←back to thread

Ask HN: How to stop an AWS bot sending 2B requests/month?

252 points lgats | 3 comments | 17 Oct 25 05:28 UTC | HN request time: 0.593s | source

I have been struggling with a bot– 'Mozilla/5.0 (compatible; crawler)' coming from AWS Singapore – and sending an absurd number of requests to a domain of mine, averaging over 700 requests/second for several months now. Thankfully, CloudFlare is able to handle the traffic with a simple WAF rule and 444 response to reduce the outbound traffic.

I've submitted several complaints to AWS to get this traffic to stop, their typical followup is: We have engaged with our customer, and based on this engagement have determined that the reported activity does not require further action from AWS at this time.

I've tried various 4XX responses to see if the bot will back off, I've tried 30X redirects (which it follows) to no avail.

The traffic is hitting numbers that require me to re-negotiate my contract with CloudFlare and is otherwise a nuisance when reviewing analytics/logs.

I've considered redirecting the entirety of the traffic to aws abuse report page, but at this scall, it's essentially a small DDoS network and sending it anywhere could be considered abuse in itself.

Are there others that have similar experience?

Show context
swiftcoder ◴[17 Oct 25 06:59 UTC] No.45614001[source]
Making the obviously-abusive bot prohibitively expensive is one way to go, if you control the terminating server.

gzip bomb is good if the bot happens to be vulnerable, but even just slowing down their connection rate is often sufficient - waiting just 10 seconds before responding with your 404 is going to consume ~7,000 ports on their box, which should be enough to crash most linux processes (nginx + mod-http-echo is a really easy way to set this up)

replies(7): >>45614138 #>>45614240 #>>45614367 #>>45614560 #>>45619426 #>>45623137 #>>45628852 #
Orochikaku ◴[17 Oct 25 07:30 UTC] No.45614138[source]
Thinking along the same lines a PoW check like like anubis[1] may work for OP as well.

[1] https://github.com/TecharoHQ/anubis

replies(2): >>45614636 #>>45626996 #
hshdhdhehd ◴[17 Oct 25 09:02 UTC] No.45614636[source]
Avoid if you dont have to. It is not really good traffic friendly. Especially if current blocking works.
replies(2): >>45619737 #>>45621922 #
1. CaptainOfCoit ◴[17 Oct 25 17:56 UTC] No.45619737[source]
> Especially if current blocking works.

The submission and the context is when current blocking doesn't work...

replies(1): >>45625113 #
2. hshdhdhehd ◴[18 Oct 25 05:20 UTC] No.45625113[source]
> Thankfully, CloudFlare is able to handle the traffic with a simple WAF rule and 444 response to reduce the outbound traffic.

That is strictly less resource intensive than serving 200 and some challenge.

replies(1): >>45626544 #
3. CaptainOfCoit ◴[18 Oct 25 11:38 UTC] No.45626544[source]
Right, but if you re-read the submission, OP already tried that and found the costs to be potentially be too high, and are looking for alternatives...