Detection is not a one-way street
Sites can also perform detection. If a site is receiving an abnormal number of requests from an IP address for the same resource within a small amount of time something is not right. An IP address will typically request many resources in a short period of time but usually for the different resources a browser needs to present a page. It's unusual for an IP address to access the same resource more the a few times in a short window of time. A user might refresh a page quickly once or twice but it's not likely they will be be refreshing the page several times even in a few seconds..
Even our noddy site site performs these tests and blocks the offending IP address at the firewall so they are unable to proceed. We see attacks like this all the time, especially to registration pages, and are usually blocking one or two IP addresses per hour. I like to think that more sophisticated sites perform similar real-time checks if only out of self-interest because such attacks consume resources and capacity.
Biting the hand that feeds IT
