Keeping a troll out - IP bans considered harmful? What to use instead? [closed] - access-control

Closed. This question does not meet Stack Overflow guidelines. It is not currently accepting answers.
This question does not appear to be about programming within the scope defined in the help center.
Closed 5 years ago.
I run the technical side of a discussion forum, which is plagued by a troll (a single physical person, as far as I can tell). It seems that the community has exhausted all means of communication (it is, beyond reasonable doubt, a net.troll, not a clueless user), including face-to-face.
I may need to block that person from visiting the site, but I'm not sure how (it already refused to leave of its own accord). The site needs registration with an e-mail address, which gets you a username. I could block the username, but the troll could just as easily register a new one.
Now, there are plenty of Q&A on "how to do an IP ban and at what layer", but is it worth the hassle?
Would an IP ban be useful for blocking a troll? If not, what? Or, could I combine an IP ban with some other form of protection?
The issues I have with IP bans are numerous:
the troll comes in from several different IP blocks (home/school/open wifi/...?)
the IP addresses seem to be dynamically assigned (usual with DSL here)
I suspect sock-puppetting with new accounts, possibly through proxies and/or VPN
at least in one case, there are other users coming in from the same IP (I suspect a large NAT - confirmed: in this case, there's a whole university accessing the web from behind a single public IP address)
It seems that I'll be fighting a social issue through technological means, and the prospects of that seem bleak.

Can you implement a "global ignore"? At its finest, this lets the troll see its own posts, but nobody else sees them at all. This gives the troll no feedback from outraged community members, but no clue that the reason is the posts can't be seen. I have seen this work, meaning that the bad behaviour stopped.
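The "global ignore" described in this answer, as an added illustration (not code from the answer or from any forum software): the muted author still sees their own posts and reply counts, everybody else sees nothing. The thread, the muted account and the moderator audit set are constructed assumptions.

```python
# Constructed data: one muted account, one moderator, a short thread.
SHADOW_BANNED = {"troll"}
MODERATORS = {"mod"}       # assumption: moderators may audit hidden posts

THREAD = [
    {"id": 1, "author": "alice", "reply_to": None, "body": "Welcome to the forum"},
    {"id": 2, "author": "troll", "reply_to": 1,    "body": "bait"},
    {"id": 3, "author": "bob",   "reply_to": 1,    "body": "Thanks!"},
    {"id": 4, "author": "troll", "reply_to": 3,    "body": "more bait"},
]

def visible_to(viewer, posts):
    """Posts the viewer may see. A muted author still sees their own posts, so
    nothing in their own view reveals the mute; everyone else never sees them."""
    return [p for p in posts
            if p["author"] not in SHADOW_BANNED
            or p["author"] == viewer
            or viewer in MODERATORS]

def reply_count(viewer, posts, post_id):
    # Counters must be computed over the filtered list too, otherwise the
    # number of replies leaks the existence of the hidden posts.
    return sum(1 for p in visible_to(viewer, posts) if p["reply_to"] == post_id)
```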

Think of as many ways as possible to identify the user, and try to use them all. Also, make it hard for the user to test your systems - e.g. if you detect him, block all signups and posting from that IP block for 60 minutes.
Some ways to identify a user:
E-mail address
IP address
IP address block
Cookies
Flash supercookies
Windows Media Player unique ID (if enabled)
HTTP headers (browser version etc)
See https://panopticlick.eff.org/

Ban all the account information, so when an account is banned, so is for example the email address.
It won't stop them, but opening multiple email accounts as well as having to sign up again has to get pretty annoying. If they create their own mail server, ban the domain?
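An added example (not code from either answer above) combining the two ideas: a ban record keeps every identifier tied to the banned account, including the e-mail domain, and a signup that matches any of them puts the whole IP range into a 60-minute lockout so the troll cannot probe the check. The ban record, addresses and cookie id are constructed; the /24 and /64 prefix choice is an assumption.

```python
import ipaddress
import time

# Constructed ban record: every identifier tied to the banned account is kept,
# so a fresh signup that reuses any of them is caught. The domain entry covers
# the "they run their own mail server" case.
BANNED = {
    "emails": {"troll@example.net"},
    "email_domains": {"trollmail.example"},
    "ips": {"203.0.113.7"},
    "cookie_ids": {"c0ffee-constructed"},
}
LOCKOUT_SECONDS = 60 * 60       # the 60-minute block on the whole IP range
_locked = {}                    # network -> unix time the lockout expires

def _block_of(ip):
    # /24 for IPv4, /64 for IPv6 (assumption). This also catches innocent users
    # behind the same NAT or campus range, which is why the lockout is short.
    addr = ipaddress.ip_address(ip)
    prefix = 24 if addr.version == 4 else 64
    return ipaddress.ip_network(f"{ip}/{prefix}", strict=False)

def matching_identifiers(email, ip, cookie_id):
    """Names of the stored identifiers this signup shares with a banned account."""
    email = email.lower()
    domain = email.rsplit("@", 1)[-1]
    hits = []
    if email in BANNED["emails"]:
        hits.append("email")
    if domain in BANNED["email_domains"]:
        hits.append("email_domain")
    if ip in BANNED["ips"]:
        hits.append("ip")
    if cookie_id in BANNED["cookie_ids"]:
        hits.append("cookie")
    return hits

def block_locked(ip, now):
    return _locked.get(_block_of(ip), 0) > now

def check_signup(email, ip, cookie_id, now=None):
    """'ok', 'locked' (range is in a lockout) or 'banned:<ids>' (lockout started)."""
    now = time.time() if now is None else now
    if block_locked(ip, now):
        return "locked"
    hits = matching_identifiers(email, ip, cookie_id)
    if hits:
        _locked[_block_of(ip)] = now + LOCKOUT_SECONDS
        return "banned:" + ",".join(hits)
    return "ok"
```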

If you prevent users from registering with free e-mail accounts (create a ban list of e-mail domains), you can cut down on the ability for the troll to re-register every time a username is banned. Of course, that can make it harder for legitimate users to register. If possible, you could combine techniques (require approval for free e-mail addresses).

You could require moderator approval for accounts, but the effectiveness of this depends on how large your community has grown. For a small community, having the trolls queue up at the gates makes them lose interest very quickly, especially if you're looking for patterns in account signup information.
For large communities, the effectiveness of the techniques used depends on how well they are used. Shadow banning, aka muting the troll, can backfire if it is an innocent bystander. One effective way of handling this is to not mute the troll, but to ensure that bans on accounts are not made public; one wouldn't want to drag the community into it.

Is it feasible to let users run dedicated videogame servers with no user accounts?

I apologise if something like this has been answered before; I just can't figure out a good way to word my question well enough to include all the details about my problem.
I'd like users to be able to host servers for my indie game in a way virtually identical to, for example, Minecraft. I don't want any official servers, the game is mostly intended to be played with friends and not random strangers.
I've thought of many ways to accomplish this but I could never solve one important detail - I want the server to be able to remember users and put them where they left off when they reconnect (give them their character, the character's inventory, etc).
But any solution I could find or think of either made it potentially very easy to steal someone's character and connect to the server pretending to be them, or required me to make players have a way to register with accounts, something I can't afford to host myself.
I guess what I need is a way for the server to send a token to a new connecting player, and then have a way to see if the player sending that token back is the same person, and not an attempt to replicate the token. That to me sounds like public key cryptography, but the game engine I'm using doesn't seem to have any libraries for that (unsurprisingly), and I certainly am not qualified to make a library like that myself. But maybe there's an easier solution I'm somehow missing.
This might be a stupid question, but I hope it's worth a try asking. Thank you in advance for any help. Sorry I was so wordy by the way.
TLDR: I want users to host game servers that can remember reconnecting players without risk of players' progress being stolen.
If you have not already, look into sessions. Session cookies. But also, setting up a basic login system with PHP or whatever server code your server uses is not hard, and most basic hosting provides the MySQL and PHP needed to do a basic login page; you just have to code it yourself.
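The token scheme the question sketches, written out as an added example (not the answerer's code and not tied to any game engine): the server hands a new player a random bearer token, stores only its hash next to the character, and on reconnect looks the character up by hashing what the client presents. Names, the store and the character record are constructed assumptions.

```python
import hashlib
import secrets

# Constructed in-memory store: sha256(token) -> character record. Only the
# hash is kept, so a copied save file does not yield usable tokens.
_characters = {}

def _token_hash(token: str) -> str:
    return hashlib.sha256(token.encode("utf-8")).hexdigest()

def issue_token(character_name: str) -> str:
    """First connection: create the character and give the player a fresh token.
    The token is a bearer credential: whoever presents it *is* the player, so the
    client must store it privately and send it only over an encrypted channel.
    That is the trade-off versus the public-key approach the question mentions."""
    token = secrets.token_urlsafe(32)          # 256 bits of randomness
    _characters[_token_hash(token)] = {"name": character_name, "inventory": []}
    return token

def reconnect(token: str):
    """Later connection: the character bound to this token, or None if unknown.
    A guessed token only matches if its hash is in the store, which is
    infeasible at 256 bits; the lookup cost does not depend on the token."""
    return _characters.get(_token_hash(token))
```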

Is WebRTC too privacy invasive to use for video chat without TURN servers?

I'd like to implement a simple video chat system for students to tutor each other. I'm a one man show, and would like a system I can run in a cost effective way starting with 10 users, and hopefully scale up as needed.
WebRTC seems like a great, low latency, and cheap option to build this feature. However, if clients are communicating, then they must know each other's public IP. Is this a significant privacy or security issue?
What is the worst case scenario of somebody getting my IP address? Wouldn't any malicious actor have to get through my ISP to get my specific location?
Thanks!
If you host it yourself, WebRTC can be extremely cost-effective. I've been running the SFU at galene.org (disclaimer: I'm the main developer), which is used for multiple lectures with up to a hundred students. Even though this is a full-fledged SFU (and not a mere TURN server), hosting amounts to just over €6/month.
If your tutoring sessions involve just two or three people, then peer-to-peer WebRTC might be enough, but even then a TURN server will be required, especially if some of your users are on university networks. For larger groups, you will need to push your traffic through an SFU.
If you do peer-to-peer WebRTC, then any user can learn the IP of any user they are communicating with; this is most probably not an issue, since the IP addresses are most probably already being disclosed (e.g. in mail headers). If you go through an SFU, then the IP addresses are not deliberately disclosed, but they might still leak; for example, the SFU implementation mentioned above (Galene) discloses IP addresses when a user initiates a file transfer, since file transfers happen directly between clients, in a peer-to-peer fashion. (It may be possible to avoid this disclosure by setting the iceTransportPolicy field to relay in the PeerConnection constructor, but I haven't tested how effective it is.)
WebRTC doesn't have to be P2P. You could run an SFU. Each user will upload their video to your server, and the server will distribute it via WebRTC. Then the users will never know each other's IPs.
I don't have any exact numbers, but it isn't expensive either. Your biggest expense will probably be bandwidth. Lots of Open Source SFUs exist, this is a good list to get started.

Is there a solution to bypass Captcha verification to access sites? [duplicate]

This question already has answers here:
How can I bypass the Google CAPTCHA with Selenium and Python?
(6 answers)
Closed 2 years ago.
I want to log in on a WordPress site. When I try to access the login on a WordPress site, it says "Checking your browser before accessing"; why do I see the link "DDoS Protection by Cloudflare"? Additionally, a CAPTCHA is required to access this site. How can I bypass CAPTCHA verification in order to access sites? Here are the image links:
https://i.stack.imgur.com/Ju3f7.png
https://i.stack.imgur.com/Vrhi4.png
Ways to bypass a CAPTCHA that come to my mind:
Talk to the people running the site or service in question if you have a good reason to get an exception based on IP or similar.
Use some code to automatically solve the CAPTCHA for you. Often a CAPTCHA is made so simple that it can be solved by a simple algorithm.
If none of the above works (which I think is your case), create porn site where users need to solve captchas to see the content. Make a system which automatically reroutes captchas annoying you to users who want to watch porn. If done properly, all works as charm.
PS: Actually, CAPTCHAs are there for a reason and usually it is not nice to cheat here, but I explained how it is technically possible. Do not judge me for not judging others on this. SO asked me to be nice to newcomers.
PS2: Avoiding, breaking or otherwise messing with access control security can be illegal in some jurisdictions, especially if it causes harm to the site by overloading it and thus making it unavailable. To a techie this may look stupid, but sometimes things go this way in the real world.
That is because your IP address is suspicious!
Cloudflare has flagged your IP address as a potential bot or other malicious software.
Don't worry! Usually your IP address will change after a while (24 hours or so).
In the meantime you can use another network to access the site or use a VPN service to change your IP address (a VPN extension would be the best choice in your case).

Protect from bots creating multiple free accounts and uploading files

I am developing a web application for my university where users can create an account and upload images. Images are private and can only be seen by the person who uploaded them. In other words, it is like a cloud file system.
Each user has a free account with 500MB. I am using Amazon S3 to store the images, that is to say storage implies costs.
How can I avoid bots uploading millions of MB? How can I avoid a bot creating millions of new accounts and uploading 500MB per account, without affecting the user experience?
On one hand, I definitely don't want to put a CAPTCHA in the registration form because it negatively affects the conversion rate. On the other, I don't want to pay thousands of dollars because a bot uploads millions of dummy images.
Does anyone know whether Dropbox, Google Drive, etc. suffer from this (content uploaded by bots)? It seems that it is not a problem, because I couldn't find anything about it. All the spam-related problems I could read about only covered spam in forums. It makes sense too: spam in forums can be read by other users, while spam in a service like Dropbox or Google Drive reaches no one. Nonetheless I have to protect it to avoid cost surprises.
As far as I can see, without using CAPTCHAs this can be done:
Set up monitoring systems that warn for specific abuse patterns (the same IP uploading lots of data and creating new accounts repeatedly).
Throttle users that follow those patterns; this will hopefully make them realize and make the process worthless. If this fails, then disable those accounts and have their owners mail/talk to you in order to explain what's happening.
Since you say it's a system for your university, make users provide proof of enrollment (e.g. a university e-mail address) in case of abuse.
Have this forbidden usage explicit in your terms of use.
Of course, a smart enough bot can work around all those problems.
For a more advanced solution, you might try some machine learning or AI that learns about normal and abnormal usage patterns, then applies that information to judge a possible abuser.
I would recommend:
make users register using their email
don't allow multiple accounts for a single email
send them an email registration confirmation, and deactivate the "unconfirmed" accounts after a short amount of time (e.g. 3 days)
AFAIK, Drupal embeds these kinds of controls out of the box or with little effort (and no programming).
This won't solve all your problems, but it will reduce the risk of bot exploits.
As you said you need a registration, there are two points to tackle this problem - make sure no bots register and/or limit the number of uploads.
I personally would use both. For the user signup, design a signup form where the user has to enter their email address, send them a mail with a link in it, and activate their account only after they click this link. Or let the user solve a simple math question on signup.
For the second point, you can store the number of uploaded bytes per user and time. You can then set a quota on allowed upload usage per time; for example, you may not upload more than 10MB per hour. If a user hits this limit more than n times, you can deactivate their account.
And: set up an alerting and monitoring system. For example, monitor the number of non-activated users, monitor the amount of uploads, etc., and set up alerts if these exceed a certain threshold.
The above-mentioned methods may not be perfect and probably won't block out all bots, but they will at least make it way harder for bots to upload unwanted data. Also, these methods are quite simple, so you can start off with your project and see if this is really a problem. And if you do get bots uploading data, you will at least receive alerts and can devise a better solution afterwards.
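An added example (not code from any of the answers) that wires together the controls the last two answers describe: unconfirmed accounts that expire, a per-user upload quota per hour with a strike count before deactivation, and a monitoring hook for the thresholds mentioned. The 10MB/hour and 3-day figures come from the answers; the strike count n = 3 and the alert thresholds are assumptions.

```python
from collections import defaultdict

HOURLY_LIMIT = 10 * 1024 * 1024     # 10 MB per hour, as in the answer
WINDOW = 60 * 60
STRIKES_BEFORE_DEACTIVATION = 3     # assumption for the answer's "n"
CONFIRM_GRACE = 3 * 24 * 60 * 60    # unconfirmed accounts expire after 3 days

class UploadGuard:
    def __init__(self):
        self.uploads = defaultdict(list)   # user -> [(timestamp, bytes)]
        self.strikes = defaultdict(int)    # user -> times the quota was hit
        self.deactivated = set()
        self.unconfirmed = {}              # user -> signup timestamp

    def register(self, user, now):
        self.unconfirmed[user] = now       # account exists but may not upload yet

    def confirm(self, user):
        self.unconfirmed.pop(user, None)   # the e-mail link was clicked

    def expire_unconfirmed(self, now):
        """Deactivate accounts that never clicked the confirmation link."""
        stale = [u for u, t in self.unconfirmed.items() if now - t > CONFIRM_GRACE]
        for u in stale:
            self.unconfirmed.pop(u)
            self.deactivated.add(u)
        return stale

    def _used_in_window(self, user, now):
        return sum(b for t, b in self.uploads[user] if t > now - WINDOW)

    def request_upload(self, user, size, now):
        """Decide on one upload: 'ok', 'unconfirmed', 'throttled' or 'deactivated'."""
        if user in self.deactivated:
            return "deactivated"
        if user in self.unconfirmed:
            return "unconfirmed"
        if self._used_in_window(user, now) + size > HOURLY_LIMIT:
            self.strikes[user] += 1
            if self.strikes[user] >= STRIKES_BEFORE_DEACTIVATION:
                self.deactivated.add(user)
                return "deactivated"
            return "throttled"
        self.uploads[user].append((now, size))
        return "ok"

    def alerts(self, max_unconfirmed, max_throttled):
        """Monitoring hook: names of the thresholds currently exceeded."""
        fired = []
        if len(self.unconfirmed) > max_unconfirmed:
            fired.append("unconfirmed")
        if sum(1 for s in self.strikes.values() if s) > max_throttled:
            fired.append("throttled")
        return fired
```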

Keep track of a user 100% sure

I am trying to ban users that spam my service by logging their IP and blocking it.
Of course this isn't safe at all, because of dynamic IP addresses.
Is there a way to identify a user that's 100% safe?
I've heard about something called evercookie, but I was easily able to delete that, and I guess that anyone capable of changing their IP can also keep their PC clean.
Are there any other options? Or is it just not possible?
A cookie will prevent the same browser from visiting your site as long as the user doesn't delete it, or turn off cookies, or use a different browser, or reinstall their browser, or use another machine, etc.
There is no such thing as 100% safe. Spam is an ongoing problem that most websites just have to learn to deal with.
There are numerous highly secure options, mostly relying on multi-factor authentication and physical key generators like the ones RSA markets. But the real question is an economic one. The more draconian the authentication mechanism, the more quickly you kill your website as you scare off all your visitors.
More practical solutions involve CAPTCHA, forum moderation, spam-reporting affordances, etc. One particularly effective technique is to block offending content from every IP address except the one that originated it. That way, the original spammer thinks their content is still there, oblivious to the fact that no one else can see it.
Alright I get that it's impossible to 100% identify a unique visitor.
What are the things that I could do to:
- find whether someone (anonymous) is using lots of different proxies to see my content (the problem here is that cookies would land on the machine of the proxy and not on the actual visitor's PC?)
- identify unique (anonymous) visitors with a dynamic IP