mCaptcha/dos

DoS Demo: Comparing mCaptcha-protected endpoint performance against exposed endpoints with non-simulated, realistic load

This demo uses a registration workflow that looks as real as possible: password and password re-type confirmation, followed by password hashing and storing in the DB.

Requirements

  1. mCaptcha server with a captcha configured. Please self-host an mCaptcha instance, as the demo server is just that: a demo server. See here for deployment instructions.

  2. Python 3.10.4: it might work on other versions, but I tested it on this version.

  3. rustc: mCaptcha/pow_py, the proof-of-work library used in mCaptcha (well, the Python bindings to it), is not published on PyPI (still figuring out how to), so the user will have to compile it from source.

Overview:

  • server: a demo Flask app with two endpoints that do the exact same thing, process and register a user, but differ in that one of them (/protected) is protected by mCaptcha.

  • unprotected: DoS client written using Locust that launches an attack on the unprotected endpoint.

  • protected: DoS client written using Locust that launches an attack on the protected endpoint. It generates proof of work and solves the captcha on every request.
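
The difference between the two endpoints comes down to where the expensive password hash sits relative to a cheap proof-of-work check. The sketch below is an added example, not code from this repository: it uses a simplified hashcash-style scheme rather than mCaptcha's wire format or the pow_py API, and every name and constant in it (DIFFICULTY, SITE_SALT, register_protected, and so on) is an assumption made for illustration.

```python
import hashlib
import os
import secrets

DIFFICULTY = 2000  # constructed value: expected SHA-256 attempts per solution
THRESHOLD = (1 << 128) - (1 << 128) // DIFFICULTY
SITE_SALT = b"constructed-demo-salt"
ISSUED = set()   # challenges handed out and not yet redeemed
USERS = {}       # stand-in for the database


def pow_value(challenge: str, nonce: int) -> int:
    """First 128 bits of SHA-256(salt || challenge || nonce) as an integer."""
    data = SITE_SALT + challenge.encode() + nonce.to_bytes(8, "big")
    return int.from_bytes(hashlib.sha256(data).digest()[:16], "big")


def issue_challenge() -> str:
    challenge = secrets.token_hex(16)
    ISSUED.add(challenge)
    return challenge


def solve(challenge: str) -> int:
    """Client side: brute-force a nonce, about DIFFICULTY hashes on average."""
    nonce = 0
    while pow_value(challenge, nonce) < THRESHOLD:
        nonce += 1
    return nonce


def register(username: str, password: str, confirm: str) -> bool:
    """Unprotected path: every request reaches the expensive hash."""
    if password != confirm:
        return False
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    USERS[username] = (salt, digest)
    return True


def register_protected(username, password, confirm, challenge, nonce) -> bool:
    """Protected path: one SHA-256 check gates the expensive hash."""
    if challenge not in ISSUED or not 0 <= nonce < 1 << 64:
        return False                     # unknown, redeemed, or malformed
    if pow_value(challenge, nonce) < THRESHOLD:
        return False                     # work not done: rejected cheaply
    ISSUED.discard(challenge)            # single use: replay is rejected
    return register(username, password, confirm)
```

The server spends one SHA-256 per rejected request, while each accepted request costs the client roughly DIFFICULTY hashes, which is the asymmetry the demo measures under load.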

Funding

2023 development is funded through the NGI0 Entrust Fund, via NLnet. Please see here for more details.
