Configuring Difficulty Factor
mCaptcha is highly responsive to detecting DDoS attacks. Admins are advised to take advantage of it by setting low difficulty factors for normal traffic levels for their website.
Lowest advisable difficulty factor is 5000.
For instance, if it is normal for my website to get 2000 requests for every 30 seconds, I will set a cool down period of 30 seconds and the first level of difficulty configuration will have a visitor threshold of 2000 with a difficulty factor of 5000.
There are two modes to setting difficulty factor for your website on mCaptcha:
Easy mode asks a few basic statistics about your website and generates a configuration that should work for your website. Currently, easy mode is guided by assumptions on suitable difficulty factors to protect a website but it will be fine-tuned as mCaptcha sees more deployment.
Configuration generated by easy mode can be tweaked later using the advance mode, as you become more familiar with how mCaptcha works.
Advance mode gives the admin granular control over how mCaptcha behaves on their website. It has options to set the difficulty factor for each level of traffic(or visitor threshold, in mCaptcha speak), fully taking advantage of mCaptcha’s variable difficulty factor feature.
For instance, if it is normal for a website to get 200 requests over 30 seconds, then setting a very low difficulty factor for a visitor threshold of 200 and a cool down period of 30 seconds will allow the users to pass through without waiting on the CAPTCHA. But if 1000 requests over 30 seconds will bring down the service, then the admin can configure increasing levels of difficulty factor of increasing traffic levels, effectively rate limiting its users and protecting the underlying website.