by Szpadel 1049 days ago
Because bots use hundreds of IP addresses assigned to the same system. If you have 5 r/s from 10k IP addresses, it adds up. If you require computational power, you force them to invest money in hardware and potentially make it unprofitable.

The last botnet I fended off had 49131669 IPs, so believe me, I know: https://ipv4.games/statusz
The issue is it's not their money. A lot of these botnets are comprised of ordinary people's devices that got hacked into or hijacked by some slimy mobile app that fires off a DDoS request every ~5 sec or so in the background, and they do it because hacked devices aren't easy to fingerprint. So I feel bad for what's going to happen to all those normal people if the industry pivots to using CPU-hard approaches to defend themselves.
I guess this depends on what kind of traffic you get. In some cases the data that they try to push is confidential, like their user session. On some systems I switched rate limiting from per IP to per session, because thousands of IPs used the same session cookie; that's why I assume all of them use the same physical machine.
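An added example, not part of the comment above or any commenter's code: it replays constructed traffic in which one session cookie is sent from 1000 IP addresses and compares a per-IP limit with the per-session limit the comment describes. The limiter class, the 5 requests per second threshold, the fan-out threshold, and the session names are assumptions made for illustration.

```python
from collections import defaultdict, deque


class SlidingWindowLimiter:
    """Allow at most `limit` requests per `window` seconds for each key."""

    def __init__(self, limit, window):
        self.limit = limit
        self.window = window
        self.hits = defaultdict(deque)  # key -> timestamps of allowed requests

    def allow(self, key, now):
        q = self.hits[key]
        while q and now - q[0] >= self.window:  # drop hits that left the window
            q.popleft()
        if len(q) >= self.limit:
            return False
        q.append(now)
        return True


def replay(requests, limit=5, window=1.0, ip_fanout=100):
    """Replay (time, ip, session) tuples through both keying strategies.

    Returns how many requests each strategy let through, plus the sessions
    seen from at least `ip_fanout` distinct IPs (hypothetical threshold).
    """
    per_ip = SlidingWindowLimiter(limit, window)
    per_session = SlidingWindowLimiter(limit, window)
    ips_by_session = defaultdict(set)
    allowed = {"per_ip": 0, "per_session": 0}
    for now, ip, session in requests:
        ips_by_session[session].add(ip)
        allowed["per_ip"] += per_ip.allow(ip, now)
        allowed["per_session"] += per_session.allow(session, now)
    shared = {s for s, ips in ips_by_session.items() if len(ips) >= ip_fanout}
    return allowed, shared


def constructed_traffic():
    """Constructed sample: one cookie replayed from 1000 IPs within one second,
    plus an ordinary user sending 3 requests from a single IP."""
    reqs = [(i / 1000.0, f"10.0.{i // 250}.{i % 250}", "sess-bot")
            for i in range(1000)]
    reqs += [(0.1 * k, "192.0.2.7", "sess-user") for k in range(3)]
    return sorted(reqs)


if __name__ == "__main__":
    print(replay(constructed_traffic()))
```

Keyed by IP, every request passes because no single address exceeds the limit; keyed by session, the shared cookie is cut off after five requests while the ordinary user is unaffected.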
Right. Captchas are supposed to ensure the operation is human-initiated. This solution doesn't work.