
Comment by Philpax

3 days ago

Volume, primarily - the scrapers are running full-tilt, which many dynamic websites aren't designed to handle: https://pod.geraspora.de/posts/17342163

Why not just actually rate-limit everyone, instead of slowing them down with proof-of-work?

  • My understanding is that AI scrapers rotate IPs to bypass rate-limiting. Anubis requires clients to solve a proof-of-work challenge upon their first visit to the site to obtain a token that is tied to their IP and is valid for some number of requests -- thus forcing impolite scrapers to solve a new PoW challenge each time they rotate IPs, while being unobtrusive for regular users and scrapers that don't try to bypass rate limits.

    It's like a secondary rate-limit on the ability of scrapers to rotate IPs, thus allowing your primary IP-based rate-limiting to remain effective.
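The scheme described in the comment above, as an added sketch that is not part of the thread and is not Anubis's own code: a server hands out a single-use challenge, then issues a token bound to the client IP with a limited request budget. The names `Gate`, `solve` and `pow_ok`, the difficulty and the budget are all assumptions made for illustration.

```python
import hashlib, hmac, os

SECRET = os.urandom(32)   # server signing key, constructed for this example
DIFFICULTY_BITS = 12      # assumed difficulty, kept low so the demo runs fast
REQUESTS_PER_TOKEN = 3    # assumed per-token request budget

def pow_ok(challenge: bytes, nonce: int) -> bool:
    """True if SHA-256(challenge || nonce) has DIFFICULTY_BITS leading zero bits."""
    digest = hashlib.sha256(challenge + str(nonce).encode()).digest()
    return int.from_bytes(digest, "big") >> (256 - DIFFICULTY_BITS) == 0

def solve(challenge: bytes) -> int:
    """Client side: brute-force a nonce (about 2**DIFFICULTY_BITS hashes on average)."""
    nonce = 0
    while not pow_ok(challenge, nonce):
        nonce += 1
    return nonce

class Gate:
    """Server side: single-use challenges, IP-bound tokens with a request budget."""
    def __init__(self):
        self.pending = {}     # ip -> outstanding challenge
        self.remaining = {}   # token id -> requests left

    def _mac(self, tid: str, ip: str) -> str:
        return hmac.new(SECRET, f"{tid}|{ip}".encode(), hashlib.sha256).hexdigest()

    def challenge(self, ip: str) -> bytes:
        self.pending[ip] = os.urandom(16)
        return self.pending[ip]

    def issue(self, ip: str, nonce: int):
        chal = self.pending.pop(ip, None)   # pop: a solution cannot be replayed
        if chal is None or not pow_ok(chal, nonce):
            return None
        tid = os.urandom(8).hex()
        self.remaining[tid] = REQUESTS_PER_TOKEN
        return f"{tid}.{self._mac(tid, ip)}"

    def allow(self, ip: str, token: str) -> bool:
        tid, _, mac = token.partition(".")
        if not hmac.compare_digest(mac.encode(), self._mac(tid, ip).encode()):
            return False                    # token presented from a different IP
        if self.remaining.get(tid, 0) <= 0:
            return False                    # budget spent: solve a new challenge
        self.remaining[tid] -= 1
        return True
```

A client that keeps one IP pays for one challenge per `REQUESTS_PER_TOKEN` requests, while a client that changes IP on every request pays for one challenge per request.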

    • Earlier today I found we'd served over a million requests to over 500,000 different IPs.

      All had the same user agent (current Safari); they seem to be from hacked computers, as the ISPs are all over the world.

      The structure of the requests almost certainly means we've been specifically targeted.

      But it's also a valid query, reasonable for normal users to make.

      From this article, it looks like Proof of Work isn't going to be the solution I'd hoped it would be.


Why haven't they been sued and jailed for DDoS, which is a felony?

  • Criminal convictions in the US require a standard of proof that is "beyond a reasonable doubt" and I suspect cases like this would not pass the required mens rea test, as, in their minds at least (and probably a judge's), there was no ill intent to cause a denial of service... and trying to argue otherwise based on any technical reasoning (e.g. "most servers cannot handle this load and they somehow knew it") is IMO unlikely to sway the court... especially considering web scraping has already been ruled legal, and that a ToS clause against that cannot be legally enforced.

    • There's an angle where criminal intent doesn't matter when it comes to negligence and damages. They have to have known that their scrapers would cause denial of service, unauthorized access, increased costs for operators, etc.


    • Coming from a different legal system, so please forgive my ignorance: Is it necessary in the US to prove ill intent in order to sue for repairs? Just wondering, because when I accidentally punch someone's tooth out, I would assume they certainly are entitled to the dentist bill.


    • I thought only capital crimes (murder, for example) held the standard of beyond a reasonable doubt. Lesser crimes require the standard of either a "Preponderance of Evidence" or "Clear and Convincing Evidence" as burden of proof.

      Still, even by those lesser standards, it's hard to build a case.
