Invalid traffic and fraud
Some harmful traffic is invisible to ordinary per-IP rate limits: in a distributed attack or a fraud campaign, each individual IP stays quiet and under the threshold, yet the same cloned environment sits behind all of them. WebShield finds such groups by correlation and shows them separately — this is invalid traffic (IVT) detection.
Where to look: the Protection tab of domain statistics.
How it works
Section titled “How it works”When a client passes the browser check, WebShield captures a browser fingerprint — a set of technical traits of the environment. Live people on different addresses have different fingerprints. But if the same fingerprint arrives from dozens of different IPs in a short time, it is almost always a farm: an emulator or a cloned profile multiplied across many addresses to dodge limits.
The Invalid traffic (fraud farms) card lists such IP addresses: for each one, the number of requests and how many shared fingerprints are linked to it. Only addresses with a strong signal (a shared fingerprint) are included, so the list can be used as evidence with confidence.
Ad click fraud
Section titled “Ad click fraud”A separate Suspicious ad clicks card shows visits with ad-click tags (yclid for Yandex.Direct, gclid for Google Ads) that failed the browser check. These are direct candidates for ad-budget click fraud.
How to use
Section titled “How to use”- Open the Protection tab and pick the period.
- From the Invalid traffic and Suspicious ad clicks cards, collect the list of IPs and times.
- Attach the export to a refund claim with the ad network, or use it to investigate an attack.
WebShield not only shows these addresses but also acts on them: suspicious groups are automatically sent to an extra check (captcha), and clear attacks are banned at the network level. The report exists so you can see the picture and reclaim money for fake clicks.
Limits
Section titled “Limits”Fingerprint correlation is a strong but not absolute signal. Mass-identical devices (for example, cheap models with the same graphics stack) could in theory produce matching fingerprints across different people, so WebShield additionally compares the rate against a baseline and does not treat a steadily popular device as a farm. The report deliberately excludes “behavioural” suspicions (mass page enumeration), which more often false-positive on large networks — only the high-confidence shared-fingerprint signal is shown.