How to stop fake web traffic from internet?

Question

I have a website that pays users for showing advertising on shortened links. I recently have someone who is trying to boost his earnings by sending fake traffic to the site. It is not only smashing my site (ie. slowing it down) but is also skewing my Google Analytics data.

Is the only solution here really to deploy a WAF, or roll my own Rack based request inspection code? I not sure how this would work or best practices in a Heroku/Ruby on Rails environment.

Any one have experience on this or have any ideas?

Answer 1

If the requests are being sent at a much higher rate than regular visitors do, the rack-attack gem might be very useful to you.

It allows throttling requests, so if a user visits some page at a higher frequency than allowed for a while, you can (temporarily) block any further requests.

From the gem's README:

Rack middleware for blocking & throttling abusive requests

Rack::Attack is a rack middleware to protect your web app from bad clients. It allows whitelisting, blacklisting, throttling, and tracking based on arbitrary properties of the request.

Do define the rules with a safe margin, so your application won't be blocking regular users who aren't spamming your site.