Wednesday, 31 August 2016

How to protect your faucet from bots

After passing a lot of time setting up your new faucet and making your first deposit to your faucetbox account, you think that now you will finally start to earn some money. Unfortunately it happens too often that your account gets emptied in hours by a bot attack. Not only were your efforts in vain but you actually lost the money you deposited. For most, this means already the end of the adventure as a faucet owner.

About two years ago, I built a bitcoin faucet and invested a lot of time to do so. It was supposed to be a special faucet where people had to watch some videos and click the according button to be brought to the payout page. The payout was 3000 satoshis what was even much at the time. Somebody found a way to crack my system and I lost around 0.03 btc in one night.

Not only faucetbox faucets are attacked, also the custom faucets and the Xapo faucets are suffering under this threat. Often, the owners have no other solution than to close their faucet to cut the losses. It is not only the direct losses that have to be considered. When being attacked, your faucet may get thousands of artificial hits and either your server provider or your ad networks may create trouble for you.

faucet under bot attack
Bot attacks come often hand in hand with much higher referral payouts. A big rise in referral payouts is a trustworthy indicator that your faucet is under attack.

What can you do to protect your faucet against bot attacks?

I have been attacked over and over and I think there is no 100% solution to avoid bot attacks. I came up however with a strategy to keep the bot problem under control for my faucetbox faucets and I want to share it with you here. First I think that the bot designers have managed to create a way that gives the faucet the information that all the captchas are solved. So whether you use Google's recaptcha or solvemedia or any other service this has almost no influence on your protection.

Are antibotlinks the solution?

I included antibot links in my faucets and this helped in some ways but it still does not make my faucets bot proof. It is certainly better to use antibotlinks since you can prevent basic bot attacks. If you use antibotlinks, make sure that you create your own puzzles so that your faucet becomes different from all the others. You can change the puzzles in the file "antibotlinks.php" that you have to save in the folder "libs", in the array called “$word_universe=array();”. Just look at it and you will understand quite easily how to adapt it.

See this tutorial how to put the newest version of antibotlinks on your faucet:

Please avoid putting your antibotlinks close to ads. If you do that, you are probably offending the terms and conditions of your ad networks and you just might get banned from them. Antibotlinks should only be used as a means to protect against bots not to generate fake ad clicks. Using antibotlinks is a good preventive measure to avoid attacks but not a warranty.

You have to be aware that you are under attack

Before you can do anything against a bot attack, you first have to be aware that you are facing one. In order to have a chance to see an attack coming, it is important to have a recent version of your faucetbox script on your page. Faucetbox is aware of the bot problem and they really try to do the best to help us to fight bots. With every new version there are additional tools at our disposal.

There are some measures that you can take in your faucetbox account. Go to your dashboard. In your faucet go under manage. There you have to click the currency of your faucet and set the maximal amount that is paid out every 30 minutes. Be sure not to leave this empty! Try to figure out how much you paid out in the last days and set the limit accordingly. 

Put a limit to protect your faucet from bot attacks
Set the maximal amount that you want to pay out per 30 minutes and ask
faucetbox to send you a mail when this limit is reached

The second step is to let faucetbox generate an e-mail when this limit is reached. Upon reaching the limit, your faucet does not pay anymore till the next half hour starts and it sends you an e-mail to let you know it. When you get e-mails regularly, this means probably that you are under attack and that you should do something about it. Since you have put a limit, you do not have to do anything immediately. The limit protects your assets but you should react so that the normal users can still claim from your faucet.

How to find out whether you are under attack?

First you have to make sure that you are really under attack. For that I have several indicators:

- Bot attacks come almost always with increased referral payments. Why would they claim only the normal payout if they do all the work to rip you off? So if you have much more frequent referral payouts that can be a sign.

- When I am under attack, I realized that bots are not registered by Google Analytics so there is a big gap between the number of visits and the number of faucet claims on Faucetbox. If there is a big discrepancy with the average numbers, this can indicate that bots are at work.

- If I have a btc address that brought a lot of referrals, I check in Google Analytics if there are people having used this referral address as entry to the faucet. With bots there is often not a single one.

If these indicators are not enough, I put my faucet in maintenance mode. I write in big that the faucet is under maintenance so that human users can see it well and I put the payout to 1 satoshis (for btc) and I put the referral commission to 100%. I check then in my faucetbox account (payouts) whether people are still claiming. If they do, well they are probably not people but bots. Why do I put the referral commissions to 100%? I want to see the referring addresses and to be able to see them, there needs to be at least 1 satoshi referral payout per claim.

What can you do when your faucet is attacked by bots?

1) Disable the faucet

If you are sure that your site is under attack, I would disable your faucet because the attack will not stop before you do something. Let the faucet run in maintenance mode some time before you disable it. To disable the faucet, just erase all the rewards in your admin page in the basic tab.

2) Ban the btc addresses

In the payout history of your faucet (in faucetbox dashboard) you can find all the addresses to which payments were made. Of all the people who claimed 1 satoshis, check the referring addresses first. Did you find them in Google Analytics? If not go to your faucet admin page and open the tab “Referrals”. Enter the btc address in the field and it will show you all the referrals of this address. Since you know that the referring address is a bot, you also know that the referrals are bots. You can ban all these addresses by pasting them into the field “List of cryptocurrency addresses to ban” on the security tab in the admin page of your faucet. To do it fast, I copy the whole list and paste it into a Microsoft excel sheet. Then I select only the column of the referrals and paste it into a text editor. This gives me a list with the addresses in the good order (one per line). I can now paste them into the field on my faucetbox admin page.

When banning addresses there is always the risk that you ban real people so do not ban if you are not really sure.

Banning addresses will probably not eliminate all the bots on your faucet but you make their endeavor much less profitable. If this measure is not enough, you should modify your faucet. Either by changing the layout, the puzzles of your antibotlinks or the captcha.

As a last resort you can use the new function of the faucetbox script which allows you to forbid embedding your faucet in an iframe. A bot is nothing else than a script that needs a support and by denying that your faucet is shown in a frame, makes the bots work much more difficult. Unfortunately this will also prevent your faucet from being placed in faucet rotators and you might lose a lot of users.

fight against bot by preventing that your faucet can be embedded
On the admin page of your faucet in the tab "basics" (from script version 64)
you can choose to disable embedding your faucet in  iframe from other domains  

As faucet owners, we have to live with this bot problem and I do not think that there is a 100% security available. With the measures above you have a solution to deal with the problem but it takes a lot of time to put into action and this just makes this business more expensive and less profitable. When I look at the faucet world today, this tendency is visible everywhere. The payouts are going down, more faucets are disabled and many disappear. In the long term and combined with the advertising restrictions of some ad networks, people using bots are ruining this small industry and I do not know whether there will still be owners out there trying to run a faucet business in a couple of months… I expect the worst and hope for the best. 

If you prefer to look for an alternative to earn money online you can try this:

If you have any suggestions or experiences in how you deal with bots, please share them with us and leave a comment below.

No comments:

Post a Comment