pointer bashing since 2012.

Fast Captcha Validition? fasthttp.

Last year, I’ve built a Captcha Server in Python, which is used to generate captchas, serve them over http and validate the users input. The implementation is used to filter layer7 ddos attacks on web applications.

However, as Python webapps based on flask and served by gunicorn, cause some serious (limiting) overhead, I’ve started rethinking the previously built application.

Implementing my own http server in C? – No way, too much work.

Go? net/http isnt too fast. Alternatives? – https://github.com/valyala/fasthttp


It took me almost 2 hours to rewrite the python based captcha validator in go using fasthttp to serve the captcha and validate the input.

Only ~200 lines of code ended up in the following benchmark results on my local machine:

Server Software:        fasthttp
Server Hostname:
Server Port:            10000

Document Path:          /verify/captcha
Document Length:        2949 bytes

Concurrency Level:      500
Time taken for tests:   981.127 seconds
Complete requests:      9999999
Failed requests:        0
Total transferred:      31039996896 bytes
HTML transferred:       29489997051 bytes
Requests per second:    10192.36 [#/sec] (mean)
Time per request:       49.056 [ms] (mean)
Time per request:       0.098 [ms] (mean, across all concurrent requests)
Transfer rate:          30895.59 [Kbytes/sec] received

Connection Times (ms)
              min  mean[+/-sd] median   max
Connect:        0   34 177.8      3    7150
Processing:     0   15  16.8     12    1621
Waiting:        0   13  15.5     10    1621
Total:          0   49 181.4     16    7174

Percentage of the requests served within a certain time (ms)
  50%     16
  66%     19
  75%     22
  80%     25
  90%     36
  95%     66
  98%   1031
  99%   1046
 100%   7174 (longest request)

~10k handled requests per second and ~350Mbit/s of peak http traffic is quite astonishing for a single cpu core, while also saturating my laptop cpu with apache bench.

More work such as fifo IPC with a netmap based c application in order to block bots on network level is tbd. However, thats probably just a one hour job 🙂

Leave a Reply

Your email address will not be published. Required fields are marked *