Beefy Boxes and Bandwidth Generously Provided by pair Networks
No such thing as a small change
 
PerlMonks  

Re^2: Another way to get around automated bots

by adrianh (Chancellor)
on May 17, 2004 at 09:31 UTC ( #353904=note: print w/replies, xml ) Need Help??


in reply to Re: Another way to get around automated bots
in thread Another way to get around automated bots

A better method is to rely on questions from current events news. Make it multiple choice, and make it so that 3 wrong answers out of 5 blocks the IP for an hour.

In these days of proxies using an IP blocking approach is pretty much a dead end. Blocking IPs will mean that you'll kill of groups of people using proxies, and they're so easy to fake only the technically dull bad people will be affected.

Without a blocking mechanism it then just comes down to a question of odds.

I also think you'll be surprised at the high false-negative you'll get with real humans getting the questions wrong :-)

  • Comment on Re^2: Another way to get around automated bots

Replies are listed 'Best First'.
Re^3 : Another way to get around automated bots (fake IP)
by tye (Sage) on May 17, 2004 at 14:15 UTC
    Blocking IPs [...]:, and they're so easy to fake only the technically dull bad people will be affected.

    Wow. It is easy for you to fake an IP and have the results sent back to you? You'll have to explain that before I believe you.

    If you are using IP for security, then the only risk from faking IPs is that someone can send you data with a forged IP in hopes of getting you to act on it. Simply requiring a minimal dialogue that includes repeating hard-to-predict data is enough to make such extremely unlikely.

    An attacker having control over a block of IP adresses is a separate issue.

    - tye        

      Wow. It is easy for you to fake an IP and have the results sent back to you? You'll have to explain that before I believe you.

      Lack of clarity on my part. I meant that faking a proxy is easy.

      You pretend to be a legitimate caching proxy and fake the Via and X-Forwarded-For headers. Mix in a bot browsing the site with a few legitimate accounts and it becomes almost impossible to tell the difference between good and evil proxies (unless you start hammering the site with thousands of registrations.)

      So you're either faced with blocking proxy IPs, which is bad for legitimate proxy users, or blocking the IPs delivered by the fake proxy headers which will have no effect.

      If you are using IP for security, then the only risk from faking IPs is that someone can send you data with a forged IP in hopes of getting you to act on it.

      Yup.

      A denial of service attack is an especially annoying form of this if one of your possible acts is automated IP blocking. EvilPerson sends bad requests using the faked IP addresses of legitimate users. Legitimate users get banned.

      Adrian & Tye,
      you chaps are quite right, I had forgotten about the whole unreliability thing with IPs for a moment there, it creates a lot of issues. And the danger of blocking proxies, very tricky. Hmmm. What I was attempting to address is the possibility to just brute the form by selecting all the options sequentialy. Or one could just exhaust the list of questions and pay someone to handball the results </blackhat> Hmm, OK. Let's say we immediately change to another question, but we also present the choices in a random order each time, that's an improvement.

      @ Nkuvu, Sorry, it was a flippant example, in reality we would choose something far simpler. Besides it was a trick question, there is one there that you _KNOW_ doesn't have a moustache, but he's not a real dictator. Also all the others were democratically elected in a valid vote at least once in their political careers and _then_ went crazy :)

      I have heard other ideas too, such as getting the client to solve a costly puzzle (in code) so that a bot wouldn't be able to get up much speed. Unfortunately this makes the presumption that the client will let the server instruct it to execute arbitary code, which is obviously bad.

      I think what I am trying to say is, as a general principle you need to find a puzzle that humans can easily solve but a machine cannot. In the end, if you make too many hoops for users to jump through they will just go to another site as Nkuvu says.

Log In?
Username:
Password:

What's my password?
Create A New User
Domain Nodelet?
Node Status?
node history
Node Type: note [id://353904]
help
Chatterbox?
and the web crawler heard nothing...

How do I use this? | Other CB clients
Other Users?
Others drinking their drinks and smoking their pipes about the Monastery: (2)
As of 2021-07-31 22:27 GMT
Sections?
Information?
Find Nodes?
Leftovers?
    Voting Booth?

    No recent polls found

    Notices?