Depends on your specific problem. Usually redesign your system not to need to care if the other end is a bot or not.
replyHow though? Can you also avoid DDoS simply by designing your system to not care if the requester is a bot or not.
replyLet's say I'm running https://grep.app/ for example. AI bots start heavily using it, costing me a ton of money. How would you magically design this so it doesn't matter if the end bots are using it?
Rate limit individual clients.
replyLet's play this out: how do you determine individual clients? By ip? By seasionid?
replyI suspect that the HN crowd is somehow insulated from the river of crap and fraud that is the internet experience for a majority of the population.
reply