About this bulletin board and the Pale Moon website
Moderators: FranklinDM, Lootyhoof
-
Moonchild
- Pale Moon guru

- Posts: 38428
- Joined: 2011-08-28, 17:27
- Location: Motala, SE
Post
by Moonchild » 2025-07-17, 22:42
We get such curious traffic on the forum these days.
I'm not sure if whoever is causing this is thinking they are keeping the forum downed or whatnot, because they don't get a response... but just some statistics on the bogus traffic, just for today (about 20 hours' worth analysed of bad traffic):
Total bad requests: 841,788 (of about 900k total)
Unique IPs: 673,936 (can't get much more distributed than that...)
Unique countries/territories: 192
All following an easy-to-recognise pattern (which has made it fairly easy for me to block, no "AI" needed).
"There is no point in arguing with an idiot, because then you're both idiots." - Anonymous
"Seek wisdom, not knowledge. Knowledge is of the past; wisdom is of the future." -- Native American proverb
"Linux makes everything difficult." -- Lyceus Anubite
-
Gemmaugr
- Lunatic

- Posts: 295
- Joined: 2025-02-03, 07:55
Post
by Gemmaugr » 2025-07-17, 23:35
That country number is intriguing, and curious, indeed. That's almost as many as there are countries in the world.
Bot-scrapers for AI LLMs perhaps? It is all the rage currently.
AI written text is also following a very easy to spot pattern that seems hard for them to shake.
-
suzyne
- Keeps coming back

- Posts: 782
- Joined: 2023-06-28, 22:43
- Location: Australia
Post
by suzyne » 2025-07-18, 02:49
The number of different IPs and countries makes me think it is some malware installed on regular users' computers that is being controlled to do it? That's my theory, but the question is why forum.palemoon.org?
Could being the target of such traffic be a sign of being singled out and special in some way!
Laptop 1: Windows 11 64-bit, i7 @ 2.80GHz, 16GB, NVIDIA GeForce MX450.
Laptop 2: Windows 10 32-bit, Atom Z3735F @ 1.33GHz, 2GB, Intel HD Graphics.
Laptop 3: Linux Mint 20.3 64-bit, i5 @ 2.5GHz, 8GB, Intel HD Graphics 620.
-
Kris_88
- Board Warrior

- Posts: 1165
- Joined: 2021-01-26, 11:18
Post
by Kris_88 » 2025-07-18, 08:14
I had to deal with this phenomenon on my website. In my case it was a DDoS attack. The sources of requests were mobile phones, probably with some vulnerable application. Each source generated a request only once a minute, but the total traffic was staggering. I simply blocked entire subnets by IP and that solved the problem. As I found out later, attackers can also use some vulnerable IP cameras as sources of requests.
And no, I don't think in your case it has anything to do with AI. Most likely, it is an attack on the site.
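An added example, not part of any post in this thread: a Python sketch of the kind of log summary quoted in the first post, showing why traffic spread this thinly (841,788 requests over 673,936 addresses is about 1.25 requests per address) never trips a per-IP rate limit, while a filter on the request pattern catches all of it. The log lines, the `BAD_PATH` marker and the `per_ip_limit` value are constructed assumptions; the thread does not disclose the real pattern.

```python
import ipaddress
import re
from collections import Counter

# Common Log Format prefix: client IP, timestamp, request line, status code.
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3})')
# Hypothetical marker for the bogus requests (assumption, not the real pattern).
BAD_PATH = re.compile(r'^/viewtopic\.php\?x=\d+$')

def build_sample_log():
    """Constructed data: 600 bot IPs sending 1 request (every 5th sends 2), plus 3 users."""
    lines = []
    ts = "[17/Jul/2025:10:00:00 +0000]"
    for i in range(600):
        ip = f"10.{i // 250}.{i % 250}.{(i * 7) % 250 + 1}"
        for _ in range(2 if i % 5 == 0 else 1):
            lines.append(f'{ip} - - {ts} "GET /viewtopic.php?x={i} HTTP/1.1" 403')
    for ip, hits in (("192.0.2.10", 40), ("192.0.2.11", 25), ("198.51.100.7", 15)):
        for n in range(hits):
            lines.append(f'{ip} - - {ts} "GET /viewtopic.php?t={n} HTTP/1.1" 200')
    return lines

def analyse(lines, per_ip_limit=10):
    """Split requests by pattern, then see what a per-IP limit would have caught."""
    bad, good = Counter(), Counter()
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip malformed lines rather than guessing at fields
        ip, _method, path, _status = m.groups()
        (bad if BAD_PATH.match(path) else good)[ip] += 1
    bad_total = sum(bad.values())
    # Distinct /24 networks a subnet-based block list would need to cover.
    nets = {ipaddress.ip_network(f"{ip}/24", strict=False) for ip in bad}
    return {
        "total": bad_total + sum(good.values()),
        "bad_requests": bad_total,
        "bad_unique_ips": len(bad),
        "bad_per_ip": round(bad_total / (len(bad) or 1), 2),
        "bots_over_ip_limit": sum(1 for c in bad.values() if c > per_ip_limit),
        "users_over_ip_limit": sum(1 for c in good.values() if c > per_ip_limit),
        "bad_slash24s": len(nets),
    }

if __name__ == "__main__":
    for key, value in analyse(build_sample_log()).items():
        print(f"{key}: {value}")
```

On the constructed data the per-IP limit flags none of the bot addresses and all three real users, which is the failure mode of rate limiting by address against a widely distributed source set.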
-
by Moonchild » 2025-07-18, 09:01
Kris_88 wrote: ↑2025-07-18, 08:14
Most likely, it is an attack on the site.
I tend to agree - but if it is, then I wonder what the point is. Clearly I've been able to mitigate the attack (without blocking whole swathes of subnets denying service for legitimate users) so the most it does right now is give my server a bit of a workout to filter all this out, but it isn't even hitting the php processor so load is minimal. The overall volume is a nuisance at most and not causing issues otherwise.
suzyne wrote: ↑2025-07-18, 02:49
The number of different IPs and countries makes me think it is some malware installed on regular users' computers that is being controlled to do it?
Probably. But indeed the question then becomes who is controlling that botnet and why target our community forum?
Gemmaugr wrote: ↑2025-07-17, 23:35
Bot-scrapers for AI LLMs perhaps? It is all the rage currently.
AI written text is also following a very easy to spot pattern that seems hard for them to shake.
I don't think they are bot scrapers - the request pattern is wrong for it and the number of IPs is going against that.
Bot scrapers will be from a few dozen IPs at most and all in data centres; this isn't the case here.
-
ron_1
- Knows the dark side

- Posts: 3025
- Joined: 2012-06-28, 01:20
Post
by ron_1 » 2025-07-18, 20:54
PCLinuxOS forums were down a few days ago due to attacks. I wonder if it's the same people.
-
by Moonchild » 2025-07-18, 21:42
Since they are also running phpBB, it's quite possible. If unmitigated, the attack will cause extremely heavy server load that will bring the forum down.
-
by Moonchild » 2025-07-19, 10:05
Oh, him again. Luckily I have a nuke button for that kind of account.
Possible it's the same one as the traffic DoS attack, but without more information it could just be unrelated and timing. The repo political/religious/gay/etc. spammer just seems to be someone with a chip on his shoulder with too much time on his (assuming based on context) hands. Just wasting his time, really, it takes a few clicks to clean it up. Just get a life already.
EDIT: Curiously, the repo spammer went through:
If I really cared, I could home in on it much more, but I really don't feel like spending more than 5 minutes on it at the moment. Maybe if this person is so obsessed with Pale Moon, he'll read this and consider the risk taken by causing abuse. Can't even be bothered to report it right now.
-
by Kris_88 » 2025-07-19, 15:09
Moonchild wrote: ↑2025-07-19, 10:05
EDIT: Curiously, the repo spammer went through:
Most likely, it was just someone's hacked computer or server...
-
by Moonchild » 2025-07-19, 15:29
Kris_88 wrote: ↑2025-07-19, 15:09
Most likely, it was just someone's hacked computer or server...
Unlikely. This kind of behaviour isn't what someone with much wits would do XD
-
Thad E G
- Apollo supporter

- Posts: 30
- Joined: 2022-10-23, 10:38
Post
by Thad E G » 2025-07-22, 14:18
Moonchild wrote: ↑2025-07-18, 09:01
I tend to agree - but if it is, then I wonder what the point is. Clearly I've been able to mitigate the attack (without blocking whole swathes of subnets denying service for legitimate users)
Thank you! My country is definitely on the internet-hates-you list, although probably nowhere near as high as some. But there must be a billion people here who never do any harm out there.
But I'm so glad I retired before these things became so big. All I had to worry about was a fairly simple firewall, and an external service filtering email.
Keep up the good work. I'm sorry it gets harder every day.
-
by Moonchild » 2025-07-28, 19:17
Thad E G wrote: ↑2025-07-22, 14:18
My country is definitely on the internet-hates-you list, although probably nowhere near as high as some.
I'm afraid it's definitely in the top 3 due to its persistently lax attitude towards large-scale scam centers.
-
Pelican
- Lunatic

- Posts: 276
- Joined: 2018-02-23, 06:51
Post
by Pelican » 2025-07-28, 23:55
A lot of sites have been reporting 5 times the normal traffic. A lot of it is coming from bots for the AI research rush. If running phpBB you will be affected more because their crawling is a runaway train.
Apparently phpBB version 4.0 is coming soon.
-
by Moonchild » 2025-07-29, 00:30
Pelican wrote: ↑2025-07-28, 23:55
A lot of it is coming from bots for the AI research rush.
This isn't. It's obviously been a DoS attack of some sort.
Considering the repo and xref servers are being hit with regular bouts of it also (e.g. a SYN flood attack earlier today - reported to Hetzner), it's clearly a directed attempt at disrupting operations. Unfortunately for them I know how to make a fairly robust setup after a few decades of admin experience.