Re: blocking IPs

As soon as you cast the magic words "IP blocking" the default replies are always "think about the people behind a NAT firewall" and "there is no way you can use this". (I should write a bot for that someday ;)

I, however, think that's unfair judgment for this specific case. I doubt that you run an image gallery with the load of /. or google. In your case I wouldn't be bothered by the fact that two people *might* not be able to vote, because someone else in the LAN already did so. Besides that, do you really care that much if you miss one legit rating, if you can block certain script kiddies?

You can work out a login procedure, quite like Perlmonks, or Freshmeat for that matter. That way you can allow one vote per image, per user (as stated above), but I quite frankly get quite tired of all the websites you have to register for. You want to search through some message board? Register first! You want to read a certain post? Register first! You want to view an image? Register first!

Yet another way could be the use of cookies. This is very easilly worked around, but hey, it can prevent the truely ignorant script kiddy-wannabees from rating an image a thousand times.

Sessions could be another option. Same as with cookies. Easy to work around, but it'll stop the totally clueless.

But, as prophesied before, if some script kiddy really wants to screw up your ratings, chances are big [s]he'll succeed.

I think the easiest way for you, is to set up a simple database in which you store the IP of the voter, the image [s]he voted for, and the timestamp. Then disallow the IP to vote again for say a day or even a week. That way, you do allow others from the same IP to cast their vote (albeit with a delay) and you prevent the scriptkiddies from writing a simple bot to vote numerous times a minute. Then when someone wants to vote, you first check if their IP is already in your ban-database (for the specific image) and you check the timestamp (how long ago did we receive a vote for this already?). Based on the outcome of these tests, you either allow the vote, or politely report that the voter already voted for this image and that only one vote is allowed, possibly followed by your email address in case of questions.

Just my €0,02

--
b10m

Comment on Re: blocking IPs

Replies are listed 'Best First'.
Re: blocking IPs by Abigail-II (Bishop) on Jan 27, 2004 at 14:06 UTC
I doubt the more than a million AOL customers can be considered to be on a single LAN. Sure, they have "lots and lots" of proxies, but up to a few years ago, they hid behind a dozen proxies. Perhaps they now have a few hundred of them. That still means they have a high user/IP ratio. And AOL isn't the only ISP with a lot more customers than proxies and/or NAT boxes. But you shouldn't only think big. Think small as well. Think families. Lots of families either share a computer, or are hidden behind the same proxy or NAT box. Blocking on IP means that little brother can vote, but when he shows the site to his sister, the sister can't. It's user hostile, and the tell mark sign of a bad programmer. A good programmer would never start from a broken design. Abigail	[reply]
Re: blocking IPs by b10m (Vicar) on Jan 27, 2004 at 14:37 UTC
It's choosing between two (or more) evils. Either you allow everyone to vote as often as possible (with possible abuse), or you restrict it in someway, and have some negative side effects, ranging from forcing people to register, to blocking potential legit votes (and the fact that you can work around it if you really want to). I take it, the OP has experienced people abusing the voting script, otherwise the whole blocking question probably never would come up. I, personally, find forcing users to register far more user unfriendly (hostile) than the blocking of some legit votes. It all depends on the amount of visits, I presume. If you only get a handful of visitors a day, blocking based on IP probably won't hurt. If you get a lot of visitors, it might work counter productive, I agree. And yes, small sites might get big, but a lot of them will stay small forever. In this specific case, the OP seems to have the voting procedures all done, and adding the procedures for users to log in (because I presume you think that is a better way, but I have no clue of knowing that for sure, since you don't specify a better alternative) probably takes a lot more time than implementing a simple IP-blocking test. And I personally would not do that, because of my already explained annoyance with registration on (simple) websites. I fully agree that IP blocking isn't nice (and personally, I would just allow everyone to vote as often as possible and would manually look through the logs to see if I could detect certain abusive votes, or even write a script to do the work for me and report every Monday, first thing in the morning :), but disregarding IP blocking as useful straight when you see the words isn't helping much either. It all depends on specific cases. Most sites won't get away with it, but small sites could use it quite well, IMHO. -- b10m	[reply]
Re: blocking IPs by Abigail-II (Bishop) on Jan 27, 2004 at 15:02 UTC
But what is the goal of having the poll? I can think of two reasons: 1) you have an interest in the outcome of the poll; that is, you want to result to reflect the opinion or experience of your visitors. Or 2) you do it to attract people to your site, or to enhance their visit with the voting experience. In case 1) shutting out people is as bad as having people vote more than once. In case 2) shutting out people is worse than having people vote more than once. Abigail	[reply]
Re: blocking IPs by b10m (Vicar) on Jan 27, 2004 at 15:36 UTC


Syntactic Confectionery Delight
	PerlMonks