Web challenges are one of the most effective ways to stop web-based DDoS attacks. There are different types of challenges, which will be explained below. Some challenges are transparent to users, yet block significant types of attackers. Others are very strong and do not allow any bot to pass, yet do so at the cost of being more intrusive to legitimate users. The reason we prefer that vendors offer as many types of challenges as possible is that it allows you to choose the exact hammer for the situation you are facing. Sometimes all you need is a small reflex hammer, and sometimes you need a sledgehammer.
Perhaps the best-known challenge to laymen is the CAPTCHA. CAPTCHA’s intention is to allow only humans to pass, and to stop bots. Therefore, it can stop DDoS attacks originating from bots. In reality, CAPTCHA is hardly used against DDoS attacks, although it is extremely effective against bots; it is quite effective against humans as well. Some have trouble passing the CAPTCHA or may even decide to leave the website when faced with it. For this reason, the more popular challenges are the “silent” challenges. For example, in Cookie Validation the mitigation just sends users a redirect command with a special cookie, expecting the client to return the cookie. This simple challenge, with which any of your favorite browsers can easily comply, will actually fail most bots, which do not comply with the test.
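The Cookie Validation exchange described above, as an added example that is not part of the original entry or any vendor's product: a mitigation front-end that answers an unverified request with a redirect carrying a signed clearance cookie, and lets the request through only once the client sends that cookie back. The cookie name, the TTL, the HMAC key and the client addresses are all constructed for the illustration; a real device would load its key from configuration and choose its own binding (here the token is bound to the client IP and an expiry so it cannot be copied to another address or edited to live longer).

```python
import hashlib
import hmac
import secrets
import time
from http import cookies

# Per-deployment signing key (constructed here; load from config in practice).
SECRET_KEY = secrets.token_bytes(32)
COOKIE_NAME = "clearance"   # hypothetical cookie name, not a vendor's
COOKIE_TTL = 600            # seconds a passed challenge stays valid


def _signature(client_ip: str, expires: int) -> str:
    """HMAC over the client address and expiry, so the cookie cannot be
    replayed from another address or edited to extend its lifetime."""
    msg = f"{client_ip}|{expires}".encode()
    return hmac.new(SECRET_KEY, msg, hashlib.sha256).hexdigest()


def make_token(client_ip: str, now: int) -> str:
    """Token format is '<expiry>.<hex signature>'."""
    expires = now + COOKIE_TTL
    return f"{expires}.{_signature(client_ip, expires)}"


def verify_token(token: str, client_ip: str, now: int) -> bool:
    """True only for a well-formed, unexpired token signed for this client."""
    expires_text, _, sig = token.partition(".")
    if not expires_text.isdigit():
        return False
    expires = int(expires_text)
    if expires <= now:
        return False
    return hmac.compare_digest(sig, _signature(client_ip, expires))


def handle_request(path: str, headers: dict, client_ip: str, now: int):
    """Mitigation front-end: returns (status, response_headers, body)."""
    jar = cookies.SimpleCookie()
    jar.load(headers.get("Cookie", ""))
    morsel = jar.get(COOKIE_NAME)
    if morsel is not None and verify_token(morsel.value, client_ip, now):
        return 200, {}, b"<html>origin content</html>"
    # Challenge: redirect back to the same URL with the clearance cookie set.
    token = make_token(client_ip, now)
    set_cookie = (f"{COOKIE_NAME}={token}; Path=/; Max-Age={COOKIE_TTL}; "
                  "HttpOnly; SameSite=Lax")
    return 302, {"Location": path, "Set-Cookie": set_cookie}, b""


def simulate_client(client_ip: str, honors_cookies: bool, now: int,
                    attempts: int = 3):
    """Replay a client that either keeps cookies (a browser) or ignores them
    (a naive flood bot). Returns the list of status codes it saw."""
    statuses = []
    stored_cookie = ""
    for _ in range(attempts):
        headers = {"Cookie": stored_cookie} if stored_cookie else {}
        status, resp_headers, _ = handle_request("/", headers, client_ip, now)
        statuses.append(status)
        if status == 200:
            break
        if honors_cookies and "Set-Cookie" in resp_headers:
            # Keep only the name=value pair, as a browser would send it back.
            stored_cookie = resp_headers["Set-Cookie"].split(";", 1)[0]
    return statuses


if __name__ == "__main__":
    now = int(time.time())
    print("browser:", simulate_client("203.0.113.10", True, now))   # [302, 200]
    print("bot:    ", simulate_client("203.0.113.99", False, now))  # [302, 302, 302]
```

A browser follows the redirect, returns the cookie and reaches the origin on its second request; a client that never stores cookies loops on 302 responses and never costs the origin anything. Binding the token to the source address is what keeps a bot from obtaining one cookie and spraying it from many hosts, but it also means users whose address changes mid-session (mobile carriers, some NAT pools) are re-challenged, which is one reason this stays a lightweight, transparent check rather than a substitute for the stronger challenges below.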
The ‘JavaScript Challenge’ is the older brother of the Cookie Validation. While in the Cookie Validation the challenge was carried out in the HTTP language, here it is carried out in the JavaScript (JS) language. If the attacker wants to pass the challenge, his tool needs to speak JS, which few bots today do.
While few bots today can pass the JS Challenge, some can. This is why some challenges conduct additional investigations to distinguish humans from bots. They issue checks for mouse movements and the existence of a keyboard, as well as other traits that indicate whether the user is a human or a bot. This family of challenges is referred to as ‘Silent Human Investigation’.
If all the silent web challenges are not effective, one can always escalate to the CAPTCHA sledgehammer. Actually, a lighter hammer is the NoCAPTCHA reCAPTCHA. It is a modern version of CAPTCHA with the motto “Tough on Bots, Easy on Humans”.
The different types of challenges are referred to as the Challenge Spectrum because in different situations you may want to use different challenges. In some situations you may settle on a lightweight, transparent Cookie Validation, while in others you may need to stop an attack with a CAPTCHA.
Related entries: Cookie Validation, JavaScript Challenge, Web Challenges.