Bitcoin Forum
December 15, 2017, 08:07:38 PM *
News: Latest stable version of Bitcoin Core: 0.15.1  [Torrent].
 
   Home   Help Search Donate Login Register  
Pages: « 1 [2]  All
  Print  
Author Topic: CAPTCHA to mitigate DDoS attack?  (Read 2941 times)
keatonatron
Sr. Member
****
Offline Offline

Activity: 322


Jack of oh so many trades.


View Profile
April 23, 2013, 08:15:21 AM
 #21

I was wondering if Mt.Gox could force all visitors to solve a Google hosted CAPTCHA before being able to access the website.

So, the attackers would just launch a DDoS attack on the captcha page, and no humans would be able to load it in order to solve it and log in.

1KEATSvAhbB7yj2baLB5xkyJSnkfqPGAqk
1513368458
Hero Member
*
Offline Offline

Posts: 1513368458

View Profile Personal Message (Offline)

Ignore
1513368458
Reply with quote  #2

1513368458
Report to moderator
Advertised sites are not endorsed by the Bitcoin Forum. They may be unsafe, untrustworthy, or illegal in your jurisdiction. Advertise here.
franky1
Legendary
*
Offline Offline

Activity: 1890



View Profile
April 23, 2013, 08:35:07 AM
 #22

sorry not a high end coder, so i will write this as a layman.

have like cloudflare, have mtgox.com as just a public page display server with a hidden backbone server (ip not revealed) that the public server is just php scripted to echo a page from a different server that actually does the trading.

thus separating the engines and trading platform server from the public viewing server.

have some code in the public viewing server that if X attempts are done a second per ip without a session ID (logged in user) = no function and where under x attempts that have a validated captcha or valid session ID belonging to a member, would then call the backbone server.

thirdly have another server that grabs the live market data to echo out to different places like clark moody. so that that clarkmoody and the other thousands of ticker services are not also draining resources directly off the main trading engine server

atleast then, those that are already logged in don't have page freezes and it reduces some of the lag on places like clarkmoody. especially if they tighten up tcp/ip access methods.

id even go to the extent of having 20 domain names that once your logged in you can access it through mtgox1.com or mtgox2.com that way unless these script kiddies had enough power to DDOS 20 ip addresses at once, people could still log in and trade

I DO NOT TRADE OR ACT AS ESCROW ON THIS FORUM EVER.
Don't take any information given on this forum on face value. Please do your own due diligence & respect what is written here as both opinion & information gleaned from experience. If you wish to seek legal FACTUAL advice, then seek the guidance of a LEGAL specialist.
tmbp
Sr. Member
****
Offline Offline

Activity: 336


View Profile
April 23, 2013, 08:39:27 AM
 #23

As far as I'm aware the DDoS that they have experienced was application level (e.g. someone creating buy and lose queries every second) and it WOULD in fact be solved with a simple captcha.

Non-application level DDoS could be solved by CDNs and a physical DDoS protecting router. Amazing that the Mt Cocks kids don't know this yet.

Come-from-Beyond
Legendary
*
Offline Offline

Activity: 1792

Newbie


View Profile
April 23, 2013, 08:43:37 AM
 #24

As far as I'm aware the DDoS that they have experienced was application level (e.g. someone creating buy and lose queries every second) and it WOULD in fact be solved with a simple captcha.

Non-application level DDoS could be solved by CDNs and a physical DDoS protecting router. Amazing that the Mt Cocks kids don't know this yet.

They imitate the lag.
tmbp
Sr. Member
****
Offline Offline

Activity: 336


View Profile
April 23, 2013, 08:44:56 AM
 #25

As far as I'm aware the DDoS that they have experienced was application level (e.g. someone creating buy and lose queries every second) and it WOULD in fact be solved with a simple captcha.

Non-application level DDoS could be solved by CDNs and a physical DDoS protecting router. Amazing that the Mt Cocks kids don't know this yet.

They imitate the lag.

For what purpose?

Come-from-Beyond
Legendary
*
Offline Offline

Activity: 1792

Newbie


View Profile
April 23, 2013, 08:48:54 AM
 #26

As far as I'm aware the DDoS that they have experienced was application level (e.g. someone creating buy and lose queries every second) and it WOULD in fact be solved with a simple captcha.

Non-application level DDoS could be solved by CDNs and a physical DDoS protecting router. Amazing that the Mt Cocks kids don't know this yet.

They imitate the lag.

For what purpose?

MONEY. They play on their own exchange.
keatonatron
Sr. Member
****
Offline Offline

Activity: 322


Jack of oh so many trades.


View Profile
April 23, 2013, 09:20:54 AM
 #27

As far as I'm aware the DDoS that they have experienced was application level (e.g. someone creating buy and lose queries every second) and it WOULD in fact be solved with a simple captcha.

If that is the case, API's would no longer work (including trading bots and [even more annoyingly] mobile apps). One thing they could do is make a rule that each account can only place one order every 10 seconds or so (unless the attackers have 100s of unique accounts). 

1KEATSvAhbB7yj2baLB5xkyJSnkfqPGAqk
tmbp
Sr. Member
****
Offline Offline

Activity: 336


View Profile
April 23, 2013, 10:25:48 AM
 #28

As far as I'm aware the DDoS that they have experienced was application level (e.g. someone creating buy and lose queries every second) and it WOULD in fact be solved with a simple captcha.

If that is the case, API's would no longer work (including trading bots and [even more annoyingly] mobile apps). One thing they could do is make a rule that each account can only place one order every 10 seconds or so (unless the attackers have 100s of unique accounts). 

There are visual captchas as well, rotate to arrange type of captchas which can be introduced to mobile apps, selling and buying with an API is just idiotic to begin with.

Bitcoinpro
Legendary
*
Offline Offline

Activity: 1218



View Profile
April 23, 2013, 10:35:01 AM
 #29

A Ddos attack would be a serious attack on a network and the government should provide resources to stop it and to prosecute the attackers.

WWW.FACEBOOK.COM

CRYPTOCURRENCY CENTRAL BANK

LTC: LP7bcFENVL9vdmUVea1M6FMyjSmUfsMVYf
franky1
Legendary
*
Offline Offline

Activity: 1890



View Profile
April 23, 2013, 04:24:20 PM
 #30

sub domains which link to 20 different ip's to gain access to the service.

s1.mtgox.com
s2.mtgox.com
s3.mtgox.com
s4.mtgox.com
s5.mtgox.com
and so on

each Sx wont api call the login/trading servers unless a valid login session exists. So S1-S20 only contains this one script:
echo Catcha
request response
IF CAPTCHA=VALID  create session & api login/trade servers ELSE nothing
theres a 21st server that handles logins which doesnt talk directly to useers but it uses API's for client data through S1-s20 so no one knows the IP of the login server (unless they hacked the S hosts)

wouldnt that dilute the potential kill power of a DDOS attack?

i think mtgox can afford maybe 30 servers with all their profits over the last year to atleast dilute the public accessible side of mtgox using 20 of the servers. to then have a stable trading and login servers and the last couple servers are sending out ticker information

I DO NOT TRADE OR ACT AS ESCROW ON THIS FORUM EVER.
Don't take any information given on this forum on face value. Please do your own due diligence & respect what is written here as both opinion & information gleaned from experience. If you wish to seek legal FACTUAL advice, then seek the guidance of a LEGAL specialist.
Welsh
Legendary
*
Offline Offline

Activity: 1078


ALU - Campaign Management, Escrow & Design!


View Profile
April 23, 2013, 04:28:41 PM
 #31

It might stop bots which would be great, however it wouldn't prevent DDOS attacks.

            ▄▄▄█████████▄▄▄
        ▄▄███████████████████▄▄
      ▄████████████▀▀▀██████████▄
    ▄█████████████▄█  ▐███████████▄
   ████████▀▀██████▌  ██▀▀██████████▄
  ██████▀ ▄██▄  ███  ▐█▄▌  ███  ▐█████
 ██████  ████▌ ▐██▌  ███  ▐██▌  ███████
██████▌  ████  ███  ▐██▌  ███  ▐████████
██████▌  ██▀▌ ▐█▀█  █▀█  ▐█▀▀  █▀███████
████████▄▄▄█▄▄▄▄██▄▄▄██▄▄▄▄█▄▄▄▄████████
████████████████████████████████████████

████████████████████████████████████████
.TRUSTED ★ EXPERIENCED ★ READY.       ▄▄█████████▄▄
    ▄█████████████████▄
  ▄█████████████████████▄
 ▄███████████████▀▀▀█████▄
▄████████████▀▀     ██████▄
█████████▀▀   ▄▄▀   ███████
██████▄    ▄▄█▀    ████████
█████████▄██▀      ████████
▀██████████▄▄    ████████▀
 ▀████████▄█████▄████████▀
  ▀█████████████████████▀
    ▀█████████████████▀
       ▀▀█████████▀▀
       ▄▄█████████▄▄
    ▄█████████████████▄
  ▄████████▀▀█▀▀████████▄
 ▄██████▀▀▀  ▀  ▀████████▄
▄███████▄▄   ▄▄   ▀███████▄
██████████   ███   ████████
██████████        ▀████████
██████████   ███▌  ▐███████
▀███████▀▀   ▀▀▀  ▄███████▀
 ▀██████▄▄▄  ▄  ▄████████▀
  ▀████████▄▄█▄▄████████▀
    ▀█████████████████▀
       ▀▀█████████▀▀
       ▄▄█████████▄▄
    ▄█████████████████▄
  ▄█████████████████████▄
 ▄██▀                 ▀██▄
▄██▌ ▄▀█████████████▀▄ ▐██▄
███▌ ██▄ ▀███████▀ ▄██ ▐███
███▌ ████   ▀▀▀   ████ ▐███
███▌ ██▀▄▄██▄▄▄██▄▄▀██ ▐███
▀██▌ ▀▄█████████████▄▀ ▐██▀
 ▀██▄                 ▄██▀
  ▀█████████████████████▀
    ▀█████████████████▀
       ▀▀█████████▀▀
acoindr
Legendary
*
Offline Offline

Activity: 1036


View Profile
April 23, 2013, 05:50:16 PM
 #32

As far as I'm aware the DDoS that they have experienced was application level (e.g. someone creating buy and lose queries every second) and it WOULD in fact be solved with a simple captcha.

Non-application level DDoS could be solved by CDNs and a physical DDoS protecting router. Amazing that the Mt Cocks kids don't know this yet.

This is a good point. A CDN like Akamai, captcha, and cache should solve most any DDoS they are hit with. Then put reasonable limits on API account requests.
bitsalame
Donator
Hero Member
*
Offline Offline

Activity: 658


Preaching the gospel of Satoshi


View Profile
April 23, 2013, 08:22:54 PM
 #33

As far as I'm aware the DDoS that they have experienced was application level (e.g. someone creating buy and lose queries every second) and it WOULD in fact be solved with a simple captcha.

Non-application level DDoS could be solved by CDNs and a physical DDoS protecting router. Amazing that the Mt Cocks kids don't know this yet.

This is a good point. A CDN like Akamai, captcha, and cache should solve most any DDoS they are hit with. Then put reasonable limits on API account requests.

The only thing that is stopping them is either greed or paranoia, or both.
The first one is despicable, the second one is understandable.

If data was just data it would be fine.
With bitcoins data literally becomes money so it becomes quite complicated.
acoindr
Legendary
*
Offline Offline

Activity: 1036


View Profile
April 23, 2013, 09:21:23 PM
 #34

As far as I'm aware the DDoS that they have experienced was application level (e.g. someone creating buy and lose queries every second) and it WOULD in fact be solved with a simple captcha.

Non-application level DDoS could be solved by CDNs and a physical DDoS protecting router. Amazing that the Mt Cocks kids don't know this yet.

This is a good point. A CDN like Akamai, captcha, and cache should solve most any DDoS they are hit with. Then put reasonable limits on API account requests.

The only thing that is stopping them is either greed or paranoia, or both.
The first one is despicable, the second one is understandable.

If data was just data it would be fine.
With bitcoins data literally becomes money so it becomes quite complicated.

I don't think it's either of those. I've seen other companies worth millions (or more) make goof ups one wouldn't expect; take the Sony hacks, for example.

The problem is most companies are not natively technology companies, like Google. They instead focus primarily on their products which leaves them open to those that do spend time capitalizing on tech. Realize the Internet itself is pretty young, and Bitcoin is younger than that, and Mt.Gox the largest most successful exchange even younger than that.
keatonatron
Sr. Member
****
Offline Offline

Activity: 322


Jack of oh so many trades.


View Profile
April 24, 2013, 07:07:16 AM
 #35

selling and buying with an API is just idiotic to begin with.

Why is that? It allows me to completely ignore the eyesore that is the Mt. Gox website.  Grin

1KEATSvAhbB7yj2baLB5xkyJSnkfqPGAqk
tmbp
Sr. Member
****
Offline Offline

Activity: 336


View Profile
April 24, 2013, 08:53:16 AM
 #36

selling and buying with an API is just idiotic to begin with.

Why is that? It allows me to completely ignore the eyesore that is the Mt. Gox website.  Grin

The idea is that if you want to establish a forex-like application you'd better off using UDP coupled with advanced methods of DDoS prevention, not a simple PHP script echoing some crap.

Pages: « 1 [2]  All
  Print  
 
Jump to:  

Sponsored by , a Bitcoin-accepting VPN.
Powered by MySQL Powered by PHP Powered by SMF 1.1.19 | SMF © 2006-2009, Simple Machines Valid XHTML 1.0! Valid CSS!