←back to thread

The internet is no longer a safe haven

(brainbaking.com)
253 points akyuu | 3 comments | 16 Nov 25 13:12 UTC | HN request time: 0.647s | source
Show context
BinaryIgor ◴[16 Nov 25 13:36 UTC] No.45945045[source]
I wonder why is it that we get an increase in these automated scrapers and attacks as of late (some few years); is there better (open-source?) technology that allows it? Is it because hosting infrastructure is cheaper also for the attackers? Both? Something else?

Maybe the long-term solution for such attacks is to hide most of the internet behind some kind of Proof of Work system/network, so that mostly humans get to access to our websites, not machines.

replies(6): >>45945393 #>>45945467 #>>45945584 #>>45945643 #>>45945917 #>>45945959 #
marginalia_nu ◴[16 Nov 25 14:41 UTC] No.45945467[source]
What's missing is effective international law enforcement. This is a legal problem first and foremost. As long as it's as easy as it is to get away with this stuff by just routing the traffic through a Russian or Singaporean node, it's going to keep happening. With international diplomacy going the way it has been, odds of that changing aren't fantastic.

The web is really stuck between a rock and a hard place when it comes to this. Proof of work helps website owners, but makes life harder for all discovery tools and search engines.

An independent standard for request signing and building some sort of reputation database for verified crawlers could be part of a solution, though that causes problems with websites feeding crawlers different content than users, an does nothing to fix the Sybil attack problem.

replies(4): >>45945725 #>>45945809 #>>45945986 #>>45946661 #
luckylion ◴[16 Nov 25 15:18 UTC] No.45945725[source]
It's not necessarily going through a Russian or Singaporean node though, on the sites I'm responsible for, AWS, GCP, Azure are in the top 5 for attackers. It's just that they don't care _at all_ about that happening.

I don't think you need world-wide law-enforcement, it'll be a big step ahead if you make owners & operators liable. You can limit exposure so nobody gets absolutely ruined, but anyone running wordpress 4.2 and getting their VPS abused for attacks currently has 0 incentive to change anything unless their website goes down. Give them a penalty of a few hundred dollars and suddenly they do. To keep things simple, collect from the hosters, they can then charge their customers, and suddenly they'll be interested in it as well, because they don't want to deal with that.

The criminals are not held liable, and neither are their enablers. There's very little chance anything will change that way.

replies(1): >>45946156 #
1. mrweasel ◴[16 Nov 25 16:14 UTC] No.45946156[source]
The big cloud provides needs to step up and take responsibility. I understand that it can't be to easy to do, but we really do need a way to contact e.g. AWS and tell them to shut of a costumer. I have no problem with someone scraping our websites, but I care that they don't do so responsibly, slow down when we start responding slower, don't assume that you can just go full throttle, crash our site, wait, and then do it again once we start responding again.

You're absolutely right: AWS, GCP, Azure and others, they do not care and especially AWS and GCP are massive enablers.

replies(1): >>45946560 #
2. ctoth ◴[16 Nov 25 17:03 UTC] No.45946560[source]
> we really do need a way to contact e.g. AWS and tell them to shut of a costumer.

You realize you just described the infrastructure for far worse abuse than a misconfigured scraper, right?

replies(1): >>45947001 #
3. mrweasel ◴[16 Nov 25 17:58 UTC] No.45947001[source]
I'm very aware of that, yes. There needs to be a good process, the current situation where AWS simply does not care, or doesn't know also isn't particularly good. One solution could be for victims to notify AWS that a number of specified IP are generating an excessive amount of traffic. An operator could then verify with AWS traffic logs, notify the customer that they are causing issue and only after a failure to respond could the customer be shut down.

You're not wrong that abuse would be a massive issue, but I'm on the other side of this and need Amazon to do something, anything.