AI crawler attacks are out of control.

Yesterday a site I still help with saw over 20M requests from tens of thousands of IP addresses across hundreds of ASNs. Each bot involved did only just over 1k requests; the most from a single ASN was 45k requests. Almost everything I could block against is legit-looking and would trigger false positives, or is just randomized garbage, and even allow-listing won't work as there would still be false positives.

What is everyone doing with these?

I already have:

  • Nginx blocking countries
  • Nginx blocking ASNs
  • Nginx allow-listing only known URLs
  • Heavy caching layers

Yet the URLs that exist and are correct, from allowed countries and ASNs, are still enough to effectively pull the whole site in a couple of hours.

These bots obvs don't honour robots.txt, and Cloudflare and such don't report them as AI crawls.

The only thing I can really think of doing is raising the cost of crawling... Using an allow-list of known TLS certs against recent browsers, and saying that that's the only thing you can use. But that's exclusive and shitty to do.

@dee what tools are you using to be informed about these attacks? I'm a little lost when it comes to log analysis

@bri7 from nginx I'm logging every TCP, HTTP, and TLS field that is exposed according to the docs... Literally everything.

I'm formatting that as JSON lines in the log output.

I'm then sending that to Loki.

And analysing via a Grafana dashboard.

I need some plugins for nginx too: the GeoIP one for getting ASNs for direct traffic, but some sites are behind Cloudflare, so I also log their headers, which give me ASN and country too.

In the early days of attacks, ASNs were useful as blocks. But now I see a lot of consumer ISPs involved and ASN blocking is less useful. Countries aren't that useful to block at all... And it's often wrong, i.e. China shows up in Marseilles or Singapore based on where submarine cables go.
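The shape the original post describes (a site pulled in full by tens of thousands of IPs, each staying around 1k requests, no ASN over a few percent of the total) is exactly what per-IP rate limits, ASN blocks and URL allow-lists cannot see, because each of those looks at one request or one source at a time. The following is an added example, not the original poster's setup and not dee's logging config: it takes JSON-lines access log records of the kind dee describes and reduces a window of them to aggregate numbers (distinct IPs, worst single IP, top ASN share, and how much of the known site map the window covered), which is the same aggregation you would do in Loki/Grafana over the JSON fields. All field names (`remote_addr`, `asn`, `country`, `uri`, `ssl_protocol`, `http_user_agent`) are assumptions mirroring the nginx variables you would put in a `log_format ... escape=json` plus an ASN/country column from the GeoIP module or the Cloudflare headers; the ASNs, IPs, site map and log records are constructed, and the thresholds in `classify` are illustrative, not tuned values.

```python
import json
from collections import Counter

# Constructed site map: the "known URLs" that an nginx allow-list would pass.
KNOWN_URLS = [f"/posts/{i}" for i in range(100)]


def _rec(ip, asn, country, uri, ua):
    # Field names are assumptions mirroring nginx log_format variables
    # ($remote_addr, $uri, $status, $ssl_protocol, $http_user_agent) plus an
    # ASN/country column from the GeoIP module or Cloudflare headers.
    return json.dumps({"remote_addr": ip, "asn": asn, "country": country,
                       "uri": uri, "status": 200, "ssl_protocol": "TLSv1.3",
                       "http_user_agent": ua})


def build_distributed_crawl():
    """Constructed window: 200 IPs over 40 ASNs, each fetching only 10 valid
    URLs, plus 5 ordinary visitors. No single IP or ASN looks abusive alone."""
    lines = []
    for i in range(200):
        asn = 64512 + i % 40                       # private-use ASN range (constructed)
        ip = f"10.0.{i}.1"                         # constructed address
        for j in range(10):                        # a contiguous slice of the site map
            lines.append(_rec(ip, asn, "XX", KNOWN_URLS[(10 * i + j) % 100],
                              "Mozilla/5.0 (constructed)"))
    for i in range(5):                             # ordinary visitors, 3 pages each
        for j in range(3):
            lines.append(_rec(f"192.0.2.{i + 1}", 65100 + i % 2, "DE",
                              KNOWN_URLS[j], "Mozilla/5.0 (constructed)"))
    return lines


def build_single_bot():
    """Constructed control: one IP pulling the whole site map in one window."""
    return [_rec("198.51.100.7", 65200, "US", u, "python-requests (constructed)")
            for u in KNOWN_URLS]


def summarize(lines, known_urls):
    """Reduce a window of JSON-lines records to its aggregate shape. These are
    the numbers a per-IP limiter, an ASN block and a URL allow-list each miss."""
    per_ip, per_asn, paths = Counter(), Counter(), set()
    for line in lines:
        r = json.loads(line)
        per_ip[r["remote_addr"]] += 1
        per_asn[r["asn"]] += 1
        paths.add(r["uri"])
    total = sum(per_ip.values())
    known = set(known_urls)
    return {
        "total": total,
        "distinct_ips": len(per_ip),
        "max_per_ip": max(per_ip.values()),
        "top_asn_share": max(per_asn.values()) / total,
        "coverage": len(paths & known) / len(known),   # share of site map pulled
    }


def classify(summary, per_ip_limit=60, asn_share_limit=0.25, coverage_limit=0.8):
    """Label a window. A distributed crawl pulls most of the site map while
    every IP stays under the per-IP limit and no ASN dominates the traffic.
    Thresholds are illustrative, not tuned values."""
    if summary["coverage"] < coverage_limit:
        return "normal"
    if summary["max_per_ip"] > per_ip_limit:
        return "single-source crawl"           # a per-IP rate limit catches this
    if summary["top_asn_share"] > asn_share_limit:
        return "asn-concentrated crawl"        # an ASN block catches this
    return "distributed crawl"                 # nothing per-IP or per-ASN fires


if __name__ == "__main__":
    for name, log in (("distributed", build_distributed_crawl()),
                      ("single bot", build_single_bot())):
        s = summarize(log, KNOWN_URLS)
        print(name, s, "->", classify(s))
```

The point of the `coverage` number is that a crawl is defined by what it takes, not by who sends it: in the constructed distributed window the worst IP does 10 requests and the top ASN is about 2.5% of traffic, so neither a per-IP limit nor an ASN block would ever fire, yet 100% of the site map left in one window. In Loki terms that is a count of distinct `uri` values and distinct `remote_addr` values per window, rather than a per-IP rate, and it is the signal to alert or to switch a cache or challenge policy on, since blocking individual sources from that list is what produces the false positives the original post describes.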

@dee thank you
@bri7 when I'm back from travels, I'm happy to share the logging config with you if you run behind and are interested
@dee I'll give it a crack on my own and then I will have better questions