proof of PoW, advanced bots

Since in all types of captcha AI systems show better results than humansresearchers set out to come up with more effective methods of protecting against bots.

For example, mCaptcha — open source CAPTCHA, working on the principle proof-of-work. It can already be found on some sites.

mCaptcha does not require recognizing pictures of bicycles or sidewalks; it works much simpler; usually the visitor only needs to press one button. There is no need to solve puzzles here, mCaptcha simply loads the user’s computer with computational tasks – and checks the result. It is assumed that the attacker unprofitable take on such a load for a DDoS attack.

How mCaptcha works

The operating algorithm is simple.

To limit user speed, mCaptcha uses a proof-of-work (PoW) system based on SHA256.

When a user wants to do something on a site protected by mCaptcha,

  1. He has to generate a proof of work (a lot of math that will take some time) and submit it to mCaptcha.
  2. The proof is verified:

    • If the verification is unsuccessful, access to the site is blocked.
    • If the verification was successful, read on, a token will be issued, which must be sent along with the request/form to the target site.
  3. Before processing the request, the target site verifies the submitted token using mCaptcha.

As you can see, the system works simply. From the user’s point of view, everything is automated. All he has to do is press a button to initiate the process.

The mCaptcha algorithm dynamically changes the PoW difficulty so that the average user will not even notice the delay when accessing the site. On the other hand, the servers of potential attackers will be seriously loaded with computing tasks (a delay of up to 2-3 seconds before accessing the site), which will make their work unprofitable. Here’s an example test execution time (WASM library) on a Core i7-9750H processor in different Firefox and Chromium (in milliseconds):

The main idea of ​​mCaptcha is to

the attacker’s server did more work to send the request than your server did to issue the response

. Purely economic calculation.

To register in the system, you need to create a new account and add your website there:

Among other things, specify three parameters:

  • average number of visitors;
  • the maximum number of visitors that the site can support;
  • a limit amount that the site definitely cannot handle (optional).

The value depends on these parameters

Cooldown Duratoin

which is set in seconds.

Then we add the generated snippet to the site pages and the verification logic to the server. The developer states that the mCaptcha widget and admin panel fully compatible with LibreJS and other blockers, that is, they should not be blocked:

Other types of CAPTCHA

The main purpose of CAPTCHA is to protect sites from DDoS attacks, that is, from massive traffic from bots, including protection from brute force (searching for passwords using brute force). During such an attack, it makes sense to enable filtering of visitors using CAPTCHA, which makes the attack much more expensive and potentially unprofitable for the attacker.

New methods have to be invented, among other things, because of the rapid progress in machine learning, which is already superior to humans in image recognition tasks.

Types of CAPTCHA

Therefore, for detecting people, it is proposed other alternatives, including logic games, complexly structured questions and tasks. So far, none of them works reliably enough – some tasks are too complex for ordinary people, while others are too simple, so they can be automated.

Time and accuracy of solving various types of CAPTCHA by humans and bots, source

Today, the accuracy of bots in solving problems is 85–100%, and in most tasks it exceeds 96%. This significantly exceeds the human accuracy range (50–85%). In addition, the bot solution time is significantly lower in all cases, with the exception of reCAPTCHA, where the human solution time (18 s) is almost the same as the bot solution time (17.5 s).

Thus, bots now handle all types of CAPTCHA better than humans.

Hubs: Information Security, Image Processing, Open Source, Website Development
Cover for social networks:

Similar Posts

Leave a Reply

Your email address will not be published. Required fields are marked *