The invisible war for your Tatkal ticket: Railways blocks 17 billion bot attacks in a month

In October, the system reached its peak load of 24.04 billion requests. Of these, a massive 17 billion were identified as malicious bots and successfully blocked. This means that roughly 70.7 per cent of all traffic during this month was non-human.

In November, the following month, there was a slight dip but overall requests remained high at 20.07 billion. The security systems filtered out 14.03 billion bot requests, maintaining a high defence rate as nearly 70 per cent of attempts to access the site were automated scripts or hacking tools.

In September 2025, the platform handled 19.04 billion total requests. Out of these, 12.05 billion were flagged as bots. Despite the high volume of nearly 63.3 per cent bot traffic, the system’s multi-layered security controls ensured that genuine passengers could still access the booking services.

To combat this, the ministry has deployed “anti-bot” shields (like Akamai) and a Content Delivery Network (CDN) to ensure that while the bots are being blocked, your app doesn’t lag.

Aadhaar: The ultimate ‘speed bump’ for fraudsters

The most significant shift for regular travellers is the introduction of Aadhaar-based OTP verification for Tatkal bookings.

By requiring a thumbprint or a mobile OTP linked to a unique ID, the system has effectively killed the “bulk account” strategy used by unauthorised agents. This “uniqueness constraint” ensures that one person equals one account, making it nearly impossible for hackers to use scripts to book dozens of tickets simultaneously.

Inside the cyber bunker

The Railways is not just playing defence; it is going on the offensive. Key security layers now include:

Honeypot (Madhu-Sanjal): In collaboration with CERT-In, the Railways has set up “decoy” systems to lure in hackers. This allows security teams to monitor their tactics in real time without exposing actual passenger data.

Deep dark web monitoring: Through RailTel, the government is now actively patrolling the underbelly of the internet to catch the sale of illegal booking software before it even hits the market.

Massive deactivations: In a sweeping administrative crackdown, over 3.03 crore suspicious user IDs were deactivated in 2025 alone.

Physical fortification

While the digital battle rages in the cloud, the physical heart of the system is tucked away in a high-security data center in Chanakyapuri, New Delhi. This facility is ISO 27001 certified, monitored by 24/7 CCTV, and protected by “Data Centre Grade” firewalls capable of absorbing massive 30 Gbps DDoS attacks—the digital equivalent of a battering ram.

For the average traveller, these “invisible” wars mean more than just security; they mean availability. By blocking nearly 13,000 suspicious email domains and filtered out billions of bots, the system is finally tilting the scales back toward the common man, said the Railways.

As Minister Vaishnaw’s report suggests, the next time you successfully book a Tatkal ticket at 10.01 am, you might have a “Honeypot” or an Anti-bot filter to thank.

Numbers

376- complaints lodged on the National Cyber Crime Portal pertaining to 3.99 lakh suspicious bookings.

12,819- suspicious email domains have been blocked in 2025.