by throw10920 1512 days ago
> Attackers are using hacked IoT devices to do these attacks. These devices have roughly the same computing power as a mid level smartphone.

False for a very large variety of low-power IoT devices using chips like the ESP32, which are multiple decimal orders of magnitude slower than a modern computer (or high-end smartphone) and will absolutely take far longer to compute a Hashcash challenge than one of those devices. Your smart light bulb is absolutely not hosting a Qualcomm Snapdragon 450 to change its colors.

Additionally, adding this compute+power load causes the presence of malware to become far more visible on these devices, which increases risk of discovery, which is a significant upside.

Finally, because there's now a significant computational cost to performing a login attempt, the value of individual devices is further decreased to the attacker, which reduces their likelihood of compromising these devices and of using them for these kinds of attacks against services that use this measure.

So, yes, Hashcash is absolutely an adequate solution, and yes, there is absolutely a cost to the attacker.

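The login-attempt proof of work that the top comment argues over, as an added example (not code posted by anyone in this thread): a Hashcash-style challenge in Python. The server issues a random single-use token, the client searches for a counter whose SHA-256 hash of `token:counter` has the requested number of leading zero bits, and the server checks the answer with one hash. The in-memory `PENDING` store, the `token:counter` format, the expiry handling and the difficulty values are assumptions made for this example.

```python
"""Hashcash-style proof-of-work gate for login attempts (added example).

Solving costs about 2**bits SHA-256 evaluations on average; verifying costs
one. That asymmetry is the whole point: the server's check stays cheap while
each attempt costs the client real CPU time.
"""
import hashlib
import secrets
import time

# Constructed in-memory store of outstanding challenges: token -> (bits, expiry).
# A real deployment would key this per session or per account in a shared store.
PENDING: dict[str, tuple[int, float]] = {}


def leading_zero_bits(digest: bytes) -> int:
    """Number of leading zero bits in a digest (used as the difficulty measure)."""
    n = 0
    for byte in digest:
        if byte == 0:
            n += 8
        else:
            n += 8 - byte.bit_length()
            break
    return n


def issue_challenge(bits: int, ttl_seconds: float = 60.0) -> dict:
    """Server side: hand out a fresh random token with a difficulty and a deadline."""
    token = secrets.token_hex(16)
    PENDING[token] = (bits, time.time() + ttl_seconds)
    return {"challenge": token, "bits": bits}


def _digest(token: str, counter: int) -> bytes:
    # Assumed binding format: "<token>:<counter>" hashed with SHA-256.
    return hashlib.sha256(f"{token}:{counter}".encode()).digest()


def solve(challenge: dict) -> int:
    """Client side: brute-force the counter; expected work is 2**bits hashes."""
    counter = 0
    while leading_zero_bits(_digest(challenge["challenge"], counter)) < challenge["bits"]:
        counter += 1
    return counter


def verify(token: str, counter: int) -> bool:
    """Server side: one hash. The token is consumed on first use so a solved
    challenge cannot be replayed, and an expired token is rejected."""
    entry = PENDING.pop(token, None)
    if entry is None:
        return False
    bits, expiry = entry
    if time.time() > expiry:
        return False
    return leading_zero_bits(_digest(token, counter)) >= bits


def expected_hashes(bits: int) -> int:
    """Average number of hashes a solver needs; doubles with every extra bit."""
    return 2 ** bits


if __name__ == "__main__":
    # Show how the client's cost grows with difficulty while verification stays flat.
    for bits in (8, 12, 16):
        ch = issue_challenge(bits)
        t0 = time.perf_counter()
        c = solve(ch)
        solve_time = time.perf_counter() - t0
        t1 = time.perf_counter()
        ok = verify(ch["challenge"], c)
        verify_time = time.perf_counter() - t1
        print(f"bits={bits:2d} expected={expected_hashes(bits):6d} "
              f"solve={solve_time:.4f}s verify={verify_time:.6f}s ok={ok}")
```

The difficulty is the only knob: each additional bit doubles the solver's expected work while the verifier still does a single hash, so a service can raise `bits` per account after failed attempts without increasing its own load. Binding the token to one attempt and popping it on verification is what stops a single solved challenge from being reused across many login requests.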

You have no idea what you're talking about. Botnets are almost entirely ISP router/modem combo devices.

Hashcat was proposed over 20 years ago. You really think out of all the tens of thousands of security engineers working on this problem, nobody has ever considered it? Get a grip.

I hate how this website incentivizes people to try to make posts that sound smart instead of posting stuff they're actually knowledgeable about.

> Botnets are almost entirely ISP router/modem combo devices.

Above you say they are IoT devices. I don't mean 'gotcha', but to learn: What does the population of botnet devices consist of?

This comment violates probably about a dozen different parts of the HN guidelines[1]. You should calm down with the ad-hominems and substance-less claims and give the guidelines a read, then come back and make an actual argument.

[1] https://news.ycombinator.com/newsguidelines.html

Yeah, the majority of them aren't WiFi lightbulbs; afaik it's mostly routers and other similar devices, so they really do have the power of a low-to-mid range smartphone.

Realistically though, as long as it can send a request, I think attackers would prefer lower-power devices: someone's computer may be able to send many more r/s, but it is much harder to gain control of versus the $30 IoT device.

This is an irrelevant tangent on the mid-level phone comment. We all know you don't need any compute power at all to make "2-3 login attempts per hour" even on the slowest of IoT devices.