by jimmies 2952 days ago
That's doable but you have to process a lot of traffic from the clients because the client would have to send all the answers it has calculated.

Do exactly what bitcoin does: You send a random prefix and require the client to find a random suffix so that hash(prefix+suffix) ends with, say, 4 zeros.

2 comments

So. Someone is wasting your time, so you want to start wasting everyone's time and natural resources playing games with a script?

Stay away from trying to increase computational overhead. Everyone thinks computation is "free", but it isn't. There is a turbine somewhere cranking out annoyed pixies to drive your computation war with this botnet. The fact some actor has decided to distribute the energy cost to someone else doesn't mean you have to double down on the waste by multiplying the botnet operator's energy expenditure being dealt with by oblivious users a thousandfold.

It's a bit like global thermonuclear warfare. The only winning move is not to play.

The least resource-intensive way of dealing with it is just detection and either preemptive drop (no more useful info) or, if you want to get creative, start doing some whois digging with IPs and start blowing up some operators' inboxes with questions as to why you are getting malicious login traffic from their IP block so they can start running down the source from their end.

This is the Internet. We don't know everything going through it, but most operators are generally open to trying to keep transits clean if they are made aware of a problem in a way that doesn't seem like a DDoS aimed at their time.

That's cool. Didn't know that bitcoin does this. It sounds like a much better approach.

I guess you can fine tune how complex you want this to be by changing the number of zeros you require.

A friend suggested something else - make the client bruteforce a short RSA key (of, say, 100 bits)
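The prefix/suffix puzzle discussed in this thread, with difficulty set by the number of trailing zeros, as an added example that is not part of any comment above. SHA-256, zeros counted as hex digits, the HMAC-signed challenge format and all function names are assumptions of this example.

```python
import hashlib, hmac, os, time

SERVER_KEY = os.urandom(32)   # assumption: per-server secret used to sign challenges
MAX_AGE = 120                 # assumption: seconds a challenge stays valid

def issue_challenge(difficulty, now=None):
    """Server: random prefix bound to difficulty and issue time, signed so no state is kept."""
    ts = int(time.time() if now is None else now)
    body = f"{os.urandom(8).hex()}.{difficulty}.{ts}"
    tag = hmac.new(SERVER_KEY, body.encode(), hashlib.sha256).hexdigest()
    return f"{body}.{tag}"

def solve(prefix, difficulty):
    """Client: try suffixes until the hex digest ends with `difficulty` zeros.
    Expected work is about 16**difficulty hashes. Returns (suffix, hashes tried)."""
    target = "0" * difficulty
    n = 0
    while True:
        suffix = str(n)
        if hashlib.sha256((prefix + suffix).encode()).hexdigest().endswith(target):
            return suffix, n + 1
        n += 1

def verify(prefix, suffix, now=None):
    """Server: check signature and age first, then spend exactly one hash."""
    try:
        nonce, difficulty, ts, tag = prefix.split(".")
        difficulty, ts = int(difficulty), int(ts)
    except ValueError:
        return False                      # malformed challenge
    body = f"{nonce}.{difficulty}.{ts}"
    expected = hmac.new(SERVER_KEY, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(tag.encode(), expected.encode()):
        return False                      # client altered prefix or difficulty
    now = time.time() if now is None else now
    if not 0 <= now - ts <= MAX_AGE:
        return False                      # stale challenge
    digest = hashlib.sha256((prefix + suffix).encode()).hexdigest()
    return digest.endswith("0" * difficulty)

if __name__ == "__main__":
    for d in (1, 2, 3, 4):                # each extra zero costs ~16x more client work
        c = issue_challenge(d)
        s, tries = solve(c, d)
        print(d, tries, verify(c, s))
```

A solved challenge can be replayed until it expires unless the server also records the nonces it has already accepted.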