Add Hashcash?

[sandeepshetty]

• Possible solution to make it expensive to do pingback DDOS:

Pingback DDOS references:

• http://blogs.csoonline.com/network-security/3061/wordpress-pingback-abuse-blamed-massive-ddos-attack
• http://www.incapsula.com/blog/wordpress-security-alert-pingback-ddos.html
• https://core.trac.wordpress.org/ticket/4137
• https://isc.sans.edu/forums/diary/Wordpress+Pingback+DDoS+Attacks/17801
• http://www.acunetix.com/blog/web-security-zone/wordpress-pingback-vulnerability/
• http://it.slashdot.org/story/14/03/11/2324207/large-ddos-attack-brings-wordpress-pingback-abuse-back-into-spotlight/informative-comments#comments
• http://blogs.csoonline.com/application-security/3066/cto-wordpress-based-business-downplays-pingback-ddos-risks

Hashcash references:

• http://en.wikipedia.org/wiki/Proof-of-work_system
• https://en.wikipedia.org/wiki/Hashcash
• http://hashcash.org/faq/
• http://security.stackexchange.com/questions/14262/hashcash-is-this-really-used
• https://pthree.org/2011/03/03/the-sad-state-of-hashcash/
• https://en.bitcoin.it/wiki/Hashcash
• https://bugzilla.mozilla.org/show_bug.cgi?id=229686#c54
• https://github.com/007/hashcash-js

[sandeepshetty]

Looks like @oshepherd though of this as well: http://owenshepherd.net/content/posts

[sandeepshetty]

Some example code I wrote to mint a hashcash. $counter could be sent as an additional Webmention POST var hashcash_counter.

$source="http://bob.host/post-by-bob";
$target="http://alice.host/post-by-alice";
$zeros = 5;
$counter = 0;
do { $counter++; } while (substr(hash('sha1', "$source|$target|$counter"), 0, $zeros) !== str_repeat('0', $zeros));
echo "$source|$target|$counter: ".substr(hash('sha1', "$source|$target|$counter"), 0, $zeros)."\n";

$ echo -n "http://bob.host/post-by-bob|http://alice.host/post-by-alice|618275" | sha1sum | awk '{print $1}'
00000b8d455a229e04caf57175415e6e3846fd2e  -