Topic: CAPTCHA to mitigate DDoS attack? (Read 3065 times)

sr. member
Activity: 350
Merit: 250
April 24, 2013, 03:53:16 AM
#36
selling and buying with an API is just idiotic to begin with.

Why is that? It allows me to completely ignore the eyesore that is the Mt. Gox website.  Grin

The idea is that if you want to establish a forex-like application you'd be better off using UDP coupled with advanced methods of DDoS prevention, not a simple PHP script echoing some crap.
sr. member
Activity: 308
Merit: 250
Jack of oh so many trades.
April 24, 2013, 02:07:16 AM
#35
selling and buying with an API is just idiotic to begin with.

Why is that? It allows me to completely ignore the eyesore that is the Mt. Gox website.  Grin
legendary
Activity: 1050
Merit: 1002
April 23, 2013, 04:21:23 PM
#34
As far as I'm aware the DDoS that they have experienced was application level (e.g. someone creating buy and lose queries every second) and it WOULD in fact be solved with a simple captcha.

Non-application level DDoS could be solved by CDNs and a physical DDoS protecting router. Amazing that the Mt Cocks kids don't know this yet.

This is a good point. A CDN like Akamai, captcha, and cache should solve most any DDoS they are hit with. Then put reasonable limits on API account requests.

The only thing that is stopping them is either greed or paranoia, or both.
The first one is despicable, the second one is understandable.

If data was just data it would be fine.
With bitcoins data literally becomes money so it becomes quite complicated.

I don't think it's either of those. I've seen other companies worth millions (or more) make goof ups one wouldn't expect; take the Sony hacks, for example.

The problem is most companies are not natively technology companies, like Google. They instead focus primarily on their products, which leaves them open to those that do spend time capitalizing on tech. Realize the Internet itself is pretty young, and Bitcoin is younger than that, and Mt.Gox, the largest, most successful exchange, even younger than that.
donator
Activity: 714
Merit: 510
Preaching the gospel of Satoshi
April 23, 2013, 03:22:54 PM
#33
As far as I'm aware the DDoS that they have experienced was application level (e.g. someone creating buy and lose queries every second) and it WOULD in fact be solved with a simple captcha.

Non-application level DDoS could be solved by CDNs and a physical DDoS protecting router. Amazing that the Mt Cocks kids don't know this yet.

This is a good point. A CDN like Akamai, captcha, and cache should solve most any DDoS they are hit with. Then put reasonable limits on API account requests.

The only thing that is stopping them is either greed or paranoia, or both.
The first one is despicable, the second one is understandable.

If data was just data it would be fine.
With bitcoins data literally becomes money so it becomes quite complicated.
legendary
Activity: 1050
Merit: 1002
April 23, 2013, 12:50:16 PM
#32
As far as I'm aware the DDoS that they have experienced was application level (e.g. someone creating buy and lose queries every second) and it WOULD in fact be solved with a simple captcha.

Non-application level DDoS could be solved by CDNs and a physical DDoS protecting router. Amazing that the Mt Cocks kids don't know this yet.

This is a good point. A CDN like Akamai, captcha, and cache should solve most any DDoS they are hit with. Then put reasonable limits on API account requests.
staff
Activity: 3304
Merit: 4115
April 23, 2013, 11:28:41 AM
#31
It might stop bots which would be great, however it wouldn't prevent DDOS attacks.
legendary
Activity: 4424
Merit: 4794
April 23, 2013, 11:24:20 AM
#30
Subdomains which link to 20 different IPs to gain access to the service.

s1.mtgox.com
s2.mtgox.com
s3.mtgox.com
s4.mtgox.com
s5.mtgox.com
and so on

Each Sx won't API-call the login/trading servers unless a valid login session exists. So S1-S20 only contain this one script:
echo Captcha
request response
IF CAPTCHA=VALID  create session & API login/trade servers ELSE nothing
There's a 21st server that handles logins which doesn't talk directly to users, but it uses APIs for client data through S1-S20 so no one knows the IP of the login server (unless they hacked the S hosts).

Wouldn't that dilute the potential kill power of a DDOS attack?

I think mtgox can afford maybe 30 servers with all their profits over the last year, to at least dilute the publicly accessible side of mtgox using 20 of the servers, to then have stable trading and login servers, and the last couple of servers are sending out ticker information.
legendary
Activity: 1358
Merit: 1000
April 23, 2013, 05:35:01 AM
#29
A DDoS attack would be a serious attack on a network and the government should provide resources to stop it and to prosecute the attackers.
sr. member
Activity: 350
Merit: 250
April 23, 2013, 05:25:48 AM
#28
As far as I'm aware the DDoS that they have experienced was application level (e.g. someone creating buy and lose queries every second) and it WOULD in fact be solved with a simple captcha.

If that is the case, APIs would no longer work (including trading bots and [even more annoyingly] mobile apps). One thing they could do is make a rule that each account can only place one order every 10 seconds or so (unless the attackers have 100s of unique accounts).

There are visual captchas as well, rotate-to-arrange types of captchas, which can be introduced to mobile apps. Selling and buying with an API is just idiotic to begin with.
sr. member
Activity: 308
Merit: 250
Jack of oh so many trades.
April 23, 2013, 04:20:54 AM
#27
As far as I'm aware the DDoS that they have experienced was application level (e.g. someone creating buy and lose queries every second) and it WOULD in fact be solved with a simple captcha.

If that is the case, APIs would no longer work (including trading bots and [even more annoyingly] mobile apps). One thing they could do is make a rule that each account can only place one order every 10 seconds or so (unless the attackers have 100s of unique accounts).
legendary
Activity: 2142
Merit: 1010
Newbie
April 23, 2013, 03:48:54 AM
#26
As far as I'm aware the DDoS that they have experienced was application level (e.g. someone creating buy and lose queries every second) and it WOULD in fact be solved with a simple captcha.

Non-application level DDoS could be solved by CDNs and a physical DDoS protecting router. Amazing that the Mt Cocks kids don't know this yet.

They imitate the lag.

For what purpose?

MONEY. They play on their own exchange.
sr. member
Activity: 350
Merit: 250
April 23, 2013, 03:44:56 AM
#25
As far as I'm aware the DDoS that they have experienced was application level (e.g. someone creating buy and lose queries every second) and it WOULD in fact be solved with a simple captcha.

Non-application level DDoS could be solved by CDNs and a physical DDoS protecting router. Amazing that the Mt Cocks kids don't know this yet.

They imitate the lag.

For what purpose?
legendary
Activity: 2142
Merit: 1010
Newbie
April 23, 2013, 03:43:37 AM
#24
As far as I'm aware the DDoS that they have experienced was application level (e.g. someone creating buy and lose queries every second) and it WOULD in fact be solved with a simple captcha.

Non-application level DDoS could be solved by CDNs and a physical DDoS protecting router. Amazing that the Mt Cocks kids don't know this yet.

They imitate the lag.
sr. member
Activity: 350
Merit: 250
April 23, 2013, 03:39:27 AM
#23
As far as I'm aware the DDoS that they have experienced was application level (e.g. someone creating buy and lose queries every second) and it WOULD in fact be solved with a simple captcha.

Non-application level DDoS could be solved by CDNs and a physical DDoS protecting router. Amazing that the Mt Cocks kids don't know this yet.
legendary
Activity: 4424
Merit: 4794
April 23, 2013, 03:35:07 AM
#22
Sorry, not a high-end coder, so I will write this as a layman.

Have something like Cloudflare; have mtgox.com as just a public page display server with a hidden backbone server (IP not revealed), where the public server is just PHP scripted to echo a page from a different server that actually does the trading.

Thus separating the engines and trading platform server from the public viewing server.

Have some code in the public viewing server so that if X attempts are done a second per IP without a session ID (logged-in user) = no function, and where under X attempts that have a validated captcha or valid session ID belonging to a member, it would then call the backbone server.

Thirdly, have another server that grabs the live market data to echo out to different places like Clark Moody, so that clarkmoody and the other thousands of ticker services are not also draining resources directly off the main trading engine server.

At least then, those that are already logged in don't have page freezes and it reduces some of the lag on places like clarkmoody, especially if they tighten up TCP/IP access methods.

I'd even go to the extent of having 20 domain names so that once you're logged in you can access it through mtgox1.com or mtgox2.com; that way, unless these script kiddies had enough power to DDOS 20 IP addresses at once, people could still log in and trade.
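As an added example, not code from any poster in this thread or from Mt.Gox, here is one way the edge policy sketched in posts #30 and #22 (per-IP throttling of anonymous requests, forwarding to the backbone only on a valid session or solved captcha) together with the one-order-per-10-seconds rule from #27 could be implemented as a single in-memory gateway. The class name, the threshold of 5 anonymous requests per second per IP and the outcome labels are assumptions.

```python
from collections import defaultdict, deque

# Assumed threshold for "X attempts a second per IP" without a session.
MAX_ANON_PER_SEC = 5
# Per-account order spacing suggested in the thread (seconds).
ORDER_INTERVAL = 10.0


class EdgeGateway:
    """Hypothetical public-facing tier sitting in front of the hidden backbone."""

    def __init__(self):
        self._anon_hits = defaultdict(deque)   # ip -> timestamps of anonymous requests
        self._last_order = {}                  # account -> time of last accepted order
        self.sessions = {}                     # session_id -> account for valid logins

    def _anon_rate_ok(self, ip, now):
        # One-second sliding window per source IP; every anonymous request is counted,
        # including the ones that end up dropped, so a flood stays throttled.
        hits = self._anon_hits[ip]
        while hits and now - hits[0] >= 1.0:
            hits.popleft()
        hits.append(now)
        return len(hits) <= MAX_ANON_PER_SEC

    def handle(self, ip, now, session_id=None, captcha_valid=False):
        """Return the edge decision: 'forward' to backbone, 'drop', or 'challenge'."""
        if self.sessions.get(session_id) is not None:
            return "forward"          # logged-in member: not subject to the anon limit
        if not self._anon_rate_ok(ip, now):
            return "drop"             # over the per-IP limit: no function at all
        if captcha_valid:
            return "forward"          # solved captcha: call the backbone
        return "challenge"            # otherwise the only thing served is the captcha

    def place_order(self, account, now):
        """Accept at most one order per account every ORDER_INTERVAL seconds."""
        last = self._last_order.get(account)
        if last is not None and now - last < ORDER_INTERVAL:
            return False
        self._last_order[account] = now
        return True
```

A real deployment would also expire idle entries in the per-IP table and share the counters across the S1-S20 hosts, otherwise each host enforces its limit independently.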
sr. member
Activity: 308
Merit: 250
Jack of oh so many trades.
April 23, 2013, 03:15:21 AM
#21
I was wondering if Mt.Gox could force all visitors to solve a Google hosted CAPTCHA before being able to access the website.

So, the attackers would just launch a DDoS attack on the captcha page, and no humans would be able to load it in order to solve it and log in.
legendary
Activity: 966
Merit: 1004
Keep it real
April 22, 2013, 06:32:22 PM
#20
lolz...

the easiest and cheapest way to mitigate DDOS as of today is use...

CLOUDFLARE

For static content (I believe)
sr. member
Activity: 462
Merit: 250
Free World
April 22, 2013, 05:39:18 PM
#19
lolz...

the easiest and cheapest way to mitigate DDOS as of today is use...

CLOUDFLARE
legendary
Activity: 3192
Merit: 1279
Primedice.com, Stake.com
April 22, 2013, 05:37:33 PM
#18
This wouldn't be effective, new ways to mitigate must be developed.
legendary
Activity: 2142
Merit: 1010
Newbie
April 22, 2013, 02:27:17 PM
#17
This is actually a great idea.

They could even separate their home page from the rest of the system so you could access the home page without a captcha but need to solve one for anything else (which might be more resource intensive).

This could help against application level DDoS but useless against attacks on lower levels.

What do you mean "lower levels"? You mean like remote DB access? Any impact on something like that would be solved by using local DB connection only. As for a file server that could require a valid session the same way an application would.

Think about OSI model.

Yes. That's exactly what I meant when said "lower levels".