如何应对僵尸网络和自动提交

发布于 2024-11-27 14:17:15 字数 927 浏览 2 评论 0原文

短篇故事:我有一个网络应用程序,它具有巨大的参与动机。因此,我们正成为脚本编写者和机器人的重点攻击目标。根据提交内容的 IP 地址(超过 1000 个,并且还在不断增长,没有任何模式),我倾向于相信提交内容是由机器人网络生成的。更糟糕的是,控制自动提交的人正在积极地追求事情,以至于每次我们做出更改时,他们都会在几个小时内赶上。

我们已经尝试过的一些措施:

  • 验证码,第三方和本地开发的,具有不同程度的可读性
  • 通过 cookie 发送的防请求伪造令牌和提交时进行比较的隐藏表单字段
  • 隐藏的空蜜罐字段,导致如果字段包含数据,则提交将静默失败
  • 隐藏的蜜罐字段,默认情况下包含数据,如果未运行一段 javascript 来清除字段的值,则会导致静默失败
  • 在特定时间段内按 IP 地址限制提交
  • 阻止电子邮件已知自动脚本使用的域
  • 在防火墙上根据同时连接数或每分钟连接数来阻止主机
  • 在防火墙上阻止最明显的 IP 地址
  • 使用外部地址验证服务来验证传入地址

即使采取了所有这些措施,提交的内容不仅持续不断,而且频率似乎还在增加,每天大约有 100,000 多个。

伪造的条目现在使用完全有效的名字和姓氏,并且显然已经诉诸使用某种目录列表来确保他们使用的地址(顺便说一句,这些地址看起来完全随机且根本不一致)实际上是有效的美国邮政地址。此外,我已将传入的表单值记录到调试日志中,并验证它们实际上提交了有效的验证码,表明它们具有足够好的 OCR 来破译图像(代码本身永远不会发送到客户端,只有代表存储在后端其他地方的代码)

事实上,我们甚至可以判断条目是否伪造的唯一方法是通过他们提交的电子邮件地址和域的模式。我们已尝试阻止最活跃的域进入,但垃圾邮件发送者只是创建或查找新域,从中生成一次性电子邮件地址并继续前进。

我现在已经很累了,但我确信一定有一些东西我还没有尝试过。这里有人有什么好主意吗?

Short story: I have a web application that has a huge incentive for participation. As such, we're being targeted heavily by the scripters and bots. Based on the IP addresses the submissions are coming from (1000+ and growing, no pattern whatsoever), I'm inclined to believe the submissions are being generated by a bot network. Even worse, the person(s) controlling the automated submissions are actively persuing things to the point that every time we make a change, they catch up within a few hours.

Some of the measures we've tried already:

  • Captcha, both third party and home-grown, with varying degrees of readability
  • An anti-request forgery token sent via cookie and hidden form field that is compared upon submit
  • A hidden empty honeypot field that causes the submission to fail silently if the field contains data
  • A hidden honeypot field that contains data by default and results in a silent fail if a piece of javascript does not run to clear the field's value
  • Limiting submissions by IP address over a certain time period
  • Blocking email domains known to be used by the automated scripts
  • Blocking hosts based on simultaneous connections or connections per minute at the firewall
  • Blocking the most flagrant IP addresses at the firewall
  • Using an external address verification service to verify incoming addresses

Even with all of these measures in place, the submissions have not only continued, but seem to be increasing in frequency, on the order of 100,000+ per day.

The bogus entries are now using completely valid first and last names, and apparently have resorted to using some sort of directory listing to ensure that the addresses they use (which appear totally random and not at all consistent, btw) are actually valid US postal addresses. Additionally, I have logged the incoming form values to a debug log and verified that they are actually submitting valid captcha codes, indicating they have OCR good enough to decipher the images (the code itself is never sent to the client, only a GUID representing a code that is stored elsewhere on the back end)

In fact, the only way we can even tell the entries are bogus is by the pattern of email addresses and domains they are submitting. We've tried blocking the most active domains from entering, but the spammers just create or find new domains from which they can generate disposable email addresses and keep on going.

I'm pretty exhausted at this point, but I'm sure there's got to be something I haven't tried. Does anyone here have any bright ideas?

如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。

扫码二维码加入Web技术交流群

发布评论

需要 登录 才能够评论, 你可以免费 注册 一个本站的账号。

评论(3

明明#如月 2024-12-04 14:17:16

问题是:由于仅“注册”到您的网站,用户一次获得了太多权利。用户被信任“太快”了。

看看stackoverflow——你可以注册,一开始你几乎没有获得任何权利。一段时间后,用户权限级别会增加,因为对用户的信任会增加,因为用户正在做什么,并且其他用户会接受这一点。

我将专注于让用户“信任”一种“可构建的资源”,其他用户必须确认特定用户的“权限级别”。那么用户的自动注册就没有任何意义——他们什么也做不了。

我不知道你的网站是关于什么的 - 这可能会让我的建议不被接受......但我希望我能让你的想法继续下去:)

The problem is: because of only 'registering' to your site, the user receives too many rights at once. The user is trusted "too fast".

Look at stackoverflow - you can register, and you gain almost no rights at the beginning. User permissions level increases after some time, because the trust to the user increases, because of what the user is doing, and other users accept that.

I would focus on making users "trust" a kind of "build-able resource" where other users have to confirm "authority level" of a particular user. Then auto-registering of users would make no meaning - they can do nothing.

I don't know what your site is about - that probably makes my suggestion not acceptable... But I hope I made your thoughts go forward :)

微凉 2024-12-04 14:17:16

您是否考虑过图片验证码,例如,您有一张杯子的图片,下面带有 C _ _ ?花费大量时间创建大量图像来实现它是很乏味的,但这确实会考验他们花费所有时间手动识别 1000 个图像的决心。当然,我不知道你的奖品有多好,也许值得。

Have you considered a picture captcha, where you have a picture of a cup, for example, with C _ _ underneath? Tedious to spend a bunch of time creating a ton of images to implement it, but it'll really test their resolve to spend all that time manually identifying 1000 images. Of course, I don't know how good your prizes are, it might be worth it.

超可爱的懒熊 2024-12-04 14:17:16

我不确定您是否仍在寻找问题的答案 - 但您是否考虑过验证用户一起提交的信息?例如,如果您需要他们输入姓名、实际地址、电话号码和电子邮件地址,请检查电话簿或地址簿以确保他们输入的所有信息都是一致的。这样,您不仅可以使用格式良好的数据来验证条目,还可以使用真实的人来验证条目。

您可以考虑的另一件事是向用户发送一条短信,通知他们中奖了,而不是通过电子邮件进行。

不确定它是否适合您的情况,但可能会有所帮助。

I'm not sure if you're still looking for an answer to your question - but have you considered validating the information the user has submit together? Like if you need them to put in their name, physical address, phone number, and email address, checking a phone directory or address book to make sure that all the information they've entered is consistent. That way you could validate an entry with more than just well formed data, but an actual person.

Another thing you could consider is sending the user a text message informing them that they've won, instead of doing it via email.

Not sure how appropriate it is for your case, but it might help.

~没有更多了~
我们使用 Cookies 和其他技术来定制您的体验包括您的登录状态等。通过阅读我们的 隐私政策 了解更多相关信息。 单击 接受 或继续使用网站,即表示您同意使用 Cookies 和您的相关数据。
原文