Bitcoin Forum
November 01, 2024, 04:38:18 PM *
News: Bitcoin Pumpkin Carving Contest
 
   Home   Help Search Login Register More  
Pages: [1] 2 »  All
  Print  
Author Topic: CAPTCHA to mitigate DDoS attack?  (Read 3050 times)
olalonde (OP)
Newbie
*
Offline Offline

Activity: 25
Merit: 0


View Profile
April 22, 2013, 10:16:49 AM
 #1

I was wondering if Mt.Gox could force all visitors to solve a Google hosted CAPTCHA before being able to access the website. It seems that the small annoyance of having to solve a CAPTCHA would outweigh the damage done by a DDoS. Logged in users and users who have previously solved a captcha should be exempt from the CAPTCHA requirement.

Would this even work? Would it be a good idea?
Come-from-Beyond
Legendary
*
Offline Offline

Activity: 2142
Merit: 1010

Newbie


View Profile
April 22, 2013, 10:19:24 AM
 #2

This could help against application level DDoS but useless against attacks on lower levels.
sagiko
Newbie
*
Offline Offline

Activity: 58
Merit: 0


View Profile
April 22, 2013, 10:26:21 AM
 #3

This could help against application level DDoS but useless against attacks on lower levels.

Exactly. Without knowing how they fell, can't really suggest anything meaningful. I wonder whether they are willing to share more details on this DDOS.
acoindr
Legendary
*
Offline Offline

Activity: 1050
Merit: 1002


View Profile
April 22, 2013, 05:45:02 PM
 #4

This is actually a great idea.

They could even separate their home page from the rest of the system (use a cache, etc.) so you could access the home page without a captcha but need to solve one for anything else (which might be more resource intensive).

This could help against application level DDoS but useless against attacks on lower levels.

What do you mean "lower levels"? You mean like remote DB access? Any impact on something like that would be solved by using local DB connection only. As for a file server that could require a valid session the same way an application would.

bitsalame
Donator
Hero Member
*
Offline Offline

Activity: 714
Merit: 510


Preaching the gospel of Satoshi


View Profile
April 22, 2013, 05:49:53 PM
 #5

This is actually a great idea.

They could even separate their home page from the rest of the system so you could access the home page without a captcha but need to solve one for anything else (which might be more resource intensive).

This could help against application level DDoS but useless against attacks on lower levels.

What do you mean "lower levels"? You mean like remote DB access? Any impact on something like that would be solved by using local DB connection only. As for a file server that could require a valid session the same way an application would.

Think about OSI model.
acoindr
Legendary
*
Offline Offline

Activity: 1050
Merit: 1002


View Profile
April 22, 2013, 06:01:10 PM
 #6

Think about OSI model.

How does a model have anything to do with http access to system resources?
tysat
Legendary
*
Offline Offline

Activity: 966
Merit: 1004


Keep it real


View Profile
April 22, 2013, 06:01:58 PM
 #7

Think about OSI model.

How does a model have anything to do with http access to system resources?

Because it's getting clogged up on the network layer.
acoindr
Legendary
*
Offline Offline

Activity: 1050
Merit: 1002


View Profile
April 22, 2013, 06:06:43 PM
 #8

Think about OSI model.

How does a model have anything to do with http access to system resources?

Because it's getting clogged up on the network layer.

Hmm, I suppose that's possible. To me that's an advanced DDoS though, or I guess that could happen naturally with large enough attack...
bitsalame
Donator
Hero Member
*
Offline Offline

Activity: 714
Merit: 510


Preaching the gospel of Satoshi


View Profile
April 22, 2013, 06:24:14 PM
Last edit: April 22, 2013, 06:37:17 PM by bitsalame
 #9

Think about OSI model.

How does a model have anything to do with http access to system resources?

Because it's getting clogged up on the network layer.

Hmm, I suppose that's possible. To me that's an advanced DDoS though, or I guess that could happen naturally with large enough attack...
That's not only "possible", it is precisely what is going on.
It is the very definition of DDoS.
And there are plenty of methods, most of them common knowledge, exploiting weaknesses of the TCP/IP protocol.
These days such exploitations aren't sophisticated, they are all easily accessible to any script kiddie.
DarkHyudrA
Legendary
*
Offline Offline

Activity: 1386
Merit: 1000


English <-> Portuguese translations


View Profile
April 22, 2013, 06:26:18 PM
 #10

This would kill bots, think about it.

English <-> Brazilian Portuguese translations
acoindr
Legendary
*
Offline Offline

Activity: 1050
Merit: 1002


View Profile
April 22, 2013, 06:33:49 PM
 #11

Think about OSI model.

How does a model have anything to do with http access to system resources?

Because it's getting clogged up on the network layer.

Hmm, I suppose that's possible. To me that's an advanced DDoS though, or I guess that could happen naturally with large enough attack...
That's not only "possible", it is precisely what is going on.
It is the very definition of DDoS.
And there are plenty of methods, most of them common knowledge, exploiting weaknesses of the TCP/IP protocol.
These days such exploitations aren't sophisticated, they are all easily accessible to any script kiddie.

Right. I'm used to looking at problems from the server level down, not the pipes. As I said earlier it seems the only real way to solve DDoS is take away botnets.

EDIT: To be pedantic, though, I wouldn't say the 'D' in DDoS is the very definition of clogging the network layer. DDoS AFAIK is the progression from DoS which didn't clog the network and was effectively mitigated with IP filtering. The more effective DDoS defeated that, and the network clogging seems an added benefit and problem.
grue
Legendary
*
Offline Offline

Activity: 2058
Merit: 1434



View Profile
April 22, 2013, 06:36:48 PM
 #12

what if the attacker just floods the server with random packets? there's no captcha for packets, and even if you're dropping them with a firewall, your link is still being saturated.

It is pitch black. You are likely to be eaten by a grue.

Adblock for annoying signature ads | Enhanced Merit UI
bitsalame
Donator
Hero Member
*
Offline Offline

Activity: 714
Merit: 510


Preaching the gospel of Satoshi


View Profile
April 22, 2013, 06:38:09 PM
 #13

what if the attacker just floods the server with random packets? there's no captcha for packets, and even if you're dropping them with a firewall, your link is still being saturated.
That's what we've been saying all along.
Wtf
tysat
Legendary
*
Offline Offline

Activity: 966
Merit: 1004


Keep it real


View Profile
April 22, 2013, 06:39:42 PM
 #14

what if the attacker just floods the server with random packets? there's no captcha for packets, and even if you're dropping them with a firewall, your link is still being saturated.

So you mean they're just DDoS'ing the server?
bitsalame
Donator
Hero Member
*
Offline Offline

Activity: 714
Merit: 510


Preaching the gospel of Satoshi


View Profile
April 22, 2013, 06:49:59 PM
Last edit: April 22, 2013, 07:02:34 PM by bitsalame
 #15

Think about OSI model.

How does a model have anything to do with http access to system resources?

Because it's getting clogged up on the network layer.

Hmm, I suppose that's possible. To me that's an advanced DDoS though, or I guess that could happen naturally with large enough attack...
That's not only "possible", it is precisely what is going on.
It is the very definition of DDoS.
And there are plenty of methods, most of them common knowledge, exploiting weaknesses of the TCP/IP protocol.
These days such exploitations aren't sophisticated, they are all easily accessible to any script kiddie.

Right. I'm used to looking at problems from the server level down, not the pipes. As I said earlier it seems the only real way to solve DDoS is take away botnets.

EDIT: To be pedantic, though, I wouldn't say the 'D' in DDoS is the very definition of clogging the network layer. DDoS AFAIK is the progression from DoS which didn't clog the network and was effectively mitigated with IP filtering. The more effective DDoS defeated that, and the network clogging seems an added benefit and problem.
You clearly missed your highlighted quote.
I am out of here.

Edit: evidently your understanding doesn't go that far.
acoindr
Legendary
*
Offline Offline

Activity: 1050
Merit: 1002


View Profile
April 22, 2013, 06:59:18 PM
 #16

Think about OSI model.

How does a model have anything to do with http access to system resources?

Because it's getting clogged up on the network layer.

Hmm, I suppose that's possible. To me that's an advanced DDoS though, or I guess that could happen naturally with large enough attack...
That's not only "possible", it is precisely what is going on.
It is the very definition of DDoS.
And there are plenty of methods, most of them common knowledge, exploiting weaknesses of the TCP/IP protocol.
These days such exploitations aren't sophisticated, they are all easily accessible to any script kiddie.

Right. I'm used to looking at problems from the server level down, not the pipes. As I said earlier it seems the only real way to solve DDoS is take away botnets.

EDIT: To be pedantic, though, I wouldn't say the 'D' in DDoS is the very definition of clogging the network layer. DDoS AFAIK is the progression from DoS which didn't clog the network and was effectively mitigated with IP filtering. The more effective DDoS defeated that, and the network clogging seems an added benefit and problem.
You clearly missed your highlighted quote.
I am out of here.

I didn't miss it.

I'm saying the attack became distributed in response to IP filtering not in order to clog the network. Denial of Service originally attacked servers not the network. The defense then was to filter problematic IPs. So to get around that distributed IPs were used. This had the added benefit of clogging the network. So when you say the very definition of the 'd' for distributed is clogging the network I disagree; I say that became a welcome side effect when, as you highlight, the attack is large enough. That's my understanding of the topic anyway. It's admittedly not my area of expertise.
Come-from-Beyond
Legendary
*
Offline Offline

Activity: 2142
Merit: 1010

Newbie


View Profile
April 22, 2013, 07:27:17 PM
 #17

This is actually a great idea.

They could even separate their home page from the rest of the system so you could access the home page without a captcha but need to solve one for anything else (which might be more resource intensive).

This could help against application level DDoS but useless against attacks on lower levels.

What do you mean "lower levels"? You mean like remote DB access? Any impact on something like that would be solved by using local DB connection only. As for a file server that could require a valid session the same way an application would.

Think about OSI model.

Yes. That's exactly what I meant when said "lower levels".
Stunna
Legendary
*
Offline Offline

Activity: 3192
Merit: 1279


Primedice.com, Stake.com


View Profile
April 22, 2013, 10:37:33 PM
 #18

This wouldn't be effective, new ways to mitigate must be developed.

Stake.com Fastest growing crypto casino & sportsbook
Primedice.com The original bitcoin instant dice game
papaminer
Sr. Member
****
Offline Offline

Activity: 462
Merit: 250


Free World


View Profile WWW
April 22, 2013, 10:39:18 PM
 #19

lolz...

the easiest and cheapest way to mitigate DDOS as of today is use...

CLOUDFLARE

฿: 1L7dSte4Rs4KyyxRCgrqSWYtkXdAb4Gy1z

MORE INFO ABOUT ME: BTC
tysat
Legendary
*
Offline Offline

Activity: 966
Merit: 1004


Keep it real


View Profile
April 22, 2013, 11:32:22 PM
 #20

lolz...

the easiest and cheapest way to mitigate DDOS as of today is use...

CLOUDFLARE

For static content (I believe)
Pages: [1] 2 »  All
  Print  
 
Jump to:  

Powered by MySQL Powered by PHP Powered by SMF 1.1.19 | SMF © 2006-2009, Simple Machines Valid XHTML 1.0! Valid CSS!