> I would think you could obscure whatever marker you use fairly easily, any basic encryption should work.

Indeed, you can, and there are situations in which it makes sense. However, it doesn’t really help when it comes to detecting abuse of this sort. For one, CGNAT causes problems. There’s also the issue of people linking to articles from sites like HN and Wayback Machine. Those two alone make it nearly impossible to automatically rate limit based on an ID in the URL.

CGNAT is a big issue that Western companies tend to neglect. However, it’s increasingly common in places like India, and it’s even seen at times in the US, especially in rural areas. And, of course, public VPNs are growing in popularity. Unfortunately, all of these factors mean that performing any sort of risk analysis or rate limiting on IP address alone tends to be ineffective or outright harmful for moderately large sites. You can do some fairly basic categorization (this is from a residential ISP, this is from a datacenter), but beyond that, it’s not particularly useful.

Hypothetically, let’s say:

1. We tag every URL with an IP address association in some way.
2. Someone posts a link on HN.
3. We see lots of requests with IP address tags that don’t match the actual requesting IP address, so we block or rate limit them.
4. We’ve just blocked traffic from HN.

Another hypothetical:

1. We design, calibrate, and test a rate limiting system in the US.
2. Some large percentage of real-world traffic comes from India and is behind CGNAT.
3. We’ve just rate-limited most of India.
4. So we exclude India.
5. But now we’ve rate-limited Nigeria, and malicious traffic from India isn’t blocked.

What we actually end up doing is similar but mostly relies on cookies instead, and it’s only a single risk factor. It’s not perfect, and it has some caveats that the URL solution avoids, but it has far fewer false positives.
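The two hypotheticals above, worked through as an added Python simulation (this is editorial example code, not code from the commenter or from any site they describe). It assumes a keyed HMAC over the client IP as the "obscured marker", a simple fixed-window counter as the rate limiter, and constructed addresses from the RFC 5737 documentation ranges; the visitor counts, the per-window limit and the session names are likewise constructed. The first scenario shows that a "block on tag mismatch" rule cannot tell an HN visitor from anyone else, and the second shows how many users behind one CGNAT address trip a per-IP limit that a per-cookie limit never reaches.

```python
"""Added example: simulate IP-tagged URLs vs. CGNAT under simple abuse rules."""
import hashlib
import hmac
from collections import defaultdict
from urllib.parse import parse_qs, urlencode, urlparse

# Constructed demo secret; a real deployment would use a managed, rotated key.
SECRET = b"constructed-demo-key"


def ip_tag(ip: str, key: bytes = SECRET) -> str:
    """Keyed, truncated HMAC of the client IP: an 'obscured marker' that a
    viewer can neither decode nor forge without the key."""
    return hmac.new(key, ip.encode(), hashlib.sha256).hexdigest()[:16]


def tag_url(path: str, client_ip: str) -> str:
    """Hypothetical 1, step 1: every URL handed out carries a tag bound to the
    IP that requested it (hostname is a constructed placeholder)."""
    return f"https://example.test{path}?{urlencode({'t': ip_tag(client_ip)})}"


def tag_matches(url: str, requesting_ip: str) -> bool:
    """Does the tag in the URL correspond to the IP now requesting it?"""
    tag = parse_qs(urlparse(url).query).get("t", [""])[0]
    return hmac.compare_digest(tag, ip_tag(requesting_ip))


def simulate_hn_link(hn_visitors: int = 40) -> dict:
    """Hypothetical 1: a reader at one IP receives a tagged URL and posts it to
    HN; visitors from many other IPs follow it. Blocking on mismatch blocks them all."""
    reader_ip = "203.0.113.5"  # constructed, TEST-NET-3
    url = tag_url("/articles/42", reader_ip)
    # Constructed HN visitor IPs from TEST-NET-1; none is the original reader.
    visitor_ips = [f"192.0.2.{i}" for i in range(1, hn_visitors + 1)]
    blocked = sum(1 for ip in visitor_ips if not tag_matches(url, ip))
    return {
        "original_reader_blocked": not tag_matches(url, reader_ip),
        "hn_visitors": hn_visitors,
        "hn_visitors_blocked": blocked,
    }


def fixed_window_limiter(events, key_fn, limit: int) -> set:
    """Minimal fixed-window counter: once a key exceeds `limit` hits in the
    window, every further hit on that key is limited. Returns affected users."""
    hits = defaultdict(int)
    limited_users = set()
    for user, ip, session in events:
        key = key_fn(user, ip, session)
        hits[key] += 1
        if hits[key] > limit:
            limited_users.add(user)
    return limited_users


def simulate_cgnat(users: int = 60, requests_per_user: int = 2, limit: int = 30) -> dict:
    """Hypothetical 2: many users share one CGNAT egress IP. A per-IP limit sized
    for 'one IP = one user' trips on aggregate volume; a per-cookie limit does not."""
    cgnat_ip = "198.51.100.1"  # constructed, TEST-NET-2
    # Each user makes a modest number of requests, one user after another.
    events = [(f"user{u}", cgnat_ip, f"session-{u}")
              for u in range(1, users + 1)
              for _ in range(requests_per_user)]
    by_ip = fixed_window_limiter(events, lambda u, ip, s: ip, limit)
    by_cookie = fixed_window_limiter(events, lambda u, ip, s: s, limit)
    return {
        "users": users,
        "per_ip_limited_users": len(by_ip),
        "per_cookie_limited_users": len(by_cookie),
    }


if __name__ == "__main__":
    print(simulate_hn_link())  # all 40 HN visitors blocked; the original reader is not
    print(simulate_cgnat())    # 45 of 60 users limited per IP, 0 per cookie
```

The per-cookie counter only stays clean because each user carries a distinct session; that is why the comment treats it as one risk factor among several rather than a replacement for IP reputation, and it is also why the basic residential-vs-datacenter categorisation still has a place alongside it.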