
Experienced the same during my Asia travels with Cloudflare 2016/2017. Actually that was the biggest reason/negative ad not to consider Cloudflare when choosing a CDN. They simply don't respect Asia and other non-first-class countries with their standard settings. It's like good Internet only for the rich people in the world!

I'm aware of the Chrome extension (really, why should I install this sh&+t in the first place?) and that you can change Cloudflare settings. But the usual IT admin won't change these settings and f&+ck up Asia.



Asia is the #1 attacker of all websites I work with.

Since 100% of the traffic (based on our analysis) coming from Asia is not legitimate business traffic, how would you advise those responsible for these sites' security to handle this?

Edit: I have no interest in using Cloudflare...


Similar for me. From the 732745 login attempts last month, 52% were from China, followed by US with 13%. Here is a graph: https://i.imgur.com/YPAuTXO.png

The sheer volume of bot traffic surprised me at first, especially since my website has zero human visitors as far as I can tell, but the numbers are consistent month after month.

Nevertheless, my $1/month VPS can handle the traffic without a problem, so I see no need to ban or rate limit any IPs, especially since I hate captchas with a passion.


> my $1/month VPS can handle the traffic without a problem, so I see no need to ban or rate limit any IPs, especially since I hate captchas with a passion.

I run a company that routinely scrapes government-run, public domain websites. Sadly, many of these sites come with captchas. We can easily bypass these captchas by paying roughly $1.50/1000 captchas, but when scraping millions of pages a month, these costs become significant.

As far as I can tell, adding a captcha to a site does nothing to prevent bots, it just alters the economics of any business that relies on the data. I understand that bots can potentially slow down servers and cause disruptions for human users, but for the handful of government agencies that actually talk to us, we happily restrict scraping to certain hours of the day or limit overall traffic to a reasonable level. I would go further and happily give the money we're spending on solving captchas back to the government so they can upgrade their servers and make the system better for everyone.

For those that are conducting nefarious activities, captchas likely do nothing. For individuals, they are annoying. For legitimate scraping companies, they are a needless expense. Captchas are pretty obsolete.


> adding a captcha to a site does nothing to prevent bots, it just alters the economics of any business that relies on the data

Definitely agreed. Recently I have been working on a side-project that makes use of bypassing/placating reCaptcha and it has been trivial and not so costly.

If it is accounts you're creating, it simply puts a "reasonable" price on account creation. If it is about scraped content, once again, does the same. However these costs already existed in terms of compute resources and time anyway. Captchas hardly made it any harder.


Where do you get a $1/month VPS?


A few years ago, I found a promotional offer on lowendbox.com for chicagovps.net, but currently there are none that cheap.

However, keep in mind that low price often comes at a cost. For example, cloudatcost had a cheap VPS with a one-time payment for life (yeah, I know, too good to be true), but then retroactively invented a maintenance fee. Also several days of downtime were not uncommon.


Cool chart but... why are the countries not labelled?


Oops, I changed the y-scale from absolute values to percentage, but forgot to also update the y-position of the country labels, so they are way off-screen (pyplot does not support bar labels, so they have to be drawn by hand). Should be fixed now: https://i.imgur.com/YPAuTXO.png


Consider it a community-run pentest, and look for them to actually get past the gatekeepers. Set an alert for a successful login from an “Asian” IP and push them towards a honeypot. They’re doing work for you for free; take advantage of it.
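
The alert suggested in the comment above, sketched as an added example that is not part of the thread or any commenter's code: it tallies login attempts per country and flags successful logins from a watched region, with the count of earlier failures from the same address. The log format, the network-to-country table and the function names are assumptions constructed for illustration.

```python
import ipaddress
import re
from collections import Counter

# Constructed table (documentation ranges, made-up country codes); use GeoIP in practice.
GEO = {ipaddress.ip_network(n): cc for n, cc in
       [("203.0.113.0/24", "CN"), ("198.51.100.0/24", "US"), ("192.0.2.0/24", "DE")]}

# Constructed log format: "<time> login result=<ok|fail> user=<name> ip=<addr>"
LINE_RE = re.compile(r"login result=(ok|fail) user=(\S+) ip=(\S+)")
SAMPLE_LOG = """\
2024-05-01T00:00:01Z login result=fail user=root ip=203.0.113.7
2024-05-01T00:00:02Z login result=fail user=admin ip=203.0.113.7
2024-05-01T00:00:03Z login result=fail user=admin ip=198.51.100.20
2024-05-01T00:00:04Z login result=ok user=alice ip=192.0.2.10
2024-05-01T00:00:05Z login result=ok user=admin ip=203.0.113.7
garbage line that does not parse
""".splitlines()


def country_of(ip):
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return "??"  # malformed address field
    return next((cc for net, cc in GEO.items() if addr in net), "??")


def analyse(lines, watched):
    """Return (percent of attempts per country, alerts for watched successes)."""
    attempts, failures, alerts = Counter(), Counter(), []
    for line in lines:
        m = LINE_RE.search(line)
        if not m:
            continue  # not a login event
        result, user, ip = m.groups()
        cc = country_of(ip)
        attempts[cc] += 1
        if result == "fail":
            failures[ip] += 1
        elif cc in watched:  # successful login from a watched region
            alerts.append({"ip": ip, "user": user, "country": cc,
                           "prior_failures": failures[ip]})
    total = sum(attempts.values())
    return {cc: round(100 * n / total, 1) for cc, n in attempts.items()}, alerts


if __name__ == "__main__":
    print(analyse(SAMPLE_LOG, watched={"CN"}))
```

An alert with a non-zero `prior_failures` is the case worth acting on first, since it marks a guessed or reused credential rather than an ordinary visitor.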


Attacker means what? Serving too much traffic to bots (because that is what these captchas circumvent). How about that you can measure traffic and reaction times depending on region and also detect peaks? Ever seen a Google captcha on Google search (yes they have them too), it's much much smarter and not saying stupidly to "wrong" countries: here is a captcha.


Presumably you have a method to deter attacks that's better than IP-blocking an entire continent, otherwise you'd be utterly hopeless the moment somebody decides to attack from a North American IP.


North American IPs have North American law enforcement.



