Detecting click fraud self-hosted
December 27, 2025
Click fraud is the systematic abuse of advertising budgets by click farms, competitors, and bots. In some industries, fraudulent clicks account for up to half of all ad traffic, consuming budget with zero return on investment. The pattern is predictable: repeated visits from datacenter IPs, traffic from mobile devices rotating through residential proxies, clicks that arrive in bursts and produce no conversions.
Most click fraud detection is sold as a SaaS service. You send your click data to a vendor, pay based on traffic volume, and receive risk assessments in return. The vendor gets a continuous stream of your advertising traffic data, including the genuine clicks from real users. The cost scales with your campaigns regardless of how much fraud you actually have, and the detection logic is proprietary, so you cannot inspect or adjust it.
There is a simpler starting point. Server-side behavioral monitoring on your own infrastructure can detect fraudulent traffic without sending anything to a third party, and because it runs on your backend, bots cannot detect or manipulate it.
Why detection has to be server-side
Client-side detection (JavaScript challenges, browser fingerprinting scripts, challenge pages) is visible to bots. Sophisticated fraud operations inspect the page source, identify the detection mechanism, and adapt. A JavaScript fingerprinting library can be reverse-engineered. A challenge page can be solved programmatically. Any detection that runs in the browser is a detection that the bot can see, study, and eventually bypass.
Server-side monitoring avoids this entirely. Your application backend sends events to tirreno for every visitor that lands on your page. The visitor never sees the monitoring, because it happens after their request reaches your server. There is no script to reverse-engineer and no challenge to solve. The bot interacts with your landing page. Your backend evaluates the bot.
Each event carries IP address, user agent, device fingerprint, and timestamp. tirreno enriches this with connection intelligence: whether the IP belongs to a datacenter range, a commercial VPN provider, a Tor exit node, or an address listed in abuse databases. This is resolved through the enrichment API and evaluated locally on your systems.
The bot_detection preset scores the signals most relevant to automated traffic. Datacenter IPs appearing in consumer ad traffic, bot-identified user agents, single-event sessions with no follow-up interaction, and IPs shared across an unusual number of sessions all accumulate risk. The scoring produces a trust level for each visitor, and the auto-blacklisting threshold generates a list of fraudulent IP addresses that you can feed back into your advertising networks to block future clicks from flagged addresses.
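To make the accumulation concrete, here is an added example (not tirreno's rule engine or code from this post) that scores the four signals named above per IP and derives a blacklist. The signal names, weights, threshold, user-agent markers and the datacenter range are assumptions chosen for illustration.

```python
import ipaddress
from collections import defaultdict

# Assumptions for this sketch: a documentation-range CIDR stands in for a
# datacenter feed; markers, weights and threshold are arbitrary, not tirreno's.
DATACENTER_NETS = [ipaddress.ip_network("203.0.113.0/24")]
BOT_UA_MARKERS = ("bot", "crawler", "headless", "python-requests", "curl")
WEIGHTS = {"datacenter_ip": 40, "bot_user_agent": 40,
           "single_event_sessions": 15, "many_sessions_per_ip": 25}
SESSIONS_PER_IP_LIMIT = 3
BLACKLIST_THRESHOLD = 60

def score_ips(events):
    """Return {ip: (score, [signals])} from events with ip/session/user_agent."""
    sessions_by_ip = defaultdict(set)
    agents_by_ip = defaultdict(set)
    events_per_session = defaultdict(int)
    for e in events:
        sessions_by_ip[e["ip"]].add(e["session"])
        agents_by_ip[e["ip"]].add(e["user_agent"].lower())
        events_per_session[e["session"]] += 1
    scores = {}
    for ip, sessions in sessions_by_ip.items():
        signals = []
        if any(ipaddress.ip_address(ip) in net for net in DATACENTER_NETS):
            signals.append("datacenter_ip")
        if any(m in ua for ua in agents_by_ip[ip] for m in BOT_UA_MARKERS):
            signals.append("bot_user_agent")
        if all(events_per_session[s] == 1 for s in sessions):
            signals.append("single_event_sessions")
        if len(sessions) > SESSIONS_PER_IP_LIMIT:
            signals.append("many_sessions_per_ip")
        scores[ip] = (sum(WEIGHTS[s] for s in signals), signals)
    return scores

def blacklist(events):
    """IPs whose accumulated score reaches the blacklist threshold."""
    return sorted(ip for ip, (score, _) in score_ips(events).items()
                  if score >= BLACKLIST_THRESHOLD)

# Constructed sample events (documentation IP ranges, not real traffic).
CHROME = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/131.0 Safari/537.36"
SAMPLE = (
    [{"ip": "203.0.113.7", "session": f"dc-{i}", "user_agent": CHROME}
     for i in range(5)]
    + [{"ip": "198.51.100.20", "session": "u1", "user_agent": CHROME}] * 3
    + [{"ip": "192.0.2.55", "session": "s1", "user_agent": "python-requests/2.31"}]
    + [{"ip": "192.0.2.80", "session": "b1", "user_agent": CHROME}]
)
```

With these weights a single bounce from an ordinary browser scores low on its own; it takes several signals on the same IP to reach the threshold.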
Going further with the 1px technique
Server-side monitoring catches fraudulent traffic based on connection and behavioral signals. There is an additional technique that exploits how click farms actually operate.
Most fraud infrastructure does not fully render pages and their resources. It loads enough of the page to register as a click with the advertising platform, but it skips images, scripts, and other assets that a real browser would fetch.
To exploit this, you instrument your landing page to send visitor data from two sources. The first is the page load event your backend already sends to tirreno. The second is a transparent 1px image served through tirreno that fires a separate request when the browser actually renders the page.
When a real user visits, both requests arrive: the page event and the pixel. When a click farm bot visits, the page event fires but the pixel does not, because the bot never fully rendered the page. That missing pixel request, compared against a present page load, is a strong fraud signal that is difficult for fraud operations to counter without investing in full page rendering, which defeats the speed and cost advantages that make click fraud economically viable.
The technique is invisible to users (a transparent single-pixel image is undetectable) and adds a detection layer that works independently from the IP and behavioral signals, catching bots that might otherwise pass connection-level checks.
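The comparison described above, as an added example that is not tirreno's code or part of the original post: backend page events are joined to pixel requests and visits whose pixel never arrived are counted per masked-IP identifier (the a.b.c.* form the page recommends for anonymous ad traffic). The per-visit token carried in the pixel URL, the 30-second grace period and the record layout are assumptions.

```python
from collections import Counter
from datetime import datetime, timedelta

GRACE = timedelta(seconds=30)  # assumed wait before a missing pixel counts

def masked_identifier(ipv4):
    """Identifier form the page suggests for anonymous traffic: a.b.c.*"""
    return ".".join(ipv4.split(".")[:3]) + ".*"

def classify_visits(page_events, pixel_hits, now):
    """Return {token: 'rendered' | 'pending' | 'pixel_missing'} per page event,
    plus 'pixel_without_page' for pixel hits with no backend event."""
    pixel_tokens = {hit["token"] for hit in pixel_hits}
    verdicts = {}
    for ev in page_events:
        loaded = datetime.fromisoformat(ev["time"])
        if ev["token"] in pixel_tokens:
            verdicts[ev["token"]] = "rendered"
        elif now - loaded < GRACE:
            verdicts[ev["token"]] = "pending"        # too early to judge
        else:
            verdicts[ev["token"]] = "pixel_missing"  # page event, no render
    for token in pixel_tokens - set(verdicts):
        verdicts[token] = "pixel_without_page"
    return verdicts

def missing_by_identifier(page_events, verdicts):
    """Count pixel_missing visits per masked-IP identifier."""
    counts = Counter()
    for ev in page_events:
        if verdicts[ev["token"]] == "pixel_missing":
            counts[masked_identifier(ev["ip"])] += 1
    return dict(counts)

# Constructed sample data (documentation IP ranges, made-up tokens).
PAGE_EVENTS = [
    {"token": "t1", "ip": "198.51.100.20", "time": "2025-12-27T10:00:00"},
    {"token": "t2", "ip": "203.0.113.7",   "time": "2025-12-27T10:00:01"},
    {"token": "t3", "ip": "203.0.113.9",   "time": "2025-12-27T10:00:02"},
    {"token": "t4", "ip": "198.51.100.31", "time": "2025-12-27T10:04:50"},
]
PIXEL_HITS = [{"token": "t1", "time": "2025-12-27T10:00:01"},
              {"token": "t9", "time": "2025-12-27T10:00:03"}]
NOW = datetime.fromisoformat("2025-12-27T10:05:00")
VERDICTS = classify_visits(PAGE_EVENTS, PIXEL_HITS, NOW)
```

The grace period keeps a visit that has only just loaded from being flagged before its pixel request has had time to arrive.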
Click fraud is the first problem, not the last
Here is what happens after you solve click fraud: the fraudulent traffic that was clicking your ads starts registering accounts instead.
Click farms and bot networks that target advertising also target the products behind those ads. The same infrastructure that generates fake clicks can generate fake registrations, abuse promotional offers, poison review systems, and create accounts for coordinated manipulation. Once you have blocked the fraudulent clicks, the operators adapt, and the next attack surface is your registration flow.
If your click fraud detection runs on a single-purpose SaaS tool, you now need a second vendor for registration fraud. Then a third for account takeover. Each one charges separately, receives a separate stream of your user data, and operates its own proprietary detection logic you cannot see.
Starting with an open-source framework avoids this entirely. tirreno's event pipeline and rule engine handle click fraud detection today, and when the same fraudulent traffic shifts to registration abuse, the infrastructure is already in place. The investment is cumulative. Each new threat you address uses the same event pipeline, the same rule engine, and the same behavioral data you are already collecting. One framework, one data flow, one set of rules that grows with your product.
Getting started
Install. Deploy a tirreno instance on any server or container you control. The administration guide covers setup and configuration.
Send landing page events from your backend. When a visitor arrives from an ad click, send an event to tirreno with IP, user agent, timestamp, and event type. tirreno expects a username with each event; for anonymous ad traffic, use the visitor's IP with .* replacing the last octet (e.g. 192.168.1.*) as the identifier. The developer guide has the API schema.
Apply the bot_detection preset. Open the rules page, activate the preset, and browse the activity page. Look for datacenter IP concentrations, bot-identified user agents, and single-event sessions with no engagement.
Use the blacklist. Feed tirreno's auto-generated blacklist of fraudulent IPs back into your advertising networks to block future clicks from flagged addresses.
Add the 1px pixel. Once server-side monitoring is running, add the transparent pixel to your landing page for an additional detection layer that catches bots skipping full page rendering.
Download at tirreno.com/download.