Most active commenters
  • SoftTalker(3)
  • arbol(3)

←back to thread

The internet is no longer a safe haven

(brainbaking.com)
253 points akyuu | 15 comments | 16 Nov 25 13:12 UTC | HN request time: 0.001s | source | bottom
1. zdc1 ◴[16 Nov 25 16:06 UTC] No.45946090[source]
I wonder if you can have a chain of "invisible" links on your site that a normal person wouldn't see or click. The links can go page A -> page B -> page C, where a request for C = instant IP ban.
replies(6): >>45946123 #>>45946168 #>>45946230 #>>45946235 #>>45946449 #>>45946612 #
2. chrisweekly ◴[16 Nov 25 16:09 UTC] No.45946123[source]
IP addresses from scrapers are innumerable and in constant rotation.
3. SkiFire13 ◴[16 Nov 25 16:16 UTC] No.45946168[source]
Scrapers nowadays can use residential and mobile IPs, so banning by IP, even if actual malicious requests are coming from them, can also prevent actual unrelated people from accessing your service.
replies(2): >>45946597 #>>45946829 #
4. Habgdnv ◴[16 Nov 25 16:22 UTC] No.45946230[source]
I self host and I have something like this but more obvious: i wrote a web service that talks to my mikrotik via API and add the IP of the requester to the block list with a 30 day timeout (configurable ofc). It hostname is "bot-ban-me.myexamplesite.com" and it is like a normal site in my reverse proxy. So when I request a cert this hostname is in the cert, and in the first few minutes i can catch lots of bad apples. I do not expect anyone to ever type this. I do not mention the address or anything anywhere, so the only way to land there is to watch the CT logs.
5. trescenzi ◴[16 Nov 25 16:22 UTC] No.45946235[source]
There was an article just yesterday which detailed doing this as not in order to ban but in order to waste time. You can also zip bomb people which is entertaining but probably not super effective.

https://herman.bearblog.dev/messing-with-bots/

https://news.ycombinator.com/item?id=45935729

6. wibbily ◴[16 Nov 25 16:48 UTC] No.45946449[source]
I do something like this. Every page gets an invisible link to a honeypot. Click the link, 48hr ban.

Honestly I have no idea how well it works, my logs are still full of bots. *Slow* bots, though. As long as they’re not ddosing me I guess it’s fine?

7. SoftTalker ◴[16 Nov 25 17:08 UTC] No.45946597[source]
Unless you're running a very popular service, unlikely that a random residential IP would be both compromised by a malicious VPN and also trying to access your site legitimately.
replies(2): >>45946944 #>>45948845 #
8. SoftTalker ◴[16 Nov 25 17:10 UTC] No.45946612[source]
We do something similar for ssh. If a remote connection tries to log in as "root" or "admin" or any number of other usernames that indicate a probe for vulnerable configurations, that's an insta-ban for that IP address (banned not only for SSH but for everything).
9. theoreticalmal ◴[16 Nov 25 17:36 UTC] No.45946829[source]
How can a scraper get a mobile IP address?
replies(1): >>45946929 #
10. arbol ◴[16 Nov 25 17:49 UTC] No.45946929{3}[source]
Just one of many offering this service https://brightdata.com/proxy-types/mobile-proxies
11. arbol ◴[16 Nov 25 17:51 UTC] No.45946944{3}[source]
Lots of people have chrome extensions installed that use their connection like proxy so this is more common than you think
replies(1): >>45947212 #
12. SoftTalker ◴[16 Nov 25 18:26 UTC] No.45947212{4}[source]
Can you provide any examples of these extensions? I'm not doubting you, just curious.
replies(2): >>45947910 #>>45949741 #
13. arbol ◴[16 Nov 25 19:57 UTC] No.45947910{5}[source]
There's one mentioned here: https://www.bleepingcomputer.com/news/security/data-stealing...

Anyone who owns a chrome extension with 50k+ installs is regularly asked to sell it to people (myself included). The people who buy the extensions try to monetize them any way they can, like proxying traffic for malicious scrapers / attacks.

14. esseph ◴[16 Nov 25 22:04 UTC] No.45948845{3}[source]
Botnets are massive these days.

Also a lot of big companies are paying for residential "proxies" to scrape traffic from for AI.

15. snthd ◴[17 Nov 25 00:13 UTC] No.45949741{5}[source]
Bright VPN

https://en.wikipedia.org/wiki/Bright_Data