Hi people - I've posted this already on the main Drupal site - http://drupal.org/node/383426 - could somebody run similar tests and/or comment please?
This came about because one of my sites was seeing huge (20+) load averages from time to time, making the site next to useless. I also know from logs that more than once we have script attacks which are trying to create user accounts (and of course we also get the usual spam post attempts.) So, I'm guessing the two are related.
In addition, I know that on a couple of occasions the "create user" scripts actually succeeded, i.e. they "read" the image captcha code (I subsequently increased the complexity of the code.) and generated a whole bunch of accounts with random names.
What's needed is a cached approach to image generation - generate maybe 100 images and keep them on disk - update them from time to time. I may code it myself, when I get a moment.
Any further thoughts?

Comments
Limit number of times captcha image is generated per session
Here's an idea...
When the $seed is generated and stored in session data, also record the last timestamp it's been used, and a counter. Then add a module option so that you can define how many images can be generated per time interval.
You may also add code to limit the number of anonymous sessions created from a single IP, and that will cover DoS, but not DDoS.
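The per-session limit suggested in the comment above, as an added example (not code from this thread or from the Drupal CAPTCHA module). The function name, the `captcha_rate` session key and both limit values are assumptions.

```php
<?php
// Added example; all names here are hypothetical, not the CAPTCHA module's API.

const CAPTCHA_MAX_IMAGES = 5;    // assumed module option: images allowed per window
const CAPTCHA_WINDOW_SECS = 60;  // assumed module option: window length in seconds

/**
 * Decide whether this session may have another captcha image rendered.
 * $session is the session array ($_SESSION in a real request); taking it
 * by reference lets the logic run without a web server.
 */
function captcha_image_allowed(array &$session, int $now,
                               int $max = CAPTCHA_MAX_IMAGES,
                               int $window = CAPTCHA_WINDOW_SECS): bool {
  $state = $session['captcha_rate'] ?? ['window_start' => $now, 'count' => 0];

  // Start a fresh window once the interval has elapsed.
  if ($now - $state['window_start'] >= $window) {
    $state = ['window_start' => $now, 'count' => 0];
  }

  // Only count requests that actually cost an image render.
  $allowed = $state['count'] < $max;
  if ($allowed) {
    $state['count']++;
  }
  $state['last_used'] = $now;  // timestamp stored next to the counter
  $session['captcha_rate'] = $state;
  return $allowed;
}

// Constructed demo: seven requests in quick succession, then one after the window.
$session = [];
$t0 = 1700000000;
foreach ([0, 1, 2, 3, 4, 5, 6, 61] as $offset) {
  $ok = captcha_image_allowed($session, $t0 + $offset);
  printf("t+%02ds -> %s\n", $offset, $ok ? 'render image' : 'refuse');
}
```

A client that drops its session cookie starts with a fresh counter, so this check only holds when new anonymous sessions are themselves limited, for example per IP.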
True, some patch to the existing module to prevent overloading would be quicker to code than a significant update, though for busy sites, cached images would still be better (especially if captchas are likely to get displayed often, e.g. if comment form + captcha is displayed to guest users at the end of posts.)
Can anyone confirm my findings? (Run ab to do multiple concurrent accesses to any page on your site which normally shows a captcha image and watch the impact on server load.)
Currently part of the team at https://lastcallmedia.com in a senior Drupal specialist role.
Hi Andy,
I think that using the cached image generation is not the focus of the CAPTCHA's core Image Captcha, but I would really support the idea of having an Advanced Image Captcha module, are you willing to implement that? ;)
cheers,
fabiano
No point in re-inventing the wheel! - the recaptcha service is good (and available via Drupal Captcha module) -- problem with it is that IME many human beings can't read them! My site has a large number of older folks, not such good eyesight, not so computer literate etc - they moan that we have captcha at all, so the last thing I want to do is make it harder for them.
Currently part of the team at https://lastcallmedia.com in a senior Drupal specialist role.