Bots - where are they coming from?
Human versus bots and botnets
Geolocation of machines (not of attacks) that have attempted a malicious action against a website. The above illustration is refreshed every hour, based on data collected from a real live website with around 10 000 visitors per day.

Data is kept for a duration that depends on the severity of the action. For instance, if a script kiddie is trying to download all your webpages using an automated tool, the IP will be kept for only a few hours/days. If a botnet is carrying out a DDoS, the IPs will be remembered for a few days. The duration can be up to 1 year for intrusion detection or recurrent access from a server. The values exclude friendly bots that respect the robots.txt file.

Identified machines include the following:
- Useless search engine bots
- Useless bots that harvest for brand detection or SEO
- Email harvesters
- Spy detection (bots that want to identify site structure and vulnerabilities)
- Comment spam bots
- Hacking tool usage
- Scrapers
- Machine identified as a botnet member during a DDoS
- Machine used for many login attempts to identify passwords through brute force
- Machine used for an intrusion attempt
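
The severity-based retention described above can be sketched as follows. This is an added example, not the site's own code: the category names, the exact durations (the page gives only rough ranges) and the sample addresses are assumptions.

```python
from datetime import datetime, timedelta, timezone

# The page gives only rough durations ("a few hours/days", "a few days",
# "up to 1 year"); the exact values and category names here are assumptions.
RETENTION = {
    "scraper": timedelta(hours=12),
    "ddos_botnet": timedelta(days=3),
    "intrusion": timedelta(days=365),
}

class OffenderStore:
    """Offending IPs with an expiry that depends on the severity of the action."""

    def __init__(self):
        self._entries = {}  # ip -> (category, expires_at)

    def record(self, ip, category, now, respects_robots=False):
        if respects_robots:
            return  # friendly bots are excluded from the data set
        expires = now + RETENTION[category]
        current = self._entries.get(ip)
        # A later, minor event must not shorten a longer-lived entry.
        if current is None or expires > current[1]:
            self._entries[ip] = (category, expires)

    def purge(self, now):
        """Drop expired entries and return the IPs that were removed."""
        expired = [ip for ip, (_, exp) in self._entries.items() if exp <= now]
        for ip in expired:
            del self._entries[ip]
        return expired

    def active(self, now):
        """Map of currently listed IPs to their category."""
        return {ip: cat for ip, (cat, exp) in self._entries.items() if exp > now}

# Constructed sample events (documentation address ranges, not real data).
T0 = datetime(2024, 1, 1, tzinfo=timezone.utc)
EVENTS = [
    (T0, "192.0.2.10", "scraper", False),
    (T0, "198.51.100.7", "ddos_botnet", False),
    (T0, "203.0.113.5", "intrusion", False),
    (T0, "192.0.2.99", "scraper", True),
    (T0 + timedelta(hours=1), "203.0.113.5", "scraper", False),
]

def replay(events):
    store = OffenderStore()
    for when, ip, category, friendly in events:
        store.record(ip, category, when, respects_robots=friendly)
    return store
```

Keeping the longest expiry per IP means a machine seen in an intrusion attempt stays listed for the full period even if it later shows up as a plain scraper.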