←back to thread

Blocking LLM crawlers without JavaScript

(www.owl.is)
198 points todsacerdoti | 1 comments | 15 Nov 25 23:30 UTC | HN request time: 0s | source
Show context
daveoc64 ◴[16 Nov 25 02:08 UTC] No.45942146[source]
Seems pretty easy to cause problems for other people with this.

If you follow the link at the end of my comment, you'll be flagged as an LLM.

You could put this in an img tag on a forum or similar and cause mischief.

Don't follow the link below:

https://www.owl.is/stick-och-brinn/

If you do follow that link, you can just clear cookies for the site to be unblocked.

replies(6): >>45942157 #>>45942369 #>>45942605 #>>45943678 #>>45945678 #>>45947272 #
kazinator ◴[16 Nov 25 02:53 UTC] No.45942369[source]
You do not have a meta refresh timer that will skip your entire comment and redirect to the good page in a fraction of a second too short for a person to react.

You also have not used <p hidden> to conceal the paragraph with the link from human eyes.

replies(1): >>45942556 #
nvader ◴[16 Nov 25 03:38 UTC] No.45942556[source]
I think his point is that the link can be weaponized by others to deny service to his website, if they can get you to click on it elsewhere.
replies(1): >>45942877 #
kazinator ◴[16 Nov 25 04:56 UTC] No.45942877{3}[source]
I see.

Moreover, there is no easy way to distinguish such a fetch from one generated by the bad actors that this is intended against.

When the bots follow the trampoline page's link to the honeypot, they will

- not necessarily fetch it soon afterward;

- not necessarily fetch it from the same IP address;

- not necessarily supply the trampoline page as the Referer.

Therefore you must assume that out-of-the-blue fetches of the honeypot page from a previously unseen IP address must be bad actors.

I've mostly given up on honeypotting and banning schemes on my webserver. A lot of attacks I see are single fetches of one page out of the blue from a random address that never appears again (making it pointless to ban them).

Pages are protected by having to obtain a cookie from answering a skill testing question.

replies(1): >>45945107 #
chasing0entropy ◴[16 Nov 25 13:44 UTC] No.45945107{4}[source]
Your solution is by far the best one. Especially if the skill testing involves counting the number of letter es's in the word lettereses...
replies(1): >>45948970 #
1. kazinator ◴[16 Nov 25 22:19 UTC] No.45948970{5}[source]
You tend to find a decent solution when you're under attack and iterate until something works, and then iterate more to fine tune it after complaints of breakages from legitimate users (such as downstream distro packages pulling from your CGIT).