Captcha Improvement: Security from DDoS Attack


CAPTCHA stands for “Completely Automated Public Turing test to tell Computers and Humans Apart”. Manuel Blum, Luis von Ahn, Nicholas J. Hopper, and John Langford originated the term CAPTCHA in 2003 [1]. The first version of CAPTCHA was image-based. It was designed in 1997 to distinguish humans from Robots. Solving the CAPTCHA is similar to the reverse Turing test. CAPTCHA was introduced to add a layer of security to protect the servers/devices from unauthorized sources/users like robots. It is also considered a DDoS attack prevention mechanism. CAPTCHA can also be useful for solving NP-hard problems to take correct decisions when dealing with ambiguous problems.

Figure 1. CAPTCH System

Figure 1 represents the overall CAPTCHA system, assuming all the resources available on the internet as a server. All the request bodies are either Robots or Humans. Human/Robot tries to get resources from server and CAPTCHA plays a security layer to prevent the Robot from unauthorized access. If the client is able to solve the captcha it is considered as Human and allowed to access the resources if not client is not allowed to access the resource.


CAPTCHA system can be categorized into 5 categories depending on the problems created to solve by the human[3].

  • CAPTCHAs based on puzzle
  • CAPTCHAs based on text.
  • CAPTCHAs based on audio.
  • CAPTCHAs based on video.
  • CAPTCHAs based on image.
  • CAPTCHAs based on OCR [4].

Application of CAPTCHA

  • Protecting unauthorized registration/request for resources.
  • Helping computer to solve computationally hard/ambiguous problems.
  • Preventing the attacks based on Hit and Trial method.
  • Preventing web scraping and unauthorized automation.
  • Protecting personal information like email/contact number from scrapers to protect unwanted emails/messages.

Drawbacks of Current CAPTCHA System

There are several drawbacks due to which bots are able to solve the CAPTCHA using machine learning approaches. Due to the huge development of machine learning[5], it is easy to solve approximately all the CAPTCHA by training the bots. There is no technique introduced in the CAPTCHA to prevent the bots if bots are able to solve the captcha. CAPTCHA should be easy to solve for humans but tough to solve for bots, due to which the scope of CAPTCHA design has been limited. So there is a huge need for improvement as CAPTCHA is the easiest method to prevent unauthorized access of resources.

Improvement in CAPTCHA

The Captcha system tries to prevent the DDoS attack but it fails when the robot is able to solve the captcha using the machine learning approach. It is very difficult to create a captcha system that is not solvable using a machine learning algorithm or by robots. So better idea is to force the user/robot to wait for a definite time(equal to the time required to solve the captcha). This idea will make the system double secure from DDoS attacks. A multistep authentication scheme is recommended to be used for better security[8].

Algorithm for CAPTCHA improvement

var date = new Date();  

var starting_time = date.getSeconds();

const time_bount= 2 sec


date = new Date();

var end_time = date.getSeconds();

if  (end_time – starting_time)> 0:

setInterval( function() {


  },(time_bound -(end_time – starting_time)*1000);


The above algorithm tries to add a time-bound with captcha so that a user must take a specific time to solve the CAPTCHA. If any user can solve the captcha very quickly it must wait for a specific time to enter the server, even a bot can be identified here to add keep track of it. The complete explanation of the algorithm is given below.

  1. date = new Date() and var starting_time = date.getSeconds() captures the current time in second.
  2. const time_bount= 2 sec; initialize the time-bound, it can vary according to the complexity of the CAPTCHA.
  3. ShowCaptcha(); It shows the CAPTCHA in the screen to be solved.
  4. date = new Date() and var end_time = date.getSeconds() captures the time in second after getting the CAPTCHA solved.
  5. If time-taken to solve the CAPTCHA is less than the time-bound defined then the user should wait for the rest of the time to enter in the server. “setInterval” is responsible to wait for the time defined and then allow the user to access the resources.
Figure 2 Improved Captcha System

Figure 2 represents the improved captcha system. This figure shows that humans or Robots must solve the CAPTCHA in a definite time interval not earlier than that. If the user is able to solve the CAPTCHA it must wait for time-bound.

Future Scope

The DDoS attacks can also be prevented by designing the CAPTCHA which takes exponential time to solve by the bots but can be easily solved by humans. Creating a reverse Turing problem is best for CAPTCHA. The DDoS attack is very much powerful for IoT devices because IoT devices are very much vulnerable. Adding a better security protocol for data transmission will be good to secure data transmission. The next target of the research would be focused on securing IoT devices from DDoS attacks.


[1]. R. K. Devi, M. Muthukannan, S. S. H. Babu, A. Sivadasan and S. Abinivesh, “Novel Authentication Mechanisms for Hash Code, CAPTCHA and OTP in Cyber Security Domain,” 2021 6th International Conference on Inventive Computation Technologies (ICICT), 2021, pp. 62-68, doi: 10.1109/ICICT50816.2021.9358573.

[2]. visited 20 july2020.

[3]. Magdy, Menna and Tawfeek, Medhat A. and Mousa, Hamdy M., A Comprehensive Study for Different Types of CAPTCHA Methods and Various Attacks (2021). JETIR June 2021, Volume 8, Issue 6

[4]. C. E. Dunn and , P. S. P. Wang, “Character segmentation techniques for handwritten text-a survey,” In Pattern Recognition, 1992. Vol. II. Conference B: Pattern Recognition Methodology and Systems, Proceedings., 11th IAPR International Conference , pp. 577-580.

[5]. Y. Zhang, H. Gao, G. Pei, S. Luo, G. Chang and N. Cheng, “A Survey of Research on CAPTCHA Designing and Breaking Techniques,” 2019 18th IEEE International Conference On Trust, Security And Privacy In Computing And Communications/13th IEEE International Conference On Big Data Science And Engineering (TrustCom/BigDataSE), 2019, pp. 75-84, doi: 10.1109/TrustCom/BigDataSE.2019.00020.

[6]. Ning Zhang, Mohammadreza Ebrahimi, Weifeng Li, Hsinchun Chen, “A Generative Adversarial Learning Framework for Breaking Text-Based CAPTCHA in the Dark Web“, Intelligence and Security Informatics (ISI) 2020 IEEE International Conference on, pp. 1-6, 2020.

[7]. Mohit Jadhav, Nupur Kulkarni, Omkar Walhekar, “Doodling Based CAPTCHA Authentication System“, Innovation in Technology (ASIANCON) 2021 Asian Conference on, pp. 1-5, 2021.

[8]. Almazrooie, M., Samsudin, A., Gutub, A., Salleh, M.S., Omar, M.A., Hassan, A.A. (2020). Integrity verification for  digital Holy Quran verses using cryptographic hash function and compression. Journal of King Saud University Computer and Information Sciences 32(1):24-34.

Cite this article

Dhananjay Singh (2021) Captcha Improvement: Security from DDoS Attack, Insights2Techinfo, pp.1

Related Articles:

14910cookie-checkCaptcha Improvement: Security from DDoS Attack
Share this:

2 thoughts on “Captcha Improvement: Security from DDoS Attack

Leave a Reply

Your email address will not be published.