php – How to protect yourself from bots without captcha?


The site (PHP) has registration. It does not use a captcha and, according to the TOR, one cannot be implemented. The registration form uses unique fields; when the form is submitted, a check is made for the frequency of requests from the source IP address. But what if a botnet of several thousand machines sends registration requests? How can this be prevented?


If we reformulate the title to a more meaningful one, then the answer becomes obvious:

How to protect yourself from bots without captcha?

It is forbidden.

In general, captcha is the only way to distinguish a bot from a human. No captcha – no protection. As simple as 2×2.

In specific cases, the answer will not be so unambiguous, but very unpleasant –


This method helps in solving any complex issues.
Unfortunately, there are no ready-made recipes, and it is rather naive to believe that writing a question on the Internet is enough.

You can use only some particular solutions, but not the nonsense that is advised in other responses, such as HTTP headers or JS (hell is spying on the user on the client. However, if the task, together with bots, is to weed out honest visitors, then the method is quite good). First simulate the intended behavior of both an honest user and an attacker, and then build protection on the basis of these theoretical models, adjusting them based on the results of practical use.
