While I get the draw, I never understood how PoW is ever supposed to work practically.
PoW tasks are meant to work on a wide range of mobile phones, desktops, single-board computers, etc... you have vastly different compute budgets in every environment. For a PoW task that is usable on a five year old mobile phone, an adversary with a consumer RTX 50 series card (or potentially even an ASIC) can easily perform it many, many, many orders of magnitude faster.
I understand that, but what I'm saying is that due to the wide gulf between the compute budget of the slowest device one is meant to support and a couple of commodity VPSs adversaries need anyway to conduct a DDoS or to spam, there is ostensibly no extra cost.
In fact, all you are doing is slowing down legitimate clients with old equipment and doing nothing against adversaries.
I've seen a PoW CAPTCHA https://github.com/mCaptcha/mCaptcha and at the time it did not make any sense to me. I would still get spam, just a tiny bit slower, and spammers would have to expend more resources for just my site, which would barely register on their bill.
I bet that requiring JS stops more spam than the PoW itself. Can anyone who tried it chime in?
Oh, I see, it's effective against 'someone [who] wants to hammer your site'. That is usually never the case with my sites. I do get a steady stream of spam, but it is quite gentle as to not trigger any WAFs. The load comes from LLMs scraping this everliving shit of my sites and fortunately they don't seem to bother with filling in forms...
You are not missing something, you are finding it: the game theory of bots vs anti-bots is subtle and somewhat different from regular software engineering and cyber security.
For the most part bots wish to be hidden and sites wish to reveal them, and this plays out over repeat games on small and large scales. It can be near-constant or intermittent.
The bot usually gets to make the first move against a backdrop that the anti-bot may or may not have a hand in.
Perhaps you think all PoW algorithms are still crackable by ASICs? A few years ago that was the case, but some years ago Monero developers made a breakthrough with RandomX. Now it is no longer true that a GPU or ASIC can outperform a typical consumer device to the extent that you seem to imagine. The Tor project uses a similar algorithm, I think with the same developer contributing to it as RandomX. It is nothing like Bitcoin's SHA256 PoW; with that, the performance of an ASIC does indeed mean a consumer PC becomes completely useless at the algorithm.
Will RandomX work on the old cell phones, via a JavaScript interface only?
The website says: "Fast mode - requires 2080 MiB of shared memory. Light mode - requires only 256 MiB of shared memory, but runs significantly slower"
If you want your website challenge to work on the cheap phone (slow CPU, with little memory) and when implemented in JavaScript, you'd have to tune complexity way down. And when a modern PC with a fast CPU and tons of memory tries to solve it, it probably will take only a few milliseconds, basically being useless.
I don't know, I don't understand the details and your reasoning is confusing for me. My understanding is that the effectiveness of particular hardware is complex to predict; it depends on the sizes of the CPU caches and effectiveness at certain instructions, and the algorithm can of course be tuned in all sorts of ways. The Tor project is already using it so presumably it is working for them to some extent. More info here: https://blog.torproject.org/introducing-proof-of-work-defens...
Am I missing something?