The problem isn't bot traffic. I run an ecommerce site and scammers run python scripts to test 1000s of cards per hour if there is no captcha. I hate it, my customers hate it, scammers hate it, but it is the only thing that keeps my merchant account running. Any advice is welcome!
Logon forms are another whole issue. "Lock out the account" is just a DoS vector. People are quick to talk about systems that can defeat a captcha but if the brute force goes from 50 passwords/sec to one password/10 sec it's mission accomplished.
Not easily: if it's enforced client-side it may as well not exist; if it's enforced server-side you just let anyone lock anyone else out of their account by running a constant brute force attack against their account (a DoS vuln). It also does nothing for attackers who try a giant list of accounts but only one or two passwords for each.
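An added example, not code from any commenter, of the server-side alternative the two comments above point at: a growing delay keyed on (source, account) rather than an account-wide lock-out, so a stranger hammering your account cannot lock you out from your own address, plus a per-source check for the "many accounts, one or two passwords each" pattern. Class name, thresholds and the sample source addresses are assumptions chosen for illustration.

```python
import time
from collections import defaultdict, deque


class LoginThrottle:
    """Slow down guessing without hard lock-outs (assumed design, not any site's real code).

    - Per (source, account): each failure doubles a delay (2s, 4s, ... capped), so
      an attacker drops from many guesses/sec to one per delay period, while the
      real user on another address is untouched.
    - Per source: failures against many distinct accounts inside a window
      (password spraying) throttle that whole source at the maximum delay.
    """

    def __init__(self, base_delay=2.0, max_delay=60.0, spray_window=600.0, spray_accounts=10):
        self.base_delay = base_delay
        self.max_delay = max_delay
        self.spray_window = spray_window
        self.spray_accounts = spray_accounts
        self._fail = {}                        # (src, acct) -> [failure_count, last_failure_ts]
        self._src_accts = defaultdict(deque)   # src -> deque of (ts, acct) for failed attempts

    def _delay_for(self, failures):
        if failures == 0:
            return 0.0
        return min(self.base_delay * 2 ** (failures - 1), self.max_delay)

    def _spraying(self, src, now):
        q = self._src_accts[src]
        while q and now - q[0][0] > self.spray_window:   # drop entries outside the window
            q.popleft()
        return len({acct for _, acct in q}) >= self.spray_accounts

    def wait_seconds(self, src, acct, now=None):
        """Seconds the caller must wait before processing this attempt (0.0 = go ahead)."""
        now = time.time() if now is None else now
        count, last = self._fail.get((src, acct), (0, 0.0))
        remaining = max(0.0, last + self._delay_for(count) - now)
        if self._spraying(src, now):
            remaining = max(remaining, self.max_delay)
        return remaining

    def record(self, src, acct, success, now=None):
        """Call after the password check; success clears the pair's penalty."""
        now = time.time() if now is None else now
        if success:
            self._fail.pop((src, acct), None)
            return
        entry = self._fail.setdefault((src, acct), [0, 0.0])
        entry[0] += 1
        entry[1] = now
        self._src_accts[src].append((now, acct))
```

The `now` parameter exists so the behaviour can be checked deterministically; in a real handler you would leave it at the default and sleep or reject for `wait_seconds` before touching the password check.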
I worked on Google's system for solving this. It's a pretty sophisticated analysis that decides whether to demand CAPTCHAs or not based on a lot of factors. The CAPTCHA was needed (at that time) because it's the only way to slow down the attacker without bothering the real user, who won't be shown one.
Server-side of course, but I would think the loading bar can be per connection rather than per account, right? Like a connection is attempted, starting the loading bar, and then 5s later you only allow that connection to continue the load? I do non-web dev stuff so maybe I'm missing something, but it sounds like it should be easy enough.
Presumably the point is that the user (or bot) wants to access the content; a connection would have to complete the load successfully to do what they came for. If they just drop it instantly then that's a bot turned away.