Bad actors are persistent. Block them once, and they’ll be back in seconds with a new IP address, a fresh browser profile, and slightly tweaked attack scripts. It’s exhausting for security teams, honestly. But over the past decade, detection technology has gotten remarkably good at spotting repeat offenders, even when they think they’ve covered their tracks.
Here’s how platforms actually catch people who keep coming back for more.
The IP Address Problem
Every connection to a website reveals an IP address. Think of it as a return address on an envelope. Services maintain huge databases of IPs linked to past abuse, and checking incoming traffic against these lists happens automatically.
Spamhaus, AbuseIPDB, and similar organizations run blocklists with millions of flagged addresses. When someone reports an IP for spamming or launching attacks, that information spreads fast. Within minutes, the address can land on dozens of blocklists simultaneously.
Networks subscribe to these feeds and just reject connections from known bad IPs. Simple enough, right?
Well, not really. The problem is that IP addresses aren’t permanent identifiers anymore. Residential ISPs rotate them regularly. Cloud providers hand them out dynamically. And a cottage industry of proxy services exists specifically to provide “clean” addresses on demand.
Anyone serious about abuse knows how to work around basic IP blocking. They rotate through VPNs, proxy services, and residential IP pools to grab fresh addresses constantly. For a deeper look at what platforms are up against, this how to get around an ip ban article breaks down the common evasion tactics (which explains why IP blocking alone is basically useless now).
Device Fingerprinting Gets Creepy
This is where detection gets clever. Change your IP, clear your cookies, fire up incognito mode, and websites can still figure out who you are. They do it by collecting dozens of tiny details about your browser and hardware.
Your graphics card renders images slightly differently than mine. Your installed fonts create a unique combination. Your screen resolution, timezone, audio processing quirks, even your battery status (yes, really) all feed into a profile. According to Wikipedia’s overview of device fingerprinting, a 2016 study showed 89.4% of browser fingerprints were unique enough to identify individual users.
The scary part? You can’t really see this happening. There’s no cookie consent popup for fingerprinting. It just runs silently in the background, building a hash that follows you around.
Watching How You Move
Humans browse websites in messy, unpredictable ways. We pause to read. Our mouse movements curve naturally. We scroll, stop, scroll again, maybe go back up.
Bots don’t do any of that. They click at perfect intervals. Cursors teleport between buttons. Forms get filled faster than anyone could actually type. These patterns stick out.
Cloudflare processes billions of requests daily and feeds all that behavioral data into machine learning models. Their system spits out a score from 1 to 99 for every request, where lower means “probably a bot.” Anything under 30 usually gets challenged or blocked outright.
Rate Limiting Still Works
Sometimes old school approaches do the job. Cloudflare’s documentation puts it simply: rate limiting caps how often someone can repeat an action within a set timeframe.
Normal users log in once, maybe twice a day. Credential stuffing attacks need thousands of attempts per minute to turn a profit. That gap is easy to spot.
Modern rate limiting goes beyond counting requests per IP, though. Advanced setups track activity per user session, per API endpoint, per authenticated account. They force exponential backoff after failures and adjust thresholds based on what normal traffic actually looks like. It’s gotten pretty sophisticated.
Everyone Shares Notes Now
Here’s something that changed the game: platforms started sharing threat intelligence with each other. Spot a new attack pattern on Monday, and half the internet knows about it by Tuesday.
Cloud providers like AWS maintain internal databases of suspicious IPs. According to AWS documentation, their managed reputation rules block over 90% of malicious request floods. Attack one customer, and you might find yourself locked out of the entire ecosystem.
Where This Leaves Us
The arms race won’t end anytime soon. Every new defense inspires new workarounds. But the math favors the defenders here.
Attackers need to succeed consistently. Defenders just need to make abuse expensive enough that it stops being worth the effort. Between fingerprinting, behavioral analysis, and shared blocklists, that cost keeps going up.
Most people don’t realize how much websites know about identifying visitors. If you’re not doing anything shady, that’s probably a good thing.