[nycphp-talk] Rate limiters for sign ups for a site.

Anthony Wlodarski anthony at tinkertownlabs.com
Mon Aug 15 13:04:40 EDT 2011


I signed up for ReCaptcha via Google and have implemented it 
successfully.  I was hesitant to use it based on the ease with which it 
can be defeated by OCR software but it is getting harder and harder for 
bots as well as humans to decipher the images.  I am going to seriously 
consider (well more like definitely implement but just have to plan it) 
email verification.  The ReCaptcha is coupled with Zend Framework.  I 
extended the Zend_Service_ReCaptcha class as I wanted to provide a 
custom theme for the class and I do have to say that it is working out 
quite well.

I do also see now how IP limiting would definitely lead to DoS for some 
clients and the site is accessible to all.  I plan to write up how to 
extend the Zend class at the end of the day.  I'll post a link to my 
blog by the end of the day.

-Anthony

On 08/15/2011 10:14 AM, Ben Sgro wrote:
> Hello Anthony,
>
> Have you implemented CAPTCHAs? If you have not, that might help curb some of the automated account creation. Also, you could add in an email verification step to the account sign-up process.
>
> Can you give more details on what techniques you've tried and what (if any) framework or libs (cake, zend, etc)
> you might be working with.
>
> As far as rate limiting via IP, not sure, but you can imagine how that could lead to DoS for some clients behind a large corporate IP or ISP. I'm not sure what the de facto timeout is for that sort of setup or how the software should handle it. Does this site receive "high traffic?" or traffic from only one company or subnet? Or is this a site accessible to all?
>
> Good luck!
>
> - Ben
>
> On Aug 15, 2011, at 9:45 AM, Anthony Wlodarski wrote:
>
>> I'm having a problem with spam bots and am currently researching how to build an effective rate limiter for our sign up form.  Currently I am leaning towards IP based limits (with a certain time criteria).  Has anyone ever had problems with this type of rate limit and corporate proxies/firewalls where every user has the same IP address?  Also if anyone has any interesting articles about this type of rate/velocity limiting I would be interested in learning more.
>>
>> Regards,
>> Anthony
>>
>> -- 
>> Anthony Wlodarski
>> Lead Software Engineer
>> Get2Know.me (http://www.get2know.me)
>> Office: 646-285-0500 x217
>> Fax: 646-285-0400
>>
>> _______________________________________________
>> New York PHP Users Group Community Talk Mailing List
>> http://lists.nyphp.org/mailman/listinfo/talk
>>
>> http://www.nyphp.org/Show-Participation

-- 
Anthony Wlodarski
Lead Software Engineer
Get2Know.me (http://www.get2know.me)
Office: 646-285-0500 x217
Fax: 646-285-0400
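The IP-based limiter the thread debates, written up as an added example (not code from the list or from Anthony's Zend work, and in Python rather than PHP): a sliding window per source IP with a soft threshold that escalates to a CAPTCHA or e-mail verification step and a hard threshold that refuses, so a busy corporate NAT address is challenged rather than locked out. The thresholds, the window length and the 203.0.113.7 address are constructed for the example.

```python
import time
from collections import defaultdict, deque


class SignupRateLimiter:
    """Sliding-window signup limiter keyed by client IP.

    Up to ``soft`` attempts per window are allowed outright. Between
    ``soft`` and ``hard`` the signup is only allowed after an extra check
    (CAPTCHA or e-mail verification), which keeps many legitimate users
    behind one NAT/proxy IP from being refused. Above ``hard`` it is denied.
    The numbers are hypothetical defaults chosen for this example.
    """

    def __init__(self, window_s=3600, soft=5, hard=50, clock=time.monotonic):
        self.window_s = window_s
        self.soft = soft
        self.hard = hard
        self.clock = clock                  # injectable for testing
        self._hits = defaultdict(deque)     # ip -> timestamps of recent attempts

    def _prune(self, ip, now):
        """Drop attempts older than the window and return the live queue."""
        q = self._hits[ip]
        while q and now - q[0] > self.window_s:
            q.popleft()
        return q

    def decide(self, ip):
        """Record one attempt from ``ip`` and return allow / challenge / deny."""
        now = self.clock()
        q = self._prune(ip, now)
        q.append(now)
        n = len(q)
        if n > self.hard:
            return "deny"
        if n > self.soft:
            return "challenge"
        return "allow"


class FakeClock:
    """Deterministic clock so the simulation below is reproducible."""

    def __init__(self, start=0.0):
        self.t = start

    def __call__(self):
        return self.t


def simulate_shared_ip(attempts, limiter, clock, spacing_s, ip="203.0.113.7"):
    """Decisions for ``attempts`` signups arriving from one shared IP."""
    decisions = []
    for _ in range(attempts):
        decisions.append(limiter.decide(ip))
        clock.t += spacing_s
    return decisions
```

Thirty users signing up from one office IP over half an hour are challenged, not refused; a bot hammering the form every second hits the hard limit, and the window frees the address again once it goes quiet.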