I wonder why it is so hard for you to protect your server from bots. Although it is pretty funny when you get tons of generic bots in your server yelling "pools closed", it could on the other hand be pretty annoying.
However, I wouldn't say this "fix" is the way to go to "solve" the bot problem, even temporarily.
- All servers should have a working captcha upon registration. Make sure this works. This is the first layer of protection against bots and is the source from which hotels get flooded with hundreds of thousands of registrations.
- If this is not enough, we have Cloudflare, which has browser verification built in, so in general you don't really need any additional code in the CMS or the gameserver.
- And if the bots are still getting into the server, make sure they don't get around Cloudflare by having your real server IP. Add firewall rules to your firewall that only allow connections from Cloudflare IP ranges.
- Add a limit per IP, as the origin most normally has a short limit on the IPs they can send bots from. Setting this limit to one is not a good idea, as there is often more than one (legit) user trying to access the server simultaneously.
- What about RSA? I thought many hotels had RSA going these days to avoid scripting and such.
- The last step would be to add captcha when users sign in. One thing to keep in mind is that users hate captcha as it takes time and effort to enter the almost unreadable letters. Consider this as a last effort when it comes to mitigating a bot attack.
- Consider reporting the IP where the attack is originating from. If it originates from a hosting company, they would be more than happy to help you. Just make sure you have proof such as logs from your web-server that prove that the IP is generating malicious traffic on your server. Had someone running a TCP flood attack to a MySQL server back in the days. Grabbed a log-file and sent an email to the OVH abuse email as the attack came from an OVH server. Shortly after, the IP where it came from was taken down.
I don't get why this has to be so hard for you kids. Didn't we learn from the time when hotels got flooded with bots from avalanche (or whatever that program was called)?
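An added example, not part of the original post: a sketch of how the "only accept traffic from the proxy" and "limit per IP, but not to one" points in the post above combine on the server side. The class name, the cap of 3 and the address ranges are assumptions; the ranges are documentation placeholders standing in for the provider's published list, and the client address is assumed to be whatever the proxy reports for the visitor.

```python
import ipaddress
from collections import Counter

# Constructed placeholder ranges (RFC 5737 documentation networks). In a real
# deployment, load the proxy provider's currently published ranges instead.
PROXY_RANGES = ["198.51.100.0/24", "203.0.113.0/24"]


class ConnectionGate:
    """Admit sessions only via the trusted proxy, capped per client IP."""

    def __init__(self, proxy_ranges, max_per_ip=3):
        self.networks = [ipaddress.ip_network(r) for r in proxy_ranges]
        self.max_per_ip = max_per_ip      # more than one: shared households, NAT
        self.active = Counter()           # client IP -> open sessions

    def from_proxy(self, peer_ip):
        """True if the TCP peer is inside one of the allowed proxy ranges."""
        addr = ipaddress.ip_address(peer_ip)
        return any(addr in net for net in self.networks)

    def admit(self, peer_ip, forwarded_ip):
        """Return (allowed, reason) for a new session.

        peer_ip is the socket's remote address; forwarded_ip is the client
        address reported by the proxy. It is trusted only after the peer
        check passes, otherwise anyone could claim any address.
        """
        if not self.from_proxy(peer_ip):
            return False, "direct-connection"
        try:
            client = str(ipaddress.ip_address(forwarded_ip))
        except ValueError:
            return False, "bad-client-address"
        if self.active[client] >= self.max_per_ip:
            return False, "per-ip-limit"
        self.active[client] += 1
        return True, "ok"

    def release(self, forwarded_ip):
        """Call when a session closes so the slot is freed."""
        client = str(ipaddress.ip_address(forwarded_ip))
        if self.active[client] > 0:
            self.active[client] -= 1
```

The peer check is the application-level twin of the firewall rule; keep the firewall rule as well, so direct connections to the real server IP are dropped before they reach the application.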