Skip Navigation

Linux @programming.dev

Lee Duna @lemmy.nz

2d ago

FOSS infrastructure is under attack by AI companies

thelibre.news FOSS infrastructure is under attack by AI companies

LLM scrapers are taking down FOSS projects' infrastructure, and it's getting worse.

29 comments

Can't we just filter them out by iptables rules?

Wow that was a frustrating read. I dd not know it was quite that bad. Just to highlight one quote
they don’t just crawl a page once and then move on. Oh, no, they come back every 6 hours because lol why not. They also don’t give a single flying fuck about robots.txt, because why should they. ...] If you try to rate-limit them, they’ll just switch to other IPs all the time. If you try to block them by User Agent string, they’ll just switch to a non-bot UA string (no, really). This is literally a DDoS on the entire internet.
- the solution here is to require logins. thems the breaks unfortunately. it'll eventually pass as the novelty wears off.
  
  Next you'll have to invest in preventing automated signups
  
  Alternative: require a proof of work calculation.

This is the most crazy read on subject in a while. Most articles just talk about hypothetical issues of tomorrow, while this one actually full of today's problems and even costs of those issues in numbers and hours of pointless extra work. Had no idea it's already this bad.

Whats confusing the hell out of me is: why are they bothering to scrape the git blame page? Just download the entire git repo and feed that into your LLM!
9/10 the best solution is to block nonresidential IPs. Residential proxies exist but they're far more expensive than cloud proxies and providers will ask questions. Residential proxies are sketch AF and basically guarded like munitions. Some rookie LLM maker isn't going to figure that out.
Anubis also sounds trivial to beat. If its just crunching numbers and not attempting to fingerprint the browser then its just a case of feeding the page into playwright and moving on.
- I don't like the approach of banning nonresidential IPs. I think it's discriminatory and unfairly blocks out corporate/VPN users and others we might not even be thinking about. I realize there is a bot problem but I wish there was a better solution. Maybe purely proof-of-work solutions will get more popular or something.
  
  Proof of Work is a terrible solution because it assumes computational costs are significant expense for scrapers compared to proxy costs. It'll never come close to costing the same as residential proxies and meanwhile every smartphone user will be complaining about your website draining their battery.
  You can do something like only challenge data data center IPs but you'll have to do better than Proof-of-Work. Canvas fingerprinting would work.

How much you wanna bet that at least part of this traffic is Microsoft just using other companies infrastructure to mask the fact that it’s them
- I doubt it since Microsoft is big enough to be a little more responsible.
  What you should be worried about is the fresh college graduates with 200k of venture capital money.

Sometimes, I hate humanity.
- just hate the techbros

I'm perfectly fine with Anubis but I think we need a better algorithm for PoW
- Tor has one now
  Maybe it can be reused for the clearnet.
  
  You mean the TOR project?

29 comments