your situation seems quite intriguing; if I were in your shoes, I would definitely dive deep into the logs once more.

Also, one possibly silly question: have you checked if your page loads within an iframe?