Comment by ChuckMcM
7 months ago
I sort of did this with ssh where I figured out how to crash an ssh client that was trying to guess the root password. What I got for my trouble was a number of script kiddies ddosing my poor little server. I switched to just identifying 'bad actors' who are clearly trying to do bad things and just banning their IP with firewall rules. That's becoming more challenging with IPV6 though.
Edit: And for folks who write their own web pages, you can always create zip bombs that are links on a web page that don't show up for humans (white text on white background with no highlight on hover/click anchors). Bots download those things to have a look (so do crawlers and AI scrapers)
> you can always create zip bombs that are links on a web page that don't show up for humans
I did a version of this with my form for requesting an account on my fediverse server. The problem I was having is that there exist these very unsophisticated bots that crawl the web and submit their very unsophisticated spam into every form they see that looks like it might publish it somewhere.
First I added a simple captcha with distorted characters. This did stop many of the bots, but not all of them. Then, after reading the server log, I noticed that they only make three requests in a rapid succession: the page that contains the form, the captcha image, and then the POST request with the form data. They don't load neither the CSS nor the JS.
So I added several more fields to the form and hid them with CSS. Submitting anything in these fields will fail the request and ban your session. I also modified the captcha, I made the image itself a CSS background, and made the src point to a transparent image instead.
And just like that, spam has completely stopped, while real users noticed nothing.
I did essentially the same thing. I have this input in a form:
With this CSS:
And any form submission with a value set for the email is blocked. It stopped 100% of the spam I was getting.
Would this also stop users with automatic form filling enabled?
1 reply →
If CSS is disabled or using a browser that does not implement CSS, that might also be an issue. (A mode to disable CSS should ideally also be able to handle ARIA attributes (unless the user disables those too), but not all implementations will do this (actually, I don't know if any implementation does; it doesn't seem to on mine), especially if they were written before ARIA attributes were invented.)
We use to just call those honeypot fields. Works like a charm.
Oh that is great.
apart from blind users, who are also now completely unable to use their screenreaders with your site
aria-hidden="true" should take care of that.
Check this out if you want to stop this behavior...
https://github.com/skeeto/endlessh
> you can always create zip bombs that are links on a web page that don't show up for humans (white text on white background with no highlight on hover/click anchors)
RIP screen reader users?
“aria-hidden” would spare those users, and possibly be ignored by the bots unless they are sophisticated.
Why is it harder to firewall them with IPv6? I seems this would be the easier of the two to firewall.
Manual banning is about the same since you just book /56 or bigger, entire providers or countries.
Automated banning is harder, you'd probably want a heuristic system and look up info on IPs.
IPv4 with NAT means you can "overban" too.
Why wouldn't something like fail2ban not work here? That's what it's built for and has been around for eons.
2 replies →
I think they are suggesting the range of IPs to block is too high?
Allow -> Tarpit -> Block should be done by ASN
1 reply →
Maybe it’s easier to circumvent because getting a new IPv6 address is easier than with IPv4?
These links do show up for humans who might be using text browsers, (perhaps) screen readers, bookmarklets that list the links on a page, etc.
Weird that text browsers just ignore all the attributes that hide elements. I get that they don't care about styling, but even a plain hidden attribute or aria-hidden are ignored.
true, but you can make the link text 'do not click this' or 'not a real link' to let them know. I'm not sure if crawlers have started using LLMs to check pages or not which would be a problem.
> I sort of did this with ssh where I figured out how to crash an ssh client that was trying to guess the root password. What I got for my trouble was a number of script kiddies ddosing my poor little server.
This is the main reason I haven't installed zip bombs on my website already -- on the off chance I'd make someone angry and end up having to fend off a DDoS.
Currently I have some URL patterns to which I'll return 418 with no content, just to save network / processing time (since if a real user encounters a 404 legitimately, I want it to have a nice webpage for them to look at).
Should probably figure out how to wire that into fail2ban or something, but not a priority at the moment.
Automated systems like Cloudflare and stuff also have a list of bot IPs. I was recently setting up a selfhosted VPN and I had to change the IPv4 of the server like 20 times before I got an IP that wasn't banned on half the websites.
I am just banning large swaths of IPs. Banning most of Asia and the middle east reduced the amount of bad traffic by something like 98%.
Same, using ipsets, and a systemd {service,timer} for updating the lists.
fail2ban automates that and is in package managers