Hacker News

I always figured that CAPTCHAs worked because they limited on a resource that was harder to steal - human attention.

Rate limit by IP, and you get attacked by a botnet that "steals" IP addresses with malware.

Rate limit by PoW and you get people stealing AWS accounts, or using aforementioned botnet. See bitcoin mining.

Rate limit by CAPTCHA and you have to get a lot more clever (see things like setting up porn sites and proxying CAPTCHAs there).

So while you can pay to have CAPTCHAs solved, you actually DO have to pay and can't just steal your way in, so it means your target has to be more valuable.




> So while you can pay to have CAPTCHAs solved, you actually DO have to pay and can't just steal your way in, so it means your target has to be more valuable.

None of these things you listed above are available for free. They all require either effort to obtain or paying someone to do the work.


Someone did the math down thread: https://news.ycombinator.com/item?id=37056504

Unless you set your challenge to many minutes of work, you are not competitive with the human-centric solutions.


Can you steal AWS accounts with no effort?

And keep stealing them after you get blocked on the first ones?



