(context post by Gavin Andresen)
I just shut down freebitcoins.appspot.com; it looks like somebody in Spain is being a jerk and getting a new IP address, bitcoin address, and solving the captcha. Over and over and over again:
Code:
79.154.133.217 - - [04/Aug/2010:12:46:55 -0700] "POST / HTTP/1.1" 200 1294 "https://freebitcoins.appspot.com/" "Opera/9.80 (Windows NT 6.0; U; es-LA) Presto/2.6.30 Version/10.60,gzip(gfe)"
79.146.112.13 - - [04/Aug/2010:12:45:20 -0700] "POST / HTTP/1.1" 200 1294 "https://freebitcoins.appspot.com/" "Opera/9.80 (Windows NT 6.0; U; es-LA) Presto/2.6.30 Version/10.60,gzip(gfe)"
81.44.159.81 - - [04/Aug/2010:12:42:20 -0700] "POST / HTTP/1.1" 200 1294 "https://freebitcoins.appspot.com/" "Opera/9.80 (Windows NT 6.0; U; es-LA) Presto/2.6.30 Version/10.60,gzip(gfe)"
Those IP addresses all map to Telefonica de Espana. If it was you: give them back, please: 15VjRaDX9zpbA8LVnbrCAFzrVzN7ixHNsC
Now that 5 bitcoins is worth a fair bit, I’m thinking I need more cheating countermeasures. I can think of four things to try:
1. Rate limit based on the first byte of the IP address (79. or 81. in this case).
2. Rate limit based on the USER-AGENT string ("Opera/9.8…" in this case).
3. Rate limit based on last two domains of reverse DNS lookup of the IP address (rima-tde.net in this case).
4. Make the standard amount given away 0.5 Bitcoins (Bitcoins have gone up 10 times in value since I started the Faucet).
If you get rate limited, you’ll get a message that asks you to try again tomorrow.
BitcoinFX: thanks again for the donation to the faucet; I’m going to drain the Faucet below 500 coins temporarily, and will refill it with your donation after the new cheating countermeasures are in place.
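The three rate-limiting keys proposed above (first octet of the IP, User-Agent product token, last two labels of the reverse DNS name) can all be layered on top of the existing per-IP rule. The following is an added illustration, not the faucet's own code: it parses log lines in the format quoted in the post, derives each key, and counts payouts per key inside a sliding one-day window. The daily limits in DEFAULT_LIMITS, the PTR table FAKE_RDNS (standing in for socket.gethostbyaddr so the script runs offline) and the sample log lines are all constructed for the example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Combined log format as quoted in the post (App Engine appends ",gzip(gfe)" to the UA).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Constructed sample: three lines modelled on the post, one unrelated visitor,
# and a repeat claim from the first address. Not the real faucet log.
SAMPLE_LOG = """\
79.154.133.217 - - [04/Aug/2010:12:42:20 -0700] "POST / HTTP/1.1" 200 1294 "https://freebitcoins.appspot.com/" "Opera/9.80 (Windows NT 6.0; U; es-LA) Presto/2.6.30 Version/10.60,gzip(gfe)"
79.146.112.13 - - [04/Aug/2010:12:45:20 -0700] "POST / HTTP/1.1" 200 1294 "https://freebitcoins.appspot.com/" "Opera/9.80 (Windows NT 6.0; U; es-LA) Presto/2.6.30 Version/10.60,gzip(gfe)"
81.44.159.81 - - [04/Aug/2010:12:46:55 -0700] "POST / HTTP/1.1" 200 1294 "https://freebitcoins.appspot.com/" "Opera/9.80 (Windows NT 6.0; U; es-LA) Presto/2.6.30 Version/10.60,gzip(gfe)"
198.51.100.7 - - [04/Aug/2010:13:02:10 -0700] "POST / HTTP/1.1" 200 1294 "https://freebitcoins.appspot.com/" "Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.2.8) Gecko/20100722 Firefox/3.6.8,gzip(gfe)"
79.154.133.217 - - [04/Aug/2010:13:30:00 -0700] "POST / HTTP/1.1" 200 1294 "https://freebitcoins.appspot.com/" "Opera/9.80 (Windows NT 6.0; U; es-LA) Presto/2.6.30 Version/10.60,gzip(gfe)"
"""

# Hypothetical PTR results used instead of a live reverse lookup.
FAKE_RDNS = {
    "79.154.133.217": "79-154-133-217.dynamicip.rima-tde.net",
    "79.146.112.13": "79-146-112-13.dynamicip.rima-tde.net",
    "81.44.159.81": "81-44-159-81.dynamicip.rima-tde.net",
    "198.51.100.7": "host7.example.net",
}

# Assumed payouts allowed per key per day; the post does not fix these numbers.
DEFAULT_LIMITS = {"ip": 1, "octet": 2, "ua": 3, "rdns": 2}


def parse_line(line):
    """Return the log fields as a dict (timestamp parsed), or None if the line does not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    entry = m.groupdict()
    entry["ts"] = datetime.strptime(entry["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return entry


def first_octet(ip):
    return ip.split(".")[0]


def ua_product(ua):
    """First product token only, e.g. 'Opera/9.80', so the OS/locale tail cannot be varied to evade it."""
    return ua.split(" ", 1)[0]


def rdns_suffix(ip, lookup):
    """Last two labels of the PTR name ('rima-tde.net'); None when there is no PTR record."""
    host = lookup.get(ip)
    if not host:
        return None
    return ".".join(host.rstrip(".").split(".")[-2:])


class FaucetRateLimiter:
    """Sliding-window counter of successful payouts per (dimension, value) key."""

    def __init__(self, limits, window=timedelta(days=1), rdns_lookup=None):
        self.limits = limits
        self.window = window
        self.rdns_lookup = rdns_lookup or {}
        self.history = defaultdict(deque)  # key -> timestamps of payouts, oldest first

    def _keys(self, entry):
        keys = {
            "ip": entry["ip"],
            "octet": first_octet(entry["ip"]),
            "ua": ua_product(entry["ua"]),
            "rdns": rdns_suffix(entry["ip"], self.rdns_lookup),
        }
        # A missing PTR record simply drops that dimension rather than blocking everyone.
        return {d: v for d, v in keys.items() if v is not None and d in self.limits}

    def check(self, entry):
        """Return (allowed, reason). Only allowed claims are recorded, since only they pay out."""
        now, keys = entry["ts"], self._keys(entry)
        for dim, val in keys.items():
            q = self.history[(dim, val)]
            while q and now - q[0] >= self.window:
                q.popleft()  # expire payouts older than the window
            if len(q) >= self.limits[dim]:
                return False, f"{dim}={val}"
        for dim, val in keys.items():
            self.history[(dim, val)].append(now)
        return True, None


def replay(log_text, limiter):
    """Feed POST claims from a log to the limiter in timestamp order; return (ip, allowed, reason)."""
    entries = [e for e in map(parse_line, log_text.splitlines()) if e and e["req"].startswith("POST")]
    entries.sort(key=lambda e: e["ts"])
    return [(e["ip"],) + limiter.check(e) for e in entries]


if __name__ == "__main__":
    for ip, ok, why in replay(SAMPLE_LOG, FaucetRateLimiter(DEFAULT_LIMITS, rdns_lookup=FAKE_RDNS)):
        print(ip, "paid" if ok else f"refused ({why})")
```

With these limits the third rima-tde.net claim is refused on the reverse-DNS key even though its IP and first octet are new, and the repeat claim from 79.154.133.217 is refused on the per-IP rule. Checking the cheapest key first (exact IP) and the broadest last keeps the error message specific, and the sliding window means a refused visitor can try again tomorrow, as the post promises.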
I tried it last week and got 0.05BC, which is fine for its purpose (testing how it works and if it works). I also sent the same amount back. I think it works just fine like this. I wouldn't have tried it when I had to get a Google account, or something similar (getting such a thing for only 0.05BC is just too much effort for testing it).
Perhaps it would help to be more clear about the Faucet operating on an honor principle, and that no one is really allowed more than 5.05 bitcoins (or 0.55 bitcoins if you change it to that). When I revisited the site today it said "Right now the rule is 0.05 bitcoins given per unique IP address." Such language could be interpreted as if it was actually OK to get more payouts from the Faucet using several unique IP addresses, since it would not be "against the rules". Improving the technical system to prevent cheating is probably a good idea anyway, since there are probably cheaters who don't care about being cheaters. But some may actually think they are just being clever, maximizing their benefit without breaking any rules.
Just an idea… you could remove the message that tells the user he already got coins and always pretend to have sent coins when in reality you didn't. Maybe with a nice "If it doesn't work contact me at …" message. Hopefully they'll just assume it's broken and won't bother trying to get coins from it anymore.
Silently failing would look bad.
Quote from: gavinandresen on August 04, 2010, 08:40:55 PM
1. Rate limit based on the first byte of the IP address (79. or 81. in this case).
Definitely needed. What rate are you thinking of? Ultimately, it’s better to rate limit it than to let it all drain out.
Quote from: gavinandresen on August 04, 2010, 08:40:55 PM
3. Rate limit based on last two domains of reverse DNS lookup of the IP address (rima-tde.net in this case).
That might work surprisingly well. If it works, it keeps them from hitting the rate limit, but the rate limit is there as the last line of defence.
Quote from: gavinandresen on August 04, 2010, 08:40:55 PM
4. Make the standard amount given away 0.5 Bitcoins (Bitcoins have gone up 10 times in value since I started the Faucet).
Definitely time to lower it.