keatonatron
Sr. Member
Jack of oh so many trades.
April 23, 2013, 08:15:21 AM
I was wondering if Mt.Gox could force all visitors to solve a Google hosted CAPTCHA before being able to access the website.
So, the attackers would just launch a DDoS attack on the captcha page, and no humans would be able to load it in order to solve it and log in.
1KEATSvAhbB7yj2baLB5xkyJSnkfqPGAqk
franky1
Legendary
April 23, 2013, 08:35:07 AM
Sorry, not a high-end coder, so I will write this as a layman.
Have, like Cloudflare, mtgox.com as just a public page-display server with a hidden backbone server (IP not revealed) that the public server is just PHP-scripted to echo a page from a different server that actually does the trading.
Thus separating the engines and trading platform server from the public viewing server.
Have some code in the public viewing server that if X attempts are done a second per IP without a session ID (logged-in user) = no function, and where under X attempts that have a validated captcha or valid session ID belonging to a member, would then call the backbone server.
Thirdly, have another server that grabs the live market data to echo out to different places like clarkmoody, so that clarkmoody and the other thousands of ticker services are not also draining resources directly off the main trading engine server.
At least then, those that are already logged in don't have page freezes, and it reduces some of the lag on places like clarkmoody, especially if they tighten up TCP/IP access methods.
I'd even go to the extent of having 20 domain names so that once you're logged in you can access it through mtgox1.com or mtgox2.com; that way, unless these script kiddies had enough power to DDoS 20 IP addresses at once, people could still log in and trade.
I DO NOT TRADE OR ACT AS ESCROW ON THIS FORUM EVER. Please do your own research & respect what is written here as both opinion & information gleaned from experience. many people replying with insults but no on-topic content substance, automatically are 'facepalmed' and yawned at
tmbp
April 23, 2013, 08:39:27 AM
As far as I'm aware the DDoS that they have experienced was application level (e.g. someone creating buy and lose queries every second) and it WOULD in fact be solved with a simple captcha.
Non-application-level DDoS could be solved by CDNs and a physical DDoS-protecting router. Amazing that the Mt Cocks kids don't know this yet.
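The distinction tmbp draws between an application-level flood (a few accounts hammering the order endpoint) and a volumetric one is something an operator can check from the access logs before choosing a countermeasure. The following is an added example, not Mt.Gox code and not anything tmbp posted: the log line format, the order endpoint paths and the sample lines are all constructed assumptions. It counts order requests per account in a sliding window and reports which accounts exceed a threshold, plus what share of all requests reach the matching engine at all.

```python
"""Flag an application-level flood (one account hammering the order endpoint)
from web access logs. Added example, not Mt.Gox code; the log format and the
order endpoint paths are assumptions, and the sample lines are constructed."""
import re
from collections import defaultdict

# Assumed log format: <ip> <account|-> [<HH:MM:SS>] "<METHOD> <path>" <status>
LINE_RE = re.compile(
    r'^(?P<ip>\S+) (?P<account>\S+) \[(?P<time>\d\d:\d\d:\d\d)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)" (?P<status>\d{3})$'
)
# Endpoints that hit the matching engine (assumed paths).
ORDER_SUFFIXES = ("/order/add", "/order/cancel")

# Constructed sample: acct_a flips orders every two seconds from one IP,
# acct_b places two orders 85 seconds apart, anonymous clients poll the ticker.
SAMPLE_LOG = """\
203.0.113.5 acct_a [10:00:00] "POST /api/1/BTCUSD/private/order/add" 200
198.51.100.7 - [10:00:01] "GET /api/1/BTCUSD/ticker" 200
203.0.113.5 acct_a [10:00:02] "POST /api/1/BTCUSD/private/order/cancel" 200
203.0.113.5 acct_a [10:00:04] "POST /api/1/BTCUSD/private/order/add" 200
192.0.2.44 acct_b [10:00:05] "POST /api/1/BTCUSD/private/order/add" 200
203.0.113.5 acct_a [10:00:06] "POST /api/1/BTCUSD/private/order/cancel" 200
198.51.100.8 - [10:00:07] "GET /api/1/BTCUSD/depth" 200
203.0.113.5 acct_a [10:00:08] "POST /api/1/BTCUSD/private/order/add" 200
203.0.113.5 acct_a [10:00:10] "POST /api/1/BTCUSD/private/order/cancel" 200
203.0.113.5 acct_a [10:00:12] "POST /api/1/BTCUSD/private/order/add" 200
192.0.2.44 acct_b [10:01:30] "POST /api/1/BTCUSD/private/order/add" 200
203.0.113.5 acct_a [10:00:14] "POST /api/1/BTCUSD/private/order/cancel" 200
this line is garbage and is skipped
"""


def parse_line(line):
    """Parse one log line into a dict, or None if it does not match the format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    h, mi, s = (int(x) for x in rec["time"].split(":"))
    rec["t"] = h * 3600 + mi * 60 + s
    rec["is_order"] = rec["method"] == "POST" and rec["path"].endswith(ORDER_SUFFIXES)
    return rec


def peak_order_rate(log_text, window_s=60):
    """Per account, the largest number of order requests in any window_s seconds."""
    times = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["is_order"]:
            times[rec["account"]].append(rec["t"])
    peaks = {}
    for acct, ts in times.items():
        ts.sort()  # lines may arrive out of order; the window needs sorted times
        lo, best = 0, 0
        for hi, t in enumerate(ts):
            while t - ts[lo] >= window_s:  # drop timestamps that left the window
                lo += 1
            best = max(best, hi - lo + 1)
        peaks[acct] = best
    return peaks


def flag_floods(log_text, window_s=60, threshold=5):
    """Accounts whose peak order rate exceeds threshold per window."""
    return {a: n for a, n in peak_order_rate(log_text, window_s).items() if n > threshold}


def order_fraction(log_text):
    """Share of parseable requests that hit the matching engine: high means the
    load is application-level, not just bulk traffic at the front door."""
    parsed = [r for r in map(parse_line, log_text.splitlines()) if r]
    return sum(r["is_order"] for r in parsed) / len(parsed)


if __name__ == "__main__":
    print("flooding accounts:", flag_floods(SAMPLE_LOG))
    print("order share of traffic: %.2f" % order_fraction(SAMPLE_LOG))
```

On the constructed sample only acct_a is flagged; acct_b's two orders are too far apart. A per-account throttle would answer the first pattern, while a high anonymous GET share with no flagged accounts would point at the front-end or network instead.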
Come-from-Beyond
Legendary
April 23, 2013, 08:43:37 AM
Quote from: tmbp on April 23, 2013, 08:39:27 AM
    As far as I'm aware the DDoS that they have experienced was application level (e.g. someone creating buy and lose queries every second) and it WOULD in fact be solved with a simple captcha.
    Non-application level DDoS could be solved by CDNs and a physical DDoS protecting router. Amazing that the Mt Cocks kids don't know this yet.

They imitate the lag.
tmbp
April 23, 2013, 08:44:56 AM
Quote from: Come-from-Beyond on April 23, 2013, 08:43:37 AM
    Quote from: tmbp on April 23, 2013, 08:39:27 AM
        As far as I'm aware the DDoS that they have experienced was application level (e.g. someone creating buy and lose queries every second) and it WOULD in fact be solved with a simple captcha.
        Non-application level DDoS could be solved by CDNs and a physical DDoS protecting router. Amazing that the Mt Cocks kids don't know this yet.
    They imitate the lag.

For what purpose?
Come-from-Beyond
Legendary
April 23, 2013, 08:48:54 AM
Quote from: tmbp on April 23, 2013, 08:44:56 AM
    Quote from: Come-from-Beyond on April 23, 2013, 08:43:37 AM
        Quote from: tmbp on April 23, 2013, 08:39:27 AM
            As far as I'm aware the DDoS that they have experienced was application level (e.g. someone creating buy and lose queries every second) and it WOULD in fact be solved with a simple captcha.
            Non-application level DDoS could be solved by CDNs and a physical DDoS protecting router. Amazing that the Mt Cocks kids don't know this yet.
        They imitate the lag.
    For what purpose?

MONEY. They play on their own exchange.
keatonatron
Sr. Member
Jack of oh so many trades.
April 23, 2013, 09:20:54 AM
Quote from: tmbp on April 23, 2013, 08:39:27 AM
    As far as I'm aware the DDoS that they have experienced was application level (e.g. someone creating buy and lose queries every second) and it WOULD in fact be solved with a simple captcha.

If that is the case, APIs would no longer work (including trading bots and [even more annoyingly] mobile apps). One thing they could do is make a rule that each account can only place one order every 10 seconds or so (unless the attackers have 100s of unique accounts).
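The two controls proposed so far in the thread, franky1's per-IP cap on requests that carry no session ID with a captcha before a session is created, and keatonatron's one-order-every-N-seconds rule per account, fit in a single front-door policy in front of the hidden trading server. The following is an added example, not Mt.Gox code and not something either poster wrote: the limits, the captcha token store, the session format and the order shape are assumptions, and the clock is faked so the demo runs the same every time.

```python
"""Edge gate for a public front-end: per-IP limit on anonymous traffic, a
single-use captcha token to open a session, and per-account spacing of orders.
Added example, not Mt.Gox code; limits, token source, session ids and the
order shape are assumptions."""
import secrets
import time
from collections import defaultdict, deque


class FakeClock:
    """Deterministic clock so the demo below is reproducible."""
    def __init__(self):
        self.t = 0.0

    def __call__(self):
        return self.t

    def advance(self, seconds):
        self.t += seconds


class EdgeGate:
    def __init__(self, ip_limit=5, ip_window_s=1.0, order_interval_s=10.0,
                 clock=time.monotonic):
        self.clock = clock
        self.ip_limit = ip_limit            # anonymous requests per IP per window
        self.ip_window_s = ip_window_s
        self.order_interval_s = order_interval_s
        self.ip_hits = defaultdict(deque)   # ip -> timestamps of recent anonymous hits
        self.captcha_tokens = set()         # unredeemed tokens the captcha service issued (assumed)
        self.sessions = {}                  # session id -> account
        self.last_order = {}                # account -> time of last accepted order

    def issue_captcha_token(self, token):
        """Stand-in for the captcha service handing back a solved-challenge token."""
        self.captcha_tokens.add(token)

    def ip_allowed(self, ip):
        """Sliding-window count of anonymous requests per IP; anything over the
        limit is dropped here, before any server behind the front-end is touched."""
        now = self.clock()
        hits = self.ip_hits[ip]
        while hits and now - hits[0] >= self.ip_window_s:
            hits.popleft()
        if len(hits) >= self.ip_limit:
            return False
        hits.append(now)
        return True

    def login(self, ip, captcha_token, account):
        """Anonymous path: counted against the IP, and only a valid, unused
        captcha token opens a session. Returns the session id or None."""
        if not self.ip_allowed(ip):
            return None
        if captcha_token not in self.captcha_tokens:
            return None
        self.captcha_tokens.discard(captcha_token)   # single use: a replayed token fails
        sid = secrets.token_hex(16)
        self.sessions[sid] = account
        return sid

    def place_order(self, session_id, order):
        """Authenticated path: only a live session reaches the trading backend,
        and each account may place at most one order per order_interval_s."""
        account = self.sessions.get(session_id)
        if account is None:
            return "rejected: no session"
        now = self.clock()
        last = self.last_order.get(account)
        if last is not None and now - last < self.order_interval_s:
            return "rejected: order rate limit"
        self.last_order[account] = now
        # Here `order` would be forwarded to the hidden trading server.
        return "accepted"


def demo():
    clock = FakeClock()
    gate = EdgeGate(clock=clock)
    gate.issue_captcha_token("tok-1")
    out = {}
    # 20 anonymous hits from one IP in the same second: 5 pass, 15 are dropped.
    out["anon_dropped"] = sum(not gate.ip_allowed("198.51.100.9") for _ in range(20))
    clock.advance(1.0)
    out["login_bad_captcha"] = gate.login("203.0.113.5", "wrong", "alice")
    sid = gate.login("203.0.113.5", "tok-1", "alice")
    out["login_ok"] = sid is not None
    out["captcha_reuse"] = gate.login("203.0.113.5", "tok-1", "alice")
    bid = {"type": "bid", "amount": "1.0", "price": "120.00"}
    out["order1"] = gate.place_order(sid, bid)
    out["order2"] = gate.place_order(sid, bid)          # same second: throttled
    clock.advance(10.0)
    out["order3"] = gate.place_order(sid, bid)          # interval elapsed
    out["no_session"] = gate.place_order("bogus", bid)
    return out


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

Running it shows the anonymous burst being dropped at the IP window while the logged-in account's second order inside the ten-second interval is refused and the replayed captcha token fails. The caveat keatonatron raises still applies: the per-account interval only slows an attacker who cannot register accounts faster than the captcha at signup allows, and nothing in this gate helps once the front-end's own bandwidth is saturated.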
tmbp
April 23, 2013, 10:25:48 AM
Quote from: keatonatron on April 23, 2013, 09:20:54 AM
    Quote from: tmbp on April 23, 2013, 08:39:27 AM
        As far as I'm aware the DDoS that they have experienced was application level (e.g. someone creating buy and lose queries every second) and it WOULD in fact be solved with a simple captcha.
    If that is the case, API's would no longer work (including trading bots and [even more annoyingly] mobile apps). One thing they could do is make a rule that each account can only place one order every 10 seconds or so (unless the attackers have 100s of unique accounts).

There are visual captchas as well, rotate-to-arrange types of captchas which can be introduced to mobile apps. Selling and buying with an API is just idiotic to begin with.
Bitcoinpro
Legendary
April 23, 2013, 10:35:01 AM
A DDoS attack would be a serious attack on a network, and the government should provide resources to stop it and to prosecute the attackers.
WWW.FACEBOOK.COM
CRYPTOCURRENCY CENTRAL BANK
LTC: LP7bcFENVL9vdmUVea1M6FMyjSmUfsMVYf
franky1
Legendary
April 23, 2013, 04:24:20 PM Last edit: April 23, 2013, 05:14:56 PM by franky1
Sub-domains which link to 20 different IPs to gain access to the service: s1.mtgox.com, s2.mtgox.com, s3.mtgox.com, s4.mtgox.com, s5.mtgox.com and so on. Each Sx won't API-call the login/trading servers unless a valid login session exists. So S1-S20 only contain this one script:

    echo captcha request response
    IF CAPTCHA=VALID create session & API login/trade servers
    ELSE nothing

There's a 21st server that handles logins which doesn't talk directly to users, but it uses APIs for client data through S1-S20, so no one knows the IP of the login server (unless they hacked the S hosts). Wouldn't that dilute the potential kill power of a DDoS attack?

I think mtgox can afford maybe 30 servers with all their profits over the last year, to at least dilute the publicly accessible side of mtgox using 20 of the servers, to then have stable trading and login servers, and the last couple of servers are sending out ticker information.
Welsh
Staff
Legendary
April 23, 2013, 04:28:41 PM Last edit: June 01, 2014, 01:03:56 PM by Welsh
It might stop bots, which would be great; however, it wouldn't prevent DDoS attacks.
acoindr
Legendary
April 23, 2013, 05:50:16 PM
Quote from: tmbp on April 23, 2013, 08:39:27 AM
    As far as I'm aware the DDoS that they have experienced was application level (e.g. someone creating buy and lose queries every second) and it WOULD in fact be solved with a simple captcha.
    Non-application level DDoS could be solved by CDNs and a physical DDoS protecting router. Amazing that the Mt Cocks kids don't know this yet.

This is a good point. A CDN like Akamai, captcha, and cache should solve most any DDoS they are hit with. Then put reasonable limits on API account requests.
bitsalame
Donator
Hero Member
Preaching the gospel of Satoshi
April 23, 2013, 08:22:54 PM
Quote from: acoindr on April 23, 2013, 05:50:16 PM
    Quote from: tmbp on April 23, 2013, 08:39:27 AM
        As far as I'm aware the DDoS that they have experienced was application level (e.g. someone creating buy and lose queries every second) and it WOULD in fact be solved with a simple captcha.
        Non-application level DDoS could be solved by CDNs and a physical DDoS protecting router. Amazing that the Mt Cocks kids don't know this yet.
    This is a good point. A CDN like Akamai, captcha, and cache should solve most any DDoS they are hit with. Then put reasonable limits on API account requests.

The only thing that is stopping them is either greed or paranoia, or both. The first one is despicable, the second one is understandable. If data was just data it would be fine. With bitcoins, data literally becomes money, so it becomes quite complicated.
acoindr
Legendary
April 23, 2013, 09:21:23 PM
Quote from: bitsalame on April 23, 2013, 08:22:54 PM
    Quote from: acoindr on April 23, 2013, 05:50:16 PM
        Quote from: tmbp on April 23, 2013, 08:39:27 AM
            As far as I'm aware the DDoS that they have experienced was application level (e.g. someone creating buy and lose queries every second) and it WOULD in fact be solved with a simple captcha.
            Non-application level DDoS could be solved by CDNs and a physical DDoS protecting router. Amazing that the Mt Cocks kids don't know this yet.
        This is a good point. A CDN like Akamai, captcha, and cache should solve most any DDoS they are hit with. Then put reasonable limits on API account requests.
    The only thing that is stopping them is either greed or paranoia, or both. The first one is despicable, the second one is understandable. If data was just data it would be fine. With bitcoins data literally becomes money so it becomes quite complicated.

I don't think it's either of those. I've seen other companies worth millions (or more) make goof-ups one wouldn't expect; take the Sony hacks, for example. The problem is most companies are not natively technology companies, like Google. They instead focus primarily on their products, which leaves them open to those that do spend time capitalizing on tech. Realize the Internet itself is pretty young, Bitcoin is younger than that, and Mt.Gox, the largest, most successful exchange, even younger than that.
keatonatron
Sr. Member
Jack of oh so many trades.
April 24, 2013, 07:07:16 AM
Quote from: tmbp on April 23, 2013, 10:25:48 AM
    selling and buying with an API is just idiotic to begin with.

Why is that? It allows me to completely ignore the eyesore that is the Mt. Gox website.
tmbp
April 24, 2013, 08:53:16 AM
Quote from: keatonatron on April 24, 2013, 07:07:16 AM
    Quote from: tmbp on April 23, 2013, 10:25:48 AM
        selling and buying with an API is just idiotic to begin with.
    Why is that? It allows me to completely ignore the eyesore that is the Mt. Gox website.

The idea is that if you want to establish a forex-like application you'd be better off using UDP coupled with advanced methods of DDoS prevention, not a simple PHP script echoing some crap.