this post was submitted on 26 Nov 2025
411 points (96.8% liked)

Selfhosted

53538 readers
635 users here now

A place to share alternatives to popular online services that can be self-hosted without giving up privacy or locking you into a service you don't control.

Rules:

  1. Be civil: we're here to support and learn from one another. Insults won't be tolerated. Flame wars are frowned upon.

  2. No spam posting.

  3. Posts have to be centered around self-hosting. There are other communities for discussing hardware or home computing. If it's not obvious why your post topic revolves around selfhosting, please include details to make it clear.

  4. Don't duplicate the full text of your blog or github here. Just post the link for folks to click.

  5. Submission headline should match the article title (don’t cherry-pick information from the title to fit your agenda).

  6. No trolling.

  7. No low-effort posts. This is subjective and will largely be determined by the community member reports.

Resources:

Any issues on the community? Report it using the report flag.

Questions? DM the mods!

founded 2 years ago
MODERATORS
ruud@lemmy.world
Loki@lemmy.world
CannaVet@lemmy.world
devve@lemmy.world
HybridSarcasm@lemmy.world
HybridSarcasm@lemmy.hybridsarcasm.xyz
411
Have clankers visited my blog one hundred twenty-one sexagintillion eight hundred ten novemquinquagintillion times so far in November?? (lemmy.ml)
submitted 2 weeks ago* (last edited 1 week ago) by benagain@lemmy.ml to c/selfhosted@lemmy.world
91 comments fedilink hide all child comments
 

Got a warning for my blog going over 100GB in bandwidth this month... which sounded incredibly unusual. My blog is text and a couple images and I haven't posted anything to it in ages... like how would that even be possible?

Turns out it's possible when you have crawlers going apeshit on your server. Am I even reading this right? 12,181 with 181 zeros at the end for 'Unknown robot'? This is actually bonkers.

Edit: As Thunraz points out below, there's a footnote that reads "Numbers after + are successful hits on 'robots.txt' files" and not scientific notation.

Edit 2: After doing more digging, the culprit is a post where I shared a few wallpapers for download. The bots have been downloading these wallpapers over and over, using 100GB of bandwidth usage in the first 12 days of November. That's when my account was suspended for exceeding bandwidth (it's an artificial limit I put on there awhile back and forgot about...) that's also why the 'last visit' for all the bots is November 12th.

you are viewing a single comment's thread
view the rest of the comments
[–] deffard@lemmy.world 4 points 1 week ago (6 children)

The author demonstrated that the challenge can be solved in 17ms however, and that is only necessary once every 7 days per site. They need less than a second of compute time, per site, to be able to send unlimited requests 365 days a year.

The deterrent might work temporarily until the challenge pattern is recognised, but there's no actual protection here, just obscurity. The downside is real however for the user on an old phone that must wait 30 seconds, or like the blogger, a user of a text browser not running JavaScript. The very need to support an old phone is what defeats this approach based on compute power, as it's always a trivial amount for the data center.

[–] scrubbles@poptalk.scrubbles.tech 3 points 1 week ago (2 children)

That's counting on one machine using the same cookie session continuously, or they code up a way to share the tokens across machines. That's now how the bot farms work

[–] deffard@lemmy.world 1 points 1 week ago (1 children)

It will obviously depend heavily on the type of bot crawling, but that is not hard coordination for harvesting data for LLM's, as they will already have strategies to prevent nodes all crawling the same thing - a simple valkey cache can store a solved JWT.

[–] scrubbles@poptalk.scrubbles.tech 1 points 1 week ago

but the vast majority of crawlers don't care to do that. That's a very specific implementation for this one problem. I actually did work at a big scraping farm, and if they encounter something like this,they just give up. It's not worth it to them. That's where the "worthiness" check is, you didn't bother to do anything to gain access.

load more comments (3 replies)