Feb 12, 2014

How does CAPTCHA help defend against DDoS attacks?

As I understand it, one of the goals of CAPTCHA is to mitigate the effects of DDoS attacks. How is this effective? Assuming that an attack is flooding the server with repeated log-in attempts either with or without CAPTCHA, what difference does it make?


What to Do About DDoS Attacks

"Malo says banks should encourage vendors to develop DDoS protections that "challenge" traffic. These protections, he says, could mirror challenge-and-response options, such as CAPTCHA images, used for online banking. A CAPTCHA image uses distorted letters or numbers that an online user is required to enter at login to help affirm authenticity.

"DDoS mitigation is not just about finding a signature and putting mechanisms in to filter or block traffic," Malo says. "Mitigation also includes introducing challenge-response." Challenge-and-response options would help banking institutions differentiate legitimate traffic from so-called junk traffic often associated with DDoS attacks, he adds."

It’s less database-intensive to check the CAPTCHA than it is to check user login/account information. By having CAPTCHA checked first, if it is not correct, there is no need to go forward with the rest of the login operation. Stopping DDoS attacks is not what CAPTCHA is really intended to do, and while it may help somewhat, the level of DDoS protection is pretty low, especially against a more sophisticated attack.
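To make the ordering argument in that answer concrete, here is an added Python example (not code from the original thread or any of the quoted sources). It models a login handler two ways: CAPTCHA verified before the credential check, and credential check before CAPTCHA. A counter records how often the expensive part (user lookup plus PBKDF2 password hashing) actually ran during a flood of junk attempts. The user name, password, in-memory one-time CAPTCHA store and iteration count are all assumptions made for the demo; the "cheap" property only holds if CAPTCHA verification itself is a memory lookup or a stateless token check rather than another database round trip.

```python
import hashlib
import hmac
import secrets
import string
import time

# Added example: CAPTCHA-before-credentials login ordering and its cost.
# Everything below (user, password, store layout, PBKDF2 rounds) is assumed.
CAPTCHA_ALPHABET = string.ascii_uppercase + string.digits
CAPTCHA_TTL_SECONDS = 300
PBKDF2_ROUNDS = 50_000  # lowered for the demo; production uses far more


class LoginService:
    def __init__(self):
        self._users = {}  # constructed sample store: name -> (salt, hash)
        self._register("alice", "correct horse battery staple")
        # One-time CAPTCHA challenges held in memory: id -> (answer, expiry).
        # Checking one is a dict lookup, cheap next to a password hash.
        self._captchas = {}
        # Incremented each time the expensive credential check runs.
        self.expensive_checks = 0

    def _register(self, username, password):
        salt = secrets.token_bytes(16)
        self._users[username] = (salt, self._hash(password, salt))

    @staticmethod
    def _hash(password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)

    def issue_captcha(self):
        """Create a challenge; rendering it as a distorted image is omitted."""
        challenge_id = secrets.token_hex(8)
        answer = "".join(secrets.choice(CAPTCHA_ALPHABET) for _ in range(5))
        self._captchas[challenge_id] = (answer, time.time() + CAPTCHA_TTL_SECONDS)
        return challenge_id, answer

    def _verify_captcha(self, challenge_id, response):
        # pop() makes each challenge single-use, so one solved CAPTCHA
        # cannot be replayed across a flood of login attempts.
        entry = self._captchas.pop(challenge_id, None)
        if entry is None:
            return False
        answer, expiry = entry
        if time.time() > expiry:
            return False
        return hmac.compare_digest(answer, response.strip().upper())

    def _verify_credentials(self, username, password):
        self.expensive_checks += 1
        record = self._users.get(username)
        if record is None:
            self._hash(password, b"\x00" * 16)  # same cost for unknown users
            return False
        salt, stored = record
        return hmac.compare_digest(stored, self._hash(password, salt))

    def login_captcha_first(self, username, password, challenge_id, response):
        """Ordering the answer recommends: drop junk before the costly work."""
        if not self._verify_captcha(challenge_id, response):
            return "captcha_failed"
        if not self._verify_credentials(username, password):
            return "bad_credentials"
        return "ok"

    def login_credentials_first(self, username, password, challenge_id, response):
        """Ordering the answer warns against: every request pays for hashing."""
        if not self._verify_credentials(username, password):
            return "bad_credentials"
        if not self._verify_captcha(challenge_id, response):
            return "captcha_failed"
        return "ok"


def flood_cost(attempts, captcha_first=True):
    """Send junk logins with bogus CAPTCHA answers; return how many times
    the expensive credential check ran."""
    svc = LoginService()
    handler = svc.login_captcha_first if captcha_first else svc.login_credentials_first
    for i in range(attempts):
        handler("alice", f"guess{i}", "bogus-id", "XXXXX")
    return svc.expensive_checks


def legit_login_then_replay():
    """A real user solves the CAPTCHA once; reusing the same token fails."""
    svc = LoginService()
    cid, answer = svc.issue_captcha()
    first = svc.login_captcha_first("alice", "correct horse battery staple", cid, answer)
    replay = svc.login_captcha_first("alice", "correct horse battery staple", cid, answer)
    return first, replay


if __name__ == "__main__":
    print("expensive checks, CAPTCHA first:", flood_cost(20, captcha_first=True))
    print("expensive checks, credentials first:", flood_cost(20, captcha_first=False))
    print("legit login then replay:", legit_login_then_replay())
```

With the CAPTCHA checked first, twenty junk attempts trigger no password hashing at all; with the credential check first, every attempt costs a full PBKDF2 computation. The single-use challenge matters: if a solved CAPTCHA could be reused, an attacker would solve one and replay it with every request, and the ordering would buy nothing. As the answer says, this only raises the per-request cost for the attacker; a flood that never reaches the application layer, or an attacker paying a solving service, is not addressed by it.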
