Instead of asking for the link, ask for a screenshot of the link. The link is visible, but a bit harder to access. Person would have to type in the link by hand, but if this attack is using a scraper, the link wouldn’t be captured. If it is, it would take a bit longer to solve.
Also, new TL0/1 people won’t be able to see images until they are TL2. May not be possible, but again, I’m throwing ideas here to help.
Although this is defeatable with clients that parse CSS, those are less common and slower. You can make the style take a second or two to load, too. That will effectively slow scraping, although people can always copy/paste.
Or just include something like:
<a class="toDecrypt" data-password="[some aes password]">[text]</a>
<!-- have a script to decrypt each <a> link -->
And here's my idea for the information-encrypt thing:
Have a few rows of checkboxes (or + buttons) labeled "Include Username" "Include Database Name" "Include Your Website: [dropdown v]/[input for subdomain]"etc.
Beneath each could be an short explanation for why to include it. At the very bottom a free input box for misc data.
I like the idea but it suffers from one downside. Unfortunately, it’s possible for an attacker to decrypt and parse the text inside the image through any Optical Character Recognition (OCR) system. If you think that it will take a bit longer to solve, you’re probably wrong, especially if the attacker already knows that it going to be part of the security measure against his/her future attacks (well, this topic is already available to the public). The attacker might use an image scraper and decrypt the text after the scraping process. I do not think the attacker will do it manually. I know there are several libraries available in popular programming languages for OCR functionality such as Tesseract. The attacker can create his/her own program to automate the process. That’s why it’s not impossible for the attacker to speed up the whole scraping process.
I do not want to be a bad guy here. I just want to share the implications of that approach in another perspective.
What do you mean by “information-encrypt thing”? I didn’t see any encryption process in that approach.
As stated by @Admin, the approach does not encourage flexible sharing of information. If I’ve understood the @Admin correctly, the approach is only feasible if a particular type of information is available in the control panel. New users will suffer in this approach. For example, a user may encounter a certain issue on a domain name which has not been added in the client area yet. Not only the new users will suffer but also the existing users as well, depending on when or where a particular issue takes place.
Yeah. Without any proper validation process, irrelevant information is problematic in this method. Not to mention that users can put spam messages into the input box, too.
What do you mean exactly by this statement, @Admin? In what way?
People already do that, I don’t think removing the template will result in more or less spam
Please don’t. Especially for long URLs, it is annoying to transcode. Then you will also run into issues of users tying it out themselves and screenshotting it, so is that letter a “I” or a “l”?
The problem with website URLs is that it might expose the website to attacks. It might also result in people’s topics on this forum showing up when they search for their website, which is undesirable.
Usernames don’t have this issue. You can’t attack a website if all you have is a username. And people who look for your website probably won’t know your account username.
My account was suspended for exceeding the hits limit. This ‘attack’ was surprisingly (at the time) on the heals of my inquiry to https://www.xml-sitemaps.com as to why I could not generate a sitemap.xml file for my website. I had done so in the past. I was first told the bot was blocked by Cloudflare. I paused my Cloudflare link and tried again. This time I was told that my Infinity Free account was to blame. They even provided me a pertinent link to the IF forum. Then there was a comment on the forum that sitemaps essentially were a waste of time. Next thing I know my site gets 16M hits. Just sayin’. Further details are available on the forum, including my website URL.
Bit offtopic, but online site map generators are useless. If you are not creating them yourself, or letting your CMS create it for you, don’t bother. The crawlers that work for search engines are just as good, but probably way better, than the crawler on the site map generator site.
TL;DR online site map generators are useless and a waste of time.
What if it determines Hits based on how long a user is on the site? If a rapid DDoS attack was launched on the website, chances are that the IP accessing the site will leave after accessing it, maybe coming back. If the IP very briefly access the site, then leaves, that could be considered a bot and could be ignored. However, if an IP stays on the site for X period of time, the Hits is then counted for.
Unfortunaitly, as I understand it, once a page is served, there’s no interaction with the server until the next page (or a script) makes a call to the server.
This. An IP address doesn’t “stay on a site”. Web requests themselves are stateless. Cookies can be used to tie different requests together, and monitoring whether someone is on a site is usually done with Javascript.
Both methods are easy to bypass (frankly, it takes more effort to create a bot that supports this than one that doesn’t), and are quite costly on the server to detect and monitor.
Remember that for any DDoS filtering to make sense, it needs not only to work, but also needs to use minimal system resources. If not, then detecting the attack takes more server power than the attack itself does, and you gain nothing.
Information that can be thoroughly verified through any legal process such as national ID, passport, etc. I think it’s currently impossible to accurately verify the account information in that way without the government’s help. Depending on the type of information, we will need the government’s API for the verification process.
ID verification services exist. These companies specialize in checking ID documents. As a service provider, you can just plug in their system into your app and they will do the verification for you. Users then need to photograph their ID and take a selfie, and the ID verification service will check the authenticity of the document and make sure that the document is presented by the person whose details are on the document. The ID verification service knows what documents for every country should look like.
All banks and financial service providers around here have systems like this (either third-party or in-house), and many other companies that want or need to do identity verification do so too.
The good thing is that anyone who wants to do these kinds of identity checks can do them. All you need is to pick a service and integrate it.
The bad things are:
These services are not free. A quick check with a few providers I know charge $1 for a basic verification. Which is not a lot of money, but does add up with many registrations.
I don’t know about you, but I’m very hesitant to share my ID with anyone due to risk of identity fraud. I have left companies whose services I loved because they insisted I provide an ID. And there is zero chance I would share my ID just to be able to help other on a forum.
It would be very effective to prevent abuse on free hosting by asking everyone to submit their ID. But that would also be way too costly for a free service.