IME, the hidden google re-captcha works brilliantly against bots.
Presumably by examining the timing. Set the threshold to 0.6 and off
you go. I run a fairly busy tech forum.

Another approach is to put your site behind Cloudflare. For hobby /
noncommercial sites this is free. And you get handy stuff like

- https certificate is done for you
- you can block up to 5 countries (I blocked Russia China and India)

Ideally you should firewall your server to accept web traffic only
from the set of CF IPs, but in practice this is not necessary unless
somebody is out to get you (there are websites which carry IP history
for a given domain, believe it or not!!!)

On Tue, 12 Mar 2024 12:54:06 +0000, Peter
<occassionally-confused@nospam.co.uk> wrote:

>IME, the hidden google re-captcha works brilliantly against bots.
>Presumably by examining the timing. Set the threshold to 0.6 and off
>you go. I run a fairly busy tech forum.
>
>Another approach is to put your site behind Cloudflare. For hobby /
>noncommercial sites this is free. And you get handy stuff like
>
>- https certificate is done for you
>- you can block up to 5 countries (I blocked Russia China and India)
>
>Ideally you should firewall your server to accept web traffic only
>from the set of CF IPs, but in practice this is not necessary unless
>somebody is out to get you (there are websites which carry IP history
>for a given domain, believe it or not!!!)

My ISP has finally blocked all China IP addresses from accessing the
site.

Maybe that's what the bots want; who knows.

Haven't had access to the site to find out what the practical result
is, yet.

RL

On Tue, 12 Mar 2024 09:41:00 +0000, Martin Brown
<'''newspam'''@nonad.co.uk> wrote:

>On 11/03/2024 16:57, legg wrote:
>> On Mon, 11 Mar 2024 07:48:04 -0700, Don Y
>> <blockedofcourse@foo.invalid> wrote:
>>
>>> On 3/11/2024 7:40 AM, legg wrote:
>>>> Blocking a single IP hasn't worked for my ISP.
>>>
>>> It won't. Even novice users can move to a different IP using reeadily
>>> available mechanisms.
>>>
>>> Whitelisting can work (which is the approach that I use) but
>>> it assumes you know who you *want* to access your site.
>>>
>>> (It's a lot harder to guess a permitted IP than it is to avoid
>>> an obviously BLOCKED one!)
>>>
>>>> Each identical 17G download block (262 visits)was by a new IP
>>>> in a completely different location/region.
>>>>
>>>> Beijing, Hearbin, Henan, a mobile and a fifth, so far untraced
>>>> due to suspension of my site.
>>>
>>> There's a reason things like "captcha" exist.
>>>
>>> Note that this still doesn't prevent the *page(s)* from being repeatedly
>>> accessed. But, presumably, their size is considerably smaller than
>>> that of the payloads you want to protect.
>>>
>>> OTOH, if someone wants to shut down your account due to an exceeded
>>> quota, they can keep reloading those pages until they've eaten up your
>>> traffic quota. And, "they" can be an automated process!
>>>
>>> [Operating a server in stealth mode can avoid this. But, then
>>> you're not "open to the public"! :> ]
>>
>> Doing some simple experiments by temporarily renaming/replacing
>> some of the larger files being tageted, just to see how the bot
>> reacts to the new environment. If they find renamed files it
>> means something. If visits to get the same 17G alter it means
>> something else.
>>
>> This all at the expense and patience of my ISP. Thumbs up there.
>
>Why don't you block entire blocks of Chinese IP addresses that contain
>the ones that have attacked you until the problem ceases?
>eg. add a few banned IP destinations to your .htaccess file
>
>https://htaccessbook.com/block-ip-address/
>
>1.80.*.* thru 1.95.*.*
>101.16.*.* thru 101.16.*.*
>101.144.*.* thru 101.159.*.*
>
>If you block just a few big chunks it should make some difference.
>You might have to inflict a bit of collateral damage in the 101.* range.
>
>Otherwise you are stuck with adding some Captcha type thing to prevent
>malicious bots hammering your site. I'm a bit surprised that your ISP
>doesn't offer or have site wide countermeasures for such DOS attacks.

My ISP has blocked all China IP addresses from accessing the
site.

Maybe that's what the bots want; who knows?

Haven't had access to the site to find out what the practical result
was, yet, or what the final probing looked like. Whatever it was, it
didn't result in another 17G block download, before the automated
account suspension reasserted itself, which was the last case
examined. (went 14G overlimit for full 17G load).

RL

legg <legg@nospam.magma.ca> wrote:

>My ISP has blocked all China IP addresses from accessing the
>site.

That will work; the bots can get around it by using a VPN, but more or
less all VPN services which will handle heavy data cost money. So VPNs
are used for hacking but not for a DOS attack.

On 3/11/2024 9:48 AM, legg wrote:
>>>> When I ask google for "how to add a captcha to your website"
>>>> I see many solutions, for example this:
>>>> https://www.oodlestechnologies.com/blogs/create-a-captcha-validation-in-html-and-javascript/
>>>>
>>>> Maybe some html guru here nows?
>>>
>>> That looks like it's good for accessing an html page.
>>> So far the chinese are accessing the top level index, where
>>> files are offered for download at a click.
>>>
>>> Ideally, if they can't access the top level, a direct address
>>> access to the files might be prevented?
>
> Using barebones (Netscape) Seamonkey Compser, the Oodlestech
> script generates a web page with a 4-figure manually-entered
> human test.
>
> How do I get a correct response to open the protected web page?

Why not visit a page that uses it and inspect the source?

>> What I am doing now is using a html://mywebsite/pub/ directory
>> with lots of files in it that I want to publish in for example this newsgroup,
>> I then just post a direct link to that file.
>> So it has no index file and no links to it from the main site.
>> It has many sub directories too.
>> https://panteltje.nl/pub/GPS_to_USB_module_component_site_IXIMG_1360.JPG
>> https://panteltje.nl/pub/pwfax-0.1/README
>>
>> So you need the exact link to access anything
>> fine for publishing here...
> <snip>
>
> The top (~index) web page of my site has lists of direct links
> to subdirectories, for double-click download by user.

You could omit the actual links and just leave the TEXT for a link
present (i.e., highlight text, copy, paste into address bar) to
see if the "clients" are exploring all of your *links* or are
actually parsing the *text*.

> It also has limks to other web pages that, in turn, offer links or
> downloads to on-site and off-site locations. A great number of

Whether or not you choose to "protect" those assets is a separate
issue that only you can resolve (what's your "obligation" to a site that
you've referenced on YOUR page?)

> off-site links are invalid, after ~10-20years of neglect. They'll
> probably stay that way until something or somebody convinces me
> that it's all not just a waste of time.
>
> At present, I only maintain data links or electronic publications
> that need it. This may not be neccessary, as the files are generally
> small enough for the Wayback machine to have scooped up most of the
> databases and spreadsheets. They're also showing up in other places,
> with my blessing. Hell - Wayback even has tube curve pages from the
> 'Conductance Curve Design Manual' - they've got to be buried 4 folders
> deep - and each is a hefty image.

You can see if bitsavers has an interest in preserving them in a
more "categorical" framework.

> Somebody, please tell me the the 'Internet Archive' is NOT owned
> by Google?
>
> Some off-site links for large image-bound mfr-logo-ident web pages
> (c/o geek@scorpiorising) seem already to have introduced a
> captcha-type routine. Wouldn't need many bot hits to bump that
> location into a data limit. Those pages take a long time
> simply to load.

There is an art to designing all forms of documentation
(web pages just being one). Too abridged and folks spend forever
chasing links (even if it's as easy as "NEXT"). Too verbose and
the page takes a long time to load.

OTOH, when I'm looking to scrape documentation for <whatever>,
I will always take the "one large document" option, if offered.
It's just too damn difficult to rebuild a site's structure,
off-line, in (e.g.) a PDF. And, load times for large LOCAL documents
is insignificant.
> Anyway - how to get the Oodlestech script to open the appropriate
> page, after vetting the user as being human?

No examples, there?

On Tue, 12 Mar 2024 15:05:00 -0700, Don Y
<blockedofcourse@foo.invalid> wrote:

>On 3/11/2024 9:48 AM, legg wrote:
>>>>> When I ask google for "how to add a captcha to your website"
>>>>> I see many solutions, for example this:
>>>>> https://www.oodlestechnologies.com/blogs/create-a-captcha-validation-in-html-and-javascript/
>>>>>
>>>>> Maybe some html guru here nows?
>>>>
>>>> That looks like it's good for accessing an html page.
>>>> So far the chinese are accessing the top level index, where
>>>> files are offered for download at a click.
>>>>
>>>> Ideally, if they can't access the top level, a direct address
>>>> access to the files might be prevented?
>>
>> Using barebones (Netscape) Seamonkey Compser, the Oodlestech
>> script generates a web page with a 4-figure manually-entered
>> human test.
>>
>> How do I get a correct response to open the protected web page?
>
>Why not visit a page that uses it and inspect the source?

I'm afraid to find out. If it's google product . . . .

>
>>> What I am doing now is using a html://mywebsite/pub/ directory
>>> with lots of files in it that I want to publish in for example this newsgroup,
>>> I then just post a direct link to that file.
>>> So it has no index file and no links to it from the main site.
>>> It has many sub directories too.
>>> https://panteltje.nl/pub/GPS_to_USB_module_component_site_IXIMG_1360.JPG
>>> https://panteltje.nl/pub/pwfax-0.1/README
>>>
>>> So you need the exact link to access anything
>>> fine for publishing here...
>> <snip>
>>
>> The top (~index) web page of my site has lists of direct links
>> to subdirectories, for double-click download by user.
>
>You could omit the actual links and just leave the TEXT for a link
>present (i.e., highlight text, copy, paste into address bar) to
>see if the "clients" are exploring all of your *links* or are
>actually parsing the *text*.

After the chinese IPs were blocked, there was not much more
I could learn by fiddling about. My ISP had to reset the auto
suspension and up the limit with each (failed) iteration.
The current block is considered as dusting of the hands.
Case closed.

>
>> It also has limks to other web pages that, in turn, offer links or
>> downloads to on-site and off-site locations. A great number of
>
>Whether or not you choose to "protect" those assets is a separate
>issue that only you can resolve (what's your "obligation" to a site that
>you've referenced on YOUR page?)
>
>> off-site links are invalid, after ~10-20years of neglect. They'll
>> probably stay that way until something or somebody convinces me
>> that it's all not just a waste of time.
>>
>> At present, I only maintain data links or electronic publications
>> that need it. This may not be neccessary, as the files are generally
>> small enough for the Wayback machine to have scooped up most of the
>> databases and spreadsheets. They're also showing up in other places,
>> with my blessing. Hell - Wayback even has tube curve pages from the
>> 'Conductance Curve Design Manual' - they've got to be buried 4 folders
>> deep - and each is a hefty image.
>
>You can see if bitsavers has an interest in preserving them in a
>more "categorical" framework.

The PDF version of complte CCDM is already out there in a couple
of free doc sites. Chart images in that pdf might have sample envy.
>
>> Somebody, please tell me the the 'Internet Archive' is NOT owned
>> by Google?
>>
>> Some off-site links for large image-bound mfr-logo-ident web pages
>> (c/o geek@scorpiorising) seem already to have introduced a
>> captcha-type routine. Wouldn't need many bot hits to bump that
>> location into a data limit. Those pages take a long time
>> simply to load.
>
>There is an art to designing all forms of documentation
>(web pages just being one). Too abridged and folks spend forever
>chasing links (even if it's as easy as "NEXT"). Too verbose and
>the page takes a long time to load.

The problem with mfr logo ident is the raw volume of tiny images.
Don't recall if an epub version was made - I think, if anything,
that attempt just made a bigger file . . . .
Slow as it is - it's already split up alpha numerically into six
sections . . . .
>
>OTOH, when I'm looking to scrape documentation for <whatever>,
>I will always take the "one large document" option, if offered.
>It's just too damn difficult to rebuild a site's structure,
>off-line, in (e.g.) a PDF. And, load times for large LOCAL documents
>is insignificant.
>> Anyway - how to get the Oodlestech script to open the appropriate
>> page, after vetting the user as being human?
>
>No examples, there?
>

RL

On 3/12/2024 5:08 PM, legg wrote:
>>>>> Ideally, if they can't access the top level, a direct address
>>>>> access to the files might be prevented?
>>>
>>> Using barebones (Netscape) Seamonkey Compser, the Oodlestech
>>> script generates a web page with a 4-figure manually-entered
>>> human test.
>>>
>>> How do I get a correct response to open the protected web page?
>>
>> Why not visit a page that uses it and inspect the source?
>
> I'm afraid to find out. If it's google product . . . .

I think there are a variety of "similar" mechanisms offered.
You can also "roll your own" just by adding a stumbling
block that ties access to something beyond just having the served
page (e.g., delay the activation of links for a short period
of time after the page is served so the "client" has to
delay clicking on them)

Or, generating a psuedo-random number and requiring the
client to enter it -- or combinations thereof:
"Please enter this numeric value: six four three"
as a bot likely won't know that you have made such a request
of the client.

>>>> What I am doing now is using a html://mywebsite/pub/ directory
>>>> with lots of files in it that I want to publish in for example this newsgroup,
>>>> I then just post a direct link to that file.
>>>> So it has no index file and no links to it from the main site.
>>>> It has many sub directories too.
>>>> https://panteltje.nl/pub/GPS_to_USB_module_component_site_IXIMG_1360.JPG
>>>> https://panteltje.nl/pub/pwfax-0.1/README
>>>>
>>>> So you need the exact link to access anything
>>>> fine for publishing here...
>>> <snip>
>>>
>>> The top (~index) web page of my site has lists of direct links
>>> to subdirectories, for double-click download by user.
>>
>> You could omit the actual links and just leave the TEXT for a link
>> present (i.e., highlight text, copy, paste into address bar) to
>> see if the "clients" are exploring all of your *links* or are
>> actually parsing the *text*.
>
> After the chinese IPs were blocked, there was not much more
> I could learn by fiddling about. My ISP had to reset the auto
> suspension and up the limit with each (failed) iteration.
> The current block is considered as dusting of the hands.
> Case closed.

Well, you should be thankful they were at least THAT cooperative.

>>> Somebody, please tell me the the 'Internet Archive' is NOT owned
>>> by Google?
>>>
>>> Some off-site links for large image-bound mfr-logo-ident web pages
>>> (c/o geek@scorpiorising) seem already to have introduced a
>>> captcha-type routine. Wouldn't need many bot hits to bump that
>>> location into a data limit. Those pages take a long time
>>> simply to load.
>>
>> There is an art to designing all forms of documentation
>> (web pages just being one). Too abridged and folks spend forever
>> chasing links (even if it's as easy as "NEXT"). Too verbose and
>> the page takes a long time to load.
>
> The problem with mfr logo ident is the raw volume of tiny images.
> Don't recall if an epub version was made - I think, if anything,
> that attempt just made a bigger file . . . .
> Slow as it is - it's already split up alpha numerically into six
> sections . . . .

(Without having seen them...) Can you create a PNG of a group
of them arranged in a matrix. Then, a map that allows clicking
on any *part* of the composite image to provide a more detailed
"popup" to inspect?

I.e., each individual image is a trip back to the server to
fetch that image. A single composite could reduce that to
one fetch with other actions conditional on whether or not
the user wants "more/finer detail"

Don Y <blockedofcourse@foo.invalid> wrote:

>(Without having seen them...) Can you create a PNG of a group
>of them arranged in a matrix. Then, a map that allows clicking
>on any *part* of the composite image to provide a more detailed
>"popup" to inspect?
>
>I.e., each individual image is a trip back to the server to
>fetch that image. A single composite could reduce that to
>one fetch with other actions conditional on whether or not
>the user wants "more/finer detail"

All of this "graphical captcha" stuff is easy to hack if somebody is
out to trash *your* site.

For example I run some sites and paid someone 1k or so to develop a
graphical captcha. It displayed two numbers as graphic images and you
had to enter their product e.g. 12 x 3 = 36.

A friend who is an expert at unix spent just a few mins on a script
which used standard unix utilities to do OCR on the page, and you can
guess the rest.

On 3/12/2024 9:41 AM, legg wrote:
> On Tue, 12 Mar 2024 12:54:06 +0000, Peter
> <occassionally-confused@nospam.co.uk> wrote:
>
>> IME, the hidden google re-captcha works brilliantly against bots.
>> Presumably by examining the timing. Set the threshold to 0.6 and off
>> you go. I run a fairly busy tech forum.
>>
>> Another approach is to put your site behind Cloudflare. For hobby /
>> noncommercial sites this is free. And you get handy stuff like
>>
>> - https certificate is done for you
>> - you can block up to 5 countries (I blocked Russia China and India)
>>
>> Ideally you should firewall your server to accept web traffic only
>>from the set of CF IPs, but in practice this is not necessary unless
>> somebody is out to get you (there are websites which carry IP history
>> for a given domain, believe it or not!!!)
>
> My ISP has finally blocked all China IP addresses from accessing the
> site.
>
> Maybe that's what the bots want; who knows.
>
> Haven't had access to the site to find out what the practical result
> is, yet.
>
> RL

Maybe consider hosting the web server yourself, using a virtual
machine/Promox as the host and a Cloudflare tunnel for security:

<https://youtu.be/_7ZqMn_C2Dc?si=z5QZ98HUlLT54oPi>

On 3/14/2024 9:26 AM, Peter wrote:
>
> Don Y <blockedofcourse@foo.invalid> wrote:
>
>> (Without having seen them...) Can you create a PNG of a group
>> of them arranged in a matrix. Then, a map that allows clicking
>> on any *part* of the composite image to provide a more detailed
>> "popup" to inspect?
>>
>> I.e., each individual image is a trip back to the server to
>> fetch that image. A single composite could reduce that to
>> one fetch with other actions conditional on whether or not
>> the user wants "more/finer detail"
>
> All of this "graphical captcha" stuff is easy to hack if somebody is
> out to trash *your* site.

If you are *targeted*, then all bets are off. At the end of the
day, your adversary could put a REAL HUMAN to the task of hammering
away at it.

> For example I run some sites and paid someone 1k or so to develop a
> graphical captcha. It displayed two numbers as graphic images and you
> had to enter their product e.g. 12 x 3 = 36.
>
> A friend who is an expert at unix spent just a few mins on a script
> which used standard unix utilities to do OCR on the page, and you can
> guess the rest.

But a *bot* wouldn't know that this was an effective attack.
It would move on to the next site in its "list" to scrape.

If you use a canned/standard(ized) captcha, then a bot can
reap rewards learning how to defeat it -- because those
efforts will apply to other sites, as well.

[Some university did a study of the effectiveness of
captchas on human vs. automated clients and found the
machines could solve them better/faster than humans]

If you want to make something publicly accessible, then
you have to assume it will be publicly accessed!

I operate a server in stealth mode; it won't show up on
network probes so robots/adversaries just skip over the
IP and move on to others. Folks who *should* be able to
access it know how to "get its attention".

Prior to this "enhancement", I delivered content via email
request -- ask for something, verify YOU were the entity that
issued the request, then I would email it to you.

This was replaced with "then I would email a unique LINK
to it to you".

On 3/14/2024 2:37 PM, bitrex wrote:
> Maybe consider hosting the web server yourself, using a virtual machine/Promox
> as the host and a Cloudflare tunnel for security:

The advantage is that you can institute whatever policies you want.
The DISadvantage is that YOU have to implement those policies!

And, nothing prevents your site from being targeted for a [D]DoS
attack, etc. Or, any other behavior that increases the cost to
you (in terms of your effort or servicing/hosting fees from
provider(s).

It's often easier (less hassle) to just avail yourself of some
free service to host the content and let THEM worry about
these issues. (unless you enjoy dicking with this sort of thing)

Don Y <blockedofcourse@foo.invalid> wrote:

> On 3/14/2024 9:26 AM, Peter wrote:
> >
> > Don Y <blockedofcourse@foo.invalid> wrote:
> >
> >> (Without having seen them...) Can you create a PNG of a group
> >> of them arranged in a matrix. Then, a map that allows clicking
> >> on any *part* of the composite image to provide a more detailed
> >> "popup" to inspect?
> >>
> >> I.e., each individual image is a trip back to the server to
> >> fetch that image. A single composite could reduce that to
> >> one fetch with other actions conditional on whether or not
> >> the user wants "more/finer detail"
> >
> > All of this "graphical captcha" stuff is easy to hack if somebody is
> > out to trash *your* site.
>
> If you are *targeted*, then all bets are off. At the end of the
> day, your adversary could put a REAL HUMAN to the task of hammering
> away at it.

You could always have a question which involved correcting the English
grammar of a sentence, but that might eliminate far more of your
visitors than you intended.

--
~ Liz Tuddenham ~
(Remove the ".invalid"s and add ".co.uk" to reply)
www.poppyrecords.co.uk

On 3/15/2024 3:41 AM, Liz Tuddenham wrote:
> Don Y <blockedofcourse@foo.invalid> wrote:
>
>> On 3/14/2024 9:26 AM, Peter wrote:
>>>
>>> Don Y <blockedofcourse@foo.invalid> wrote:
>>>
>>>> (Without having seen them...) Can you create a PNG of a group
>>>> of them arranged in a matrix. Then, a map that allows clicking
>>>> on any *part* of the composite image to provide a more detailed
>>>> "popup" to inspect?
>>>>
>>>> I.e., each individual image is a trip back to the server to
>>>> fetch that image. A single composite could reduce that to
>>>> one fetch with other actions conditional on whether or not
>>>> the user wants "more/finer detail"
>>>
>>> All of this "graphical captcha" stuff is easy to hack if somebody is
>>> out to trash *your* site.
>>
>> If you are *targeted*, then all bets are off. At the end of the
>> day, your adversary could put a REAL HUMAN to the task of hammering
>> away at it.
>
> You could always have a question which involved correcting the English
> grammar of a sentence, but that might eliminate far more of your
> visitors than you intended.

You have to define your goal with any such mechanism.

If you want to protect content, then encrypt the content;
any downloads just waste the client's bandwidth (but, yours,
as well).

If you want to protect access, then you need a mechanism
that exceeds the abilities of the "current connection"
(e.g., robot, blind scrape, human, etc.) to navigate.

Every mechanism has a cost -- a portion of which you, also, bear.

Remember, a client can always hammer away at the basic page
(ignoring the cached flag) even if he never gets past your
"mechanism(s)" intended to deter him.

[A telemarketer can keep dialing your phone number even
if you NEVER answer his calls!]

Publishing any sort of contact information (email, phone, www,
etc.) INVITES contact.

Don Y <blockedofcourse@foo.invalid> wrote:

>I operate a server in stealth mode; it won't show up on
>network probes so robots/adversaries just skip over the
>IP and move on to others. Folks who *should* be able to
>access it know how to "get its attention".

Port knocking ;)

liz@poppyrecords.invalid.invalid (Liz Tuddenham) wrote:

>You could always have a question which involved correcting the English
>grammar of a sentence, but that might eliminate far more of your
>visitors than you intended.

Yeah; like 95% ;)

Peter <occassionally-confused@nospam.co.uk> wrote:

> liz@poppyrecords.invalid.invalid (Liz Tuddenham) wrote:
>
> >You could always have a question which involved correcting the English
> >grammar of a sentence, but that might eliminate far more of your
> >visitors than you intended.
>
> Yeah; like 95% ;)

[Said in best posh English accent]
Did you meean: "Yes; for instance 95%" ? :-)

--
~ Liz Tuddenham ~
(Remove the ".invalid"s and add ".co.uk" to reply)
www.poppyrecords.co.uk

On 2024-03-15 12:33, Peter wrote:
>
> Don Y <blockedofcourse@foo.invalid> wrote:
>
>> I operate a server in stealth mode; it won't show up on
>> network probes so robots/adversaries just skip over the
>> IP and move on to others. Folks who *should* be able to
>> access it know how to "get its attention".

What is "stealth mode", what do you do?

>
> Port knocking ;)

I was thinking of using a high port. I do that.

--
Cheers, Carlos.

On 3/15/2024 3:41 AM, Liz Tuddenham wrote:
> Don Y <blockedofcourse@foo.invalid> wrote:
>
>> On 3/14/2024 9:26 AM, Peter wrote:
>>>
>>> Don Y <blockedofcourse@foo.invalid> wrote:
>>>
>>>> (Without having seen them...) Can you create a PNG of a group
>>>> of them arranged in a matrix. Then, a map that allows clicking
>>>> on any *part* of the composite image to provide a more detailed
>>>> "popup" to inspect?
>>>>
>>>> I.e., each individual image is a trip back to the server to
>>>> fetch that image. A single composite could reduce that to
>>>> one fetch with other actions conditional on whether or not
>>>> the user wants "more/finer detail"
>>>
>>> All of this "graphical captcha" stuff is easy to hack if somebody is
>>> out to trash *your* site.
>>
>> If you are *targeted*, then all bets are off. At the end of the
>> day, your adversary could put a REAL HUMAN to the task of hammering
>> away at it.
>
> You could always have a question which involved correcting the English
> grammar of a sentence, but that might eliminate far more of your
> visitors than you intended.

Require visitors to insert correct punctuation:

John had had had had had had had a better effect

On 3/15/2024 4:33 AM, Peter wrote:
>
> Don Y <blockedofcourse@foo.invalid> wrote:
>
>> I operate a server in stealth mode; it won't show up on
>> network probes so robots/adversaries just skip over the
>> IP and move on to others. Folks who *should* be able to
>> access it know how to "get its attention".
>
> Port knocking ;)

Effectively, yes. It's a bit tedious to use -- and the server-side
code is far from "standard" -- but it is great at stealth. I'm
not sure how it would work in situations with lots of *intended*
traffic, though...

[I've been making little boxes with a NIC on one end, stack
in the middle, and some form of communications I/O on the
other (serial port, USB, GPIB, CAN, DMX, etc.). The stealth
feature was one of the most requested capabilities (as it lets
an interface be deployed and routed -- without fear of some
hacker/script-kiddie stumbling onto it and dicking with the
attached device).]

On 3/15/2024 5:34 AM, Carlos E.R. wrote:
> On 2024-03-15 12:33, Peter wrote:
>>
>>   Don Y <blockedofcourse@foo.invalid> wrote:
>>
>>> I operate a server in stealth mode; it won't show up on
>>> network probes so robots/adversaries just skip over the
>>> IP and move on to others.  Folks who *should* be able to
>>> access it know how to "get its attention".
>
> What is "stealth mode", what do you do?

It's what you *don't* do that is important.

When you receive a packet, you extract all of the
information indicating sender, intended destination
port, payload, etc.

Then, DON'T acknowledge the packet. Pretend the network
cable is terminated in dead air.

The *determined* "caller" sends another packet, some time later
(with limits on how soon/late this can be).

Again, you extract the information in the packet -- and
ignore it.

Repeat this some number of times for a variety of
different ports, payloads -- all traced back to the
same sender.

Then, on the *important* packet that arrives, subsequently,
acknowledge it with the service that is desired.

If the sequence is botched at any time -- like a sender doing
a sequential port scan -- then you reset the DFA that is
tracking THAT sender's progress through the automaton.

Note that you can handle multiple clients attempting to
connect simultaneously -- "hiding" from each of them
until and unless they complete their required sequences.

Anyone with a packet sniffer can be thwarted by ensuring
that the sequence is related to source IP, time of day,
service desired, etc. (though security by obscurity)

Because you don't react to most (all?) packets, a systematic
probe of your IP will not turn up a "live machine" at your
end.

Once you actually acknowledge a packet, all of the
regular authentication/encryption/etc. mechanisms come
into play. You just don't want to reveal your presence
unless you are reasonably sure the client is someone
that you *want* to have access...

>> Port knocking ;)
>
> I was thinking of using a high port. I do that.

But a port scanner can stumble on that. Or, it can be leaked
by a malevolent user.

The "knock sequence" can be customized per sender IP address,
per client identity, per service, etc. So, it's less vulnerable
than something (anything!) static.

Don Y <blockedofcourse@foo.invalid> wrote:

> On 3/15/2024 3:41 AM, Liz Tuddenham wrote:
> > Don Y <blockedofcourse@foo.invalid> wrote:
> >
> >> On 3/14/2024 9:26 AM, Peter wrote:
> >>>
> >>> Don Y <blockedofcourse@foo.invalid> wrote:
> >>>
> >>>> (Without having seen them...) Can you create a PNG of a group
> >>>> of them arranged in a matrix. Then, a map that allows clicking
> >>>> on any *part* of the composite image to provide a more detailed
> >>>> "popup" to inspect?
> >>>>
> >>>> I.e., each individual image is a trip back to the server to
> >>>> fetch that image. A single composite could reduce that to
> >>>> one fetch with other actions conditional on whether or not
> >>>> the user wants "more/finer detail"
> >>>
> >>> All of this "graphical captcha" stuff is easy to hack if somebody is
> >>> out to trash *your* site.
> >>
> >> If you are *targeted*, then all bets are off. At the end of the
> >> day, your adversary could put a REAL HUMAN to the task of hammering
> >> away at it.
> >
> > You could always have a question which involved correcting the English
> > grammar of a sentence, but that might eliminate far more of your
> > visitors than you intended.
>
> Require visitors to insert correct punctuation:
>
> John had had had had had had had a better effect

"He helped his Uncle Jack off a horse."

--
~ Liz Tuddenham ~
(Remove the ".invalid"s and add ".co.uk" to reply)
www.poppyrecords.co.uk

On 3/15/2024 6:00 AM, Liz Tuddenham wrote:
> Don Y <blockedofcourse@foo.invalid> wrote:
>
>> On 3/15/2024 3:41 AM, Liz Tuddenham wrote:
>>> Don Y <blockedofcourse@foo.invalid> wrote:
>>>
>>>> On 3/14/2024 9:26 AM, Peter wrote:
>>>>>
>>>>> Don Y <blockedofcourse@foo.invalid> wrote:
>>>>>
>>>>>> (Without having seen them...) Can you create a PNG of a group
>>>>>> of them arranged in a matrix. Then, a map that allows clicking
>>>>>> on any *part* of the composite image to provide a more detailed
>>>>>> "popup" to inspect?
>>>>>>
>>>>>> I.e., each individual image is a trip back to the server to
>>>>>> fetch that image. A single composite could reduce that to
>>>>>> one fetch with other actions conditional on whether or not
>>>>>> the user wants "more/finer detail"
>>>>>
>>>>> All of this "graphical captcha" stuff is easy to hack if somebody is
>>>>> out to trash *your* site.
>>>>
>>>> If you are *targeted*, then all bets are off. At the end of the
>>>> day, your adversary could put a REAL HUMAN to the task of hammering
>>>> away at it.
>>>
>>> You could always have a question which involved correcting the English
>>> grammar of a sentence, but that might eliminate far more of your
>>> visitors than you intended.
>>
>> Require visitors to insert correct punctuation:
>>
>> John had had had had had had had a better effect
>
> "He helped his Uncle Jack off a horse."

ROTFL!

On 2024-03-15 14:00, Liz Tuddenham wrote:
> Don Y <blockedofcourse@foo.invalid> wrote:
>
>> On 3/15/2024 3:41 AM, Liz Tuddenham wrote:
>>> Don Y <blockedofcourse@foo.invalid> wrote:
>>>
>>>> On 3/14/2024 9:26 AM, Peter wrote:
>>>>>
>>>>> Don Y <blockedofcourse@foo.invalid> wrote:
>>>>>
>>>>>> (Without having seen them...) Can you create a PNG of a group
>>>>>> of them arranged in a matrix. Then, a map that allows clicking
>>>>>> on any *part* of the composite image to provide a more detailed
>>>>>> "popup" to inspect?
>>>>>>
>>>>>> I.e., each individual image is a trip back to the server to
>>>>>> fetch that image. A single composite could reduce that to
>>>>>> one fetch with other actions conditional on whether or not
>>>>>> the user wants "more/finer detail"
>>>>>
>>>>> All of this "graphical captcha" stuff is easy to hack if somebody is
>>>>> out to trash *your* site.
>>>>
>>>> If you are *targeted*, then all bets are off. At the end of the
>>>> day, your adversary could put a REAL HUMAN to the task of hammering
>>>> away at it.
>>>
>>> You could always have a question which involved correcting the English
>>> grammar of a sentence, but that might eliminate far more of your
>>> visitors than you intended.
>>
>> Require visitors to insert correct punctuation:
>>
>> John had had had had had had had a better effect
>
> "He helped his Uncle Jack off a horse."

Those things would kill most people for which English is a second language.

--
Cheers, Carlos.

liz@poppyrecords.invalid.invalid (Liz Tuddenham) wrote:

>> >You could always have a question which involved correcting the English
>> >grammar of a sentence, but that might eliminate far more of your
>> >visitors than you intended.
>>
>> Yeah; like 95% ;)
>
>[Said in best posh English accent]
>Did you meean: "Yes; for instance 95%" ? :-)

Indeed.

Anybody starting a sentence with "indeed" is posh!

"Carlos E.R." <robin_listas@es.invalid> wrote:

>> Port knocking ;)
>
>I was thinking of using a high port. I do that.

The sniffer will find any port # in a few more seconds...