我不知道是否有人建议这样做，但与其保留机器人的IP列表，还不如设置一个cookie或会话变量来跟踪机器人呢?下面是一个PHP的例子:

<?php
// bot check
$now = microtime(true);
// bot counter var
$botCounter = 0;
if (array_key_exists('botCheck_panicCounter', $_REQUEST))
{
  $botCounter = $_REQUEST['botCheck_panicCounter'];
}

// if this seems to be a bot
if ($botCounter > 5)
{
  die('Die()!!');
}

// if this user visited before
if (array_key_exists('botCheck_lastVisit', $_REQUEST))
{
  $lastVisit = $_SESSION['botCheck_lastVisit'];
  $diff = $now - $lastVisit;

  // if it's less than a second
  if ($diff < 1)
  {
    // increase the bot counter
    $botCounter += 1;
    // and save it
    $_REQUEST['botCheck_panicCounter'] = $botCounter;
  }
}

// set the var for future use
$_SESSION['botCheck_lastVisit'] = $now;

// ---------------
// rest of the content goes here
?>

我没有检查语法错误，但您可以理解。

I think that sandboxing certain IPs is worth looking into. Once an IP has gone over a threshold, when they hit your site, redirect them to a webserver that has a multi-second delay before serving out a file. I've written Linux servers that can handle open 50K connections with hardly any CPU, so it wouldn't be too hard to slow down a very large number of bots. All the server would need to do is hold the connection open for N seconds before acting as a proxy to your regular site. This would still let regular users use the site even if they were really aggressive, just at a slightly degraded experience.

您可以使用这里描述的memcached，以较低的成本跟踪每个IP的命中数。

将页面的某些部分转换为图像，这样机器人就无法理解它们。

例如，创建整数0-9、美元符号和小数点的小图像。当页面加载时将图像缓存到客户端计算机上…然后显示价格使用通过运行服务器端代码选择的图像。大多数人类用户不会注意到其中的差别，机器人也不知道任何商品的价格。

不管纳粹认为他们的通信有多安全，盟军经常会破坏他们的信息。无论你如何试图阻止机器人使用你的网站，机器人所有者都会想出一个方法来解决它。如果这让你成为纳粹，我很抱歉:-)

我认为需要一种不同的心态

不要试图阻止机器人使用你的网站 不去寻求立即见效的解决办法，打持久战

要有这样一种心态:不管你网站的客户是真人还是机器人，他们都只是付费客户;但其中一个比另一个有不公平的优势。一些没有太多社交生活的用户(隐士)可能会像机器人一样让你的网站的其他用户讨厌。

记录您发布报价的时间和帐户选择购买的时间。

这可以让你记录下速度 客户在买东西。

改变你发布优惠的时间。

例如，设置3小时的窗口 从某个不知名的时间开始 天(午夜?)只有机器人和隐士 会不断刷新一个页面3 好几个小时才拿到订单 秒。不要改变基准时间， 只有窗户的大小。

随着时间的推移，一幅图景就会浮现出来。

01:你可以看到哪些账户经常在产品上线后几秒钟内购买产品。这表明他们可能是机器人。

02:你也可以看看促销的时间窗口，如果窗口是1小时，那么一些早期买家将是人类。然而，人类很少会在4小时内恢复精神。如果发布/购买之间的运行时间相当一致，而不考虑窗口持续时间，那么这就是一个bot。如果发布/购买时间对于小窗口很短，而对于大窗口很长，那就是隐士!

现在不是阻止机器人使用你的网站，你有足够的信息告诉你哪些账户肯定被机器人使用，哪些账户可能被隐士使用。你如何处理这些信息取决于你，但你当然可以用它来让你的网站对有生活的人更公平。

我认为禁止机器人账户是毫无意义的，这就像打电话给希特勒说“谢谢你的u艇的位置!”你需要以一种账户所有者不会意识到的方式使用这些信息。让我们看看我是否能想出什么.....

在队列中处理订单:

当客户下订单时，他们会立即收到一封确认电子邮件，告诉他们他们的订单已被放入队列中，并将在处理完毕时收到通知。我在亚马逊上的订单/发货就经历过这种事情，这一点也不困扰我，我不介意几天后收到一封电子邮件，告诉我我的订单已经发货了，只要我立即收到一封电子邮件，告诉我亚马逊知道我想要这本书。在你的情况下，这将是一封电子邮件

您的订单已经下单，正在排队。 您的订单已经处理完毕。 您的订单已发出。

用户认为他们排在一个公平的队列中。每1小时处理一次队列，让普通用户也经历一次队列，以免引起怀疑。只有在机器人和隐士账户排队超过“人类平均下单时间+ x小时”后，才会处理他们的订单。有效地减少机器人对人类的影响。

I'm not seeing the great burden that you claim from checking incoming IPs. On the contrary, I've done a project for one of my clients which analyzes the HTTP access logs every five minutes (it could have been real-time, but he didn't want that for some reason that I never fully understood) and creates firewall rules to block connections from any IP addresses that generate an excessive number of requests unless the address can be confirmed as belonging to a legitimate search engine (google, yahoo, etc.).

此客户端运行一个web托管服务，并在三台服务器上运行此应用程序，这三台服务器总共处理800-900个域。峰值活动在每秒1000次的范围内，从来没有性能问题-防火墙在从黑名单地址丢弃数据包时非常有效。

是的，DDOS技术确实存在，可以击败这个计划，但他没有看到这种情况在现实世界中发生。相反，他说这大大降低了他服务器的负载。

假定原则:

第一个屏幕必须是非常简单的低开销HTML，带有一个易于识别的按钮(游戏邦注:无论是机器人还是玩家)，以明确表示“我想要我的垃圾”。因为我们假设了最坏的情况-你有来自机器人和非机器人组合的DOS攻击，所有人都首先点击网站(就可识别性而言)。所以让我们尽快把这些从缓存，良性回声机器人等中分发出去。

(注:就追求者而言，这就是发生的事情;这对用户和Woot来说都是痛苦的，所以任何有助于吸收或缓解首次屏幕获取的内容都符合三方的利益。)

然后，对于非机器人来说，这个过程不需要比现在更糟糕，对于正版机器人来说，不需要额外的步骤(或痛苦)。(关于当前设计的背景说明:当前的wooters通常已经签约，或者可以在购买过程中签约。新买家需要在购买时进行注册。所以实际上已经注册和已经登录会更快。)

为了完成垃圾销售，需要导航一系列交易屏幕(比如5个正负，取决于具体情况)。获胜者是第一个完成全部导航的人。当前进程奖励那些最快完成整个5个屏幕序列的机器人(或其他人);但整个进程都偏向于快速响应(即机器人)。

毫无疑问，机器人将在第一个屏幕上占据优势;无论他们在这一点上取得了什么优势，他们都会在剩下的屏幕上保持下去，再加上身体在其他阶段提供的任何优势。

What if Woot were to intentionally decouple the queuing process after the first screen, and feed every session from that point into a sequence of fixed-minimum-time steps? The second screen wouldn't even be presented until 30 seconds had passed; after it was submitted, same for the following screens. I bet wooters would have no problem if they were told that, after the first screen, they would wait in a queue (which is already true) that would spread the load over time in a way that should take no longer than before, be more robust, and help weed out the bots. At this point you can throw in some of the bot speedbumps listed above (subtle variations in DOM objects, etc.) Just the benefit from the perception that Woot is a little more in control of things would help.

If a much higher proportion of the BOC initial hits could segue into a bot-unfriendlier non-time-critical process on their first hit (or close to it), rather than retrying, then real people who get past that point would have more confidence. For sure it would be less hostile than the current situation. It might cut down on the background-noise-ambient-bot-rate that's going on all the time even under normal Woot-Off circumstances. And the bots would lay off the main page and sit in the queue with each other (and everyone else) where they have no advantage.

Hmmm... The concept "apartment-threaded" comes to mind. I wonder if the pattern is approximately useful? A useful core concept here is being able, after the first screen, to track accumulated total time in queue and be able to adjust to standard. As a bot-mitigation strategy, you would have a little bit of flexibility to maybe fudge the very earliest sessions by maybe 5-10 seconds; doing so would probably be undetectable, but would result in a richer non-bot purchase mix. I'm sure you have statistics to help evaluate stuff like this after the fact. Just for fun, you could (at least for one wootoff) put together your own bot that combines the best features you've seen, and then hand it out to everyone the day before. Then at least everyone would be equally armed. (Then duck ... incoming ...)