Proof-of-Work security

I received an email with a question about my project https://hashcash.io/ . I decided to share my answer in the hope that it will help clarify the use of Proof-of-Work for security purposes in general, what it can and can't do.

Hello. I have always been interested in the concept, but it does not seem very feasible unless dealing with huge amounts of traffic, i.e. if each captcha takes 1 second of work, 10,000 traffic hits can be accomplished with only 3-6 hours of work. Is the system designed for preventing DDoS rather than human verification? Do you have any statistics for the system?

This is in no way an ultimate solution to captchas and/or DDoS, but it is certainly something to try. The combination of an easier UI for users (no need to strain your eyes trying to recognize scrambled letters) and the novelty of the approach should keep most spammers/DDoSers away, at least until they bother to adapt their tooling.

As for DDoS, there are many ways such an attack might be carried out. For example, someone might run millions of search requests against your site. Search is usually a heavy operation and can easily make a site slow or unresponsive under many parallel requests. If that is the problem, Proof-of-Work can certainly help, but depending on how expensive a search is in terms of server CPU cycles, it might not be enough: the proof only pays off when verifying it costs the server far less than the work it protects, and when producing it costs the client more than the request costs you. This is where you probably also want to throttle by IP address.

If, on the other hand, someone decides to brute-force a password on your site, trying every combination, having Proof-of-Work protection will most likely make it cost-ineffective to break in: every guess now requires a fresh proof (provided each challenge is tied to a single attempt and cannot be reused), so the price of the attack grows with the number of guesses.

So... the answer is: it depends. It certainly helps some site owners stop spam and simple attacks on their websites. But is it the ultimate fix? No, not really. In the end it is a question of the attacker's ROI: how much hackers/spammers can gain by circumventing your site's security versus how much it costs them. Having Proof-of-Work in place makes it easy to adjust the difficulty case by case, raising the attacker's cost until the attack no longer pays.
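To make the search-throttling, password brute-force and adjustable-difficulty points above concrete, here is a minimal hashcash-style challenge/response in Python. It is an added example written for this post, not hashcash.io's own code or wire format. The server issues a challenge bound to one action (such as a login for one user), the client burns CPU finding a counter whose hash has enough leading zero bits, and the server verifies the result with one MAC and one hash while refusing replays, proofs made for a different action, expired challenges and challenges whose difficulty was edited. The server key, the field layout, the difficulties and the hash rate in the cost estimate are assumptions for illustration.

```python
import hashlib
import hmac
import secrets
import time

# Hypothetical server-side key, assumed for this example; a deployment would
# load it from a secret store and rotate it.
SERVER_KEY = secrets.token_bytes(32)


def _mac(body: str) -> str:
    # Truncated HMAC so the server can recognise its own challenges without storing them.
    return hmac.new(SERVER_KEY, body.encode(), hashlib.sha256).hexdigest()[:16]


def issue_challenge(action: str, difficulty_bits: int, ttl: int = 120, now=None) -> str:
    """Server side: hand out a challenge bound to one action (e.g. 'login:alice')
    with an expiry and a MAC, so the client cannot lower the difficulty or reuse
    the proof for another request. Format (assumed): bits:expires:salt:action:tag."""
    now = time.time() if now is None else now
    body = f"{difficulty_bits}:{int(now) + ttl}:{secrets.token_hex(8)}:{action}"
    return f"{body}:{_mac(body)}"


def leading_zero_bits(digest: bytes) -> int:
    return len(digest) * 8 - int.from_bytes(digest, "big").bit_length()


def solve(challenge: str, budget: int = 1 << 32) -> int:
    """Client side: brute-force a counter until sha256(challenge:counter) starts
    with the required number of zero bits. Expected cost is 2**difficulty hashes."""
    difficulty_bits = int(challenge.split(":", 1)[0])
    for counter in range(budget):
        digest = hashlib.sha256(f"{challenge}:{counter}".encode()).digest()
        if leading_zero_bits(digest) >= difficulty_bits:
            return counter
    raise RuntimeError("no solution within budget")


def verify(challenge: str, counter: int, action: str, spent: set, now=None) -> bool:
    """Server side: constant work regardless of difficulty. Rejects forged or
    tampered challenges, proofs for another action, stale challenges and replays."""
    now = time.time() if now is None else now
    try:
        body, tag = challenge.rsplit(":", 1)
        bits_s, expires_s, _salt, ch_action = body.split(":", 3)
        difficulty_bits, expires = int(bits_s), int(expires_s)
    except ValueError:
        return False
    if not hmac.compare_digest(tag, _mac(body)):
        return False  # not issued by us, or difficulty/expiry edited by the client
    if ch_action != action:
        return False  # proof was made for a different request (e.g. another username)
    if expires < now:
        return False  # challenge expired
    if challenge in spent:
        return False  # each proof may be spent exactly once
    digest = hashlib.sha256(f"{challenge}:{counter}".encode()).digest()
    if leading_zero_bits(digest) < difficulty_bits:
        return False
    spent.add(challenge)
    return True


def bruteforce_hours(difficulty_bits: int, guesses: int, hashes_per_second: float) -> float:
    """Expected attacker wall-clock time to submit `guesses` password attempts
    when every attempt needs a fresh proof at the given difficulty."""
    return guesses * 2 ** difficulty_bits / hashes_per_second / 3600


if __name__ == "__main__":
    spent = set()
    ch = issue_challenge("login:alice", difficulty_bits=12)
    c = solve(ch)
    print("accepted:", verify(ch, c, "login:alice", spent))
    print("replay accepted:", verify(ch, c, "login:alice", spent))
    print("other user accepted:", verify(ch, c, "login:bob", spent))
    # Assumed attacker speed of 1e6 hashes/s: a 1e6-guess dictionary run against
    # one account at 20 bits of difficulty costs about 291 hours of CPU.
    print("hours:", round(bruteforce_hours(20, 10**6, 1e6), 1))
```

The asymmetry is the whole point: solving costs the client about 2**difficulty hashes, verifying costs the server one MAC and one hash, and the difficulty lives inside the MAC-protected challenge, so the site owner can raise it per endpoint or per suspicious client without any client-side change. For the search-flood case this still only bounds requests per attacker CPU, not per source address, which is why IP throttling stays in place alongside it.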

As for 10k requests in 3 hours: any reasonably well-built website should be able to handle that many requests :) If not, there is much more that needs to be done besides security.