views:

166

answers:

4

I have a blog aggregation website

the stories are ordered by the number of visits

I think I am facing a spam of visits

because some blogs' stories receive a lot of visits in the same second with efferent ip address

my website does not allow visits from the same ip; however, my visitors somehow changing their ips.

is their any solution to detect this spam visits?, I wonder how Google adSense solves such a problem?

Thanks

+5  A: 

The short answer is that it's impossible to stop a determined attacker if a single unverified visit is the only thing required to alter the order of your story. You may want to think about implementing a registered user voting system.

However, You can collect several pieces of information and combine all of them:

1) User Agent
2) IP Address
3) X-Forwarded-For header (if available)

Often times attackers will be lazy and not cycle through different user agents. If you setup your system to process visit information at a certain interval (and not in real-time), you could potentially filter out large collections of visits occuring at the same time with the same exact user agent.

You could always download databases of proxies from websites such as antiproxy.com, but the truth is that most well planned attacks today come from botnet nodes which have yet to be documented. It is fully possible for your website to be targeted by an attack with heterogeneous traffic which is indistinguishable from normal visitors.

At the very least, I would suggest changing your implementation so that users can vote on stories and require a captcha.

Robert Venables
@novatrust Thanks for explaining, I have changed my code to treat all users with same "user agent" as spam and also all users with same ip as spam and I will try use x-forwarded-for as well. changing the system to voting system will make it very complicated in my case.but the that thing I am not sure about? do we have unique users agents?Thanks
ahmed
User agents are not unique, though often times they can be unique enough. Example: 300 hits within one minute all advertising the same exact version of firefox, browser toolbars, and installed .NET framework, with the same exact formatting. This is unlikely, and may indicate malicious activity.
Robert Venables
+1  A: 

With PHP you can check the $_SERVER ["HTTP_X_FORWARDED_FOR"] variable against the IP adress for a little more assurance that the client is who he says he is. This will help identify people through some proxies.

Sam152
A: 

You cannot reliably detect an IP.

It may be coming through a proxy or it may be spoofed.

Konstantinos
Or - let's face it - it may just be real! Imagine a team of nerds behind a single gateway. One of them tosses a nice URL into IRC...
innaM
+1  A: 

I use this function sometimes. But as others have said, it can be tough to get the correct IP 100 per cent of the time.

I can't remember where I got the function from, but it seems to be fairly common on the internet.

function getRealIpAddr()
{
    if (!empty($_SERVER['HTTP_CLIENT_IP']))   
    {
      $ip=$_SERVER['HTTP_CLIENT_IP'];
    }
    elseif (!empty($_SERVER['HTTP_X_FORWARDED_FOR']))
    {
      $ip=$_SERVER['HTTP_X_FORWARDED_FOR'];
    }
    else
    {
      $ip=$_SERVER['REMOTE_ADDR'];
    }
    return $ip;
}
Coffee Cup
I don't think that is going to get you the real IP - simply the first one that is set from the order of testing. It is not even comparing $_SERVER['HTTP_X_FORWARDED_FOR'] to $_SERVER['HTTP_CLIENT_IP'] for a match, a suggested in some answeres.
BrynJ