Replies: 3 comments 1 reply
- Per-cookie rate limiting might be an idea. Maybe you're doing that already?
- The cookie is based on the client IP
- OK, that's in fact what I thought/expected at first, until I realized that I don't get challenged again if I use a VPN/change VPN servers.
- Hi, and first of all: thanks for the work you're putting into this, it's fantastic!
I have a question regarding the long-term viability of the present approach assuming that anubis gains traction and the bot makers should try to circumvent it: is there anything that would prevent them from completing the challenge once and then sharing the cookie with all their instances, thus having to complete just one challenge for the whole DDoS enterprise? If I'm not missing anything, the only way to prevent this should be to take (parts of) the IP address into account somehow so that a cookie is only accepted from the proper (set of) addresses and otherwise the challenge is reissued (I'm aware this would be something of an inconvenience to mobile users with frequently changing addresses). Repeated requests from the same address would have to be addressed by rate limiting.
Am I missing some secret sauce that makes the whole point moot?
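A sketch of the IP-bound cookie the post proposes, as an added example in Go (not Anubis's own code): the cookie value is an HMAC over the solver's network prefix and an expiry, so a cookie copied to an instance on another network fails verification and gets the challenge reissued. The /24 and /64 granularity (chosen to tolerate small address changes), the payload layout and the function names are assumptions; rate limiting of a single address is out of scope here.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/base64"
	"net/netip"
	"strconv"
	"strings"
	"time"
)

// clientPrefix: the network a cookie is bound to, /24 for IPv4 and /64 for IPv6 (assumed granularity).
func clientPrefix(addr netip.Addr) string {
	bits := 24
	if addr = addr.Unmap(); addr.Is6() {
		bits = 64
	}
	p, _ := addr.Prefix(bits) // masks the host bits
	return p.String()
}

// tag is the base64 HMAC-SHA256 of the payload under the server secret.
func tag(secret []byte, payload string) string {
	m := hmac.New(sha256.New, secret)
	m.Write([]byte(payload))
	return base64.RawURLEncoding.EncodeToString(m.Sum(nil))
}

// Issue mints a cookie after a solved challenge: base64(prefix|expiry) "." tag.
func Issue(secret []byte, addr netip.Addr, exp time.Time) string {
	payload := clientPrefix(addr) + "|" + strconv.FormatInt(exp.Unix(), 10)
	return base64.RawURLEncoding.EncodeToString([]byte(payload)) + "." + tag(secret, payload)
}

// Verify accepts the cookie only if the tag is valid, it has not expired and the client is inside the bound network.
func Verify(secret []byte, cookie string, addr netip.Addr, now time.Time) bool {
	encPayload, got, ok := strings.Cut(cookie, ".")
	raw, err := base64.RawURLEncoding.DecodeString(encPayload)
	if !ok || err != nil || !hmac.Equal([]byte(got), []byte(tag(secret, string(raw)))) {
		return false
	}
	prefix, expStr, ok := strings.Cut(string(raw), "|")
	exp, err := strconv.ParseInt(expStr, 10, 64)
	if !ok || err != nil || !now.Before(time.Unix(exp, 0)) {
		return false
	}
	return prefix == clientPrefix(addr) // a cookie copied to another network fails here
}
```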