Monero for DDoS protection - eviltoast

Trocador used to be a pleasure to use. No Javascript, it worked over tor, and it had an onion service. Then they got DDoSed. Turns out this is what causes the enshittification of the internet, that sites without javascript are trivial to DDoS. Now, the statement about no JS is gone, the onion service is gone, and if you try to connect over tor, if you can connect at all, you get DDoS Guard demanding you enable javascript so it can try to fingerprint your browser and force you to perform captchas. What if there was a better way?

You use a proof-of-work cryptocurrency that is not only microtransaction capable, but also “micro-mineable”, i.e. the difficulty is low enough that you can solo mine multiple blocks per day even on modest hardware. For proof of concept you could use stagenet monero, but in the long term you would use a dedicated fourth Monero blockchain where transactions older than a certain age are pruned, because the idea is that PoWnet coins are something you mine and use rather than using them as a long-term store of value.

You go to website.app/NoBS/, and the site communicates in headers the current cost in PoW tokens of an access token good for X minutes of access and an appropriate amount of server resources for a non-bot user during that time. You have a web browser plugin that reads it, and if you’ve whitelisted the combination of site + cost it can autopay from a PoWnet wallet so you just go straight through.

No more javascript or reliance on third parties that might be compromised.

To keep people from rolling forward their PoWnet balance forever by making a transaction just before the outputs expire, PoWnet outputs could have a telomere which is reduced by one every time they’re transacted, so they also expire after a set number of sends. It would be a small value, not more than 5 at start, and merging outputs would use the least of the input t-values.

Or you could just pay for website access in minute amounts of mainnet Monero. But I expect people don’t want to pay in real money, and I want there to be a way for people who don’t have any mainnet Monero to still use the system.
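The two expiry rules sketched above (age-based pruning, and a telomere that drops by one per send with merges taking the smallest input value) as a toy unspent-output ledger. This is an added illustration, not code from the post or from Monero; the starting telomere of 5 is the post's figure, while MAX_AGE, the output id scheme and one-transaction-per-block are constructed assumptions.

```python
import hashlib
from dataclasses import dataclass

T_START = 5    # telomere on a freshly mined output: "not more than 5 at start"
MAX_AGE = 720  # blocks before an output is pruned; constructed value

@dataclass
class Output:
    oid: str
    amount: int
    t: int        # telomere: sends remaining before the output is dead
    created: int  # block height at which the output appeared

class Ledger:
    """Unspent-output set that applies the post's two expiry rules."""
    def __init__(self):
        self.height = 0
        self.utxo = {}

    def _add(self, amount, t, seed):
        oid = hashlib.sha256(seed.encode()).hexdigest()[:16]
        self.utxo[oid] = Output(oid, amount, t, self.height)
        return self.utxo[oid]

    def mine(self, amount):
        # A solo-mined block: its coinbase output carries the full telomere.
        self.height += 1
        return self._add(amount, T_START, f"cb:{self.height}")

    def spendable(self, out):
        return out.t > 0 and self.height - out.created < MAX_AGE

    def send(self, inputs, amounts):
        # New outputs get min(input t) - 1, so a balance cannot be rolled forward forever.
        if any(i.oid not in self.utxo or not self.spendable(i) for i in inputs):
            raise ValueError("input spent, expired or out of sends")
        if sum(i.amount for i in inputs) != sum(amounts):
            raise ValueError("inputs and outputs do not balance")
        self.height += 1  # one transaction per block keeps the toy model simple
        for i in inputs:
            del self.utxo[i.oid]
        new_t = min(i.t for i in inputs) - 1
        return [self._add(a, new_t, f"tx:{self.height}:{k}") for k, a in enumerate(amounts)]

    def prune(self):
        # Age-based pruning of the post's fourth chain: old outputs simply disappear.
        self.utxo = {k: o for k, o in self.utxo.items() if self.height - o.created < MAX_AGE}
        return len(self.utxo)
```

A coin mined with t=5 survives exactly five sends; merging a t=4 output with a fresh t=5 one yields t=3.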

  • Krugtron9000@monero.town · 6 points · 5 months ago

    This is precisely what Hashcash is. Hashcash is widely acknowledged as the primary ancestor of Bitcoin.

    Also, Tor now has a system like this built-in. It uses PoW. It’s quite new (less than a year old) and you have to explicitly enable it, but I’m sure the trocador admins know about this.

    But seriously, regarding enshittification, I don’t think javascript makes websites any harder to ddos. Rather, you get ddossed until you cry uncle and comply with the demands that you help MITM and fingerprint your customers. Javascript happens to be useful for fingerprinting. It has very little to do with ddos mitigation.
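What the reply means by Hashcash, applied to the post's header-advertised access cost: the server states a difficulty, the client spends CPU to mint a stamp bound to the resource, and the server checks difficulty, binding, freshness and single use before issuing a token good for a fixed number of minutes. This is an added example, not code from the thread, Hashcash or Tor; the header names, stamp format, difficulty and token lifetime are assumptions.

```python
import hashlib, hmac, os, time

BITS = 20            # difficulty the server advertises; constructed value
TOKEN_MINUTES = 10   # the "X minutes" of access one stamp buys
STAMP_WINDOW = 120   # seconds a stamp may predate the request
SECRET = os.urandom(32)        # server key for signing access tokens
seen_stamps: set[str] = set()  # single-use record; a shared store in a real deployment

def advertise_cost(resource):
    # Headers (names assumed) returned to a first, unauthenticated request.
    return {"X-PoW-Bits": str(BITS), "X-PoW-Resource": resource, "X-PoW-Minutes": str(TOKEN_MINUTES)}

def leading_zero_bits(data):
    return 256 - int.from_bytes(hashlib.sha256(data).digest(), "big").bit_length()

def mint_stamp(resource, bits, now=None):
    # Client: search a counter until the stamp hash has `bits` leading zero bits.
    ts, counter = int(now or time.time()), 0
    while True:
        stamp = f"1:{bits}:{ts}:{resource}:{counter}"
        if leading_zero_bits(stamp.encode()) >= bits:
            return stamp
        counter += 1

def verify_stamp(stamp, resource, bits=BITS, now=None):
    # Server: difficulty, resource binding, freshness and single use must all hold.
    now = now or time.time()
    try:
        ver, b, ts, res, _ = stamp.split(":", 4)
        b, ts = int(b), int(ts)
    except ValueError:
        return False
    if ver != "1" or b < bits or res != resource or stamp in seen_stamps:
        return False
    if not now - STAMP_WINDOW <= ts <= now + 60:
        return False
    if leading_zero_bits(stamp.encode()) < bits:
        return False
    seen_stamps.add(stamp)
    return True

def issue_token(resource, now=None):
    # Token good for TOKEN_MINUTES; the client replays it instead of mining again.
    msg = f"{resource}:{int(now or time.time()) + TOKEN_MINUTES * 60}"
    return f"{msg}:{hmac.new(SECRET, msg.encode(), 'sha256').hexdigest()}"

def check_token(token, resource, now=None):
    msg, _, mac = token.rpartition(":")
    res, _, exp = msg.rpartition(":")
    good = hmac.compare_digest(mac, hmac.new(SECRET, msg.encode(), "sha256").hexdigest())
    return good and res == resource and int(exp) > (now or time.time())
```

A replayed, stale, mis-bound or under-difficulty stamp is rejected, which is what keeps the gate from being bypassed by one cheap stamp reused many times.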

    • Anonymous@monero.town (OP) · 3 points · 5 months ago

      But they did the opposite. The onion is gone. Presumably they have some reason for that?

      Also onion sites in general are very slow because of the six hops. I’d like an open source solution that can be used by anyone, including clearnet sites, so that use of captchas and browser probing can be reduced across the entire web.

      And Trocador couldn’t go onion only because an increasing number of their partner exchanges were no longer willing to be available over .onion or i2p.

      • shortwavesurfer@monero.town · 1 point · 5 months ago

        I mean, the tor proof of work mechanism is open source, so theoretically it could be adopted on the clear net with some modification.

        • Anonymous@monero.town (OP) · 2 points · 5 months ago

          That might work, I will certainly look at it, but I like the idea of premining PoW tokens because it won’t bog your browser down at the time you need to go through, and the cost can also be made higher. It could be used as a general cost for things that need spam protection, such as creating accounts, making posts, submitting contact forms.

      • Krugtron9000@monero.town · 1 point · 5 months ago

        It’s only three hops if, like Trocador, you don’t need to hide the location of the server. They can (and should) enable HiddenServiceSingleHopMode. This hides the location of the client but not the location of the server. Six hops is only for darknet sites that need to hide the server location.

  • Scolding0513@sh.itjust.works · 3 points · 5 months ago

    this is targeted by the global powers, to get everyone on the top major cdns like Akamai, cloudflare, etc, in order to scarf and decrypt all traffic. enshittification is correct af.

    why tf do they not have an onion anymore?? have they said anything? it would be perfect to have the onion.

    edit. i just checked and the onion is gone but i can connect to the clearnet from tor with no js.

  • delirious_owl@discuss.online · 4 up, 1 down · 5 months ago

    I never understood why monero hard forked to using a hashing algorithm that was intentionally difficult to implement in WASM.

    Like, we could be implementing anti-DDOS fronts as an alternative to CloudFlare that use PoW to mine monero and also raise funds for the site at the same time.

    News sites could use this as an alternative to an authwall ffs (just wait 10 seconds before you read the article).

    It’s one of my least favorite things about Monero, and something more people should be talking about.

    • jet@hackertalks.com · 2 points · 5 months ago

      Having most people’s first and only exposure to your ecosystem be malware level browser miners that really diminish their browsing experience is really really bad pr.

      • delirious_owl@discuss.online · 4 up, 1 down · 5 months ago

        It’s not malware. It’s a great alternative to ads and authwalls.

        Even Steve Gibson was super behind replacing ads with miners. Ads are cancer. Imagine all of that going away.

        • jet@hackertalks.com · 2 points · 5 months ago

          If people are aware they’re running a miner to support the site that’s great.

          Most web miners are clandestine, and not observable, so most people’s interaction with them is a slow computer, or a virus alert, or even crashing the browser. So I guess the most common one is hey my laptop battery only lasted 20% of its usual length I was just watching movies on this website…

          Fundamentally, a miner to pay for access, is the same as getting a micro payment to view. I realize getting micro payments to work has been a long-standing problem.

          • delirious_owl@discuss.online · 4 points · 5 months ago

            What I’m saying is implementing it in the front, so instead of spending 2 minutes solving captchas, you spend 10 seconds solving a PoW, then load the site without any background mining.

            We shouldn’t ban knives just because some people use them to stab people.

    • Krugtron9000@monero.town · 1 point · 5 months ago

      WASM is the millennials getting their turn to learn that “those who do not learn from history are doomed to repeat it”.

      Letting the bloated web offload more of its bloat to clients will simply result in an even worse web obesity crisis than already exists. The computational burden needs to stay with the side (the content producer) that has the ability to reduce the level of bloat. Anything else is a broken incentive structure.

      • delirious_owl@discuss.online · 2 points · 5 months ago

        What I’m saying is implementing it in the front, so instead of spending 2 minutes solving captchas, you spend 10 seconds solving a PoW, then load the site without any background mining.

        We shouldn’t ban knives just because some people use them to stab people.