Both have different purposes.
The Anubis challenge could be easily and cheaply solved by any JavaScript engine. It only becomes expensive for a massive number of petitions.
If, for instance, you wanted to register a few thousand emails in a forum, Anubis is not going to stop anyone.
In fact, I’m sceptical about it really having an impact, as even when the challenge goes up in difficulty it is not that expensive compared with all the other costs related to these kinds of attacks or massive scrapes.
My suspicion is that most websites using Anubis see a positive impact because most crawlers and probers don’t take Anubis into account, so they don’t even attach a way to solve the challenge and they go directly into the “rejected by Anubis” bucket. But any targeted attack, I suppose, would pass easily, either by doing a slow attack so as not to raise the challenge very much, or by just eating the cost. Imagine an AI company that is using nuclear plants for training data: the cost of solving a few million JavaScript challenges is nothing in comparison.
As a DDoS mitigation it helps, but once again it’s just a matter of the attacker eating the cost. And the attack will still deny some service, as the challenge goes up and new legit users would also need to solve harder challenges.