Spam trafi\u011fi; credential stuffing, carding, scraping, brute force, form spam, API k\u00f6t\u00fcye kullan\u0131m\u0131<\/strong> gibi farkl\u0131 otomasyon davran\u0131\u015flar\u0131ndan olu\u015fur. OWASP\u2019\u0131n Automated Threats to Web Applications (OAT)<\/strong> s\u0131n\u0131fland\u0131rmas\u0131, hangi u\u00e7 noktalar i\u00e7in hangi sald\u0131r\u0131lar\u0131n tipik oldu\u011funa dair ortak bir dil sa\u011flar; savunmay\u0131 tek bir CAPTCHA\u2019ya indirgemek yerine tehdit odakl\u0131 d\u00fc\u015f\u00fcnmeyi kolayla\u015ft\u0131r\u0131r. owasp.org<\/span>+1<\/span><\/span><\/span><\/a><\/span><\/span><\/p>\n WAF + kural setleri:<\/strong> ModSecurity ile OWASP Core Rule Set (CRS)<\/strong> ba\u015flang\u0131\u00e7 bariyeri sa\u011flar; SQLi\/XSS gibi klasik istismarlara ek olarak brute force ve h\u0131z s\u0131n\u0131rlamaya yard\u0131mc\u0131 kurallar i\u00e7erir. owasp.org<\/span>+1<\/span><\/span><\/span><\/a><\/span><\/span><\/p>\n<\/li>\n Oran s\u0131n\u0131rlama (rate limit) \/ ba\u011flant\u0131 kotas\u0131:<\/strong> Nginx\u2019in Risk skorlu do\u011frulama:<\/strong> Cloudflare Turnstile<\/strong> gibi \u201csessiz\u201d taray\u0131c\u0131 sinyali tabanl\u0131 \u00e7\u00f6z\u00fcmler; d\u00fc\u015f\u00fck g\u00fcven h\u00e2linde hafif challenge g\u00f6stererek s\u00fcrt\u00fcnmeyi azalt\u0131r. Google reCAPTCHA (Enterprise)<\/strong>, OAT kategorilerine g\u00f6re ak\u0131\u015f bazl\u0131 \u00f6neriler sunar. Cloudflare Docs<\/span>+2<\/span><\/span>Cloudflare Docs<\/span>+2<\/span><\/span><\/span><\/a><\/span><\/span><\/p>\n<\/li>\n Honeypot\/decoy taktikleri:<\/strong> G\u00f6r\u00fcnmeyen form alanlar\u0131, sahte endpoint\u2019ler ve (Cloudflare taraf\u0131nda) AI Labyrinth<\/strong> gibi \u201cy\u00f6nlendirip oyalayan\u201d \u00e7\u00f6z\u00fcmlemeler, robots.txt\u2019ye uymayan yeni nesil taray\u0131c\u0131lara kar\u015f\u0131 etkili bir ek katmand\u0131r. The Cloudflare Blog<\/span><\/span><\/span><\/a><\/span><\/span><\/p>\n<\/li>\n Scraper ekosistemi ve robots.txt ger\u00e7ekli\u011fi:<\/strong> 2024\u20132025\u2019te yay\u0131nc\u0131lar ve altyap\u0131 sa\u011flay\u0131c\u0131lar\u0131, robots.txt\u2019yi yok sayan<\/strong> ve kimli\u011fini gizleyen AI taray\u0131c\u0131lar\u0131na kar\u015f\u0131 (\u00f6rn. varsay\u0131lan engelleme, \u201cPay Per Crawl\u201d gibi) daha agresif \u00f6nlemler duyurdu; robots.txt tek ba\u015f\u0131na yeterli de\u011fil<\/strong>. The Verge<\/span>+2<\/span><\/span>Reuters<\/span>+2<\/span><\/span><\/span><\/a><\/span><\/span><\/p>\n<\/li>\n \u00d6l\u00e7\u00fcm temizli\u011fi:<\/strong> Ba\u015far\u0131y\u0131 \u00f6l\u00e7mek i\u00e7in GA4\u2019te internal<\/strong> ve developer<\/strong> trafi\u011fini filtrele; aksi h\u00e2lde bot azaltma etkisini g\u00f6remezsin. Google Yard\u0131m<\/span><\/span><\/span><\/a><\/span><\/span><\/p>\n<\/li>\n API\u2019lere \u00f6zel s\u0131k\u0131la\u015ft\u0131rma:<\/strong> 2024\u2019te web sald\u0131r\u0131lar\u0131 %33 artarken API\u2019ler birincil hedef h\u00e2line geldi; rate limit + kimlik do\u011frulama + davran\u0131\u015fsal sinyaller \u015fart. vmblog.com<\/span>+1<\/span><\/span><\/span><\/a><\/span><\/span><\/p>\n<\/li>\n<\/ol>\n Kritik u\u00e7lar\u0131 \u00e7\u0131kar:<\/strong> WAF\/CRS\u2019i a\u00e7 ve tuning yap:<\/strong> Hatal\u0131 pozitifleri azaltmak i\u00e7in istisna kurallar\u0131 tan\u0131mla. CRS Project<\/span><\/span><\/span><\/a><\/span><\/span><\/p>\n<\/li>\n Oran s\u0131n\u0131rla:<\/strong> Nginx ile IP ve ak\u0131\u015fa \u00f6zg\u00fc anahtarlarla rate limiting uygula. nginx.org<\/span><\/span><\/span><\/a><\/span><\/span><\/p>\n<\/li>\n Riskli ak\u0131\u015flarda challenge:<\/strong> Turnstile\/reCAPTCHA\u2019y\u0131 login, kay\u0131t ve \u00f6deme gibi y\u00fcksek riskli<\/strong> ak\u0131\u015flarda puan\/karar mekanizmas\u0131yla devreye al. Cloudflare Docs<\/span>+1<\/span><\/span><\/span><\/a><\/span><\/span><\/p>\n<\/li>\n Honeypot\/decoy ekle:<\/strong> Form honeypot\u2019lar\u0131 + (Cloudflare kullan\u0131yorsan) AI Labyrinth. The Cloudflare Blog<\/span><\/span><\/span><\/a><\/span><\/span><\/p>\n<\/li>\n Scraper y\u00f6netimi:<\/strong> ASN\/\u00fclke\/UA sinyalleriyle kurallar, h\u0131z limitleri, JSON\/Feed u\u00e7lar\u0131na Accept\/Referer hijyeni.<\/p>\n<\/li>\n \u00d6l\u00e7\u00fcm temizli\u011fi:<\/strong> GA4 i\u00e7\/developer trafi\u011fini d\u0131\u015fla. Google Yard\u0131m<\/span><\/span><\/span><\/a><\/span><\/span><\/p>\n<\/li>\n S\u00fcrekli g\u00f6zlem:<\/strong> 429\/5xx oranlar\u0131, \u00e7erezsiz istek patlamalar\u0131, belirli ASN\/\u00fclkelerden ani s\u0131\u00e7ramalar i\u00e7in alarmlar kur.<\/p>\n<\/li>\n Trendleri izle:<\/strong> Akamai\u2019nin y\u0131ll\u0131k\/\u00e7eyreklik SOTI raporlar\u0131 API\/bot e\u011filimlerini takip i\u00e7in iyi bir referans. Akamai<\/span><\/span><\/span><\/a><\/span><\/span><\/p>\n<\/li>\n<\/ul>\n Login ak\u0131\u015f\u0131 i\u00e7in IP + kullan\u0131c\u0131 ad\u0131 birle\u015fik anahtar:<\/strong><\/p>\n # Limit alanlar\u0131<\/span> server<\/span> { # Basit bot i\u015faretleri (\u00f6rnek)<\/span> Nginx\u2019in Form spam i\u00e7in honeypot + h\u0131z limiti:<\/strong><\/p>\n location<\/span> = \/contact\/submit {Ana savunma katmanlar\u0131 (\u00f6zet strateji)<\/h2>\n
\n
limit_req<\/code> ve limit_conn<\/code> mod\u00fclleri IP ya da \u00f6zel anahtarlar (\u00f6rn. IP+username) \u00fczerinden istek h\u0131z\u0131n\u0131 d\u00fc\u015f\u00fcr\u00fcr; leaky-bucket algoritmas\u0131 kullan\u0131r. nginx.org<\/span>+1<\/span><\/span><\/span><\/a><\/span><\/span><\/p>\n<\/li>\n
\nUygulanabilir kontrol listesi (H\u0131zl\u0131 ba\u015flang\u0131\u00e7)<\/h2>\n
\n
\/login<\/code>, \/signup<\/code>, \u00f6deme\/form ak\u0131\u015flar\u0131, \/search<\/code>, \u00fcr\u00fcn beslemeleri ve API u\u00e7lar\u0131; her birini OAT kategorisiyle e\u015fle\u015ftir. owasp.org<\/span><\/span><\/span><\/a><\/span><\/span><\/p>\n<\/li>\n
\nUygulama Tasla\u011f\u0131 (kopyala\u2013uyarla)<\/h2>\n
A) Nginx: Oran s\u0131n\u0131rlama ve basit i\u015faretler<\/h3>\n
# X-Real-IP varsa onu kullan<\/span>
\nmap<\/span> $http_x_real_ip<\/span> $client_ip<\/span> { default<\/span> $remote_addr<\/span>; }
\n# IP + username kombinasyonu (query\/body'den 'username' geldi\u011fini varsayal\u0131m)<\/span>
\nmap<\/span> \"$client_ip<\/span><\/span>:$arg_username<\/span>\" $login_key<\/span> { default<\/span> $request_uri<\/span>; }<\/p>\n
\nlimit_req_zone<\/span> $client_ip<\/span> zone=perip:20m<\/span> rate=10r\/m;
\nlimit_req_zone<\/span> $login_key<\/span> zone=peruser:20m<\/span> rate=5r\/m;
\nlimit_conn_zone<\/span> $client_ip<\/span> zone=ipconn:10m<\/span>;<\/p>\n
\n location<\/span> = \/login {
\n limit_req<\/span> zone=perip burst=20<\/span> nodelay;
\n limit_req<\/span> zone=peruser burst=5<\/span>;
\n limit_conn<\/span> ipconn 20<\/span>;<\/p>\n
\n if<\/span> ($http_user_agent<\/span> ~* \"(curl|wget|bot|spider)\")<\/span> { return<\/span> 429<\/span>; }
\n proxy_pass<\/span> http:\/\/app_upstream;
\n }
\n}
\n<\/code><\/div>\n<\/div>\n\n
limit_req<\/code> mod\u00fcl\u00fc leaky-bucket y\u00f6ntemiyle \u00e7al\u0131\u015f\u0131r; anahtar se\u00e7iminde IP\u2019nin NAT arkas\u0131nda payla\u015f\u0131l\u0131yor olabilece\u011fini unutma. nginx.org<\/span>+1<\/span><\/span><\/span><\/a><\/span><\/span><\/p>\n<\/blockquote>\n# \/contact\/submit i\u00e7in IP ba\u015f\u0131na saatlik limit<\/span>
\nlimit_req_zone<\/span> $binary_remote_addr<\/span> zone=formip:10m<\/span> rate=30r\/h;<\/p>\n
\n limit_req<\/span> zone=formip burst=10<\/span>;
\n # 'hp_field' honeypot alan\u0131 dolu geldiyse reddet<\/span>
\n if<\/span> ($arg_hp_field<\/span> != \"\"<\/span>) { return<\/span> 403<\/span>; }