I've accepted an answer, but sadly, I believe we're stuck with our original worst case scenario: CAPTCHA everyone on purchase attempts of the crap. Short explanation: caching / web farms make it impossible to track hits, and any workaround (sending a non-cached web-beacon, writing to a unified table, etc.) slows the site down worse than the bots would. There is likely some pricey hardware from Cisco or the like that can help at a high level, but it's hard to justify the cost if CAPTCHA-ing everyone is an alternative. I'll attempt a more full explanation later, as well as cleaning this up for future searchers (though others are welcome to try, as it's community wiki).

情况

这是关于woot.com上的垃圾销售。我是Woot Workshop的总统,Woot Workshop是Woot的子公司,负责设计,撰写产品描述,播客,博客文章,并主持论坛。我使用CSS/HTML,对其他技术几乎不熟悉。我与开发人员密切合作,在这里讨论了所有的答案(以及我们的许多其他想法)。

可用性是我工作的重要组成部分,而让网站变得令人兴奋和有趣则是剩下的大部分工作。这就是下面三个目标的来源。验证码损害了可用性,机器人从我们的垃圾销售中偷走了乐趣和兴奋。

机器人一秒钟就会在我们的首页上猛击数十次屏幕抓取(和/或扫描我们的RSS),以寻找随机垃圾销售。他们一看到这个,就会触发程序的第二阶段登录,点击“我要一个”,填好表格,然后买下这些垃圾。

评价

lc:在stackoverflow和其他使用此方法的站点上,他们几乎总是处理已验证(登录)的用户,因为正在尝试的任务需要这样。

在Woot上,匿名(未登录)用户可以查看我们的主页。换句话说,撞击机器人可以不经过身份验证(除了IP地址之外基本上无法跟踪)。

所以我们又回到了扫描IP, a)在这个云网络和垃圾邮件僵尸的时代是相当无用的,b)考虑到来自一个IP地址的业务数量,捕获了太多无辜的人(更不用说非静态IP isp的问题和试图跟踪它的潜在性能影响)。

还有,让别人给我们打电话是最糟糕的情况。我们能让他们给你打电话吗?

布拉德克:内德·巴切德的方法看起来很酷,但它们是专门设计来击败为网络站点构建的机器人的。我们的问题是机器人是专门用来破坏我们网站的。其中一些方法可能只在很短的时间内有效,直到脚本编写人员将他们的机器人进化为忽略蜜罐,从屏幕上抓取附近的标签名称而不是表单id,并使用支持javascript的浏览器控件。

 

lc再次说道:“当然,除非炒作是你们营销计划的一部分。”是的,绝对是。当物品出现时的惊喜,以及当你设法得到一件物品时的兴奋,可能比你实际得到的垃圾一样重要,甚至更重要。任何消除先到/先得的东西都不利于“赢”的快感。

 

novatrust:就我个人而言,欢迎我们新的机器人霸主。我们实际上提供RSSfeeds,允许第三方应用程序扫描我们的网站的产品信息,但不是在主站HTML之前。如果我的理解正确的话,你的解决方案通过完全牺牲目标1来帮助目标2(性能问题),并放弃机器人将购买大部分垃圾的事实。我给你的回答投了赞成票,因为你最后一段的悲观情绪对我来说是准确的。这里似乎没有什么灵丹妙药。

其余的响应通常依赖于IP跟踪,这似乎是无用的(僵尸网络/僵尸/云网络)和有害的(捕获许多来自相同IP目的地的无辜的人)。

还有其他方法/想法吗?我的开发人员一直在说“让我们只做验证码”,但我希望有更少的侵入性方法,让所有真正想要我们的垃圾的人。

最初的问题

假设你卖的东西很便宜,但有很高的感知价值,而你的数量非常有限。没有人确切地知道你什么时候会卖这个东西。超过一百万人经常来看你卖什么。

你最终会发现脚本和机器人试图通过编程方式[a]找出你何时出售该道具,[b]确保他们是第一批购买该道具的人。这很糟糕,有两个原因:

你的网站被非人类攻击,拖慢了所有人的速度。 编剧最终“赢得”了产品,让常客感到被骗了。

一个看似显而易见的解决方案是为用户在下单前设置一些障碍,但这至少有三个问题:

The user experience sucks for humans, as they have to decipher CAPTCHA, pick out the cat, or solve a math problem. If the perceived benefit is high enough, and the crowd large enough, some group will find their way around any tweak, leading to an arms race. (This is especially true the simpler the tweak is; hidden 'comments' form, re-arranging the form elements, mis-labeling them, hidden 'gotcha' text all will work once and then need to be changed to fight targeting this specific form.) Even if the scripters can't 'solve' your tweak it doesn't prevent them from slamming your front page, and then sounding an alarm for the scripter to fill out the order, manually. Given they get the advantage from solving [a], they will likely still win [b] since they'll be the first humans reaching the order page. Additionally, 1. still happens, causing server errors and a decreased performance for everyone.

另一种解决方案是经常监视ip攻击,阻止它们进入防火墙,或以其他方式阻止它们排序。这个可以解2。和阻止[b],但扫描ip对性能的影响是巨大的,可能会导致更多像1这样的问题。比编剧自己造成的还要严重。此外,云网络和垃圾邮件僵尸的可能性使得IP检查相当无用。

第三个想法,强迫订单表单加载一段时间(比如半秒),可能会减慢快速订单的进度,但同样,脚本编写人员仍然是第一个进入的人,在任何速度下都不会对实际用户造成损害。

目标

将道具卖给非脚本人。 保持网站运行的速度不被机器人减慢。 不要让“正常”用户完成任何任务来证明他们是人类。


当前回答

这里有很多建议,所以如果这已经发布了,请原谅我。

我要做的第一件事是把订购分成两步。第一步将在记录IP地址时传回一个GUID。第二步将接收GUID,并将其与已记录的IP地址进行比较。结合阻止垃圾邮件的IP地址(IE:比人类点击刷新的速度还快),这种技术可以阻止垃圾邮件发送者成功购买,从而解决1和3。

第二项是有问题的,但我会保持一个常规用户IP地址的运行列表,并限制任何新用户的流量。这可能会让首次访问者和拨号用户(由于IP地址的变化)受到冷落,但我认为这只是通过优先考虑回头客而在糟糕的情况下做出最好的选择……而拨号用户,即使没有任何垃圾邮件发送者,他们是否会“获胜”也是值得怀疑的。

其他回答

免责声明:这个答案完全与编程无关。但是,它确实试图从一开始就攻击使用脚本的原因。

另一个想法是,如果你的销售数量确实有限,为什么不改变先到先得的方法呢?当然,除非炒作是你营销计划的一部分。

还有很多其他的选择,我相信其他人也能想到一些不同的选择:

an ordering queue (pre-order system) - Some scripts might still end up at the front of the queue, but it's probably faster to just manually enter the info. a raffle system (everyone who tries to order one is entered into the system) - This way the people with the scripts have just the same chances as those without. a rush priority queue - If there is truly a high perceived value, people may be willing to pay more. Implement an ordering queue, but allow people to pay more to be placed higher in the queue. auction (credit goes to David Schmitt for this one, comments are my own) - People can still use scripts to snipe in at the last minute, but not only does it change the pricing structure, people are expecting to be fighting it out with others. You can also do things to restrict the number of bids in a given time period, make people phone in ahead of time for an authorization code, etc.

首先,让我回顾一下我们需要做的事情。我意识到我只是在转述最初的问题,但重要的是我们要百分之百地理解这个问题,因为有很多很好的建议,4个中有2个或3个是正确的,但正如我将演示的那样,您将需要一个多方面的方法来满足所有的需求。

要求1:摆脱“机器人抨击”:

首页的快速“猛击”正在损害网站的性能,这是问题的核心。这种“猛击”既来自单ip机器人,也可能来自僵尸网络。我们想把两者都去掉。

要求二:不要破坏用户体验:

我们可以通过实施一个讨厌的验证程序来有效地解决机器人的情况,比如打电话给操作员,解决一堆验证码,或类似的问题,但这就像强迫每个无辜的飞机乘客跳过疯狂的安全圈,只是为了抓住最愚蠢的恐怖分子的渺茫机会。哦,等等,我们真的这么做了。但让我们看看在woot.com上能否做到这一点。

要求三:避免“军备竞赛”

正如您所提到的,您不希望卷入垃圾邮件机器人军备竞赛。因此,您不能使用隐藏或混乱的表单字段、数学问题等简单的调整,因为它们本质上是可以简单地自动检测和规避的模糊度量。

需求4:挫败“警报”机器人:

这可能是您的要求中最困难的。即使我们可以进行有效的人类验证挑战,机器人仍然可以在你的首页上投票,并在有新报价时提醒编剧。我们也想让那些机器人变得不可行。这是第一个需求的更强版本,因为机器人不仅不能发出破坏性能的快速请求——它们甚至不能发出足够多的重复请求来及时向脚本人员发送“警报”以赢得报价。


好,让我们看看是否能满足这四个条件。首先,正如我提到的,没有一种测量方法能达到目的。你将不得不结合一些技巧来实现它,你将不得不忍受两个烦恼:

少数用户将被要求经历重重考验 少数用户将无法获得特别优惠

我知道这些都很烦人,但如果我们能让“小”的数字足够小,我希望你会同意利大于弊。

第一个措施:基于用户的节流:

这个很简单,我相信你已经做过了。如果用户已登录,并保持每秒刷新600次(或其他),您将停止响应并告诉他冷却。事实上,你可能会更早地限制他的请求,但你明白我的意思。这样,一个登录的机器人将被禁止/节流一旦它开始投票你的网站。这是简单的部分。那些未经验证的机器人才是我们真正的问题,下面就来谈谈它们:

第二个措施:某种形式的知识产权限制,正如几乎所有人都建议的那样:

No matter what, you will have to do some IP based throttling to thwart the 'bot slamming'. Since it seems important to you to allow unauthenticated (non-logged-in) visitors to get the special offers, you only have IPs to go by initially, and although they're not perfect, they do work against single-IP bots. Botnets are a different beast, but I'll come back to those. For now, we will do some simple throttling to beat rapid-fire single-IP bots. The performance hit is negligable if you run the IP check before all other processing, use a proxy server for the throttling logic, and store the IPs in a memcached lookup-optimized tree structure.

第三种方法:用缓存的响应掩盖油门:

With rapid-fire single-IP bots throttled, we still have to address slow single-IP bots, ie. bots that are specifically tweaked to 'fly under the radar' by spacing requests slightly further apart than the throttling prevents. To instantly render slow single-IP bots useless, simply use the strategy suggested by abelenky: serve 10-minute-old cached pages to all IPs that have been spotted in the last 24 hours (or so). That way, every IP gets one 'chance' per day/hour/week (depending on the period you choose), and there will be no visible annoyance to real users who are just hitting 'reload', except that they don't win the offer. The beauty of this measure is that is also thwarts 'alarm bots', as long as they don't originate from a botnet. (I know you would probably prefer it if real users were allowed to refresh over and over, but there is no way to tell a refresh-spamming human from a request-spamming bot apart without a CAPTCHA or similar)

第四项措施:

You are right that CAPTCHAs hurt the user experience and should be avoided. However, in _one_ situation they can be your best friend: If you've designed a very restrictive system to thwart bots, that - because of its restrictiveness - also catches a number of false positives; then a CAPTCHA served as a last resort will allow those real users who get caught to slip by your throttling (thus avoiding annoying DoS situations). The sweet spot, of course, is when ALL the bots get caught in your net, while extremely few real users get bothered by the CAPTCHA. If you, when serving up the 10-minute-old cached pages, also offer an alternative, optional, CAPTCHA-verified 'front page refresher', then humans who really want to keep refreshing, can still do so without getting the old cached page, but at the cost of having to solve a CAPTCHA for each refresh. That is an annoyance, but an optional one just for the die-hard users, who tend to be more forgiving because they know they're gaming the system to improve their chances, and that improved chances don't come free.

第五种方法:诱饵废话:

Christopher Mahan had an idea that I rather liked, but I would put a different spin on it. Every time you are preparing a new offer, prepare two other 'offers' as well, that no human would pick, like a 12mm wingnut for $20. When the offer appears on the front page, put all three 'offers' in the same picture, with numbers corresponding to each offer. When the user/bot actually goes on to order the item, they will have to pick (a radio button) which offer they want, and since most bots would merely be guessing, in two out of three cases, the bots would be buying worthless junk. Naturally, this doesn't address 'alarm bots', and there is a (slim) chance that someone could build a bot that was able to pick the correct item. However, the risk of accidentally buying junk should make scripters turn entirely from the fully automated bots.

第六项措施:僵尸网络节流:

(删除)

Okay............ I've now spent most of my evening thinking about this, trying different approaches.... global delays.... cookie-based tokens.. queued serving... 'stranger throttling'.... And it just doesn't work. It doesn't. I realized the main reason why you hadn't accepted any answer yet was that noone had proposed a way to thwart a distributed/zombie net/botnet attack.... so I really wanted to crack it. I believe I cracked the botnet problem for authentication in a different thread, so I had high hopes for your problem as well. But my approach doesn't translate to this. You only have IPs to go by, and a large enough botnet doesn't reveal itself in any analysis based on IP addresses.

所以你知道了,第六小节是零。没什么。邮政编码。除非僵尸网络很小,或者足够快,可以被通常的IP限制,否则我不认为有任何有效的措施可以对抗僵尸网络,而不涉及明确的人类验证,如CAPTHAs。我很抱歉,但我认为结合以上五种方法是你最好的选择。你可能只需要abelenky的10分钟缓存技巧就可以了。

我很确定你的服务器已经记录了所有传入请求的ip(大多数都是这样)——所以数据已经在那里了。

也许你可以:

只需验证“获胜者”,验证它的IP在日志中显示的值小于某个阈值(我使用“grep | wc -l”来获得计数)。如果它超过你的阈值,暂时阻止该IP(一个小时左右?)

取消任何与“上一位”中奖者有相同收货地址或付款信息的“中奖者”的资格,或者在一定时间内中奖的“中奖者”,以分散“中奖”。

机器人不会把他们弄到那里的。

把刮刀惹毛: 当“随机垃圾”条目出现时,通过“代码混淆器”运行该页面的HMTL输出……这不会改变页面的“显示”…只是用随机生成的id打乱代码等。

更阴险的:

根据获胜IP在日志中出现的次数,增加“获胜”项目的价格。即使机器人赢了,你也赢了。: -)

让机器人用户无利可图,他们很快就会离开——也就是说,偶尔卖一些人类不可能想要的东西(可能是一袋字面上的垃圾)。

将道具卖给非脚本人。 保持网站运行的速度不被机器人减慢。 不要让“正常”用户完成任何任务来证明他们是人类。

你可能不想听这个,但是第一条和第三条是相互排斥的。

Well, nobody knows you're a bot either. There's no programatic way to tell the whether or not there's a human on the other end of the connection without requiring the person to do something. Preventing scripts/bots from doing stuff on the web is the whole reason CAPTCHAs were invented. It's not like this is some new problem that hasn't seen a lot of effort expended on it. If there were a better way to do it, one that didn't involve the hassle to real users that a CAPTCHA does, everyone would be using it already.

我认为你需要面对这样一个事实,如果你想让机器人远离你的订购页面,一个好的验证码是唯一的方法。如果对你的随机垃圾的需求足够高,人们愿意付出这些代价来获得它,合法用户就不会被验证码吓跑。