根据您想要进入的复杂程度，您可以采取一些解决方案。

这些都是基于IP跟踪，在僵尸网络和云计算下有些崩溃，但应该能挫败绝大多数的僵尸。乔·兰登拥有大量机器人的可能性远远低于他只是运行一个从某处下载的Woot机器人来获取他的垃圾的可能性。

普通的节流

At a very basic, crude level, you could throttle requests per IP per time period. Do some analysis and determine that a legitimate user will access the site no more than X times per hour. Cap requests per IP per hour at that number, and bots will have to drastically reduce their polling frequency, or they'll lock themselves out for the next 58 minutes and be completely blind. That doesn't address the bot problem by itself, but it does reduce load, and increases the chance that legitimate users will have a shot at the item.

自适应调节

An variant on that solution might be to implement a load balancing queue, where the number of requests that one has made recently counts against your position in the queue. That is, if you keep slamming the site, your requests become lower priority. In a high-traffic situation like the bag of crap sales, this would give legitimate users an advantage over the bots in that they would have a higher connection priority, and would be getting pages back more quickly, while the bots continue to wait and wait until traffic dies down enough that their number comes up.

废料验证码

Third, while you don't want to bother with captchas, a captcha at the very end of the process, right before the transaction is completed, may not be a bad idea. At that point, people have committed to the sale, and are likely to go through with it even with the mild added annoyance. It prevents bots from completing the sale, which means that at a minimum all they can do is hammer your site to try to alert a human about the sale as quickly as possible. That doesn't solve the problem, but it does mean that the humans have a far, far better chance of obtaining sales than the bots do currently. It's not a solution, but it's an improvement.

以上的组合

实施基本的、慷慨的限制来阻止最滥用的机器人，同时考虑到单个公司IP背后的多个合法用户的潜力。截止数字将非常高——你引用了bot攻击你的网站10次/秒，即216万次/小时，这显然远远高于任何合法的使用量，即使是最大的公司网络或共享ip。

实现负载平衡队列，这样如果占用的服务器连接和带宽超过自己的份额，就会受到惩罚。这将惩罚共享公司池中的人，但不会阻止他们使用站点，而且他们的违规行为应该远没有您的装瓶者那么可怕，因此他们的惩罚应该不那么严重。

最后，如果您超过了每小时请求的某个阈值(这个阈值可能远远低于“自动断开连接”的截止值)，那么就要求用户使用验证码进行验证。

这样，合法使用网站的用户每小时只有84个请求，即使他们非常兴奋，也不会注意到网站速度变慢了。然而，乔·波特发现自己陷入了两难境地。他可以:

Blow out his request quota with his current behavior and not be able to access the site at all, or Request just enough to not blow the request quota, which gives him realtime information at lower traffic levels, but causes him to have massive delays between requests during high-traffic times, which severely compromises his ability to complete a sale before inventory is exhausted, or Request more than the average user and end up getting stuck behind a captcha, or Request no more than the average user, and thus have no advantage over the average user.

只有滥用的用户才会受到服务降级或复杂性增加的影响。合法用户不会注意到任何变化，除了他们更容易购买他们的垃圾包。

齿顶高

以远低于注册用户的速率限制未注册用户的请求。这样，机器人所有者就必须通过一个经过身份验证的帐户来运行机器人，以通过应该是相对严格的节流率。

然后，有创造力的装瓶者将注册多个用户id，并使用这些id来实现他们想要的查询率;您可以通过将给定时间段内来自同一IP的任何ID视为相同的ID，并接受共享节流来解决这个问题。

这使得装瓶商别无选择，只能运行一个机器人网络，每个IP一个机器人，每个机器人注册一个Woot账户。不幸的是，这实际上无法与大量未关联的合法用户区分开来。

您可以将此策略与上述一种或多种策略结合使用，目的是为没有滥用使用模式的注册用户提供最佳服务，同时根据他们的状态(匿名或已注册)以及由流量指标决定的滥用程度逐步惩罚其他用户，包括注册用户和未注册用户。

您可以通过同时更新RSS和HTML来减少服务器上的负载，这样机器人就不会对您的站点进行屏幕抓取。当然，这给了机器人和购买你的装备的优势。

如果你只接受信用卡支付(可能是这样，也可能不是，但这显示了我的思路)，只允许用户每10次使用同一个账户和/或信用卡购买一次BOC。对一个脚本小子来说，搞到一大堆ip很容易，但搞到一大堆信用卡就不那么容易了。正如你所说的，ip很难被禁止，而暂时禁止信用卡应该是在公园里散步。

你可以让每个人都知道限制是什么，或者你可以告诉他们，因为高需求和/或机器人的兴趣，在不具体说明机制的情况下，对购买实施了限制。

在节流期间的每一次购买尝试都可能引发指数级的倒退——你买了一个BOC，在你再次尝试之前，你必须通过10次销售。不管怎样，你还是会在下一次促销时再次尝试，现在你不得不等待20次、40次、80次……

只有在人类用户不太可能在不到10次销售中获得两次BOC的情况下，这才真正有用。适当地调整数字。

我喜欢BradC的回答(使用Ned Batchelder文章中的建议)，但我想在此基础上再增加一个层次。您不仅可以随机化字段名称，还可以随机化字段位置和使它们不可见的代码。

Now, this last bit is hard part and I don't know exactly how to do it, but someone with more JavaScript and CSS experience might be able to figure it out. Of course, you can't just keep the same positions all the time, because the scripters will just figure out that the element with position (x,y) is the real one. You would have to have some code that changes the positioning of form elements relative to other elements in order to move them off the page, overlay them on each other, etc. Then obfuscate the code that does this with some randomness introduced into it. Automatically change the obfuscation daily, before a new item is made available. The idea is that without a proper CSS and JavaScript implementation (and code to read layout of the page as a human would) a bot won't be able to figure out which elements are being shown to the user. Your server-side code, of course, knows which fields are real and which are fake.

总而言之:

字段名是随机的 字段顺序是随机的 字段隐藏代码很复杂 字段隐藏代码是随机混淆的 服务器端代码每天自动更改随机因子

在你给出的限制条件下，我不认为有办法避免某种形式的“军备竞赛”，但这并不意味着一切都完了。如果你能在军备竞赛中实现自动化，而编剧不能，那么你每次都能获胜。

我的解决方案是，通过为“机器人和脚本”设置大约10分钟的延迟，让屏幕抓取变得毫无价值。

以下是我的做法:

记录并识别任何重复作案的人。

你不需要记录每次点击的每个IP地址。大概每20次点击只录一次。一个惯犯仍然会在随机的偶尔跟踪中出现。

保留大约10分钟前页面的缓存。 当重复攻击者/机器人攻击您的网站时，给他们10分钟前的缓存页面。

他们不会马上意识到他们得到的是一个旧网站。他们可以把它刮掉，但他们不会再赢得任何比赛了，因为“真人”会有10分钟的领先优势。

好处:

没有麻烦或问题的用户(如验证码)。 完全在服务器端实现。(不依赖Javascript/Flash) 提供一个较旧的缓存页面的性能强度应该小于活动页面。这样实际上可以减少服务器的负载!

缺点

需要跟踪一些IP地址 需要保持和维护旧页面的缓存。

您可以尝试让脚本更难阅读价格。最简单的方法是将其转换为图像，但文本识别算法仍然可以解决这个问题。如果有足够多的脚本编写人员能够解决这个问题，您可以尝试对该图像应用类似验证码的东西，但显然是以牺牲用户体验为代价的。而不是图像，价格可以在一个flash应用程序。

或者，您可以尝试设计一种方法，以某种不影响呈现的方式在页面中“洗牌”HTML。我一时想不出一个好的例子，但我确信它在某种程度上是可行的。

那么使用Flash呢?

是的，我知道使用Flash的开销，加上一些用户将无法购买这些垃圾(即iPhone用户)，这可能会造成不利影响，但在我看来，Flash可以防止屏幕抓取或至少使其变得困难。

我错了吗?

编辑添加

在你的提交表单上添加几个“隐藏”字段怎么样，就像我下面发现的那样:

Actually, best practice seems to be to use two hidden fields, one with an initial value, and one without. It's the rare bot which can ignore both fields. Check for one field to be blank, and the other to have the initial value. And hide them using CSS, not by making them "hidden" fields: .important { display : none ; } Please don't change the next two fields. Bots tend to like fields with names like 'address'. The text in the paragraph is for those few rare human beings who have a non-CSS capable browser. If you're not worried about them, you can leave it out. In the logic for processing the form, you'd do something like: if (address2 == "xyzzy" and address3 == "") { /* OK to send / } else { / probably have a bot */ }