ASP.net AJAX控件工具包中的NoBot控件呢?

它做了一些自动javascript请求和计时技巧，以防止机器人在没有用户交互的情况下访问网站。

抱歉，如果这不符合要求，我得打个电话 tl;博士> D

我将要描述的方法有两个要求。1) Javascript被强制执行2)一个具有有效http://msdn.microsoft.com/en-us/library/bb894287.aspx浏览器会话的web浏览器。

如果没有其中任何一个，你就是“故意”倒霉的。互联网被设计成允许匿名客户查看内容。简单的HTML没有办法解决这个问题。哦，我只是想说，简单的，基于图像的验证码很容易被击败，甚至作者也承认这一点。

Moving along to the problem and the solution. The problem is in two parts. The first is that you cannot block out an individual for "doing bad things". To fix this you setup a method that takes in the browsers valid session and generate a md5sum + salt + hash (of your own private device) and send it back to the browser. The browser then is REQUIRED to return that hashed key back during every post / get. If you do not ever get a valid browser session, then you reply back with "Please use a valid web browser blah blah blah". All popular browsers have valid browser session id's.

现在我们至少有了该浏览器会话的标识(我知道它不会永久锁定，但是通过简单的脚本很难“更新”一个浏览器会话)，我们可以有效地锁定一个会话(例如;让脚本编写人员很难访问你的网站，而不会对有效用户造成任何惩罚)。

Now this next part is why it requires javascript. On the client you build a simple hash for each character that comes from the keyboard versus the value of the text in the textarea. That valid key comes over to the server as a simple hash and has to be validated. While this method could easily be reverse engineered, it does make it one extra hoop that individuals have to go through before they can submit data. Mind you this only prevents auto posting of data, not DOS with constant visits to the web site. If you even have access to ajax there is a way to send a salt and hash key across the wire and use javascript with it to build the onkeypress characters "valid token" that gets sent across the wire. Yes like I said it could easily be reversed engineered, but you see where I am going with this hopefully.

现在为了防止不断的交通滥用。有几种方法可以在给定有效的会话id后建立模式。这些模式(即使使用Random来抵消请求时间)的epsilon比人类试图重现相同的误差范围时要低。由于您有一个会话ID，并且您有一个“看起来像一个bot”的模式，那么您可以用一个简单的轻量级响应屏蔽该会话，该响应是20字节而不是200000字节。

You see here, the goal is to 1) make the anonymous non-anonymous (even if it's only per session) and 2) develop a method to identify bots vs. normal people by establishing patterns in the way they use your system. You can't say that the latter is impossible, because I have done it before. While, my implementations were for tracking video game bots I would seem to think that those algorithms for identifying a bot vs. a user can be generalized to the form of web site visits. If you reduce the traffic that the bots consume you reduce the load on your system. Mind you this still does not prevent DOS attacks, but it does reduce the amount of strain a bot produces on the system.

首先，让我回顾一下我们需要做的事情。我意识到我只是在转述最初的问题，但重要的是我们要百分之百地理解这个问题，因为有很多很好的建议，4个中有2个或3个是正确的，但正如我将演示的那样，您将需要一个多方面的方法来满足所有的需求。

要求1:摆脱“机器人抨击”:

首页的快速“猛击”正在损害网站的性能，这是问题的核心。这种“猛击”既来自单ip机器人，也可能来自僵尸网络。我们想把两者都去掉。

要求二:不要破坏用户体验:

我们可以通过实施一个讨厌的验证程序来有效地解决机器人的情况，比如打电话给操作员，解决一堆验证码，或类似的问题，但这就像强迫每个无辜的飞机乘客跳过疯狂的安全圈，只是为了抓住最愚蠢的恐怖分子的渺茫机会。哦，等等，我们真的这么做了。但让我们看看在woot.com上能否做到这一点。

要求三:避免“军备竞赛”

正如您所提到的，您不希望卷入垃圾邮件机器人军备竞赛。因此，您不能使用隐藏或混乱的表单字段、数学问题等简单的调整，因为它们本质上是可以简单地自动检测和规避的模糊度量。

需求4:挫败“警报”机器人:

这可能是您的要求中最困难的。即使我们可以进行有效的人类验证挑战，机器人仍然可以在你的首页上投票，并在有新报价时提醒编剧。我们也想让那些机器人变得不可行。这是第一个需求的更强版本，因为机器人不仅不能发出破坏性能的快速请求——它们甚至不能发出足够多的重复请求来及时向脚本人员发送“警报”以赢得报价。

好，让我们看看是否能满足这四个条件。首先，正如我提到的，没有一种测量方法能达到目的。你将不得不结合一些技巧来实现它，你将不得不忍受两个烦恼:

少数用户将被要求经历重重考验 少数用户将无法获得特别优惠

我知道这些都很烦人，但如果我们能让“小”的数字足够小，我希望你会同意利大于弊。

第一个措施:基于用户的节流:

这个很简单，我相信你已经做过了。如果用户已登录，并保持每秒刷新600次(或其他)，您将停止响应并告诉他冷却。事实上，你可能会更早地限制他的请求，但你明白我的意思。这样，一个登录的机器人将被禁止/节流一旦它开始投票你的网站。这是简单的部分。那些未经验证的机器人才是我们真正的问题，下面就来谈谈它们:

第二个措施:某种形式的知识产权限制，正如几乎所有人都建议的那样:

No matter what, you will have to do some IP based throttling to thwart the 'bot slamming'. Since it seems important to you to allow unauthenticated (non-logged-in) visitors to get the special offers, you only have IPs to go by initially, and although they're not perfect, they do work against single-IP bots. Botnets are a different beast, but I'll come back to those. For now, we will do some simple throttling to beat rapid-fire single-IP bots. The performance hit is negligable if you run the IP check before all other processing, use a proxy server for the throttling logic, and store the IPs in a memcached lookup-optimized tree structure.

第三种方法:用缓存的响应掩盖油门:

With rapid-fire single-IP bots throttled, we still have to address slow single-IP bots, ie. bots that are specifically tweaked to 'fly under the radar' by spacing requests slightly further apart than the throttling prevents. To instantly render slow single-IP bots useless, simply use the strategy suggested by abelenky: serve 10-minute-old cached pages to all IPs that have been spotted in the last 24 hours (or so). That way, every IP gets one 'chance' per day/hour/week (depending on the period you choose), and there will be no visible annoyance to real users who are just hitting 'reload', except that they don't win the offer. The beauty of this measure is that is also thwarts 'alarm bots', as long as they don't originate from a botnet. (I know you would probably prefer it if real users were allowed to refresh over and over, but there is no way to tell a refresh-spamming human from a request-spamming bot apart without a CAPTCHA or similar)

第四项措施:

You are right that CAPTCHAs hurt the user experience and should be avoided. However, in _one_ situation they can be your best friend: If you've designed a very restrictive system to thwart bots, that - because of its restrictiveness - also catches a number of false positives; then a CAPTCHA served as a last resort will allow those real users who get caught to slip by your throttling (thus avoiding annoying DoS situations). The sweet spot, of course, is when ALL the bots get caught in your net, while extremely few real users get bothered by the CAPTCHA. If you, when serving up the 10-minute-old cached pages, also offer an alternative, optional, CAPTCHA-verified 'front page refresher', then humans who really want to keep refreshing, can still do so without getting the old cached page, but at the cost of having to solve a CAPTCHA for each refresh. That is an annoyance, but an optional one just for the die-hard users, who tend to be more forgiving because they know they're gaming the system to improve their chances, and that improved chances don't come free.

第五种方法:诱饵废话:

Christopher Mahan had an idea that I rather liked, but I would put a different spin on it. Every time you are preparing a new offer, prepare two other 'offers' as well, that no human would pick, like a 12mm wingnut for $20. When the offer appears on the front page, put all three 'offers' in the same picture, with numbers corresponding to each offer. When the user/bot actually goes on to order the item, they will have to pick (a radio button) which offer they want, and since most bots would merely be guessing, in two out of three cases, the bots would be buying worthless junk. Naturally, this doesn't address 'alarm bots', and there is a (slim) chance that someone could build a bot that was able to pick the correct item. However, the risk of accidentally buying junk should make scripters turn entirely from the fully automated bots.

第六项措施:僵尸网络节流:

(删除)

Okay............ I've now spent most of my evening thinking about this, trying different approaches.... global delays.... cookie-based tokens.. queued serving... 'stranger throttling'.... And it just doesn't work. It doesn't. I realized the main reason why you hadn't accepted any answer yet was that noone had proposed a way to thwart a distributed/zombie net/botnet attack.... so I really wanted to crack it. I believe I cracked the botnet problem for authentication in a different thread, so I had high hopes for your problem as well. But my approach doesn't translate to this. You only have IPs to go by, and a large enough botnet doesn't reveal itself in any analysis based on IP addresses.

所以你知道了，第六小节是零。没什么。邮政编码。除非僵尸网络很小，或者足够快，可以被通常的IP限制，否则我不认为有任何有效的措施可以对抗僵尸网络，而不涉及明确的人类验证，如CAPTHAs。我很抱歉，但我认为结合以上五种方法是你最好的选择。你可能只需要abelenky的10分钟缓存技巧就可以了。

不管纳粹认为他们的通信有多安全，盟军经常会破坏他们的信息。无论你如何试图阻止机器人使用你的网站，机器人所有者都会想出一个方法来解决它。如果这让你成为纳粹，我很抱歉:-)

我认为需要一种不同的心态

不要试图阻止机器人使用你的网站 不去寻求立即见效的解决办法，打持久战

要有这样一种心态:不管你网站的客户是真人还是机器人，他们都只是付费客户;但其中一个比另一个有不公平的优势。一些没有太多社交生活的用户(隐士)可能会像机器人一样让你的网站的其他用户讨厌。

记录您发布报价的时间和帐户选择购买的时间。

这可以让你记录下速度 客户在买东西。

改变你发布优惠的时间。

例如，设置3小时的窗口 从某个不知名的时间开始 天(午夜?)只有机器人和隐士 会不断刷新一个页面3 好几个小时才拿到订单 秒。不要改变基准时间， 只有窗户的大小。

随着时间的推移，一幅图景就会浮现出来。

01:你可以看到哪些账户经常在产品上线后几秒钟内购买产品。这表明他们可能是机器人。

02:你也可以看看促销的时间窗口，如果窗口是1小时，那么一些早期买家将是人类。然而，人类很少会在4小时内恢复精神。如果发布/购买之间的运行时间相当一致，而不考虑窗口持续时间，那么这就是一个bot。如果发布/购买时间对于小窗口很短，而对于大窗口很长，那就是隐士!

现在不是阻止机器人使用你的网站，你有足够的信息告诉你哪些账户肯定被机器人使用，哪些账户可能被隐士使用。你如何处理这些信息取决于你，但你当然可以用它来让你的网站对有生活的人更公平。

我认为禁止机器人账户是毫无意义的，这就像打电话给希特勒说“谢谢你的u艇的位置!”你需要以一种账户所有者不会意识到的方式使用这些信息。让我们看看我是否能想出什么.....

在队列中处理订单:

当客户下订单时，他们会立即收到一封确认电子邮件，告诉他们他们的订单已被放入队列中，并将在处理完毕时收到通知。我在亚马逊上的订单/发货就经历过这种事情，这一点也不困扰我，我不介意几天后收到一封电子邮件，告诉我我的订单已经发货了，只要我立即收到一封电子邮件，告诉我亚马逊知道我想要这本书。在你的情况下，这将是一封电子邮件

您的订单已经下单，正在排队。 您的订单已经处理完毕。 您的订单已发出。

用户认为他们排在一个公平的队列中。每1小时处理一次队列，让普通用户也经历一次队列，以免引起怀疑。只有在机器人和隐士账户排队超过“人类平均下单时间+ x小时”后，才会处理他们的订单。有效地减少机器人对人类的影响。

我不知道这是否可行:……主动出击。

搞清楚机器人在扫描什么数据。给他们提供他们正在寻找的数据，当你不卖垃圾时。以一种不会打扰或迷惑人类用户的方式进行此操作。当机器人触发第二阶段时，他们将登录并填写表格，购买100美元的roomba，而不是BOC。当然，这是假设机器人不是特别健壮。

另一个想法是在促销期间随机降价。当你明确声明它只值20美元时，谁会花150美元买一袋垃圾?没有人，只有狂热的机器人。但9分钟后就变成了35美元…17分钟后是9美元。之类的。

当然，僵尸国王能够做出反应。关键是要让他们的错误变得非常昂贵(并让他们付钱给你来与他们战斗)。

所有这些都假设你想要惹恼一些机器人领主，这可能不是100%可取的。

那么使用Flash呢?

是的，我知道使用Flash的开销，加上一些用户将无法购买这些垃圾(即iPhone用户)，这可能会造成不利影响，但在我看来，Flash可以防止屏幕抓取或至少使其变得困难。

我错了吗?

编辑添加

在你的提交表单上添加几个“隐藏”字段怎么样，就像我下面发现的那样:

Actually, best practice seems to be to use two hidden fields, one with an initial value, and one without. It's the rare bot which can ignore both fields. Check for one field to be blank, and the other to have the initial value. And hide them using CSS, not by making them "hidden" fields: .important { display : none ; } Please don't change the next two fields. Bots tend to like fields with names like 'address'. The text in the paragraph is for those few rare human beings who have a non-CSS capable browser. If you're not worried about them, you can leave it out. In the logic for processing the form, you'd do something like: if (address2 == "xyzzy" and address3 == "") { /* OK to send / } else { / probably have a bot */ }