> There is no way to obfuscate an IP address on a TCP connection.
I think you misunderstand how this works/is done.
> The TCP sequence numbers are random so if the fraudster spoofs their IP, they won't get the return traffic and will be unable to complete the handshake and even establish a connection.
A bunch of misperceptions here.
I'm posting this right now from an IP address that is different than the IP address that HN sees on their side. Likely you are as well. I'm not doing IP address spoofing like you are describing (though you can indeed do that, even with TCP... there are RFCs on it and everything, it's just totally unnecessary), because that isn't needed. A simple NAT, VPN, or proxy can obfuscate the IP you are using. Click fraud is really no different from SPAM in the way that perpetrators collect pools of IP addresses/computers and relay their activity through those addresses/computers to obfuscate its true origin.
The TCP connection used to click on the ad on reddit is not the same TCP connection used to visit the advertiser's landing page, so there is no need to mess with anything at the TCP level for a different IP address to be presented to the publisher.
> As the original poster noted, 15 requests from a single IP in a short amount of time should be an anomaly. There's no real world scenario where 15 people behind one NAT show interest to a specific ad simultaneously.
Would you consider it an anomaly for 15 people anywhere on the Internet to show interest in an ad over a short amount of time? If so, you probably should rate limit your campaigns accordingly, but if not then there's no reason why you should consider it an anomaly for 15 people to show interest in an ad over the same IP. Particularly since ad engines have behaviours that make it disproportionately likely that an ad will be shown to people at the same time if they are behind the same IP. I'm not saying it isn't an anomaly. It could well be, but it is far from definitively fraud. This kind of "anomaly" happens all the time for reasons that have absolutely nothing to do with fraud.
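An added example, not part of the comment above and not any ad network's code: a sliding-window check that reports a per-IP click burst together with the campaign-wide click count in the same window, so the burst is triaged as a review signal rather than treated as a fraud verdict. The 15-click threshold comes from the thread; the 60-second window, the 0.5 dominance cut-off, the label names and the sample clicks are assumptions made for illustration.

```python
from collections import defaultdict, deque

def triage_bursts(clicks, window_s=60, burst=15):
    """clicks: (unix_ts, ip) tuples for one ad campaign, sorted by time.
    Returns {ip: (peak_ip_clicks, campaign_clicks_in_same_window)} for every
    IP whose sliding-window click count reaches `burst`."""
    per_ip = defaultdict(deque)
    campaign = deque()
    flagged = {}
    for ts, ip in clicks:
        campaign.append(ts)
        while campaign[0] <= ts - window_s:   # expire clicks outside the window
            campaign.popleft()
        q = per_ip[ip]
        q.append(ts)
        while q[0] <= ts - window_s:
            q.popleft()
        if len(q) >= burst and len(q) > flagged.get(ip, (0, 0))[0]:
            flagged[ip] = (len(q), len(campaign))
    return flagged

def label(ip_clicks, campaign_clicks, dominance=0.5):
    # Assumed policy: a burst only ever queues the IP for review.
    # One IP supplying most of the window's clicks is looked at first; a burst
    # during a campaign-wide rush is consistent with many users behind one NAT.
    share = ip_clicks / campaign_clicks
    return "review-priority" if share >= dominance else "review-low"

def sample_clicks():
    # Constructed data using documentation address ranges (RFC 5737).
    quiet = [(1000 + 2 * i, "203.0.113.7") for i in range(15)]
    quiet += [(1005, "192.0.2.1"), (1015, "192.0.2.2"), (1025, "192.0.2.3")]
    busy = [(5000 + 2 * i, "198.51.100.20") for i in range(15)]
    busy += [(5000 + i, f"192.0.2.{10 + i}") for i in range(45)]
    return sorted(quiet + busy)

if __name__ == "__main__":
    for ip, (n, total) in triage_bursts(sample_clicks()).items():
        print(ip, n, total, label(n, total))
```

Both sample addresses hit the same 15-click threshold, but only the one that dominates its window is prioritised; neither label says anything about where the traffic truly originated, since the address seen may be a NAT, VPN or proxy.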