←back to thread

Cloudflare scrubs Aisuru botnet from top domains list

(krebsonsecurity.com)
97 points jtbayly | 8 comments | 08 Nov 25 16:25 UTC | HN request time: 0.42s | source | bottom
Show context
bradly ◴[08 Nov 25 18:02 UTC] No.45858587[source]
> We should have two rankings: one representing trust and real human use, and another derived from raw DNS volume.

Isn't identifying real humans an unsolved problem? I'm not sure efforts to hide the truth that these domain are actually the most requested domains does anyone any favors. Is there something using these rankings as an authoritative list or are they just vanity metrics similar to the Alexa Top Site rankings of yore? If they are authoritative, then Cloudflare defining "trusted" is going to be problematic as I would expect them to hide that logic to avoid gaming.

replies(1): >>45858640 #
1. iamkonstantin ◴[08 Nov 25 18:08 UTC] No.45858640[source]
> Isn't identifying real humans an unsolved problem?

I'm not sure this was ever a problem to begin with. The obsession with "confirm you are human" has created a lot of "bureaucracy" on technical level without actually protecting websites from unauthorised use. Why not actually bite the bullet and allow automations to interact with web resources instead of bothering humans to solve puzzles 10 times per day?

> Cloudflare defining "trusted"

They would love to monetise the opportunity, no doubt

replies(2): >>45858699 #>>45858808 #
2. nickff ◴[08 Nov 25 18:15 UTC] No.45858699[source]
>"Why not actually bite the bullet and allow automations to interact with web resources instead of bothering humans to solve puzzles 10 times per day?"

This is a great idea if you've developed your 'full-stack', but if you're interfacing with others, it often doesn't work well. For example, if you use an external payment processor, and allow bots to constantly test stolen credit card data, you will eventually get booted from the service.

replies(2): >>45858797 #>>45858882 #
3. isodev ◴[08 Nov 25 18:30 UTC] No.45858797[source]
I think the comment means we have these “institutional” problems that we’re constantly protecting with tricks like captchas instead of actually addressing why a payment processor would have a problem with that or be unable to handle it in their own way.
4. bradly ◴[08 Nov 25 18:32 UTC] No.45858808[source]
> I'm not sure this was ever a problem to begin with. The obsession with "confirm you are human" has created a lot of "bureaucracy" on technical level without actually protecting websites from unauthorised use. Why not actually bite the bullet and allow automations to interact with web resources instead of bothering humans to solve puzzles 10 times per day?

I mostly just let the bots have my sites, but I also don't have anything popular enough that it costs me money to do so. If I was paying for extra compute or bandwidth to accommodate bots, I may have a stronger stance.

I do feel a burden with my private site that has a request an account form that has no captcha or bot blocking technology. Fake account requests are 100 to 1 real account, but this is my burden as a site owner, not my users' burden. Currently the fake account requests are easy enough to scan and I think I do a good job of picking out the humans, but I can't be sure and I fear this works because I run small software.

replies(1): >>45859114 #
5. AnthonyMouse ◴[08 Nov 25 18:41 UTC] No.45858882[source]
The average normal user would go months to years between needing to update payment info, so why would that require them to solve puzzles 10 times a day?

That is also notably a completely unnecessary dumpster fire created by the credit card companies. Hey guys, how about an API that will request the credit card company to send a text/email to the cardholder asking them to confirm they want to make a payment to Your Company, and then let your company know in real time whether they said yes? Use that once when they first add the card and you're not going to be a very useful service for card testing.

replies(1): >>45859000 #
6. CamouflagedKiwi ◴[08 Nov 25 18:58 UTC] No.45859000{3}[source]
Isn't that basically 3DSecure / Verified by Visa?
replies(1): >>45859174 #
7. jacquesm ◴[08 Nov 25 19:12 UTC] No.45859114[source]
I send them on endless redirect loops with very slow responses. Cost me very little bandwidth and it effectively traps one bot process that then isn't available for useful work. Multiply by suitably large 'n' and they might even decide to start to play nice.
8. AnthonyMouse ◴[08 Nov 25 19:20 UTC] No.45859174{4}[source]
It's what those things should have been.

What you need is for all card issuers to be required to implement it by the network. Otherwise you'll still have people showing up to test all the cards that don't support it and the payment processors would still kick you off for that.