5

I want to know how we can check for fake traffic hits:

If traffic is coming from IP changer software;
If traffic is coming from a proxy IP;
If a person has set the referer URL in the browser;
If traffic is coming from traffic generating software;
If traffic is coming from traffic generating services/websites.

To check proxy we can use:

```php
$_SERVER['HTTP_X_FORWARDED_FOR']
$_SERVER['HTTP_VIA']
$_SERVER['HTTP_PROXY_CONNECTION']
$_SERVER['HTTP_CLIENT_IP']
```

To check referer we can use:

```php
$_SERVER['HTTP_REFERER']
```

But the above method can easily be cheated!?

Please suggest more possible ways to check for fake traffic/hits!?

Ilia Ross
  • 8
    If there was one way to catch all of these instances and prevent them, "fake traffic" would not exist in the first place. – Lix Jan 08 '14 at 13:28
  • Related: [What is the most accurate way to retrieve a user's correct IP address in PHP?](http://stackoverflow.com/questions/1634782/) – Amal Murali Jan 08 '14 at 13:28
  • @Lix yes, it's quite complicated to verify real hits. If you can tell more ways to check, that would be great. –  Jan 08 '14 at 13:33
  • 1
    "IP changer software" is the same as a proxy, and both are very commonplace and perfectly legitimately used every day as part of the internet infrastructure. Manually setting a referer is not detectable, and is not "fake" traffic as such. Services that automatically generate traffic *may* be detectable if they have a specific pattern, but if they're any good it'll look just like any other non-specific traffic. In short: what you're asking for is both ill-defined and hardly possible. – deceze Jan 08 '14 at 13:34
  • @deceze you are saying it's hard to verify hits; how does YouTube do this? –  Jan 08 '14 at 13:37
  • How *do* they do it? What exactly do they do? Do you have examples of what exactly they do? – deceze Jan 08 '14 at 13:52
  • @deceze check this video in which a YouTube product manager explains: https://www.youtube.com/watch?v=oIkhgagvrjI –  Jan 08 '14 at 13:56
  • 1
    One possible solution could be looking at the [SO view counter](https://meta.stackexchange.com/questions/87092/dissecting-the-stack-overflow-views-counter). Most of it is pretty complicated, but one important bit is that SO only allows one hit per unique IP per 15 minutes. That means that "spamming" isn't possible, and in order to get really high hits, you need a massive network or a really long time. – Huey Jan 09 '14 at 02:19
  • That YouTube thing appears to be a very manual process, which is why it takes up to a day. Especially their bit about "if there's a misleading thumbnail (bikini babe)..." - that's something a human looks at, together with some other statistics and decides whether a video really has suddenly become popular or not. – deceze Jan 09 '14 at 06:06
  • Everything that you got from an HTTP header can be faked without you ever finding out. There is no way of getting these values from a trusted source, however. You will just have to live with all that "fake traffic" I guess... – ToBe Jan 09 '14 at 13:45
  • 1
    If you want to ensure a legitimate visitor comes from a trusted referer, you will have to generate a secure token on that server and verify it again on your target server. This is a common solution for such problems... – ToBe Jan 09 '14 at 13:47

1 Answer

1

It is difficult to detect fake traffic, as many have already mentioned.

You can have a base level of fake traffic detection by scanning the user-agent value for incoming requests. Bots usually mention that they are bots in the user agent. So a simple strpos for the user agent can work.

```php
if (empty($_SERVER['HTTP_USER_AGENT'])
    || strpos($_SERVER['HTTP_USER_AGENT'], 'bot') !== false
    || strpos($_SERVER['HTTP_USER_AGENT'], 'spider') !== false
    || strpos($_SERVER['HTTP_USER_AGENT'], 'crawler') !== false
) {
    // most likely fake traffic
}
```

This is obviously not foolproof, but it provides a basic level of detection.

You can also issue request tokens which would then be passed along to every subsequent request.

It would be easier to know why you want to detect fake hits. Is this for a regular website? Browser game?

What harm are fake hits causing to your application?

If you can't answer any of those questions easily, and thoroughly, then perhaps you don't really need to detect fake hits after all.

Kovo
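
The request-token idea from the answer and from ToBe's comment, as an added example that is not part of the original answer or comments: the code that serves the page issues an HMAC-signed, expiring, single-use token, and the code that counts the hit verifies it. The secret, the 900-second lifetime, the function names and the in-memory `$seen` store are assumptions made for illustration.

```php
<?php
const TOKEN_TTL = 900; // assumed lifetime of a token, in seconds

// Called when the page is served: returns "timestamp.nonce.mac".
function issue_token(string $secret, int $now): string
{
    $payload = $now . '.' . bin2hex(random_bytes(16));
    return $payload . '.' . hash_hmac('sha256', $payload, $secret);
}

// Called when a hit is reported. $seen stands in for a shared store
// (database, cache) that remembers nonces until they expire.
function verify_token(string $token, string $secret, int $now, array &$seen): bool
{
    $parts = explode('.', $token);
    if (count($parts) !== 3 || !ctype_digit($parts[0])) {
        return false;                        // malformed token
    }
    [$ts, $nonce, $mac] = $parts;
    $expected = hash_hmac('sha256', $ts . '.' . $nonce, $secret);
    if (!hash_equals($expected, $mac)) {
        return false;                        // forged or altered
    }
    $age = $now - (int) $ts;
    if ($age < 0 || $age > TOKEN_TTL) {
        return false;                        // expired, or dated in the future
    }
    if (isset($seen[$nonce])) {
        return false;                        // token was already counted once
    }
    $seen[$nonce] = (int) $ts;
    return true;
}

// Constructed demo values, not real data.
$secret = 'constructed-demo-secret';
$seen   = [];
$now    = 1389187200;
$token  = issue_token($secret, $now);

var_dump(verify_token($token, $secret, $now + 30, $seen));        // first use
var_dump(verify_token($token, $secret, $now + 60, $seen));        // same token again
var_dump(verify_token($token . 'x', $secret, $now + 30, $seen));  // altered MAC
var_dump(verify_token(issue_token($secret, $now), $secret, $now + 901, $seen)); // past TTL
```

A valid token only shows that the client fetched the page before reporting the hit. An automated client that loads the page first still receives a token, so this limits forged and replayed hits rather than identifying bots.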