我所读到的大多数解决方案最终都退化为一种反移动的情况，并不能抑制人们按照“公平竞争规则”进行游戏的积极性。

你有没有想过有目的的性能限制/影子禁止?如果你检测到来自一个IP的大量命中，你的CGI脚本是否故意延迟响应-或者让他们没有资格赢得该物品?

So If you say set a cookie on the system and you see it hitting you more than X per interval of time, you start delaying the responses more and more. If you see cookie X continue this behavior for some interval of time, you set the dreaded 'Can not win today come back tomorrow flag' and dont tell them - that way, even if they win, they still loose. If you have several parameters like this that would be easily/randomly tweekable, you could be changing the rules all the time in such a way that it would keep out the bots - but humans wouldnt even notice. Maybe you could have a login have a delay of X seconds - where the delay is depended on that IP addresses history of hits/logins :)

只是一两个想法

已经发布了一些其他/更好的解决方案，但为了完整起见，我想我会提到这个:

If your main concern is performance degradation, and you're looking at true hammering, then you're actually dealing with a DoS attack, and you should probably try to handle it accordingly. One common approach is to simply drop packets from an IP in the firewall after a number of connections per second/minute/etc. For example, the standard Linux firewall, iptables, has a standard operation matching function 'hashlimit', which could be used to correlate connection requests per time unit to an IP-address.

虽然，这个问题可能更适合于上一个so播客中提到的下一个so衍生产品，它还没有推出，所以我想可以回答:)

编辑: 正如novatrust指出的那样，仍然有ISP实际上没有分配ip给他们的客户，因此有效地，这样一个ISP的脚本客户将禁用该ISP的所有客户。

我的解决方案是市场变革和技术变革的结合。

目前，销售垃圾促销袋部分的技术方面被处理为正常的woot销售。促销开始了，人们争相购买，所有的商品都卖光了。用于日常销售的相同统计图表都是用过的垃圾销售。

这里涉及到几个市场目标:

Get customers to visit the site once every day (impluse purchasing). The possiblility of a seeing a bag of crap sale is the reason/reward. Network/viral/gossipy effect where a customer sees a bag of crap sale is on they will IM/EMail/Telephone their friends. There is also what I'd call general "good will". Woot is a really cool place because it occasionally rewards its customers with amazing sales (bag of crap that included a flat panel tv)... AND its done in a fair "first comes first served" manner.

前两个似乎是最重要的。纯粹的访客数量会影响正常交易的销售速度(或销售一空)。传统上，新客户主要是通过口口相传来吸引的，让客户把自己的朋友推荐到woot.com是一种胜利。

所以…我的解决方案是将促销活动的递送方式改为更多的抽奖方式。

偶尔用户可以做一些有趣的事情，看看他们是否有资格得到一袋垃圾。有趣的内容可以是类似“punch The monkey”或Orbitz迷你看球游戏、棒球或曲棍球的愚蠢flash游戏。这里的目标是机器人无法编写脚本的游戏，因此需要相当谨慎。我们的目标也不仅仅是给游戏赢家一袋垃圾……但对所有游戏玩家来说。

The technical core of the game is that at the end of the game a request is made to a server that does an "instant lottery" to determine if the user has won a bag of crap sale opportunity. The server request will need to include something calculated by the game itself (roughly speaking "hash cash"... a complex, CPU cycle consuming, calculation, and hopefully one that is difficult to reproduce). This is to prevent a bot from repeatedly entering the lottery just be querying the lottery server/service.

游戏本身也会随着时间而改变。你可以为万圣节、圣诞节、情人节、复活节等制作特殊事件游戏。还有许多有趣的营销理念可以与woot的“wooiness”相匹配。

If the user wins they can purchase N bags of crap (in a time limited window)... but they can also send N friends a time limited invitation to purchase a bag of crap (good for 24 hours). This provides a super strong network effect... customers will definately tell their friends. Or you could also do it as "buy 1 give 1"... let customers buy up to a total of N but force every second one to be shipped to a friend. The key here is to make the network/gossip effect an full fledged part... help the customer tell the world about the wonderfulness of woot.

促销材料周围袋垃圾销售概念也将需要修改。一袋垃圾多快卖完的图表已经无关紧要了。比如每个月人们有多少次机会购买。有多少人告诉他们的朋友。材料应该微妙地强调这一点，每天去拜访是一个好主意。

你也可以宣传为什么一袋垃圾的销售正在改变。尤其是你免费雇佣了最烂的顾问。

At the expense of Usability by those with screen readers you could just, on 90% of the pages use unlabelled, undenotable picture buttons. Rotate the pictures regularly and use a random generator and random sorting to lay out two buttons that say "I want this" and "I am a bot". Place them side by sort in a different order. At each stage a user can make progress torwards their target but a bot is more likely to make a mistake (50% * number of steps). It's like a capture at every stage on easier for the user and slower for bots who need to prompt their master at EVERY single step. Put the price, the confirm button, the item description in pictures. It sucks but likely more successful.

用户必须等待图像中显示的延迟的延迟页面如何?

你只有在他们在图像中指定的足够短的时间内点击时才会从他们到达的页面进行排序，也许图像可以在动画gif或非常小的javascript或flash计时器中进行倒计时。

如果他们在时间限制之外跳转到详细信息页面，他们会看到在之前的回答中讨论过的昂贵物品。

如何像SO那样实现captcha呢?

如果你正常使用这个网站，你可能永远不会看到它。如果你经常重载同一个页面，过快地连续发布评论，或者其他触发警报的事情，让他们证明他们是人。在您的情况下，这可能是不断地重新加载同一页面，快速地跟踪页面上的每个链接，或者快速地填写订单。

如果他们连续x次检查失败(比如2次或3次)，给该IP一个超时或其他类似的措施。然后在超时结束时，再次将它们转储回检查。

因为你有未注册的用户访问网站，所以你只有ip地址可以继续。如果愿意，您可以向每个浏览器发出会话并以这种方式跟踪。当然，如果连续(重新)创建了太多会话，还要进行人工检查(以防机器人不断删除cookie)。

至于发现太多无辜的人，你可以在人工检查页面上发布免责声明:“如果有太多匿名用户从同一位置查看我们的网站，也可能出现此页面。我们鼓励你注册或登录以避免这种情况。”(适当调整措辞。)

此外，X个人同时从一个IP加载同一页面的几率是多少?如果它们很高，也许你需要一个不同的触发机制来触发你的机器人警报。

编辑:另一种选择是，如果他们失败了太多次，而你对产品的需求有信心，阻止他们，让他们亲自打电话给你来消除阻碍。

让人们打电话似乎是一种愚蠢的措施，但它可以确保计算机后面有一个人。关键是要让块只在一个几乎不应该发生的情况下出现，除非它是一个机器人(例如，连续多次检查失败)。然后它强迫人类互动——拿起电话。

对于让他们打电话给我的评论，这里显然有一个权衡。你是否担心你的用户会在打折时接几个电话?如果我如此关心产品是否能被人类用户使用，我就必须做出这个决定，可能会在这个过程中牺牲(一小部分)我的时间。

既然你似乎决心不让机器人占据上风/抨击你的网站，我相信手机可能是一个不错的选择。因为我没有从你们的产品中获利，所以我没有兴趣接这些电话。然而，如果你分享一些利润，我可能会感兴趣。因为这是你的产品，你必须决定你有多关心和相应的实现。

其他释放阻塞的方式都不那么有效:超时(但他们会再次关闭你的网站，冲洗-重复)，长时间超时(如果真的有人试图购买你的产品，他们会被SOL并因检查失败而受到惩罚)，电子邮件(很容易由机器人完成)，传真(相同)，或蜗牛邮件(花费太长时间)。

当然，您也可以在每个IP每次超时时增加超时时间。只要确保你不是在不经意间惩罚真正的人类。