Top
Best
New

Posted by chmaynard 20 hours ago

An update on residential proxies and the scraper situation(lwn.net)
274 points | 291 comments
harshreality 16 hours ago|
> ...we have tried to minimize the impact on real readers as much as possible. We have not gone with tools like Anubis, partly because it causes annoying delays for those trying to get to the site, but also partly because it seems inevitable that the scrapers will eventually find their way around it. Indeed, there are some indications that is already happening. A proof-of-work requirement is not a huge obstacle when you have millions of other people's machines to do the work on.

It's massively less annoying than a captcha, which is both a longer delay (typically, at present) and a massive cognitive distraction/roadblock.

The anubis author has stated they recognize it's an arms race, but PoW scales. Captchas and other signals are already at the end of the road; any additional difficulty increases false bot-positives, which are already unacceptably high.

For websites running dynamic languages, a binary (anubis is in go) sentry that operates before[1] the website is forced to expend any resources, is usually a large improvement over a site-hosted captcha. I would rather, and I think most humans would agree, have to wait a few seconds, maybe even closer to a minute in the future, to get a website access token good for a day or a week, than be forced to solve a captcha.

The dilemma for bots: when tokens are bound to the connecting ip, scrapers must limit the connecting IP pool for each site they want to scrape, becoming much more obvious and easy to block, or they have to use massive amounts of compute.

[1] this is true regardless of whether anubis is in reverse proxy mode or auth mode.

jsnell 5 hours ago||
Proof of work does not scale. It trades something fungible and incredibly cheap (CPU) for something incredibly expensive (user-visible latency). There is no set of parameters where the cost is going to be a meaningful deterrent to any kind of abuse (even something as low-yield as scraping) without adding crippling amounts of latency to real users.

> The dilemma for bots: when tokens are bound to the connecting ip, scrapers must limit the connecting IP pool for each site they want to scrape, becoming much more obvious and easy to block, or they have to use massive amounts of compute.

There is no dilemma. They get a token, they maybe do some automated multi-armed bandit per-site to figure out how to maximize the extraction rate they get from a single token, and then they use an IP for that many requests / that amount of time before ditching it.

out_of_protocol 2 hours ago||
> It trades something fungible and incredibly cheap (CPU)

it could be RAM-bound, which is very much NOT cheap nowadays :)

dannyfritz07 1 hour ago|||
Yes, but the people with the RAM nowadays are the data centers, not the end users.
jsnell 1 hour ago|||
It doesn't make the economics any different. In a browser environment, you're maybe looking at the acceptable lease being 100MB for 1 second. Much more than that, and you start hitting limits of what browsers will let you do on low-end phones. Longer than that, and we're back to the user-observable latencies being too long.

100MB for 1 second just is not much of a deterrent.

Groxx 14 hours ago|||
Anubis is by far the least annoying throttler I encounter. Entirely agreed, just crank it up when you get a flood, I much prefer waiting a couple seconds to interacting with custom UI for tens of seconds.

I'm so glad to see that (essentially) HashCash is coming back. Now we just need it for email, like it was originally designed for...

Aurornis 40 minutes ago|||
> just crank it up when you get a flood,

A few months ago there was a story posted here about someone who completely eliminated crawlers on their website with Anubis.

I think it was getting upvoted before users were clicking the article because if you did, you had to leave the Anubis PoW page open for several minutes before you could get into the site. The Anubis difficulty scale is unintuitive and the difference between a small delay and becoming unusable is easy to cross.

Gigachad 9 hours ago||||
I looked this up and realised it’s the page I’d seen briefly on a range of websites lately. It’s not annoyed me at all. Not nearly as much as having to complete captchas with slow refreshing tiles.
TomatoCo 1 hour ago|||
I've usually been more annoyed at the surprise dissonance of "was that an anime girl on kernel.org?" than annoyed at the delay.
inigyou 5 hours ago|||
A fun fact about Google captchas: they've often decided whether you will succeed or fail the captcha before you do the captcha.
zahllos 1 hour ago|||
I implemented something similar for my bot defences. If headless chrome is detected you still get the same anubis-style PoW but even if you submit the right answer you get rejected.
RickHull 4 hours ago|||
This seems nonsensical. Care to elaborate?
anon7000 1 hour ago|||
The captcha itself (matching pictures to text) is mostly for ML training data. I think pass/fail is mostly based on heuristics like how you moved your mouse which could get analyzed before you complete the captcha. https://www.techradar.com/news/captcha-if-you-can-how-youve-...

reason why is 1. Google and others really needed the training data, and 2. it probably helped justify the cost of providing the captcha service for free worldwide (old free tier was 1M/mo)

acdha 1 hour ago||
[dead]
inigyou 4 hours ago|||
If Google determines you're an undesirable user, doing the captcha is just an exercise to waste your time.
boramalper 4 hours ago|||
I certainly experienced this (the vicious try-again cycle) but curious if you have any sources for this?
applfanboysbgon 1 hour ago||
A person's testimony is a source. I can add mine: you can tell when you're truly blocked because if you click for the accessibility audio-based captcha it will actually tell you you're blocked (but, if you did the visual captcha, would simply loop forever while telling you you did it wrong).

I don't think you'll find an article by Google saying "yes, we sometimes completely block users while making it look like they're not blocked and wasting their time".

herpdyderp 2 hours ago|||
That explains why I can never get past Google's captchas! I don't even automate Google searches, I wonder why they don't like me.
j027 1 hour ago||
Depending on the IP reputation as well as the kind of IP address you have, this can happen.

Google also prefers if you have a Google account logged in.

miyuru 8 hours ago||||
For me Cloudflare is worse, it takes more than 5 seconds, where as anubius take 1-2 secs.

funny with all the IP information they have, cloudflare cannot do a better job. (I am on IPv6)

and most of the time, its on marketing product pages like in framework main site, which can be cached.

freehorse 6 hours ago||
Imo the worst is recaptcha. At least with cloudflare the work you have to provide is minimal. With recaptcha it can take me much longer than 5 seconds, and lately I have trouble even completing their challenges correctly. Nowadays if I see a (recaptcha) captcha I drop the site unless I must visit it for some reason, it is not worth the time, the effort or the annoyance.
miki123211 5 hours ago||
Most CF / Recaptcha problems are users going "off the golden path", and not realizing that their config changes are at fault.

If you're on a consumer router, using a mainstream stock browser with stock settings (maybe plus uBlock Origin), with your Google account logged in, it's very, very likely to just work. If you're part of the .01% of users with opinions about that sort of thing... you're not worth optimizing for.

freehorse 5 hours ago|||
At least for me, CF is fine; recaptcha is the only one I really have problems with.

I dont care what recaptcha wants to optimize for. I dont think that using a vpn is that a rare thing anyway. If others have figured out how to do it without requiring spending 30 seconds to solve a captcha, I dont see why websites still use recaptcha/captchas for that.

And that it is "my fault" not being logged into google I was least expecting to see here.

aand16 1 hour ago||
> that it is "my fault" not being logged into google I was least expecting to see here.

Parent was just starting a fact of how our digital overlords determine the probability of your browser being a bot. Why take it personal?

Cakez0r 5 hours ago||||
If you don't live in a first world country then you will also find yourself on the "too bad, don't care" list.
aiiotnoodle 5 hours ago|||
A lot of users also run cheap cracked fire sticks and other low reputation hardware that's proxying their residential traffic for nefarious reasons which makes all the big providers put up their guard.
alightsoul 13 hours ago||||
From my understanding this is also how cloudflare bot protection has worked for a long time, and then they look for entropy in user input to confirm the user is human. Also how recaptcha without images works.
jazzyjackson 8 hours ago|||
Google and Cloudflare both are not just looking at entropy of mouse movements, that was cracked years ago, they are fingerprinting you and correlating your session with all your activity cross domains to score your botlike behavior.
potamic 6 hours ago|||
I doubt they are doing it. You just have to get on a VPN to and see yourself being flooded with captchas despite browsing the web like a normal human and solving dozens of captchas along the way.
alightsoul 4 hours ago||
I guess that raises the bot score given that the vpn IP is a data Center IP and thus in a lot of ban lists
acdha 1 hour ago||
Also some of the free VPN apps support themselves by proxying this kind of traffic:

https://www.kaspersky.com/blog/what-is-wrong-with-free-vpn-s...

alightsoul 4 hours ago|||
Which also involves detecting entropy across sites I guess
fc417fc802 5 hours ago||||
Supposedly, but not really. I regularly encounter sites where cloudflare serves me with an ambiguous ban notice rather than a proof of work. What's worse is that these apparent IP bans take effect even if I already had a valid active session (ie previously passed the check).

Yes, a VPN involved. That doesn't make it okay and notice that anubis by default works without issue (though possibly with a more difficult challenge) in the exact same scenario.

alightsoul 4 hours ago||
There's lists of data center IPs. You're probably in them and That's why you're getting banned
Rebelgecko 2 hours ago|||
Cloudflare often just straight up blocks me or makes me do a captcha. IMO those are both much worse than Anubis
Chu4eeno 10 hours ago||||
Except when it throws you into a reload loop. It's pretty buggy, and trivial to bypass.

And contrary to grandparent, PoW only worked because it was a novel thing to work around, a simple "type human" prompt would've worked as well.

When anubis gets widespread enough users will still run the PoW in javascript or whatever while the scrapers will run much more optimized native code, so no, it doesn't scale.

harshreality 7 hours ago||
Putting aside the question of whether it will continue to work, even somewhat, against botnets, I find your first paragraph confusing.

Reload loops, or being able to "bypass" anubis (unless you merely mean bypassing it for the token validity period by solving a challenge), sound like misconfigurations. There's no reason for anubis itself to cause reload loops; it's tricky to configure a webserver to use it in some scenarios.

Any ability to bypass anubis probably means the site is using it in auth/challenge mode only, and then misconfigured their webserver's auth checking. Or it's a bug. If you mean the double-spend tavis mentioned in his blog post which previously made the HN frontpage, that was patched right after it was reported to the maintainer almost a year ago.

jimmydorry 10 hours ago|||
PoW barely affects the "residential proxies" aka. malware botfarms. The IPs are free for them and siphoning additional system resources for PoW doesn't matter at all for them. PoW only affects the large centralised scraping by the AI providers, which are not operating behind "residential proxies".
inigyou 5 hours ago|||
Residential proxy bandwidth is extremely expensive, comparatively speaking. It can be up to $1 per GB but is more typically about $0.20 per GB.
anonym29 6 hours ago||||
Most users of residential proxies just get a SOCKS5 address and routing, they don't actually get computational resources of the infected systems beyond that. The user of the proxies, the operator of what the article describes as a control node, would be the device responsible for the PoW.

Do you have any evidence that AI providers aren't using residential proxies?

tgsovlerkhgsel 5 hours ago|||
If you pop my machine and use it to route 100 MBit/s, I might not notice for months.

If I hear the fan spinning at night, you're probably getting caught immediately.

If you pop my mom's TV box and use it to route data within the connection's capabilities, you're getting away with it. If you consume a little bit of resources, still. If you consume enough to be useful for these kind of challenges, chances are her TV playback will start to stutter, which will be resolved by taking the compromised TV box, and removing the malware using advanced mechanical means called "a trash compactor".

gruez 3 hours ago|||
>chances are her TV playback will start to stutter

video decoding is hardware accelerated, and there's probably enough excess compute to be able to do some sort of PoW challenge. Besides, unlike humans, bots aren't in a hurry, so they can spread out the work across a long time to minimize disruption.

ambigious7777 3 hours ago|||
the device acts as a proxy. i don't think any browser is running on the device, it is just forwarding packets.
mootothemax 11 hours ago|||
> The anubis author has stated they recognize it's an arms race, but PoW scales.

The scraper wars are largely between script kiddies and people with both deep intimate networking and DOM knowledge. Yes greyhairs, I’m looking at you.

The problem is, you can’t PoW every page load and resource request because the user experience will suck and people will run away. And that window - the gap between what people will tolerate vs draconian enforcement - is exactly what the scrapers exploit.

And looking at the PoW options out there - I’ve seen at least one PoW WAF (honestly can’t remember if azure or amazon) have their PoW boil down to repeated trigonometric functions, ie very optimisable.

It’s a neat concept, but the answer and future to my eyes look bleak.

miki123211 5 hours ago|||
Oh, but you can PoW every page.

Your typical end user doesn't switch IPs that often, so it's fine to Anubis them again when they do. A scraper, on the other hand, has a tradeoff to make between rotating ips often (requiring a challenge on every request) or keeping only a few IPs (making cross-request identification much more valuable and reliable).

Aurornis 36 minutes ago||
> Oh, but you can PoW every page.

They meant you can’t PoW every page transition.

If clicking every link on your website throws you back to another Anubis page for 2-3 seconds, users will bounce.

That’s why Anubis does an up front challenge and then you’re good for a while. It’s a really low cost for the scrapers.

harshreality 9 hours ago|||
Anubis's default 1-week token lifetime may not be nearly enough to dissuade enough scraper networks to make a difference, particularly with the default weight->difficulty level hierarchy, but that's for individual site admins to determine.

We can all argue based on how we envision "ideal" scraper networks being run and whether the web-PoW concept would stand up to that. However, what matters at present is that anubis helps many sites cope with misbehaving bot scrapers written by the script kiddies you mention, who don't care if the internet burns as long as they finish their scrape 1 hour faster. If anubis motivates them to devote a few brain cells to make their scrapers smarter, they may also fix the scrapers to not take down the sites they're scraping.

PlasmaPower 13 hours ago|||
I don't think PoW scales, because if the bot authors get serious they'll start using native implementations that are much more efficient than the web ones real users are running. In theory maybe Anubis could start using WebGPU to help close that gap, but then anyone without WebGPU support is out of luck.

Then again, a large portion of the problem seems to be bots making way too many requests and in general not being optimized in the first place, and this does help filter those out.

fc417fc802 5 hours ago|||
If that happens the browser engines (all what, 3 of them?) can add a PoW API to call into native code. Or a pathologically scalar algorithm can be adopted so that wasm is good enough. RandomX or something close to it probably qualifies.
ammario 11 hours ago|||
There are PoW approaches that even the playing field between data centers and desktops. RandomX is my favorite.
xena 11 hours ago|||
For what it's worth I'm working on hashx support. It's just going to take a bit to ship while I do browser testing with broken browser configs.
mootothemax 11 hours ago|||
Interesting. How do they tell the difference between legitimate and forged ip owner records?
anonym29 6 hours ago||
It's not about traffic identification at all, but rather a hashing algorithm that is deliberately resistant to parallelization and GPU/ASIC acceleration, which shrinks the gap in solving speed between the fastest systems (i.e. datacenter-class compute resources) and typical systems (e.g. the CPU in your smartphone or laptop).
Sesse__ 4 hours ago||
Uh, is it resistant to parallelization across multiple sites? Because that's the situation for the scrapers. They're not trying to solve a single PoW challenge across many cores.
anonym29 4 hours ago||
Typically, the machine doing the content processing, including solving PoW, is the centralized "control" node described in the article, not the machines who's IP addresses are being used. In typical residential proxy networks, the residential proxies are exposed to the customer (the person paying for and using the proxies) as just SOCKS5 addresses, and no computational power from those compromised devices is made available for the scraper besides that used to power the SOCKS5 server itself, the customer is just paying for the transport and address (and indeed, is often billed on either a per-GB or per-IP basis).

In effect, if the customer (the entity paying for and using the proxies) wants to solve PoW challenges through those connections, it is indeed the customer who must pay that compute cost, not the compromised devices.

Note that this is the case for a majority of, but not all, residential proxy networks, which often are built through quasi-voluntary distribution channels, including SDKs included in otherwise legitimate mobile applications distributed through Apple's App Store and Google Play.

These distribution channels tend to be categorically unavailable (or at least unreliable) for true RAT-style malware that enables remote operators to dynamically assign arbitrary computational workloads to client devices.

This isn't to say that true botnets built with actual malware delivered through either software exploits, phishing attacks, or watering hole attacks don't also perform as residential proxy networks, but such categories are a relatively small subset of all residential proxy networks, and there are much higher ROI malicious activities to be performed on these devices rather than serving as relatively mundane traffic networks for scraping.

Sesse__ 3 hours ago||
That's a completely different question, your claim was about parallelism.
setupminimal 4 hours ago|||
Well, we don't use a captcha either. If it were a choice between a captcha and a proof of work system, we'd have to reevaluate things. Luckily, for now, we're able to get away with a much lighter touch.
m463 14 hours ago|||
At least anubis works for me. (I run umatrix)

Unfortunately whatever HN is using routinely blocks my login with "Sorry."

some websites just always give me 403.

duskwuff 13 hours ago|||
> Unfortunately whatever HN is using routinely blocks my login with "Sorry."

I believe that's the HN application itself, not a WAF in front of it.

asdfsa32 13 hours ago||
HN is surprisingly very very guilty of a whole lot of anti-user patterns and behaviour that other companies get regularly lamented.

Poor accessibility, bad mobile support, no options to delete content beyond a narrow window.

hurfdurf 9 hours ago|||

   no options to delete content beyond a narrow window.
Good.
pocksuppet 57 minutes ago||||

    Poor accessibility
Good.
kps 2 hours ago||||

   bad mobile support
Good.
nkrisc 1 hour ago||
Why is that good?
ambigious7777 3 hours ago|||
i personally like using http://hcker.news as a reader, its much nicer
Chu4eeno 10 hours ago|||
[dead]
geocar 8 hours ago|||
> but PoW scales

Not if the honest party is doing it in a browser: The same computer can so any POW so much faster in C than any amount jf JS and WASM that it will never ever ever be a contest.

> becoming much more obvious and easy to block, or they have to use massive amounts of compute.

If you believe this, please contact me: I think compute is free[1] and can probably help you out.

[1]: https://news.ycombinator.com/item?id=30175269

swinglock 8 hours ago|||
Can you not design a PoW that is most efficient in a browser? Don't brute force hashes like Hashcash/Bitcoin, do something similar to RandomX instead but in JS. Browsers ought to run the fastest JS interpreters already so if interpreting JS becomes the bulk of the work, that attack might not work. Maybe even involve the DOM or whatever else makes sense.
dorgo 7 hours ago|||
[flagged]
noncoml 11 hours ago|||
Or you can go full Reddit and just block anything that seems even remotely suspicious.

Your sibling, roommate, neighbor that uses your internet, previous IP owner, posts too much? You get blocked too.

Using VPN? Blocked.

Your iPhone is too old, blocked.

Your screen brightness too low? Believe or not, blocked.

ValdikSS 9 hours ago|||
My forum got scraped so hard that the ISP blackholed the IPv4 several times a week.

I've ended up putting only IPv6 on the domain. It's running this way for 2 years already.

rwmj 10 hours ago||||
Even worse, not blocked, shadowbanned.
MikeRichardson 8 hours ago||||
Parks and Rec reference?
lsaferite 10 hours ago||||
> Your screen brightness too low? Believe or not, blocked.

... What?!

pineapplepizza6 4 hours ago|||
[dead]
armchairhacker 9 hours ago|||
PoW can theoretically scale effectively infinite because it can mine cryptocurrency. Millions of compromised IoT devices hitting your server? Now you have enough money for a faster server.

It doesn’t matter that the challenge must be verified: present multiple challenges, some are verified while others mine crypto.

Sesse__ 1 hour ago||
This is called “installing a cryptominer on your web page” and is generally considered illegitimate.
mschuster91 4 hours ago|||
> The dilemma for bots: when tokens are bound to the connecting ip, scrapers must limit the connecting IP pool for each site they want to scrape, becoming much more obvious and easy to block, or they have to use massive amounts of compute.

You can't do that any more. Too many ISPs, especially mobile carriers, don't hand out anything resembling a fixed IP address any more. It's CGNAT and constantly changing IP addresses alllll the time now.

pocksuppet 55 minutes ago||
On a small enough site (even LWN might qualify) the chance of two random sets of client IPs intersecting can be quite low.

Private trackers do this. If they ban a user that geolocates to a certain city and ISP, they'll ban new signups from that city and ISP because there's probably only a few users from the same city and ISP. And then report to their friends at other trackers, that a user with that city and ISP is trying to evade a ban.

iiiwio 8 hours ago||
[flagged]
mips_avatar 20 hours ago||
I feel like the solution is a better common crawl. As nice as it would be to block the frontier AI labs from getting access to information, we should reset the baseline of information accessibility so there's less marginal advantage on these labs.

I worry a lot of the anti scraping rhetoric will just injure the open web and put somebody like cloudflare in charge.

andai 17 hours ago||
What really confuses me is ... people always say, it's because companies are gathering data for AI training. Then why would they need to scrape the same page thousands of times per day?

Edit: the article says millions of times per hour? (!?)

The article is also astonished by this, and speculates it might be some kind of underground AI labs but... millions of them? Or does it only take one with too much money and a badly configured scraping setup?

dgacmu 3 hours ago|||
I had meta's crawler hitting the pi searcher at something like 5qps for days on end, just ... querying for substrings of pi, ignoring robots.txt, etc. it wasn't enough to break anything but it triggered a lot of alerts.

I can imagine that sites with dynamic content and potentially unbounded query types or pathnames are in danger from particularly stupid crawlers.

leros 8 minutes ago||
Meta has hit me with over 1,000 requests per second. Luckily it tripped my rate limiting but geez.
szatkus 2 hours ago||||
I always thought it's the web search tool.

Grok actually shows a number of sources used for an answer. Once I asked it something simple and it apparently scanned 200 different websites. And it was just a short prompt. Now imagine millions of users asking for something multiple times a day.

bigiain 12 hours ago||||
> a badly configured scraping setup?

Cynical-me assumes every single AI company is vibe-coding everything, and _all_ their scrapers are as badly written as the typical publicly available scraper code and tutorial - mostly written by self promoting spammers and SEO "experts" in the late 2010s.

Any they all DGAF about wasting website owners server/network resources, of the CPU and network resources of the "dumb schmucks" who have a free vpn installed or a factory-hacked cheapo media box or mobile game the developer has surreptitiously monetised with a residential proxy sdk.

It also wouldn't surprise me at all to find there are dozens of competing training data acquisition teams at every frontier and wannabe frontier AI company - scraping the entire web in parallel to meet internal KPIs. Half of which have lost entire datasets due to vibe coded storage and archive setups.

pineapplepizza6 3 hours ago||
[dead]
mips_avatar 15 hours ago||||
I kind of wish the recent Google monopoly court ruling had forced Google to open up their index to anyone, not just Perplexity/other big players.
catdog 13 hours ago||
That's really a huge issue right now (to some extent even before the AI hype) that almost everywhere google is effectively the only entity explicitly allowed to scrape.
andai 1 hour ago||
Yeah. It was always like that. It's like that comic Know The Work Rules ;)
catdog 13 hours ago||||
Maybe they have just too much money at hand, would not surprise me, people are still investing into gen AI like there is no tomorrow. Also, for the completely criminal operations, you only have to find a way to infect and distribute your bot to, e.g. some common internet of shit device. Scaling is basically free afterwards as you don't need to ask anyone. The article also hints that those are actually the biggest problem.

Then there is probably also a lot of time pressure on the people implementing and operating those scrapers so they have even less incentive to optimize their code.

armchairhacker 9 hours ago||||
It should really just be called DDoS, at a certain level of incompetence intent doesn’t matter. You’re right that there’s zero (information gathering) benefit over reasonable scraping which wouldn’t cripple the site.

Who’s doing it, are they even using the data?

procaryote 8 hours ago||||
750k items in their content management sysem. N independent labs crawling wanting to check that every day could easily give bursts of millions per hour

Millions per hour is tens per second though; perhaps the fix is performance improvements

setupminimal 4 hours ago|||
We have put in a number of performance improvements, yes. The nice thing about those is that they also make the site snappier when it's not under load. Right now we have just over a million items in our CMS, plus our publicly available mailing list archives, which are much larger, even if they're less frequently referenced.
andai 1 hour ago||||
Yeah we can just rewrite the web servers in Rust ;)

That'll be great until.. they rewrite the scrapers in Rust! Then we're really hosed!

Jabbles 7 hours ago|||
1,000,000 / 3,600 = ~278
axus 12 hours ago||||
Maybe someone is paid per scrape, without reduction in payment for duplicates.

Maybe every web query for Linux commands in $LARGE_COUNTRY checks all the Linux websites again.

cyberax 13 hours ago||||
Hah. I have a homelab with a couple of sites, including a personal Forgejo installation.

Last night my server turned off because it went into thermal protection shutdown. Turns out, my all-in-one cooler has inoperative fans, which I normally never really notice. The passive heat dissipation from the water cooler is more than enough.

However, this time they hammered my computer for 12 hours with about 200 requests per _second_ to my Forgejo.

ezst 12 hours ago||
The paradox of them selling "intelligence on demand" or "coding agents rivaling the best developers" and yet having dumb as fart bots/scrapers is lost on many. But not all.
alightsoul 13 hours ago||||
Maybe they are aggressively scanning for updates on the page
inigyou 5 hours ago||||
It isn't. AI scraping has nothing to do with it, for the reasons you said. Someone wants the web to go offline, they are DDoSing the entire web, and it's working. For some reason we are tackling the symptom instead of finding out who that person is. Come on, it can't be that hard to subpoena Bright Data. The law enforcement system knows how to track down someone who's trying to be anonymous on the internet.
andai 1 hour ago||
So who would benefit from the entire web going offline?

Which powerful entities have historically hated a free and open internet?

...all of them??

stavros 9 hours ago|||
It's not AI companies scraping these websites, it's AI companies creating a massively profitable need for data, and every random Joe with vibe coded scrapers tries to make a buck out of it.
ronsor 13 hours ago|||
Ironically in early 2023 a lot of websites went out of their way to block Common Crawl. Unsurprisingly that shifted scraping toward individual actors whereas the previous solution in research was to download CC dumps and process them.
ccgreg 11 hours ago||
We aren't sure if that really made a significant difference in Common Crawl's data quality. It does hurt our dataset from a humanities point of view, alas.
II2II 12 hours ago|||
I'm sure there are those who would participate, either because they want their data to be captured by AI labs or as a form of compromise.

That said, the approach is flawed. It looks like the people doing the scraping want everything. There are some people who do not want their data to be captured by LLMs. A common crawl would make it easier to those people to opt out, limit what is captured, or to poison the data. (I'm assuming the only way to avoid fragmentation is for the crawl to be done in the open and by consent.) Then there is the question of who would pay for the crawling and hosting. You could try charging for access to the dataset, but that would only encourage others to develop and sell their own dataset (especially since there are likely many who would want their interest in such a dataset to be confidential).

ccgreg 11 hours ago||
If you're referring to Common Crawl, which has existed since 2008, indeed your predictions are somewhat accurate. It's easy to opt out or limit what is collected. The crawling itself is inexpensive to us and the hosting is from the AWS Open Dataset Sponsorship Program. And there's no charge for downloading it.
mips_avatar 10 hours ago||
Thanks for making common crawl as good as it is. It’s a really important part of making the Internet better
ccgreg 9 hours ago||
Appreciate your kind words! Many people have worked at Common Crawl over the years, and it's been a labor of love fueled by positive comments like yours and the large list of PhD theses helped by our public web dataset.
jay_kyburz 19 hours ago|||
I agree, if up-to-data data was available somewhere else and free, there would be no reason to pay hackers and scrape.

You could perhaps even get website operators to "push" new data to a common crawl database. The scrapers would learn there is no value on scraping X domain because the data is available elsewhere more easily.

flaburgan 2 hours ago|||
Well this is not what is happening in practice, Wikipedia / Wikidata, OpenStreetMap, OpenFoodFacts... All provide APIs and even a full dump of their database available to download for free, but no, the stupid bots still DDoS them 24h/24.
pocksuppet 52 minutes ago||
Why don't they take legal action?
jay_kyburz 19 hours ago|||
How about a website header with a link to a static zip that contains the whole website in one hit. The Zip could be hosted on some big public sever. Perhaps even mirrored locally for each nation.
Symbiote 12 hours ago|||
I have essentially this at work, but the scrapers ignore it. (Or at least many, many scrapers ignore it.)
mips_avatar 18 hours ago|||
that's hard to do with rendered content, oftentimes the result depends on a backend service. Maybe you should make the service it's running public but that might be a line most aren't willing to cross.
jay_kyburz 18 hours ago||
I was thinking you scrape your own website every day in the middle of the night when traffic is low, and make that available. They can come and collect it every day if they want to.
mips_avatar 17 hours ago||
Yeah. Though I guess the point I thought of was like a deals site. That would have infinite pages and content
nobodywillobsrv 17 hours ago||
Feels like it would be a good time for freenet and the like to catch on.
georgyo 2 hours ago||
The article at the end talks about how is very easy for arbitrary apps from app stores can install a residential proxy on your phone.

10 years ago, apps had to explicitly state if they needed network access. And then the powers that be decided that really all apps need network access no matter what. And both ios and android make it hard to deny apps network access.

But really, this finally explains the hordes of really basic boring games that just advertise other boring games. Idle games and the like that really just want you to keep your phone unlocked and open. Millions of downloads on the app stores for entirely offline content (and ads) and no way to block the network access.

Aurornis 32 minutes ago||
The Bright Data “free” VPN they’re talking about requires the user to go through steps to enable it.

These aren’t as simple as downloading a free game and then the phone is compromised as long as it’s installed.

The users who install these things don’t care about permissions prompts. They’ll follow instructions to tap any prompt the instructions ask. They want the free thing and don’t care what they have to do to get it.

georgyo 11 minutes ago||
The article also talks about NetNut, which was embed in many apps released into the app stores.
dannyfritz07 1 hour ago||
GrapheneOS allows you to deny network access per app pretty trivially. Google Play services make it a bit more difficult because the app might marshall the network request through that; I'm not sure how to verify that behavior when it happens.
igoose1 8 minutes ago||
Thanks for mentioning GrapheneOS. I'll just explain to others what "pretty trivially" means here. GrapheneOS adds a huge checkmark "Network access?" when you install an app. It's impossible to miss.
sixtyj 19 hours ago||
The issue with scrapping is the intensity and volume of bots.

I think that nobody would care if I use wget or curl for few pages, e.g. because I would like to read a site as offline or archive it.

Btw average age of any page is 10 years. Deletion or structural change after acquisition is common, Signal vs Noise site recent wipe out could serve as an example why we need to archive sites.

ccgreg 18 hours ago||
A lot of websites want "bot defense" due to high volume scrapers, and that "bot defense" often also ends up blocking low-volume wget/curl and polite crawlers like Common Crawl's CCBot.
sumedh 18 hours ago||
Cloudflare can verify certain bots when they come from known ip addresses. So if your site is using cloudflare it can let CCBot if it has done the verification.
m463 10 hours ago|||
cloudflare routinely denies my human-piloted browser now, on many sites.
ambigious7777 3 hours ago||
you're not a bot thats irrelevant
pineapplepizza6 3 hours ago|||
[dead]
2000UltraDeluxe 6 hours ago||
> I think that nobody would care if I use wget or curl for few pages

If only you were the only one doing it...

setheron 1 hour ago||
https://fzakaria.com/2026/07/09/who-does-anubis-actually-sto...

I wrote about this recently as well.

dang 17 hours ago||
One article mentioned in the OP was discussed here:

Disrupting the largest residential proxy network - https://news.ycombinator.com/item?id=46802748 - Jan 2026 (221 comments)

fragmede 17 hours ago|
How does HN fare with scraper load? Is it just CDN and pay the extra bandwidth bill for anon hit requests?
dang 15 hours ago|||
It's really bad. I found myself identifying with everything Jonathan wrote in the OP - so much so that I thought of asking to compare notes on mitigation measures.
kordlessagain 1 hour ago|||
I came up with the idea and helped build Grub, the distributed crawler. Looksmart bought it, ran it for a time, then sold it to Wikimedia. I reclaimed the name recently (abandoned mark) and have a new crawler now that is agentic. I use it for my own research runs, and it's not my main focus at this point, nor am I trying to get it attention. A lot of LLMs and coding agents can easily fetch content if it is needed and we're blind to how they do it. See the Claude plugin for Chrome as an example of using it in a user-in-the-loop solution. That said, I've been spending a little time thinking about how to bake the contract into the crawler, as opposed to expecting someone else to act ethically using it.

Grub was, in a very real way, a botnet. And, we harmed site owners when we were operating at full capacity. There were a few bugs in the early days where we would reschedule a site because the ingestion in the server broke, which then caused the page to be rescheduled. Stupid error, and we fixed it, but it's illustrative of the fact even good intentions isn't enough here.

What I've come up with over the years is similar to the idea Cloudflare is implementing with payments to site owners by charging the crawlers. My objection to Cloudflare's implementation is based on a personal opinion about Cloudflare being a single point of failure and also a decrypted choke point. Their ideas about how to handle crawlers, and pay for the load on the sites is solid. It presumes to use the 402 response to demand payment. I'm clearly biased about Cloudflare, but that's my prerogative here.

It may be possible to solve this with cryptocurrency, in a distributed way, and I've prototyped a system that uses the Lightning Network to handle the payments from a 402 response. Lightning Labs also worked on a project called Apeture for a time that did something similar.

HN's site knows every item ID, and it knows fresh IDs get read in a predictable distribution while old ones mostly sleep. Sustained access outside that is itself the scraper signal. No IP reputation needed, which matters now that residential proxies burn an address after a handful of requests.

Karma gives you a clean way to let humans through. Issue logged-in accounts with decent karma a token whose cold-content budget scales with it (the karma), so an account with history scrolling back through a 2014 thread just reads it. Karma should gate the tier, not be spent as currency, or upvote rings become a crawling business.

Anonymous readers who deep link into one old thread from a search engine get the first fetch or two free (and you watch the article IDs, not the IPs). What remains after those carve-outs is bulk traversal of cold IDs with no identity attached, and that traffic gets rate limited and answered with a 402: pay per page over Lightning, priced at a healthy multiple of what residential proxy bandwidth already costs, or come back slowly for free.

There are probably holes in these thoughts. It's one of the harder problems to solve, for sure.

oasisbob 11 hours ago||||
As someone dealing with similar on a large site, I'd love to see a private community to discuss some of these issues.
cookmeplox 11 hours ago|||
I have a medium-sized Discord server of web sysadmin people (mostly wiki operators) that came together after I wrote a similar blog post [1] about how the LLM scrapers/resproxies are making it suck to run wikis. Not sure if there's other private communities out there, but feel free to email me if you want to join

[1] - https://weirdgloop.org/blog/clankers

BLKNSLVR 9 hours ago|||
Disclaimer: this works for my very small number of personal services that I run. I have no idea how this would (or probably wouldn't) scale at all. Also, the methodology I describe below is based on what I'm able to do technically, which is pretty much limited to bash scripting.

On my external-most device I have a firewall that logs addresses that attempt to connect to ports behind which there are no services, and therefore there is no reason for the existence of that traffic (at least as far as I'm concerned), and therefore I treat it as malicious.

The address is recorded and goes into a database.

Periodically, the database is dumped to a file in a format that the firewall reads, and all the 'malicious' addresses detected above are added to a list so that those addresses are blocked from accessing the legitimate service ports. (analogy: if you throw an egg at my outdoor wall, I'm not going to let you into my house through the door because I don't want egg on my furniture).

I have a blocking period of about 3 months - because the things I run are important to exactly a single person. A blocking period much shorter would be recommended to prevent the gross-overblocking of legitimate users who may have un-lucked into being assigned a residential IP address that was previously used in a proxy-scan-scam.

Discard this if it's a stupid idea at-scale, but I quite the like the 'idea' of it, and I made it work, mainly for the technical challenge.

Project is here on Github: https://github.com/UninvitedActivity/UninvitedActivity

dchest 2 hours ago|||
I did something like this using fail2ban for some time, but 1) it didn't help much due to the larger number of IPs, 2) it blocked widely used VPN services.
sunnybeetroot 6 hours ago||||
It’s a great idea but not sure for larger websites when these residential proxy platforms are using innocent user ip addresses. Then you’re left blocking innocent users. It’s a tough call.
inigyou 5 hours ago|||
Most residential users change their IP address every 24 hours.
khurs 14 hours ago|||
Ive been seeing a 'sorry' message occasionally when accessing older pages.

Is that a side effect of whatever you are doing?

dang 13 hours ago||
It was, but there were too many legit users getting affected, so we turned most of that off a few days ago. Are you still seeing it?
khurs 12 hours ago|||
Not in last day no.
dang 11 hours ago||
Ok that's good - if you get it again can you let us know at hn@ycombinator.com? We definitely don't want to exclude legit users.
khurs 7 hours ago|||
Yes will do
Aachen 4 hours ago|||
LI've emailed there in May and June about different topics and gotten no reply to a request to confirm receipt. Is there a backup method for when your algorithm throws people's email away without even informing the sender with a delivery failure notification?
dang 1 hour ago||
We get thousands of emails - far too many to even read them all, let alone respond the way we would like to.

There are other reasons why we might not respond, but overload is the main one.

Edit: I only see one email in the archive related to your account. It was from Sept 2024 and we responded to it. Are you talking about a different account?

Bender 17 hours ago||||
Not dang and not the person you are asking but there is no CDN. HN is just two servers running BSD one active and one standby. HN is all text so there is not much bandwidth usage.

I did an experiment and linked from HN to my lame blog site and disabled all my anti-scraping measures. Even with all the bots I did not see that much traffic. I suspect some people are specifically being targeted by very poorly configured or very poorly written archiving scripts. Just one example thread discussing this with someone on HN [1]. Each case of being targeted will require looking at generalized characteristics but most are easy to stop in my opinion and experience.

[1] - https://news.ycombinator.com/item?id=48416693

dredmorbius 17 hours ago||
And the backup is field-tested to fall over within a few hours of the primary ;-)

<https://news.ycombinator.com/item?id=32048148>

<https://news.ycombinator.com/item?id=32031243>

(AFAIK that specific failure mode has in fact been addressed.)

dredmorbius 17 hours ago|||
For one datapoint ...

I have a custom HN CSS which includes some formatting of different sets of user accounts. Admins, for example, get orange highlighting and a dragon emoji (for one does not meddle in the affairs of ...).

Also included are leaders, which is the one part of my CSS build script which is, or at least was until a few minutes ago, dynamic. Presently HN is returning "sorry" to my curl request. Given that I run that build manually a few times a month, it's not a matter of hitting HN with frequent scrapes. But HN has become increasingly scrape-hostile over time.

Back in 2023 I did a crawl of all of HN's front-page daily history (365.25 days/year * 17 years, so about 6,200 requests), to answer a question which had come up about what was/wasn't mentioned in submission titles. That scrape included a delay (probably either 1 or 10 seconds, possibly more, I don't recall which and may have run the fetch directly from the command line), and ran (initially) without issues. I don't think it would fly today.

I reported on findings at the time and several times since:

<https://news.ycombinator.com/item?id=36078578>

<https://hn.algolia.com/?dateRange=all&page=0&prefix=false&qu...>

fragmede 16 hours ago||
HN is exported to firebase, which you can hit directly, for that sort of purpose

https://github.com/HackerNews/API

dredmorbius 16 hours ago|||
I know that.

I've not worked with the API, and there's the blessing/curse (blurse‽) that HTML is a known, if poor, standard.

API always translates to "one more thing to learn, that's applicable to a single-use case". HTML scraping / sorting I can apply across multiple sites.

That said, a standard, say, JSON packaging of website contents available on request might be fun to have.

fragmede 14 hours ago||
I feel less bad hammering firebase in a "while True:" loop vs hitting HN's servers.
dredmorbius 11 hours ago||
12,000 times less bad? <https://news.ycombinator.com/item?id=48868910>
fragmede 4 hours ago||
Between me and you, I don't think Google would register that amongst the noise of just running the service anyway on their monitoring systems.

You're right to point out that if you're trying to get the contents of dead objects the API is of no use though.

dredmorbius 2 hours ago||
Google might not register it, but in some related testing, even a few hundred requests through the API (serial, not concurrent) takes much longer than a single "Past" page request would, even if the latter were substantially rate-limited. Of course, if those requests (to HN itself rather than the API) are blocked entirely, that's a moot issue.

On dead/flagged items, there's some value. Whilst the title/URL context aren't available, just knowing what fraction of submissions and comments are moderated is interesting data, and it is possible to construct patterns against specific accounts.

I'm frequently encountering what appear to be banned accounts. Being able to trace those through the API to see where and when they were banned, or now much moderated activity they're generating, can be useful. I'm relying heavily on the "/replies?id=<UID>&by=<moderator>" search endpoint (generally dang, tomhow, sctb, or pg as mod) currently to find out if there was a specific ban admonishment from a moderator. That's often but not always the case.

But it's not possible, say, to tell through the API what sites are banned. Looking at site history with "showdead" enabled can tell you that though, e.g.:

<https://news.ycombinator.com/from?site=synthetica.cloud>

(From the New queue, one of several "dead" submissions not flagged, suggesting a site ban.)

Hypothesizing an undocumented "site" API endpoint ... doesn't seem to check out:

    https://hacker-news.firebaseio.com/v0/site/synthetica.cloud?print=pretty
Returns:

    not found
(Similarly for "domain", "url", and "URL".)

And there's the "day" endpoint doesn't seem to work either, though it conspicuously does not report "not found", e.g.:

    https://hacker-news.firebaseio.com/v0/day/2025-07-10?print=pretty
(I've tried a few other date format variants, including Unix time (seconds) without success.)
dredmorbius 11 hours ago|||
Looking at the API ...

... it's starting to make sense, but ...

... the API is geared at requesting specific content items (posts, comments, users). There doesn't seem to be a way to directly make a request for a front-page history page (that is, the 30 items archived on a given date. Say, 2008-11-05:

<https://news.ycombinator.com/front?day=2008-11-05>

It's the collection of 30 items from that date I'm interested in. For my scraping, I don't actually need to further query the individual posts as I've got the elements I'm interested in (title, date, story position, URL, votes, comment count, submitter, site/domain) from the index page itself, parsed out of the HTML. The "Past" entries alone are a significant (though not huge) request load. To update the past three years would be about another 1,000 requests, which, if fulfilled and modestly rate-limited would hopefully not keel the servers over.

Once I've pulled in those "Past" pages, I could of course do further API queries, though at this point I don't see any specific need to do so.

I suppose that requesting the "past" links be included in the API set could be a request I might make of HN, or the ability to request, say, all submissions (or comments!) for a given date.

There are groups which have done HN analytics in the past using the API, for example Whaly.io:

"A Year on Hacker News" <https://news.ycombinator.com/item?id=31295219>

"Top Hacker News commenters of 2021" <https://news.ycombinator.com/item?id=29778994>

"What Happened This Year on Hacker News (2021)" <https://news.ycombinator.com/item?id=29769470>

I could look more into their methodology to see if I can use similar approaches.

The existence of "dead" and "deleted" values does seem interesting. I might do some playing with those to see what shows up (I suspect that most additional information is suppressed...)

OK, looking at a recent dead atomic128 comment:

  $ curl -s 'https://hacker-news.firebaseio.com/v0/item/48820709.json?print=pretty'
  {
    "by" : "atomic128",
    "dead" : true,
    "id" : 48820709,
    "parent" : 48819517,
    "text" : "[flagged]",
    "time" : 1783444517,
    "type" : "comment"
  }
So userID is visible.

And from a current dead submission in the New queue:

  $ curl -s 'https://hacker-news.firebaseio.com/v0/item/48868688.json?print=pretty'
  {
    "by" : "millwright-sw",
    "dead" : true,
    "id" : 48868688,
    "score" : 1,
    "time" : 1783743361,
    "type" : "story"
  }
That's missing the title and URL, as I suspected it would, though the submitter UID is available.

To get top stories by date I'd actually have to submit more requests, walking through item numbers, splitting out comments and stories. Based on Whaly's 2021 retrospective, with about 4.2 million items (stories + comments) posted in total, that's about 12,000 items per day. Versus, well, one "Past" page result...

jappgar 2 hours ago||
I was involved in both sides of this battle over ten years ago. Things haven't changed all that much.

It's important to note that neither side has moral legitimacy. Not everyone who carries a rifle is a enemy. Not everyone wearing body armor is a saint.

I have given up on the idea that "human vs bot" matters at all when it comes to anything other than voting (which should only be done in person with paper and pen, by the way.)

You could make an argument that "likes" are a form of voting, but you shouldn't. We need to abandon the idea of supposedly democratized algorithms and focus instead on actual democracy.

tingletech 20 hours ago||
The comments are not showing up for me now, but when they were still showing for anonymous users, there was a link to https://commoncrawl.org. I've been sort of worried about letting agents hit websites, I wonder if a fetch_url agent tool could be made to look in common crawl first before hitting the web for it?
colinsane 17 hours ago|
just their smallest dataset looks to be 6 TB _compressed_. not a thing you can really ship as part of the agent. but if somebody made a fetch_url tool that sharded that across all users of it, i'd give it a try. could probably just layer that on top of bittorrent or IPFS or something.
binarymax 14 hours ago|||
It’s not that hard. I’ve done this. The list of URLs for a crawl is several hundred gigs. Easily fits in a lookup index on a single instance.
dylan604 14 hours ago|||
If you scrape 6TB from across the web or grab it from one place, it's still 6TB
everfrustrated 19 hours ago||
I wonder how much of this is traffic caused by peoples agents using web tools causing searches and fetches rather than general trawls of the internet.
corbet 19 hours ago||
Very little of it. When you see a million IPs systematically working their way through your URL space, it's pretty clear that there's a central control node behind it all.
everfrustrated 19 hours ago||
Your earlier article suggests you aren't using a CDN. Might be well worth looking into - not for any bot detection so much as just having a good old fashioned cache in front of you.
solid_fuel 5 hours ago|||
Caches only help for pages that have been requested recently. The behavior of crawlers - going from one page to the next across the whole site - will probably not be mitigated significantly by a cache.
mplewis 11 hours ago|||
As someone who operates a wiki, this does not solve the problem.
noxvilleza 18 hours ago|||
Most well-known/large agentic web tools I've seen are actually super honest about who they are -- even when they write out scripts they're very keen to identify themselves using user-agents. Most of the time those tools are fine - it's the ones that happen to have a random choice of the 5 most common Chrome/Firefox user-agents making sequential scrapes but cycling through IPs on African and South American residential IPs that are the problem!
TurdF3rguson 17 hours ago||
Yes I've seen it. ClaudeBot will gleefully announce itself when it hammers my niche website a million times a day.
pixelesque 9 hours ago|||
Semi-off-topic but...

On my sites, I see ClaudeBot consistently (and has been like this for over a year) ask for "${SITE}.com/base_dir1" and then get the redirect (Caddy does this automatically) to get "${SITE}.com/base1/base_dir1/" (trailing slash).

The hrefs on my sites include the trailing slashes for directories, so looks like ClaudeBot's internal code is stripping them off before requesting them, and therefore essentially makes almost 2x the requests to my sites for directories, half of them ending up being redirects back to the same url but with the trailing slash.

noxvilleza 16 hours ago|||
At least those bots are easy to block though. I run a niche stats website for an esport and I have no idea why there's loads of residential trawlers/botnets with 10k+ IPs trying to get that data - most of what they scrape is directly available from Valve's APIs.
TurdF3rguson 15 hours ago|||
> I have no idea why there's loads of residential trawlers/botnets with 10k+ IPs trying to get that data

Probably as simple as the fact that there are unmetered residential proxy plans, which means once you're already paying for one, there's no reason not to use it for everything.

inigyou 5 hours ago||||
If you block it, it comes back with a residential proxy network and headless Chrome. Better not to block based on the obvious signs.
solid_fuel 5 hours ago|||
Blocking is too obvious. I would prefer to feed back false information but only to LLM crawlers.
dawnerd 18 hours ago||
I've seen some logs where a bunch of random ips were hitting a client's search endpoint feeding what looked like user questions to it. Of course none of them returned anything useful but it was causing a lot of strain and even causing the site to go down (gotta love wordpress's stock search).

I'm guessing the training companies are taking real/synthesized user queries and trying to distill what they can from site searches.

ArtTimeInvestor 10 hours ago|
In theory, proof of work that is used to mine a cryptocurrency could be a solution.

Bitcoin and others are already secured via massive pow computations. If we could shift that into browsers, no additional energy would be used and we could solve an issue that has been unsolved for too long: How to pay websites that provide useful information other than with ads.

The question is which resources typical consumer hardware has that large centralized compute power does not. In-browser POW to pay websites would only be possible if such a resource exists.

I am not familiar with the topic, but maybe CPU power and memory? Both seem significant in a typical consumer device.

Napkin math: If a consumer device can generate $100 per month, that would be 100/30/24/60/60=$0.00004 per second. If the user waits for 5 seconds before the first pageview, that would then make the website provider $0.0002 per visitor. Serving a million visitors per month is nowadays easily possible on a $10/month machine. So the $0.0002x1000000 = $200 would make the website a nice profit.

RetroTechie 1 minute ago||
Better skip the PoW part as it'll be wildly inefficient for most of the work done.

Instead, exchange web traffic for actual $. Say, some kind of tokens that are easily turned back into hard cash through a 3rd party.

Requesting a 100KB file? Okay, that'll be a $0.00002 token, please! (visitor's user agent provides it in a manner transparent to regular web users). Requesting a 3MB image? Okay, that'll be a $0.0005 token, please!

Result: niche websites earn hard cash. It doesn't matter much if you're hammered as long as the hammering comes with a corresponding flow of tokens (read: $). No token(s)? No service.

Regular web users would pay for those tokens through their normal internet service fees, and otherwise not be bothered. Massive scrapers would have to pay somehow for the tokens to be served web data at all.

In effect: put the bulk of public web sites behind a paywall. But with the bar low enough & in a manner that it's transparent for regular web users. Clicked "reload" by accident? Oops, internet service bill got upped by 2 micro-$.

EffrafaxOfWug 3 hours ago|||
First of all I am very critical of the $100 per consumer device per month figure.

Also all major browsers block crypto miners on webpages now (for good reasons) so it may prove difficult to allow "good" mining scripts while still blocking "bad" ones.

I don't think this is a practical solution

Loic 10 hours ago|||
Proof of work, even "custom", where the user does not need a particular interaction with the page, does not work. The scrapers are running headless Chrome and solving the work. They do not care, they do not pay the bill, the compromised system's owner pays the bill.

I have such system for the registration form on one of my website to prevent the double validation of emails to be used to spam emails of victims. The PoW challenge prevents less than 10% of the bots.

ArtTimeInvestor 9 hours ago|||
Thats why I said proof of work that is used to mine a cryptocurrency to pay the bills of websites that serve information.

As long as the website gets paid more than the cost of serving the pages, it does not matter if a human or a bot did the POW.

Securing signup forms is another issue. Maybe related. But not what I was referring to.

Loic 8 hours ago||
Very good point, I missed the point that the PoW is paying the publisher. I will have to dig into this, this is a pretty nice idea.
inigyou 5 hours ago|||
Residential proxy users don't get to run computation on the proxies.
karlgkk 10 hours ago|||
Proof of work captchas are widely deployed, especially on more niche sites. Kiwiflare is one (used for a harassment forum)
inigyou 5 hours ago||
You could've just said Anubis to avoid giving those guys advertisement.
emil-lp 9 hours ago|||
Proof of work doesn't help if the abuser is massively decentralized and is using other peoples moneys.
coredev_ 9 hours ago||
They discuss why this might be a bad idea in the article.
armchairhacker 9 hours ago||
They discuss why proof of work is bad, not crypto

> partly because it causes annoying delays for those trying to get to the site

This is true but usually a small issue. It’s further alleviated by cached tokens so you only have to solve the challenge once in a while per site, and a login token may let you skip it.

> partly because it seems inevitable that the scrapers will eventually find their way around it…A proof-of-work requirement is not a huge obstacle when you have millions of other people's machines to do the work on.

Solved by making money off it.

More comments...