How to deal with botnets and automated submissions


Question

Short story: I have a web application that has a huge incentive for participation. As such, we're being targeted heavily by the scripters and bots. Based on the IP addresses the submissions are coming from (1000+ and growing, no pattern whatsoever), I'm inclined to believe the submissions are being generated by a bot network. Even worse, the person(s) controlling the automated submissions are actively pursuing things to the point that every time we make a change, they catch up within a few hours.

Some of the measures we've tried already:

  • Captchas, both third-party and home-grown, with varying degrees of legibility
  • Anti-request-forgery tokens sent via cookie and a hidden form field that are compared on submission
  • A hidden, empty honeypot field that causes a silent failure on submission if the field contains data
  • A hidden honeypot field that contains data by default and causes a silent failure if a bit of JavaScript does not run to clear the field's value
  • Throttling submissions by IP address within a specific time period
  • Blocking email domains known to be used by the automated scripts
  • Blocking hosts based on the number of simultaneous connections or connections per minute at the firewall
  • Blocking the most obvious IP addresses at the firewall
  • Using an external address verification service to validate incoming addresses

Even with all of these measures in place, the submissions have not only continued, but seem to be increasing in frequency, on the order of 100,000+ per day.

The bogus entries are now using completely valid first and last names, and apparently have resorted to using some sort of directory listing to ensure that the addresses they use (which appear totally random and not at all consistent, btw) are actually valid US postal addresses. Additionally, I have logged the incoming form values to a debug log and verified that they are actually submitting valid captcha codes, indicating they have OCR good enough to decipher the images (the code itself is never sent to the client, only a GUID representing a code that is stored elsewhere on the back end).

In fact, the only way we can even tell the entries are bogus is by the pattern of email addresses and domains they are submitting. We've tried blocking the most active domains from entering, but the spammers just create or find new domains from which they can generate disposable email addresses and keep on going.

I'm pretty exhausted at this point, but I'm sure there's got to be something I haven't tried. Does anyone here have any bright ideas?

Recommended answer

The problem is: because of only 'registering' to your site, the user receives too many rights at once. The user is trusted "too fast".

Look at stackoverflow - you can register, and you gain almost no rights at the beginning. The user's permission level increases after some time, because the trust in the user increases, because of what the user is doing, and other users accept that.

I would focus on making users' "trust" a kind of "build-able resource" where other users have to confirm the "authority level" of a particular user. Then auto-registering of users would make no sense - they can do nothing.

I don't know what your site is about - that probably makes my suggestion not acceptable... But I hope I made your thoughts go forward :)
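The trust model the answer describes, as an added example that is not part of the original question or answer: reputation starts at zero on registration, can only be granted by users who are already established, and every action is gated on a threshold, so a batch of freshly auto-registered accounts cannot vouch for each other into a usable state. The threshold values, the endorsement value and the class and method names are all constructed for this illustration.

```python
from dataclasses import dataclass, field

# Constructed thresholds for this illustration; a real site would tune them.
THRESHOLDS = {"vote": 15, "comment": 50, "submit_entry": 100}


@dataclass
class User:
    name: str
    reputation: int = 0
    endorsed_by: set = field(default_factory=set)


class TrustLedger:
    """Reputation that only established users can grant, gating every action."""

    def __init__(self, thresholds=THRESHOLDS, endorsement_value=10, min_endorser_rep=50):
        self.thresholds = thresholds
        self.endorsement_value = endorsement_value
        self.min_endorser_rep = min_endorser_rep
        self.users = {}

    def register(self, name, reputation=0):
        # Registration alone grants nothing. The seed value exists only so that
        # pre-existing members or moderators can be modelled in this example.
        user = User(name, reputation)
        self.users[name] = user
        return user

    def endorse(self, endorser, target):
        """Return True if the endorsement counted, False if it was ignored."""
        # Only already-trusted users can vouch, never for themselves and only
        # once per target, so fresh bot accounts cannot bootstrap each other.
        if endorser is target or endorser.reputation < self.min_endorser_rep:
            return False
        if endorser.name in target.endorsed_by:
            return False
        target.endorsed_by.add(endorser.name)
        target.reputation += self.endorsement_value
        return True

    def can(self, user, action):
        # Every privileged action is checked against the earned reputation.
        return user.reputation >= self.thresholds[action]

    def perform(self, user, action):
        if not self.can(user, action):
            raise PermissionError(f"{user.name} lacks trust for {action}")
        return f"{user.name} performed {action}"
```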
