根据您想要进入的复杂程度，您可以采取一些解决方案。

这些都是基于IP跟踪，在僵尸网络和云计算下有些崩溃，但应该能挫败绝大多数的僵尸。乔·兰登拥有大量机器人的可能性远远低于他只是运行一个从某处下载的Woot机器人来获取他的垃圾的可能性。

普通的节流

At a very basic, crude level, you could throttle requests per IP per time period. Do some analysis and determine that a legitimate user will access the site no more than X times per hour. Cap requests per IP per hour at that number, and bots will have to drastically reduce their polling frequency, or they'll lock themselves out for the next 58 minutes and be completely blind. That doesn't address the bot problem by itself, but it does reduce load, and increases the chance that legitimate users will have a shot at the item.

自适应调节

An variant on that solution might be to implement a load balancing queue, where the number of requests that one has made recently counts against your position in the queue. That is, if you keep slamming the site, your requests become lower priority. In a high-traffic situation like the bag of crap sales, this would give legitimate users an advantage over the bots in that they would have a higher connection priority, and would be getting pages back more quickly, while the bots continue to wait and wait until traffic dies down enough that their number comes up.

废料验证码

Third, while you don't want to bother with captchas, a captcha at the very end of the process, right before the transaction is completed, may not be a bad idea. At that point, people have committed to the sale, and are likely to go through with it even with the mild added annoyance. It prevents bots from completing the sale, which means that at a minimum all they can do is hammer your site to try to alert a human about the sale as quickly as possible. That doesn't solve the problem, but it does mean that the humans have a far, far better chance of obtaining sales than the bots do currently. It's not a solution, but it's an improvement.

以上的组合

实施基本的、慷慨的限制来阻止最滥用的机器人，同时考虑到单个公司IP背后的多个合法用户的潜力。截止数字将非常高——你引用了bot攻击你的网站10次/秒，即216万次/小时，这显然远远高于任何合法的使用量，即使是最大的公司网络或共享ip。

实现负载平衡队列，这样如果占用的服务器连接和带宽超过自己的份额，就会受到惩罚。这将惩罚共享公司池中的人，但不会阻止他们使用站点，而且他们的违规行为应该远没有您的装瓶者那么可怕，因此他们的惩罚应该不那么严重。

最后，如果您超过了每小时请求的某个阈值(这个阈值可能远远低于“自动断开连接”的截止值)，那么就要求用户使用验证码进行验证。

这样，合法使用网站的用户每小时只有84个请求，即使他们非常兴奋，也不会注意到网站速度变慢了。然而，乔·波特发现自己陷入了两难境地。他可以:

Blow out his request quota with his current behavior and not be able to access the site at all, or Request just enough to not blow the request quota, which gives him realtime information at lower traffic levels, but causes him to have massive delays between requests during high-traffic times, which severely compromises his ability to complete a sale before inventory is exhausted, or Request more than the average user and end up getting stuck behind a captcha, or Request no more than the average user, and thus have no advantage over the average user.

只有滥用的用户才会受到服务降级或复杂性增加的影响。合法用户不会注意到任何变化，除了他们更容易购买他们的垃圾包。

齿顶高

以远低于注册用户的速率限制未注册用户的请求。这样，机器人所有者就必须通过一个经过身份验证的帐户来运行机器人，以通过应该是相对严格的节流率。

然后，有创造力的装瓶者将注册多个用户id，并使用这些id来实现他们想要的查询率;您可以通过将给定时间段内来自同一IP的任何ID视为相同的ID，并接受共享节流来解决这个问题。

这使得装瓶商别无选择，只能运行一个机器人网络，每个IP一个机器人，每个机器人注册一个Woot账户。不幸的是，这实际上无法与大量未关联的合法用户区分开来。

您可以将此策略与上述一种或多种策略结合使用，目的是为没有滥用使用模式的注册用户提供最佳服务，同时根据他们的状态(匿名或已注册)以及由流量指标决定的滥用程度逐步惩罚其他用户，包括注册用户和未注册用户。

以下是你可以做的一些合理假设:

Any automated solution can and will be broken. Making the site completely require human input (eg CAPTCHA) will greatly increase the difficulty of logging in/checking out/etc. You have a limited number of Bandoliers of Cabbage to sell. You can track users by session via a client-side cookie. You aren't dealing with extremely hardcore criminals here; these are simply technical people who are bending, but not breaking, the law. Successful orders via bots will go to the person's home, and likely not some third-party mail drop.

解决方案不是技术上的。这是一个政策问题。

在web服务器上记录所有客户端会话id。 制定“限制机器人”政策;比如，每X秒刮一次屏幕，让使用普通浏览器的用户能够点击刷新。任何被发现超过这个限制的用户都不会被开除。 接下来，向已知的机器人所有者发送一堆leakfrog。

大多数纯技术解决方案已经提供。因此，我将提出这个问题的另一种看法。

据我所知，这些机器人是由真正想买你卖的包的人设置的。问题是——

其他不操作机器人的人应该有购买的机会，而你提供的是有限数量的包。 你想要吸引人们到你的网站，而只是销售包包。

你可以让潜在的包包买家订阅电子邮件，甚至短信更新，以便在交易发生时收到通知，而不是试图避开机器人。你甚至可以给他们一到两分钟的时间(一个销售开始的特殊URL，随机生成，并随邮件/短信发送)。

当这些买家去购买他们在你的网站上，你可以向他们展示你想要的任何东西。那些运行机器人将更喜欢简单地注册到您的通知服务。

机器人运行者可能仍然会在你的通知中运行机器人以更快地完成购买。一些解决方案可以提供一键购买。

顺便说一下，你提到你的用户不是注册的，但听起来那些购买这些包的人不是随机的买家，而是期待这些销售的人。因此，他们可能愿意注册，以便在试图“赢得”一个包时获得优势。

从本质上讲，我的建议是试着把这个问题看作一个社会问题，而不是一个技术问题。

Asaf

I think that sandboxing certain IPs is worth looking into. Once an IP has gone over a threshold, when they hit your site, redirect them to a webserver that has a multi-second delay before serving out a file. I've written Linux servers that can handle open 50K connections with hardly any CPU, so it wouldn't be too hard to slow down a very large number of bots. All the server would need to do is hold the connection open for N seconds before acting as a proxy to your regular site. This would still let regular users use the site even if they were really aggressive, just at a slightly degraded experience.

您可以使用这里描述的memcached，以较低的成本跟踪每个IP的命中数。

让机器人在公平的场地上竞争。加密时间戳并将其粘贴在隐藏表单字段中。当您收到提交文件时，解密它并查看已经过了多长时间。如果它超过了人类打字能力的阈值，则拒绝它。现在机器人和人类只能以同样的速度购买这袋垃圾。

为什么不将内容设置为CAPTCHA?

On the page where you display the prize, always have an image file in the same location with the same name, when a bag o crap sale is on, dynamically generate and load an image with the text etc advertising the prize, when no sale is on just have some default image that integrates well with the site. Seems like its the same concept as CAPTCHA... if the bot cannot figure out the meaning of the image they will not be able to "win" it, if they can they would have been able to figure out your CAPTCHA images anyways.