Who's the Spanish jerk draining the Faucet?

[Gavin Andresen]

I just shut down freebitcoins.appspot.com; it looks like somebody in Spain is being a jerk and getting a new IP address, bitcoin address, and solving the captcha.  Over and over and over again:

Code:

79.154.133.217 - - [04/Aug/2010:12:46:55 -0700]
"POST / HTTP/1.1" 200 1294 "https://freebitcoins.appspot.com/"
"Opera/9.80 (Windows NT 6.0; U; es-LA) Presto/2.6.30 Version/10.60,gzip(gfe)"

79.146.112.13 - - [04/Aug/2010:12:45:20 -0700]
"POST / HTTP/1.1" 200 1294 "https://freebitcoins.appspot.com/"
"Opera/9.80 (Windows NT 6.0; U; es-LA) Presto/2.6.30 Version/10.60,gzip(gfe)"

81.44.159.81 - - [04/Aug/2010:12:42:20 -0700]
"POST / HTTP/1.1" 200 1294 "https://freebitcoins.appspot.com/"
"Opera/9.80 (Windows NT 6.0; U; es-LA) Presto/2.6.30 Version/10.60,gzip(gfe)" 

Those IP addresses all map to Telefonica de Espana.  If it was you:  give them back, please: 15VjRaDX9zpbA8LVnbrCAFzrVzN7ixHNsC

Now that 5 bitcoins is worth a fair bit, I'm thinking I need more cheating countermeasures.  I can think of four things to try:

1. Rate limit based on the first byte of the IP address (79. or 81. in this case).
2. Rate limit based on the USER-AGENT string ("Opera/9.8..." in this case).
3. Rate limit based on last two domains of reverse DNS lookup of the IP address (rima-tde.net in this case).
4. Make the standard amount given away 0.5 Bitcoins (Bitcoins have gone up 10 times in value since I started the Faucet).

If you get rate limited, you'll get a message that asks you to try again tomorrow.

BitcoinFX: thanks again for the donation to the faucet; I'm going to drain the Faucet below 500 coins temporarily, and will refill it with your donation after the new cheating countermeasures are in place.

[1715211138]

1715211138

[1715211138]

1715211138

[1715211138]

1715211138

[1715211138]

1715211138

[1715211138]

1715211138

[1715211138]

1715211138

[knightmb]

This has been going on for a while I would say. I noticed that when I would donate BTC to it, I would check the site a few minutes later and it would be back down below 500 again very quickly (but not further down since it appears to stop after it reaches below 500)

I'm afraid with how the nature of Bitcoin works, even if you narrow it down to IP address, Bitcoin Address, cookies, browser string, etc. someone can still fake/change all of those to drain it.

I think your recommendation of 0.50 with it being reduced to the 0.05 when it hits below 500 BTC would work better to deter this kind of thing. Also, a rate per hour limit (because someone with a botnet could have all of them descend on it and empty it even at 0.05 a piece just for kicks)

It's obvious from your logs, the guy/gal was just renewing his IP address, generate a new bitcoin address, refresh the page, copy/paste new bitcoin address, send 5 BTC; rinse and repeat.

[omegadraconis]

You know the same thing crossed my mind that you could drain the faucet by grabbing a new ip address. I figured most of the people would be honest enough to not do it or there was something behind the scenes preventing it. One idea might be Browser finger print and a 81.x.x.x or 71.x.x.x limit. http://panopticlick.eff.org was something the eff did to show just how easy it is to finger print your browser (it checks your os build, Browser build, java, flash, other add-on versions, etc). If you were to combo detect the the browser id's and the first ip block it would be a fairly good way, though it would probably be a fair bit of work.

Another idea would be to add a delay to the coins being sent out, like say an hour after they are cleared the coin goes out. This wouldn't give someone instant satisfaction and would allow you to prevent the coins going out during that hour (Add a check to email yourself if a large number of transactions come through or something like that). Also dropping the coins being given out to 1 or 0.5 would significantly decrease the incentive of doing such a thing.

[knightmb]

That's a really good idea, just make a queue system with a simple "click to approve" button.

I don't know how much traffic the faucet site gets though, might not be practical from a human standpoint, but I don't often see the faucet that far below 500 most of the time.

[NewLibertyStandard]

I would make it give out 0.001% of the total bitcoins with a minimum of ฿0.02 and I would move those two decimal points to the left whenever the official client changes to displays another precision point. Thanks for the service, it's very useful to new users. I hope you can stay one step ahead of the cheaters.

[mizerydearia]

Also dropping the coins being given out to 1 or 0.5 would significantly decrease the incentive of doing such a thing.

The incentive will always exist.  It just makes it harder/take longer, more effort and creativity involved.

[skull88]

What if they just use different proxy's, than the checking the first byte of the IP is useless.

You could make a registration form on the site where they first got to activate they're email address, and than get a login code.
After login than they can request the free coins, of course there is a limit of one request for one email address and you keep on checking the ip.

So if you want a lot of coins, you first got to register a lot of email adresses and than you got to register with all those addresses, you really got to have no life to do all that trouble just to drain down the Faucet

[FreeMoney]

This is a nice exercise in what happens when you give free stuff away.

Hint: People try to get the free stuff.


I do think it's a nice idea, I'm not saying you shouldn't do it.

[Anonymous]

Whoever cheats to take free bitcoins wins this award.



It is the douche-bag of the year.

[Gavin Andresen]

Thanks for all the ideas!

First: I'm definitely going to drop from 5 BTC; I think I'll go all the way down to 0.50 BTC (rather than do 1 or 2).  Giving away a percentage of how much the faucet has is an interesting idea, but I want it to be as simple as possible.

Second: I really don't want to make getting coins from the Faucet a whole heavy-weight "register and check your email and yada yada yada."

But I do like the idea of adding an extra hurdle for 'suspicious-looking' behavior.  So I'm leaning towards doing some fuzzy browser fingerprinting combined with rate-limiting and, if you look suspicious or the fountain has been giving away a larger-than-usual number of coins, require that you login with your google account before getting any coins.  No google account: no coins.

It is hard to create lots of google accounts; they're requiring either phone or SMS account verification these days...

[Gavin Andresen]

This is a nice exercise in what happens when you give free stuff away.
Hint: People try to get the free stuff.
I do think it's a nice idea, I'm not saying you shouldn't do it.

Yeah, I shoulda anticipated problems when Bitcoins went from 0.005 USD each to 0.06 each.  If it takes somebody two minutes to go through the "get a new IP, get a new BC address, solve the captcha" process then they'd make 5*30=150 bitcoins an hour, which is $9 USD an hour, which, if you're unemployed, bored, and/or 13 years old is easy money.

[kiba]

This is a nice exercise in what happens when you give free stuff away.
Hint: People try to get the free stuff.
I do think it's a nice idea, I'm not saying you shouldn't do it.

Yeah, I shoulda anticipated problems when Bitcoins went from 0.005 USD each to 0.06 each.  If it takes somebody two minutes to go through the "get a new IP, get a new BC address, solve the captcha" process then they'd make 5*30=150 bitcoins an hour, which is $9 USD an hour, which, if you're unemployed, bored, and/or 13 years old is easy money.

Hmm, now that I think about it....13 years old would find bitcoins to be a money making opportunities, especially since they generally can't be employed by business and such. They can however, offer services and goods of some kind to bitcoiners in exchange for some money. When he/she saved up a bit, she/he can buy hosting services and bootstrap their way to bigger business operations.

[Ground Loop]

Sadly, I don't think there's a viable anti-abuse system when you have an automated system dispensing coins for free.  (anonymous, irrevocable coins)

The only countermeasure that makes sense is to slow down the value and pace of the whole faucet to where someone has a chance to manually keep an eye on flow.

But coming back to the roots of why it's neat, and what people reasonably get from it, the specific value is not really important.  I see it as more a "system test", where someone can watch coins come in, transfer them to another computer, and so on.  It's not supposed to be "what can I buy with these", but test coins.  Having 0.02 coins is much more fun than having zero.

To that end, a system that dispenses BTC 0.02 and has a significant delay (30 mins?) is less likely to be attractive to even automated abuse plots.

[BioMike]

I've tried it last week and got 0.05BC, which is fine for its purpose (testing how it works and if it works). I also send the same amount back. I think it works just fine like this. I wouldn't have tried it when I had to get a google account, or something similar (getting such thing for only 0.05BC is just to much effort for testing it).

[gebler]

Perhaps it would help to be more clear about the Faucet operating on an honor principle, and that no one is really allowed more than 5.05 bitcoins (or 0.55 bitcoins if you change it to that).  When I revisit the site today it says "Right now the rule is 0.05 bitcoins given per unique IP address."  Such language could be interpreted as if it was actually OK to get more payouts from the Faucet using several unique IP addresses, since it would not be "against the rules".  Improving the technical system to prevent cheating is probably a good idea anyway, since there are probably cheaters who don't care about being cheaters.  But some may actually think they are just being clever, maximizing their benefit without breaking any rules.

[tcatm]

Just an idea... you could remove the message that tells the user he already got coins and always pretend to have sent coins when in reality you didn't. Maybe with a nice "If it doesn't work contact me at ..." message. Hopefully they'll just assume it's broken and don't bother trying to get coins from it anymore.

[satoshi]

Silently failing would look bad.

1. Rate limit based on the first byte of the IP address (79. or 81. in this case).

Definitely needed.  What rate are you thinking of?  Ultimately, it's better to rate limit it than to let it all drain out.

3. Rate limit based on last two domains of reverse DNS lookup of the IP address (rima-tde.net in this case).

That might work surprisingly well.  If it works, it keeps them from hitting the rate limit, but the rate limit is there as the last line of defence.

4. Make the standard amount given away 0.5 Bitcoins (Bitcoins have gone up 10 times in value since I started the Faucet).

Definitely time to lower it.

[Bitquux]

Switch to sending payment to IP addresses. They don't have to be static for this purpose. If you happen to miss it, too bad. Any unrelated person who happens to be at the requesting IP address probably sees tons of other random connection attempts from the Internet at large anyway.

[knightmb]

Switch to sending payment to IP addresses. They don't have to be static for this purpose. If you happen to miss it, too bad. Any unrelated person who happens to be at the requesting IP address probably sees tons of other random connection attempts from the Internet at large anyway.

Can't do that with the current state of the software   

[hugolp]

If he/she lives near me I can pay him a visit... just saying.