
I never heard of CPP (client puzzle protocol) before. Interesting stuff. How can 'large botnets' go around this, by causing havoc on other ports?



Probably by having enough computers that they can overload the server even if the number of requests coming from each individual computer is relatively low, as a multiple of what a normal user would send – low enough that those computers have enough CPU time to solve the challenges.


From https://github.com/tevador/equix/blob/master/devlog.md

> The service would give the request a priority value based on the "difficulty" of the puzzle solution.

Seems like single clients could increase the difficulty to higher than what the bot net would do (so it gets priority), and hence get access. Operators of the bot net would probably hard code one value as the difficulty, and it would be lower than what you could typically set on consumer hardware.

Maybe user agents could even do this increase automatically?


> Operators of the bot net would probably hard code one value as the difficulty

Bad assumption.

Assumptions like these never last. People who say “I don’t have any money” are still valuable to hackers as phishing senders, legitimate social media accounts, residential + non-cloud + regionally convenient IP space, etc. If consuming connection / server resources becomes valuable then botnet controllers will find a way to pay the cost. It’s easy because someone else is paying for the hardware, bandwidth, and power costs.

But the effect of a market of PoW is the same — there is game theory involved in bidding (just like a silent auction). Even if a botnet uses a dynamic priority bid system, the cost increases as the botnet tries to starve the server of resources. The server’s resources are always zero-sum and the bidding will get progressively more expensive until the opportunity cost of the botnet changes behavior.


Would it really be lower on the bot net in the majority of cases? I'd imagine that real users probably wouldn't want to have their entire cpu spent on this.


Real users have more CPU than a literal toaster (or smart air fryer, or IP camera, or many other common botnet devices)


Not only that, real users actually want to use the service, not overload it. A real user might only make one request a second. A botnet device is trying to make a thousand requests per second to overload the server. Even if they each have the same CPU as a normal user, now each node in the botnet can only make as many requests per second as a user or the user can outbid them.
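The mechanism the last few comments argue about (priority assigned from the difficulty a client chose to solve, and the observation that a bot spreading its CPU over a thousand requests per second cannot afford the per-request difficulty that a one-request-per-second user can) can be made concrete with a small simulation. The code below is an added example, not code from this thread or from the equix project; it uses a plain SHA-256 leading-zero-bits puzzle as a stand-in for a real client-puzzle scheme, and the names (`PriorityServer`, `max_affordable_difficulty`, `simulate`) and the hash-rate and request-rate numbers are constructed for illustration.

```python
import hashlib
import heapq
import math
import secrets


def issue_challenge() -> bytes:
    """Server side: a fresh random nonce so puzzle solutions cannot be precomputed."""
    return secrets.token_bytes(16)


def leading_zero_bits(digest: bytes) -> int:
    """Number of leading zero bits in a digest (all-zero digest counts as 8 * len)."""
    return len(digest) * 8 - int.from_bytes(digest, "big").bit_length()


def solve(challenge: bytes, difficulty: int) -> int:
    """Client side: brute-force a counter until SHA-256(challenge || counter)
    has at least `difficulty` leading zero bits. Expected cost ~ 2**difficulty hashes."""
    counter = 0
    while True:
        digest = hashlib.sha256(challenge + counter.to_bytes(8, "big")).digest()
        if leading_zero_bits(digest) >= difficulty:
            return counter
        counter += 1


def verify(challenge: bytes, solution: int, claimed_difficulty: int) -> bool:
    """Server side: one hash to check a claimed difficulty, regardless of how hard it was to find."""
    digest = hashlib.sha256(challenge + solution.to_bytes(8, "big")).digest()
    return leading_zero_bits(digest) >= claimed_difficulty


def max_affordable_difficulty(hashes_per_second: float, requests_per_second: float) -> int:
    """Largest d such that requests_per_second * 2**d <= hashes_per_second.
    A client spending its CPU over many requests per second can only afford a small d."""
    budget = hashes_per_second / requests_per_second
    if budget < 1:
        return 0
    return int(math.floor(math.log2(budget)))


class PriorityServer:
    """Accepts requests only with a valid, unused challenge; serves highest difficulty first,
    FIFO among equal difficulty."""

    def __init__(self) -> None:
        self._heap: list = []
        self._seq = 0
        self._outstanding: set = set()

    def challenge(self) -> bytes:
        c = issue_challenge()
        self._outstanding.add(c)
        return c

    def submit(self, challenge: bytes, solution: int, difficulty: int, payload: str) -> bool:
        # Reject unknown or replayed challenges before spending any queue capacity.
        if challenge not in self._outstanding:
            return False
        if not verify(challenge, solution, difficulty):
            return False
        self._outstanding.discard(challenge)  # each challenge is single-use
        heapq.heappush(self._heap, (-difficulty, self._seq, payload))
        self._seq += 1
        return True

    def drain(self) -> list:
        """Serve everything queued, in priority order; returns the payload labels in that order."""
        order = []
        while self._heap:
            order.append(heapq.heappop(self._heap)[2])
        return order


def simulate(hashes_per_second: float = 4096, bot_requests_per_second: float = 64,
             n_bots: int = 3) -> list:
    """Constructed scenario: bots and the user have the SAME CPU budget, but the bots spread it
    over many requests per second while the user makes one. Rates are scaled down so the
    example runs in well under a second; only the ratio matters."""
    server = PriorityServer()
    bot_difficulty = max_affordable_difficulty(hashes_per_second, bot_requests_per_second)
    user_difficulty = max_affordable_difficulty(hashes_per_second, 1)

    # Bots submit first, so any ordering that puts the user ahead is due to priority, not FIFO.
    for i in range(n_bots):
        c = server.challenge()
        assert server.submit(c, solve(c, bot_difficulty), bot_difficulty, f"bot{i}")

    c = server.challenge()
    assert server.submit(c, solve(c, user_difficulty), user_difficulty, "user")

    # A replay of the user's challenge with the same solution must be refused.
    assert not server.submit(c, solve(c, user_difficulty), user_difficulty, "replay")

    return server.drain()


if __name__ == "__main__":
    print(simulate())  # user is served first, then the bots in arrival order
```

With the constructed defaults, a bot can afford difficulty 6 per request (4096 / 64 = 64 = 2^6) while the user can afford 12, so the user's request is dequeued ahead of all bot requests even though it arrived last. Verification stays one hash per request, which is what keeps the server's side cheap while the client's side scales with the difficulty it bids.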


^ this guy gets it


From the spec:

> The large botnet is a serious operation with many thousands of computers organized to do this attack. Assuming 100k medium-range computers, we are talking about an attacker with total access to 200 THz of CPU and 200 TB of RAM. The upfront cost for this attacker is about $36k.

They appear to define it by compute capacity, so I'd expect the attacker can solve harder puzzles than legitimate users would attempt.



