Ask HN: Captcha Alternatives?
51 by ev1 | 42 comments on Hacker News.
TLDR: I help with a gaming community-related site that is being targetted by a script kiddie, they are registering hundreds of thousands of accounts on our forums to 'protest' a cheating (aimbot) ban. They then post large ASCII art spam, giant shock images (the first one started after we blocked new accounts from posting [img]), the usual. Currently we use a simple question/answer addon at registration time - it works against all untargeted bots and is just a little "what is 4 plus six" or "what is the abbreviation for this website" type of question. It's worked fine for years and we don't really get general untargeted spam. I am somewhat ethically disinclined to use reCAPTCHA, and there are some older members that can't reasonably solve hcaptcha easily. Same for using heavy fingerprinting or other privacy invading methods. It's also donation-run, so enterprise services that would block something like this (such as Distil) are both out of budget and out of ethics. Is there a way I can possibly solve this? Negotiation is not really an option on the table, the last time one of the other volunteers responded at all we got a ~150Gbps volumetric attack. I've tried some basic things, like requiring cookie and JS support via middleware; they moved from a Java HTTP-library script to some kind of Selenium equivalent afterward. They also use a massive amount of proxies, largely compromised machines being sold for abuse.
51 by ev1 | 42 comments on Hacker News.
TLDR: I help with a gaming community-related site that is being targetted by a script kiddie, they are registering hundreds of thousands of accounts on our forums to 'protest' a cheating (aimbot) ban. They then post large ASCII art spam, giant shock images (the first one started after we blocked new accounts from posting [img]), the usual. Currently we use a simple question/answer addon at registration time - it works against all untargeted bots and is just a little "what is 4 plus six" or "what is the abbreviation for this website" type of question. It's worked fine for years and we don't really get general untargeted spam. I am somewhat ethically disinclined to use reCAPTCHA, and there are some older members that can't reasonably solve hcaptcha easily. Same for using heavy fingerprinting or other privacy invading methods. It's also donation-run, so enterprise services that would block something like this (such as Distil) are both out of budget and out of ethics. Is there a way I can possibly solve this? Negotiation is not really an option on the table, the last time one of the other volunteers responded at all we got a ~150Gbps volumetric attack. I've tried some basic things, like requiring cookie and JS support via middleware; they moved from a Java HTTP-library script to some kind of Selenium equivalent afterward. They also use a massive amount of proxies, largely compromised machines being sold for abuse.
Comments
Post a Comment