On this site if you do too many clicks or post comments too fast or something like that you get redirected to the "are you a human" screen. Does anybody know how to do something similar?

+1  A: 

Just check how many hits per minute you get from a specific IP or session or whatever, decide what your preferred threshold is, and you're good to go.

Fredou
Just be sure that the time period is right b/c otherwise quick users will be very annoyed and you might drive away some of the more useful users.
Brian T Hannan
Or users from an organisation that uses a single proxy to access the internet
Kirschstein
+3  A: 

http://recaptcha.net/

Amigable Clark Kant
You clearly don't know what this question is about.
Baddie
Now I do. I think. :-) But more importantly, others seem to do and produce answers accordingly.
Amigable Clark Kant
+2  A: 

At a guess...

Write an HTTP handler that records requests and stores them in the session.

When a new request comes in, check to see how many requests are stored (and expire old ones).

If the number of requests in the past few minutes exceeds a given threshold, redirect the user.

If you're doing this in ASP.NET webforms, you could do this check on the site master page (or write an IHttpHandler).

If you're using an MVC framework, you could write a base controller that does this check for every action.

With rails, you could write a before_request filter.

With asp.net MVC, you could write an [ActionFilterAttribute] attribute.

Kirschstein
A: 

I'd also check the user agent header of the request - if it doesn't look like a popular browser (or is empty) then throw the "are you a human?" page.

Andy Shellam
Why be cruel to those of us who browse with links?!?
C. Ross
Links being Lynx (the text-based browser)? If so, I'm fairly sure that sends a proper User-Agent header, so it wouldn't be affected. I'm talking about headers like GoogleBot, MSNSpider etc.
Andy Shellam
This is a really bad idea - it's what leads to things like apps that require IE6 because IE7 was not a valid browser at the time, or what PayPal does if you try to buy something using a mobile browser.
Tom Clarkson
@Tom - the original question was how to tell if someone is a human. It's easy to tell using the User-Agent header if someone is using an actual browser, or if it's a bot. Yes some nasty bots make themselves look like a browser, so this has to be used in combination with other security tactics - but that's the same in any case - IT or non-IT related. You don't just rely on a lock on your door to keep people out. You also have an alarm system. And a locked gate etc.
Andy Shellam
It's easy to tell if it is a known browser or a known bot, but relying on that will cause problems with either unknown browsers or unknown bots. Since the known bots are things like Google that you want to give full access, and the ones you need to block will pretend to be browsers, you are introducing bugs without gaining any security. In terms of physical security it's more like nailing the locked door shut and leaving an open window next to it.
Tom Clarkson
+9  A: 

It's almost certainly a heuristic that tries to "guess" that a user is some form of automated process, rather than a person, for example:

  • More than "x" requests to do the same thing in a row
  • More than "x" actions in a "y" period of time

Ordinarily the "x" and "y" values would be formulated to be ones that it would be unlikely for a "real person" to do, like:

  • Editing the same answer 5 times in a row
  • Downvoting 10 questions within 1 minute

Once you've got your set of rules, you can then implement some code that checks them at the start of each request, be it in a method that's called in Page_Load, something in your master page, or something in the asp.net pipeline; that's the easy bit! ;)

Rob
How did you post an answer on a migrated question!?
Earlz
@Earlz, I undeleted my answer. I'm assuming that the migration process deleted it. As I disagreed with the migration, and the site gave me an "undelete" link, I "protested" against the migration by undeleting my answer.
Rob
That is almost surely a bug/unintended behaviour..
Earlz
@Earlz, I'm sure it probably is, but it made me happy! ;)
Rob
+1 yes, I think I saw some of the code on meta. They just cache the user+ip+action and set it to expire for whatever period of time. It would be madness to hit database for all these checks.
dotjoe
@Aristos's answer has a link to an implementation of this, and it also uses the cache, setting it to expire.
Omu
@Omu - It looks to me like an asp.net webforms control, so not something you'd really use in MVC? :) It might give you some ideas for an MVC implementation though!
Rob
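The handler design from Kirschstein's answer (record each principal's requests, expire the old ones, compare against a threshold) and the two rule shapes from Rob's answer, put together as one added example that is not code from the original question or any answer. It is framework-agnostic Python rather than ASP.NET; the thresholds, the HumanCheck class and its record method are assumptions, and a web app would keep the same per-principal history in its expiring cache rather than a process dictionary.

```python
import time
from collections import defaultdict, deque

# Constructed thresholds ("x" and "y" in the answer above); tune them to
# what a real person is unlikely to do.
WINDOW_SECONDS = 60            # "y": length of the sliding window
MAX_ACTIONS_PER_WINDOW = 10    # "x": more than this many actions per window
MAX_SAME_ACTION_IN_A_ROW = 5   # "x": more than this many identical actions back to back


class HumanCheck:
    """Sliding-window activity tracker keyed by session, falling back to IP.

    Keying on the session first avoids throttling everyone behind a single
    corporate proxy (the caveat raised in the comments above). Entries older
    than WINDOW_SECONDS are expired on every call, so memory stays bounded
    without any database round trip.
    """

    def __init__(self, now=time.time):
        self._now = now                       # injectable clock for testing
        self._history = defaultdict(deque)    # principal -> deque of (ts, action)

    def record(self, session_id, client_ip, action):
        """Record one request. Returns True when the caller should be
        redirected to the are-you-human page."""
        principal = session_id or client_ip
        now = self._now()
        hist = self._history[principal]
        hist.append((now, action))
        # expire everything outside the window
        while hist and now - hist[0][0] > WINDOW_SECONDS:
            hist.popleft()
        # rule 1: more than "x" actions in "y" seconds
        if len(hist) > MAX_ACTIONS_PER_WINDOW:
            return True
        # rule 2: more than "x" identical actions in a row (e.g. editing the
        # same answer over and over); count the trailing run of this action
        run = 0
        for _, past_action in reversed(hist):
            if past_action != action:
                break
            run += 1
        return run > MAX_SAME_ACTION_IN_A_ROW


if __name__ == "__main__":
    # constructed sample: six edits of the same answer from one session
    check = HumanCheck()
    print([check.record("sess-1", "10.0.0.1", "edit:42") for _ in range(6)])
```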
+2  A: 

You should have a session to track the user activity.

In the session you can have counters for commenting and posting, like:

(pseudo code instead of C#, sorry :)

if (post_event) {
    // start a new one-minute window before counting this post,
    // otherwise the first post of each new window is lost
    if (time_now - reference_time > 1_minute) {
        reference_time = time_now;
        posts_during_1_minute_interval = 0;
    }
    posts_during_1_minute_interval++;
}
...
if (posts_during_1_minute_interval > 10) redirect("/are-you-human.htm");

where on the are-you-human.htm page you can have reCAPTCHA, as they have here on StackOverflow.com.

See also: http://blog.stackoverflow.com/2009/07/are-you-a-human-being/

Halst
+1  A: 

First of all, here is a very nice Captcha Control for asp.net that you need:

http://www.codeproject.com/KB/custom-controls/CaptchaControl.aspx

Then you can use it together with this idea that tries to detect DoS attacks:

http://weblogs.asp.net/omarzabir/archive/2007/10/16/prevent-denial-of-service-dos-attacks-in-your-web-application.aspx

Beware of a bug in this code in the line if( context.Request.Browser.Crawler ) return false; - it must return true, or remove it entirely.

Then make it your combination for the clicks, or submits.

If a user makes too many clicks in a period of time, or many submits, then you simply open the CaptchaControl, and if the clicks are by far too many, then trigger the DoS attack handling. This way you have 2 solutions in one: DoS attack prevention, with captcha at the same time.

I have made something similar myself, but I have changed the source code of both a lot to fit my needs.

One more interesting link for different code for the DoS attack:

http://madskristensen.net/post/Block-DoS-attacks-easily-in-ASPNET.aspx

Hope this helps you.

Aristos