Change DDOS Protection Techniques


Sullybash12

Can we get rid of this dumb captcha that we have to do every time we sign in?

There are plenty of alternatives for DDOS protection, and it would make every user's life so much more convenient and easy. Or get a captcha that tracks mouse movements to determine whether it is a robot or not instead of the silly picture captchas.

TLDR; Get rid of captcha

Thanks for reading,
Sullybash12
 
Type: Suggestion
Status: Denied

Jamo

+1

Recaptcha v3 doesn't require user interaction.
 

Jayson

Evidently, we are currently experiencing higher than normal loads due to higher activity to where I would personally classify it as unstable despite being nearly completely user-generated traffic. At this time, we are unable to resist DDoS attacks without a bot protection technique. We are open to suggestions on specific protection techniques.

If you just made a new startup CDN company, we are not interested in moving. We have gotten plenty of them already and are unwilling to accept offers without proven results for dynamic websites highly reliant on a database. If you ask individuals to DDoS your service to prove this, you will immediately be on our do not deal with list.

For most individuals who log in semi-regularly and do not use their browser's private browsing features or a VPN, captchas should be very infrequent.

I checked our records for you in particular and found that you have only gotten one captcha in the last 3 days. I consider this to be an acceptable tradeoff to maintain site stability until a new solution is found.

> +1
>
> Recaptcha v3 doesn't require user interaction.

That would not work for our case because it requires collecting data on user interaction (when you say "doesn't require user interaction," I think you mean it doesn't require doing something that a user would not normally do like a captcha. recaptcha v3 collects data on how you use the site.) with the site which doesn't work on a static page that you stare at and wait for it to go away. Our platform is highly dynamic and by visiting a single page, you are prompting dozens of database queries to be executed. Because of this, we cannot allow bots to access the forum itself and thus had to employ Cloudflare as a front to take on their traffic.

I am personally looking on making the captcha enabling dynamic again in a week or two, however, the current situation is definitely better than it was before both from a stability and annoyed captcha solver side.
 

Sullybash12

I got three captchas for today alone because I kept closing out of the tabs... But I understand that user-traffic can affect that and whatnot
 

Anish

2 Words.
Privacy Pass

I haven't seen a captcha in months.
 

Moz

> 2 Words.
> Privacy Pass
>
> I haven't seen a captcha in months.

How the fuck? I use it and it's st-
Oh nevermind, I had 26 now I'm down to 16...

I'm still seeing captchas though?
 

Jayson

> How the fuck? I use it and it's st-
> Oh nevermind, I had 26 now I'm down to 16...
>
> I'm still seeing captchas though?

Thanks for bringing this up! I found multiple captchas for you, some of which were due to a failure on our part where we did not whitelist a content submission endpoint you used. Those specific ones should be fixed in a few minutes.
 

Moz

> Thanks for bringing this up! I found multiple captchas for you, some of which were due to a failure on our part where we did not whitelist a content submission endpoint you used. Those specific ones should be fixed in a few minutes.

Oh cool! Thanks for letting me know!
 

Jayson

Compared to the same time last week, 17% less captchas were issued to visitors. This excludes spikes (we get attacked a lot) and captchas initiated due to bad content submission/invalid headers/invalid paths/etc. This was not adjusted to account for how the last 24 hours encountered 56% more validated activity (this does not reflect upon site visits though which stays relatively consistent). Still not perfect by any means, but always trying to reduce false positives.
 

Ty

I use privacy pass and haven't seen one on my main browser in weeks, probably since it first switched to the new captcha.

I'll receive them when using a VPN or another browser as Jayson said but aside from that I don't get them at all on my main device & browser.
 

Anish

> Compared to the same time last week, 17% less captchas were issued to visitors. This excludes spikes (we get attacked a lot) and captchas initiated due to bad content submission/invalid headers/invalid paths/etc. This was not adjusted to account for how the last 24 hours encountered 56% more validated activity (this does not reflect upon site visits though which stays relatively consistent). Still not perfect by any means, but always trying to reduce false positives.

Any reason that the site gives me a captcha if I login on a new computer?

If new ip:
    return true
return false
 

Jayson

> Any reason that the site gives me a captcha if I login on a new computer?
>
> If new ip:
>     return true
> return false

While IP addresses are a factor, the system does not directly interact with the forum itself actively and relies on cached data, not including your specific IP address. We are not releasing additional information regarding our algorithm at this time.

As a side note, I am looking to reduce captchas for hosting providers/VPNs, but it will be a very limited improvement.
 

Jamo

Yeah something needs to be done about the captcha if ip change thing.. Personally I'm constantly switching between VPNs so I get hit with well over 5 captchas a day.. Gets really annoying.
 

Anish

Thing is, if a bot is able to make 1 request, that still does dozens of DB queries, which makes it hella ez to take down MCM. If you use privacy pass you should be fine.
 

Jayson

> Yeah something needs to be done about the captcha if ip change thing.. Personally I'm constantly switching between VPNs so I get hit with well over 5 captchas a day.. Gets really annoying.

IP switching does not significantly impact how many captchas you will get. It is more the fact that you are using a VPN itself.
 

Jayson

For folks using VPNs, we are now running an experimental change to the captcha algorithm which should significantly reduce the amount of captchas. This is once again experimental though.

Also, to be clear, this suggestion thread isn't going to change anything - we are not getting rid of captchas for the foreseeable future.
 

Jayson

I'm going to go ahead and declare this as denied personally.

Per the latest changes, captchas thrown to members were reduced by 2-3x and it remains as one of our most effective options for stopping bot attacks as quickly as possible with minimal downtime. I have been tweaking the algorithm daily for the past months based upon data we collect and reports and by far, there definitely has been an improvement. In fact, over the past 30 minutes, there were 0 false positives as I had the time to go through every single request manually. Over the past 6 hours, there were only 2 potential false positives. This does not include captchas caused by content analysis in which case I personally go through them every week or so for which over the past 24 hours, we had 2 recorded false positives also.

We remain open to specific suggestions for stopping bot attacks, not including changing hosting providers.

The most common suggestions are addressed as follows:
  • Changing hosting providers: This will not work as we use SSL. Therefore, the hosting provider must have access to our private key in order to effectively filter. Even the best bad-IP databases will not work and we must rely on dynamic approaches as anyone these days can launch an attack. Removing Cloudflare would also mean it takes longer for us to mitigate the damage.
  • Changing to Invisible reCaptcha: Invisible reCaptcha requires that there is some site interaction. Each page visit to our forum inflicts dozens of database queries, and thus we would rather not have them touch us at all. That means we'd have a page which still requires user interaction, but perhaps with more issues.
  • Enabling Cloudflare Under Attack Mode Constantly: We used to use this method a few years ago, however, it has become rather ineffective with public access to open source bypasses/solvers.
  • Load Balancing: I don't think the cost would be justifiable with our current solution doing mostly fine.

I will not be entertaining any similar suggestions without specific ways to resolve the supposed "issue."

If you receive a captcha, please PM me personally with the ray ID and your IP address as reported by the captcha page.
 

Mick

BuiltByBit Owner
You're good at this, you should take over for me!

I'll move this to denied, thank you gamer.
 