this post was submitted on 26 Nov 2025
403 points (96.8% liked)

Selfhosted

53222 readers
1549 users here now

A place to share alternatives to popular online services that can be self-hosted without giving up privacy or locking you into a service you don't control.

Rules:

  1. Be civil: we're here to support and learn from one another. Insults won't be tolerated. Flame wars are frowned upon.

  2. No spam posting.

  3. Posts have to be centered around self-hosting. There are other communities for discussing hardware or home computing. If it's not obvious why your post topic revolves around selfhosting, please include details to make it clear.

  4. Don't duplicate the full text of your blog or github here. Just post the link for folks to click.

  5. Submission headline should match the article title (don’t cherry-pick information from the title to fit your agenda).

  6. No trolling.

Resources:

Any issues on the community? Report it using the report flag.

Questions? DM the mods!

founded 2 years ago
MODERATORS
ruud@lemmy.world
Loki@lemmy.world
CannaVet@lemmy.world
devve@lemmy.world
HybridSarcasm@lemmy.world
HybridSarcasm@lemmy.hybridsarcasm.xyz
403
Have clankers visited my blog one hundred twenty-one sexagintillion eight hundred ten novemquinquagintillion times so far in November?? (lemmy.ml)
submitted 3 days ago* (last edited 3 days ago) by benagain@lemmy.ml to c/selfhosted@lemmy.world
90 comments fedilink hide all child comments
 

Got a warning for my blog going over 100GB in bandwidth this month... which sounded incredibly unusual. My blog is text and a couple images and I haven't posted anything to it in ages... like how would that even be possible?

Turns out it's possible when you have crawlers going apeshit on your server. Am I even reading this right? 12,181 with 181 zeros at the end for 'Unknown robot'? This is actually bonkers.

Edit: As Thunraz points out below, there's a footnote that reads "Numbers after + are successful hits on 'robots.txt' files" and not scientific notation.

Edit 2: After doing more digging, the culprit is a post where I shared a few wallpapers for download. The bots have been downloading these wallpapers over and over, using 100GB of bandwidth usage in the first 12 days of November. That's when my account was suspended for exceeding bandwidth (it's an artificial limit I put on there awhile back and forgot about...) that's also why the 'last visit' for all the bots is November 12th.

top 50 comments
sorted by: hot top controversial new old
[–] Omega_Jimes@lemmy.ca 3 points 1 day ago

It's a shame we don't have those banner ad schemes anymore. Cybersquatting could be a viable income stream if you could convince the cleaners to click banner ads for a faction of a penny each.

[–] ChaoticNeutralCzech@feddit.org 2 points 1 day ago* (last edited 1 day ago)

I don't know what "12,181+181" means (edit: thanks @Thunraz@feddit.org, see Edit 1) but absolutely not 1.2181 × 10^185^. That many requests can't be made within the 39 × 10^9^ bytes of bandwidth − in fact, they exceed the number of atoms on Earth times its age in microseconds (that's close to 10^70^). Also, "0+57" in another row would be dubious exponential notation, the exponent should be 0 (or omitted) if the mantissa (and thus the value represented) is 0.

[–] ChaoticNeutralCzech@feddit.org 1 points 1 day ago

That's insane... Can't a website owner require bots (at least those who are identifying themselves as such) to prove at least they're affiliated with a certain domain?

[–] phoenixz@lemmy.ca 21 points 2 days ago

AI bots killing the internet again? You don't say

[–] pendel@feddit.org 16 points 2 days ago

I had to pull an all nighter to fix some unoptimized query because I had just launched a new website with barely any visitors and hadn’t implemented caching yet for something that I thought no one uses anyway, but a bot found it and broke my entire DB through hitting the endpoint again and again until nothing worked anymore

[–] hoshikarakitaridia@lemmy.world 152 points 3 days ago (2 children)

Fucking hell.

Yeah and that's why people are using cloudflare so much.

[–] artyom@piefed.social 123 points 3 days ago (2 children)

One corporation DDOS's your server to death so that you need the other corporations' protection.

[–] MaggiWuerze@feddit.org 82 points 3 days ago

basically protection racket

[–] muffedtrims@lemmy.world 29 points 3 days ago (1 children)

That's a nice website you gots there, would be ashame if something weres to happen to it.

[–] Agent641@lemmy.world 6 points 2 days ago (1 children)

We accidentally the whole config file

load more comments (1 replies)
[–] Lee@retrolemmy.com 60 points 3 days ago (1 children)

A friend (works in IT, but asks me about server related things) of a friend (not in tech at all) has an incredibility low traffic niche forum. It was running really slow (on shared hosting) due to bots. The forum software counts unique visitors per 15 mins and it was about 15k/15 mins for over a week. I told him to add Cloudflare. It dropped to about 6k/15 mins. We excitemented turning Cloudflare off/on and it was pretty consistent. So then I put Anubis on a server I have and they pointed the domain to my server. Traffic drops to less than 10/15 mins. I've been experimenting with toggling on/off Anubis/Cloudflare for a couple months now with this forum. I have no idea how the bots haven't scrapped all of the content by now.

TLDR: in my single isolated test, Cloudflare blocks 60% of crawlers. Anubis blocks presumably all of them.

Also if anyone active on Lemmy runs a low traffic personal site and doesn't know how or can't run Anubis (eg shared hosting), I have plenty of excess resources I can run Anubis for you off one of my servers (in a data center) at no charge (probably should have some language about it not being perpetual, I have the right to terminate without cause for any reason and without notice, no SLA, etc). Be aware that it does mean HTTPS is terminated at my Anubis instance, so I could log/monitor your traffic if I wanted as well, so that's a risk you should be aware of.

[–] MinFapper@startrek.website 15 points 2 days ago (2 children)

It's interesting that anubis has worked so well for you in practice.

What do you think of this guy's take?

https://lock.cmpxchg8b.com/anubis.html

[–] Lee@retrolemmy.com 1 points 1 hour ago

Is there a particular piece? I'll comment on what I think are the key points from his article:

  1. Wasted energy.

  2. It interferes with legitimate human visitors in certain situations. Simple example would be wanting to download a bash script via curl/wget from a repo that's using Anubis.

3A) It doesn't strictly meet the requirement of a CAPTCHA (which should be something a human can do easily, but a computer cannot) and the theoretical solution to blocking bots is a CAPTCHA.

and very related

3B) It is actually not that computationally intensive and there's no reason a bot couldn't do it.

Maybe there were more, but those are my main takeaways from the article and they're all legit. The design of Anubis is in many respects awful. It burns energy, breaks (some) functionality for legitimate users, unnecessarily challenges everyone, and probably the worst of it, it is trivial for the implementer of a crawling system to defeat.

I'll cover wasted energy quickly -- I suspect Anubis wastes less electricity than the site would waste servicing bot requests, granted this is site specific as it depends on the resources required to service a request and the rate of bot requests vs legitimate user requests. Still it's a legitimate criticism.

So why does it work and why am I a fan? It works simply because crawlers haven't implemented support to break it. It would be quite easy to do so. I'm actually shocked that Anubis isn't completely ineffective already. I actually was holding out bothering testing it out because I had assumed that it would be adopted rather quickly by sites and given the simplicity in which it can be defeated, that it would be defeated and therefore useless.

I'm quite surprised for a few reasons that it hasn't been rendered ineffective, but perhaps the crawler operators have decided that it doesn't make economic sense. I mean if you're losing say 0.01% (I have no idea) of web content, does that matter for your LLMs? Probably if it was concentrated in niche topic domains where a large amount of that niche content was inaccessible, then they would care, but I suspect that's not the case. Anyway while defeating Anubis is trivial, it's not without a (small) cost and even if it is small, it simply might not be worth it.

I think there may also be a legal element. At a certain point, I don't see how these crawlers aren't in violation of various laws related to computer access. What i mean is, these crawlers are in fact accessing computer systems without authorization. Granted, you can take the point of view that the act of connecting a computer to the internet is implying consent, that's not the way the laws are, at least in the countries I'm familiar with. Things like robots.txt can sort of be used to inform what is/isn't allowed to be accessed, but it's a separate request and mostly used to help with search engine indexing, not all sites use it, etc. Something like Anubis is very clear and in your face, and I think it would be difficult to claim that a crawler operator specifically bypassed Anubis in a way that was not also unauthorized access.

I've dealt with crawlers as part of devops tasks for years and years ago it was almost trivial to block bots with a few heuristics that would need to be updated from time to time or temporarily added. This has become quite difficult and not really practical for people running small sites and probably even for a lot of open source projects that are short on people. Cloudflare is great, but I assure you, it doesn't stop everything. Even in commercial environments years ago we used Cloudflare enterprise and it absolutely blocked some, but we'd get tons of bot traffic that wasn't being blocked by Cloudflare. So what do you do if you run a non-profit, FOSS project, or some personal niche site that doesn't have the money or volunteer time to deal with bots as they come up and those bots are using legitimate user-agents coming from thousands of random IPs (including residential! -- it used to be you could block some data center ASNs in a particular country until it stopped).

I guess the summary is, bot blocking could be done substantially better than what Anubis does and with less down side for legitimate users, but it works (for now), so maybe we should only concern ourselves with the user hostile aspect of it at this time -- preventing legitimate users from doing legitimate things. With existing tools, I don't know how else someone running a small site can deal with this easily, cheaply, without introducing things like account sign ups, and without violating people's privacy. I have some ideas related to this that could offer some big improvements, but I have a lot of other projects I'm bouncing between.

[–] pipe01@programming.dev 7 points 2 days ago (1 children)

I wouldn't be surprised if most bots just don't run any JavaScript so the check always fails

[–] Lee@retrolemmy.com 2 points 1 hour ago

It could be, but they seem to get through Cloudflare's JS. I don't know if that's because Cloudflare is failing to flag them for JS verification or if they specifically implement support for Cloudflare's JS verification since it's so prevalent. I think it's probably due to an effective CPU time budget. For example, Google Bot (for search indexing) runs JS for a few seconds and then snapshots the page and indexes it in that snapshot state, so if your JS doesn't load and run fast enough, you can get broken pages / missing data indexed. At least that's how it used to work. Anyway, it could be that rather than a time cap, the crawlers have a CPU time cap and Anubis exceeds it whereas Cloudflare's JS doesn't -- if they did use a cap, they probably set it high enough to bypass Cloudflare given Cloudflare's popularity.

[–] MystikIncarnate@lemmy.ca 10 points 2 days ago

fracking clankers.

[–] BurnedDonutHole@ani.social 27 points 2 days ago (1 children)

You can also use crowdsec on your server to stop similar BS. They use a community based blacklist. You choose what you want to block. Check it out.

https://github.com/crowdsecurity/crowdsec

[–] jjlinux@lemmy.zip 6 points 2 days ago (2 children)

I'm going to try and implement crowdsec for all my ProxMox containers over Cloudflare tunnels. Wish me luck and that my wife and kids let me do this without constantly making shot up fore to do.

[–] Appoxo@lemmy.dbzer0.com 2 points 15 hours ago* (last edited 4 hours ago) (1 children)

They also have a plugin for opnsense (if you use that)

[–] jjlinux@lemmy.zip 1 points 13 hours ago (1 children)

I used to, but moved on to a full Unifi infrastructure about 2 years ago.

[–] Appoxo@lemmy.dbzer0.com 1 points 4 hours ago

Yeah, then you need to implement it at the webhost level.

[–] BurnedDonutHole@ani.social 3 points 2 days ago (1 children)

Good luck and if you need help drop by their discord. They have an active community.

https://discord.gg/crowdsec

[–] jjlinux@lemmy.zip 2 points 22 hours ago (1 children)

Can they help me keep my wife and kids at bay too? That's what I need the most help with 😂

[–] BurnedDonutHole@ani.social 1 points 12 hours ago

I don't think asking help about domestic issues on the Internet is healthy... However, who knows maybe they can ( ͡~ ͜ʖ ͡°)

[–] slazer2au@lemmy.world 103 points 3 days ago (1 children)

AI scrapers are the new internet DDoS.

Might want to throw something Infront of your blog to ward them off like Anubis or a Tarpit.

[–] Eyekaytee@aussie.zone 33 points 3 days ago* (last edited 3 days ago) (6 children)

the one with the quadrillion hits is this bad boy: https://www.babbar.tech/crawler

Babbar.tech is operating a crawler service named Barkrowler which fuels and update our graph representation of the world wide web. This database and all the metrics we compute with are used to provide a set of online marketing and referencing tools for the SEO community.

[–] derpgon@programming.dev 1 points 1 day ago

Metrics on what - how much beating can a server take before it commits ritual Sudoku and fries itself?

load more comments (5 replies)
[–] dual_sport_dork@lemmy.world 71 points 3 days ago (2 children)

I run an ecommerce site and lately they've latched onto one very specific product with attempts to hammer its page and any of those branching from it for no readily identifiable reason, at the rate of several hundred times every second. I found out pretty quickly, because suddenly our view stats for that page in particular rocketed into the millions.

I had to insert a little script to IP ban these fuckers, which kicks in if I see a malformed user agent string or if you try to hit this page specifically more than 100 times. Through this I discovered that the requests are coming from hundreds of thousands of individual random IP addresses, many of which are located in Singapore, Brazil, and India, and mostly resolve down into those owned by local ISPs and cell phone carriers.

Of course they ignore your robots.txt as well. This smells like some kind of botnet thing to me.

[–] panda_abyss@lemmy.ca 21 points 3 days ago (2 children)

I don’t really get those bots.

Like, there are bots that are trying to scrape product info, or prices, or scan for quantity fields. But why the hell do some of these bots behave the way they do?

Do you use Shopify by chance? With Shopify the bots could be scraping the product.json endpoint unless it’s disabled in your theme. Shopify just seems to show the updated at timestamp from the db in their headers+product data, so inventory quantity changes actually result in a timestamp change that can be used to estimate your sales.

There are companies that do that and sell sales numbers to competitors.

No idea why they have inventory info on their products table, it’s probably a performance optimization.

I haven’t really done much scraping work in a while, not since before these new stupid scrapers started proliferating.

[–] dual_sport_dork@lemmy.world 21 points 3 days ago (9 children)

Negative. Our solution is completely home grown. All artisinal-like, from scratch. I can't imagine I reveal anything anyone would care about much except product specs, and our inventory and pricing really doesn't change very frequently.

Even so, you think someone bothering to run a botnet to hound our site would distribute page loads across all of our products, right? Not just one. It's nonsensical.

load more comments (9 replies)
load more comments (1 replies)
load more comments (1 replies)
[–] GaryGhost@lemmy.world 2 points 1 day ago

Downloading you wallpapers? Lol what for

[–] Thunraz@feddit.org 48 points 3 days ago (1 children)

It's 12181 hits and the number behind the plus sign are robots.txt hits. See the footnote at the bottom of your screenshot.

[–] benagain@lemmy.ml 20 points 3 days ago (4 children)

Phew, so I'm a dumbass and not reading it right. I wonder how they've managed to use 3MB per visit?

load more comments (4 replies)
[–] carrylex@lemmy.world 28 points 2 days ago* (last edited 2 days ago) (1 children)
  1. Get a blocklist
  2. Enable rate limits
  3. Get a proper robots.txt
  4. ~~Profit~~ Silence
[–] Cort@lemmy.world 9 points 2 days ago (2 children)

Can you just turn the robots.txt into a click wrap agreement to charge robots high fees for access above a certain threshold?

[–] carrylex@lemmy.world 3 points 2 days ago

why do a agreement when you can serve a zip bomb :D

load more comments (1 replies)
[–] scrubbles@poptalk.scrubbles.tech 27 points 3 days ago (12 children)

Check out Anubis. If you have a reverse proxy it is very easy to add, and for the bots stopped spamming after I added it to mine

load more comments (12 replies)
[–] KeenFlame@feddit.nu 5 points 2 days ago (1 children)

What is the blog about? It may be increased interest as search providers use them for normal searches now.. or it could be a couple of already sentient doombots.

Please don't be a blog about von Neumann probes. Please don't be a blog about von Neumann probes. Please don't be a blog about von Neumann probes..

[–] Vupware@lemmy.zip 1 points 1 day ago (2 children)

What’s wrong with blogs about von Neumann probes? Genuinely curious!

[–] KeenFlame@feddit.nu 2 points 1 day ago (1 children)

If an ai read it several thousand times, I thought it was too on the nose joke sorry

[–] Vupware@lemmy.zip 1 points 1 day ago

lol that’s funny. I guess I’m just slow

[–] Cyber@feddit.uk 1 points 1 day ago

I want to search for a blog on this now...

[–] biggerbogboy@sh.itjust.works 3 points 2 days ago

Hydrogen bomb vs coughing baby type shit

load more comments
view more: next ›