When a scrubbing proxy detects suspicious traffic from an IP or ASN, it can respond in two ways: block outright, or issue a challenge. Challenges filter bots from real users without permanently blocking potentially legitimate traffic. Two dominant challenge types exist: CAPTCHA and JavaScript challenges.
JavaScript Challenges
The proxy returns an HTML page containing a JavaScript puzzle. Real browsers execute it, solve it, and set a verification cookie — all invisibly in under a second. Bots that don't execute JavaScript (most volumetric attack tools) fail the challenge and receive no content. JS challenges have zero friction for end users.
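The issue, solve, and verify round trip described above, sketched as an added example (not Akarguard's code). It assumes a hash-based proof-of-work puzzle and an HMAC-signed cookie bound to the client IP; all function names, constants and formats are hypothetical.

```javascript
const { createHmac, createHash, randomBytes, timingSafeEqual } = require('node:crypto');

const SECRET = randomBytes(32);      // constructed key; a real proxy would load a shared secret
const DIFFICULTY_BITS = 12;          // assumed puzzle cost: about 4096 hashes on average
const CHALLENGE_TTL_MS = 30_000;     // assumed time allowed to solve
const COOKIE_TTL_MS = 30 * 60_000;   // assumed lifetime of the verification cookie

const sign = (msg) => createHmac('sha256', SECRET).update(msg).digest('hex');
const safeEqual = (a, b) => {
  const x = Buffer.from(a), y = Buffer.from(b);
  return x.length === y.length && timingSafeEqual(x, y);
};
function leadingZeroBits(buf) {
  let bits = 0;
  for (const byte of buf) {
    bits += Math.clz32(byte) - 24;   // clz32 counts over 32 bits; a byte uses the low 8
    if (byte !== 0) break;
  }
  return bits;
}
const puzzleHash = (nonce, counter) => createHash('sha256').update(`${nonce}|${counter}`).digest();

// Proxy: stateless challenge; the tag binds nonce, client IP and issue time.
function issueChallenge(ip, now = Date.now()) {
  const nonce = randomBytes(16).toString('hex');
  return { nonce, issuedAt: now, bits: DIFFICULTY_BITS, tag: sign(`ch|${nonce}|${ip}|${now}`) };
}

// Browser: the work the challenge page's script performs before resubmitting.
function solve(ch) {
  for (let counter = 0; ; counter++) {
    if (leadingZeroBits(puzzleHash(ch.nonce, counter)) >= ch.bits) return counter;
  }
}

// Proxy: every field coming back from the client is untrusted until the tag checks out.
function verifyAndMintCookie(ch, counter, ip, now = Date.now()) {
  if (!safeEqual(String(ch.tag), sign(`ch|${ch.nonce}|${ip}|${ch.issuedAt}`))) return null; // forged or other IP
  if (now - ch.issuedAt > CHALLENGE_TTL_MS) return null;                                   // stale challenge
  // Enforce the server's difficulty, not ch.bits, which the client could lower.
  if (leadingZeroBits(puzzleHash(ch.nonce, counter)) < DIFFICULTY_BITS) return null;
  const exp = now + COOKIE_TTL_MS;
  return `${exp}.${sign(`ok|${ip}|${exp}`)}`;
}

// Proxy: on later requests, accept only an unexpired cookie minted for this IP.
function checkCookie(cookie, ip, now = Date.now()) {
  const [exp, mac] = String(cookie).split('.');
  if (!mac || !(Number(exp) >= now)) return false;
  return safeEqual(mac, sign(`ok|${ip}|${exp}`));
}
```

Because the proxy keeps no state here, a solved challenge can be resubmitted from the same IP until it expires; a short-lived cache of used nonces closes that gap.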
CAPTCHA Challenges
CAPTCHAs (image recognition, checkbox, audio) require active user participation. They block sophisticated bots that can execute JavaScript but can't solve visual puzzles. The tradeoff: they add friction, reduce conversion rates, and exclude users with visual disabilities. CAPTCHA is appropriate for high-value actions (login, checkout), not for general page access.
- JS challenge: zero friction, blocks dumb bots, fails against headless browsers.
- CAPTCHA: visible friction, blocks most bots, poor accessibility, 5–15% user drop-off at the challenge.
- Behavioral CAPTCHA (checkbox): lower friction, uses mouse movement/timing to verify humanness.
Akarguard's Recommendation
Use JS challenges as the default for suspicious traffic during an attack. Reserve CAPTCHA for login and form endpoints that are being specifically targeted with credential stuffing. Never apply CAPTCHA to general page traffic — the conversion cost outweighs the security benefit.