First of all, I'm new to this whole crypto thing. Here's my scenario:
I have a client app, that sends a 20char max string to my server. The server then checks if the name is indeed matching the char limit, then logs the name, time, and IP into an sqlite3 database.
My problem is that I have a troll who is hell bent on destroying my site. First, there was no protection or filters on added usernames. I've now added the char filter, and also made sure to only accept 1 name per IP address. That all works, but now he created a bot that gets him a new proxy every time before making the get request.
I've changed as much as I think I can server side, I think I need to roll out a client side application patch. Also note that this process happens once a minute until the client app is closed.
I need to verify that the get request is coming from my client app, and not a bot. This guy is pretty hell bent on pissing in my/anyone who's trying to use the site legitimately's Cheerios.
Idea 1: creating random token checks. Process: client app (shortened to app) sends unhashed token request, server replies with random string. Client app hashes the string, and replies to the server with the hashed and unhashed string. Server does the hashing on the unhashed, and compares it to the hashed one. If all matches, it adds the name to the database.
Problem with that is A) I have to make sure the unhashed string is not used more than once per period of time, but I could add them to a DB and use Cron or something to delete the database every now and then. B) is that I have to have my hashing algorithm completely protected, on both the app and the server. If they busted the algorithm (or just identified what hashing method it's using) they could build a bot with that accounted for.
I'd use something like a captcha, but it's just a background thread that routinely submits the get request, there is no user interaction with it at all.
Any help or pointers are greatly appreciated, thanks if you've made it through this much text...