DDoS protection


Guest Developer

Posted

Hello,

Feature to stop DDoS attacks, screencapture which will ask user to enter specified text from gif file, same as when user registers new account.
The feature should be switched on/off from ACP.
User must enter text once per session.
DDoS scripts are usually unable to detect text on a gif file.
Forums become DDoS victims often since they are an ideal kind of site to overload the server.

Is it possible?

Posted

I would not enable this on my site. I HATE going to a site and having to register, then to enter CAPTCHA to post or to log in. It's downright annoying. If a user is logged in (either from just logging in or from a saved cookie) then I really do not want to badger him with more CAPTCHA. He passed the test at registration and that is good enough for me.

My two cents....

Posted

How would that stop DDoS attacks? All you need to overload a server is to send an overwhelming number of requests to it. Changing what actually shows up won't prevent the server from being overwhelmed.

Posted

> I would not enable this on my site. I HATE going to a site and having to register, then to enter CAPTCHA to post or to log in. It's downright annoying. If a user is logged in (either from just logging in or from a saved cookie) then I really do not want to badger him with more CAPTCHA. He passed the test at registration and that is good enough for me.
>
> My two cents....

I fully agree with you. I view DDOS attacks as a web hosting problem, not a board problem.

Posted

> How would that stop DDoS attacks? All you need to overload a server is to send an overwhelming number of requests to it. Changing what actually shows up won't prevent the server from being overwhelmed.

One thing is when they hit a simple static page with a gif file and another is complicated dynamic php pages generated on the fly.
To not lose Google ranking, we could also add an exception by host, to display normal content without CAPTCHA to SE bots.

Posted

> I would not enable this on my site. I HATE going to a site and having to register, then to enter CAPTCHA to post or to log in. It's downright annoying. If a user is logged in (either from just logging in or from a saved cookie) then I really do not want to badger him with more CAPTCHA. He passed the test at registration and that is good enough for me.
>
> My two cents....

Sure, but they will have to pass the CAPTCHA just once.
There is a mod available for vBulletin, you can see it in action, not sure if I can post links here..

Posted

I don't think you quite understand the concept of DDoS. If I send your server a couple million requests for the same page at the same time, it likely won't be able to handle those requests regardless of which page I request, dynamic or static. The server simply can't handle the CPU load - bandwidth is a completely unrelated matter.

And how would CAPTCHAs do anything? CAPTCHAs are by definition dynamic, so I don't see how that'd factor into making the server resilient to DDoS attacks since you're just using up CPU cycles to generate those images.

Posted

> I don't think you quite understand the concept of DDoS. If I send your server a couple million requests for the same page at the same time, it likely won't be able to handle those requests regardless of which page I request, dynamic or static. The server simply can't handle the CPU load - bandwidth is a completely unrelated matter.
>
> And how would CAPTCHAs do anything? CAPTCHAs are by definition dynamic, so I don't see how that'd factor into making the server resilient to DDoS attacks since you're just using up CPU cycles to generate those images.

If one sends a couple of million requests a second then even your host provider's router may sink, but what if we are talking about a thousand requests?
We can make CAPTCHA static, make it display preset numbers/letters.

Posted

> I don't think you quite understand the concept of DDoS. If I send your server a couple million requests for the same page at the same time, it likely won't be able to handle those requests regardless of which page I request, dynamic or static. The server simply can't handle the CPU load - bandwidth is a completely unrelated matter.
>
> And how would CAPTCHAs do anything? CAPTCHAs are by definition dynamic, so I don't see how that'd factor into making the server resilient to DDoS attacks since you're just using up CPU cycles to generate those images.

So right. You can put 10 billion CAPTCHAs on a page, if you still send 1 million requests for that page it won't do ANYTHING for it.

Posted

> So right. You can put 10 billion CAPTCHAs on a page, if you still send 1 million requests for that page it won't do ANYTHING for it.

Even a router won't handle such an attack, will it?
I wrote a couple of posts ago that it will work with smaller attacks.

Posted

> Even a router won't handle such an attack, will it?
>
> I wrote a couple of posts ago that it will work with smaller attacks.

If you have a decent server and configure things properly, small http attacks on your forum will not be an issue even without a captcha image.

Posted

> If one sends a couple of million requests a second then even your host provider's router may sink, but what if we are talking about a thousand requests?
>
> We can make CAPTCHA static, make it display preset numbers/letters.

Sorry for the semi close posts.

If you have 1 or 1 million requests CAPTCHA DOES NOT stop the request from being sent to the server. Here is a definition of CAPTCHA from Wikipedia:

A CAPTCHA (IPA: /ˈk

Posted

The only way to stand up better to DDOS attacks is to reduce the amount of CPU cycles. There is a plugin for Apache (though I can't remember the name) that will alleviate this. But even when doing that, a massive attack will be too much for a server to handle. The only real way to stand up to a DDOS attack after you've done every possible configuration and optimization to a server is by distributing the load between multiple servers (clustering).

Posted

> The only way to stand up better to DDOS attacks is to reduce the amount of CPU cycles. There is a plugin for Apache (though I can't remember the name) that will alleviate this. But even when doing that, a massive attack will be too much for a server to handle. The only real way to stand up to a DDOS attack after you've done every possible configuration and optimization to a server is by distributing the load between multiple servers (clustering).

Thank you!

Posted

I also agree

I do find it remarkable that IPB (it is still an application to me) should need to do what hardware and the operating system are supposed to handle. I guess I am too old-fashioned. :rolleyes:

Posted

> Sorry for the semi close posts.
>
> If you have 1 or 1 million requests CAPTCHA DOES NOT stop the request from being sent to the server. Here is a definition of CAPTCHA from Wikipedia:
>
> If you are trying to secure the ACP login a bit more from automated login attempts CAPTCHA would help. If you are trying to secure normal login attempts then CAPTCHA would help (though I REALLY HATE it). CAPTCHA will NOT stop a web browser from sending a request to a web server for a page. It will NOT stop a server from returning the request!
>
> What does a static image do anyways? The idea behind CAPTCHA is that it's random. If it's static it makes it easier to bypass.

What makes you think that I need a Wikipedia reference for CAPTCHA after so many different kinds and sizes of attacks I have faced?
I am trying to do exactly what I said, minimize DDoS impact on the server when forum software is the target of attack.
That will save you from small DDoS attacks, those which will kill your server without that mod and will not with that mod, but you keep telling about 1 million requests.
As I said earlier, a static gif file which the administrator may generate should work just fine.
Most DDoS scripts to recognize CAPTCHA, once they do you can regenerate the image from admincp, it will take them much longer to reprogram their botnets to pass the new image.

> The only way to stand up better to DDOS attacks is to reduce the amount of CPU cycles. There is a plugin for Apache (though I can't remember the name) that will alleviate this. But even when doing that, a massive attack will be too much for a server to handle. The only real way to stand up to a DDOS attack after you've done every possible configuration and optimization to a server is by distributing the load between multiple servers (clustering).

Sure, but that's in case you already have optimized everything you can and still IPB page requests are overloading your server.
That's really easy, I have seen a dual XEON based server taken to its knees with an httpd DDoS attack at just 2 mbps.
Can you please tell me which plugin you mean?

Posted

> What makes you think that I need a Wikipedia reference for CAPTCHA after so many different kinds and sizes of attacks I have faced?
>
> I am trying to do exactly what I said, minimize DDoS impact on the server when forum software is the target of attack.
>
> That will save you from small DDoS attacks, those which will kill your server without that mod and will not with that mod, but you keep telling about 1 million requests.
>
> As I said earlier, a static gif file which the administrator may generate should work just fine.
>
> Most DDoS scripts to recognize CAPTCHA, once they do you can regenerate the image from admincp, it will take them much longer to reprogram their botnets to pass the new image.
>
> Sure, but that's in case you already have optimized everything you can and still IPB page requests are overloading your server.
>
> That's really easy, I have seen a dual XEON based server taken to its knees with an httpd DDoS attack at just 2 mbps.
>
> Can you please tell me which plugin you mean?

Guys he just doesn't get it. Everyone has explained to him repeatedly that CAPTCHA is just for protection against automated logins, yet he still believes it will save him from DDoS attacks, which are completely unrelated.

Here is one last attempt to explain it in terms he can understand:
Let us view your IPB as a country. Now that country can try to prevent terrorists from entering the country through background checks, checking to make sure they are normal people (CAPTCHA), but this checking will do absolutely nothing to prevent another country from dropping a nuke on them (DDoS).

As Luke said, clustering would probably be the best way to cut down on DDoS attacks, not the use of CAPTCHA.

Posted

> Guys he just doesn't get it. Everyone has explained to him repeatedly that CAPTCHA is just for protection against automated logins, yet he still believes it will save him from DDoS attacks, which are completely unrelated.
>
> Here is one last attempt to explain it in terms he can understand:
> Let us view your IPB as a country. Now that country can try to prevent terrorists from entering the country through background checks, checking to make sure they are normal people (CAPTCHA), but this checking will do absolutely nothing to prevent another country from dropping a nuke on them (DDoS).
>
> As Luke said, clustering would probably be the best way to cut down on DDoS attacks, not the use of CAPTCHA.

Recent news from the AP. Nukes now can bypass CAPTCHA static images. :devil:

Posted

> Recent news from the AP. Nukes now can bypass CAPTCHA static images. :devil:

DDoS is a FLOOD, you will drown no matter what.

Captcha is an umbrella to keep you from getting wet.

An umbrella won't help you in a flood... so, in other words: Captcha won't help you in a DDoS attack.

Posted

> DDoS is a FLOOD, you will drown no matter what.
>
> Captcha is an umbrella to keep you from getting wet.
>
> An umbrella won't help you in a flood... so, in other words: Captcha won't help you in a DDoS attack.

IP.Dinghy will sort out the DDoS issues when released :)

Posted

*Side note - the existing load limit setting in the ACP is a minor attempt at blocking DDoS attacks. Once the load is detected to be higher than the configured value, the script stops nearly immediately until the server load comes back down.

Posted

> IP.Dinghy will sort out the DDoS issues when released :)

May I find out more about it anywhere?

> *Side note - the existing load limit setting in the ACP is a minor attempt at blocking DDoS attacks. Once the load is detected to be higher than the configured value, the script stops nearly immediately until the server load comes back down.

Is that setting located under the Admin tab?

  • 2 years later...
Posted

First you guys need to understand ddos comes in many forms, a good one, a faecesty one, a retarded one. If you are not so good at anything and u attempt to take out a server which uses x bandwidth, x cpu, x ram to load pages, you only need x amount of requests. Depending on server setup and what not.

The point of what the guy is asking is you can't stop a 1 million request attack with servers most of us have, that is hardware that is needed, yes hardware can stop such an attack, and server firewalls possibly.

The point of ddos is to use up all the resources a server has, if u can reply with small replies you can possibly avoid going down. So for example instead of using 0.01% of CPU to load the page you want to use 0.0001% which means your server can run a lot longer. And possibly never go down.

The point: Loading a white page with nothing on it, to those that ddos, is a lot better than loading a fully dynamic IPB page. Since you can load a lot more white pages than you can load IPB forums at the same time.
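
The load limit behaviour from the side note earlier in the thread and the last post's point about small replies, combined as an added example that is not part of the thread and is not IPB's own code. The function names, the threshold of 8.0 and the 30 second retry hint are assumptions chosen for illustration.

```php
<?php
// Added illustration, not IPB code. All names and values are assumptions.
const LOAD_LIMIT  = 8.0;  // assumed threshold for the 1-minute load average
const RETRY_AFTER = 30;   // seconds a client is asked to wait

// Decide whether to refuse the request. $load is null when it cannot be read.
function should_shed(?float $load, float $limit): bool
{
    // Fail open: with no measurement (e.g. on Windows) serve normally.
    return $load !== null && $load >= $limit;
}

// Read the 1-minute load average, or null where the platform lacks it.
function current_load(): ?float
{
    if (!function_exists('sys_getloadavg')) {
        return null;
    }
    $avg = sys_getloadavg();  // [1 min, 5 min, 15 min] or false
    return is_array($avg) ? (float) $avg[0] : null;
}

// The "white page": a few bytes, no session, no database, no templates.
function shed_response(): void
{
    http_response_code(503);
    header('Retry-After: ' . RETRY_AFTER);
    header('Content-Type: text/plain; charset=utf-8');
    header('Cache-Control: no-store');
    echo "Server busy, please retry shortly.\n";
}

if (PHP_SAPI === 'cli') {
    // Constructed sample loads, to show the decision without a web server.
    foreach ([0.7, 7.9, 8.0, 23.4, null] as $load) {
        $verdict = should_shed($load, LOAD_LIMIT) ? 'shed (503)' : 'serve';
        printf("%-5s => %s\n", $load ?? 'n/a', $verdict);
    }
} elseif (should_shed(current_load(), LOAD_LIMIT)) {
    // Must run before anything expensive in the entry script.
    shed_response();
    exit;
}

// ... session start, database connection and page rendering would follow ...
```

The web server still has to accept each connection and start PHP, so this lowers the cost of a request rather than stopping requests from arriving, which is the limit several replies in the thread point out.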

Archived

This topic is now archived and is closed to further replies.
