Top
Best
New

Posted by chmaynard 23 hours ago

An update on residential proxies and the scraper situation(lwn.net)
288 points | 300 commentspage 3
rao-v 17 hours ago|
I’m skeptical that the problem they are trying to solve is truly unreasonable bandwidth demands.

Sometimes it feels like what people want is to only serve websites and content to good normal users but not evil bad “scrapers” (because maybe maybe your content will be monetized in some nebulous way) but … you put your content up publicly on the web! That should be part of reasonable use!

EDIT: Lwn.net is perhaps not a fair target of my ire.

“There is also a desire to not impede the operation of legitimate search engines, the Internet Archive, and other such groups. Some sites may add explicit allowlists to, for example, give the dominant search engine access to the site. Such measures have the effect of further entrenching a monopoly that already serves us poorly and should be avoided. We have, thus far, succeeded in that.”

Is reasonable! Many others are not

duskwuff 14 hours ago||
> I’m skeptical that the problem they are trying to solve is truly unreasonable bandwidth demands.

Not necessarily bandwidth demands so much as processing demands. Scrapers have a tendency to hammer on parts of web sites that are computationally expensive to generate - e.g. search results, diffs and blame views in git forges, sorted/filtered/paginated lists, etc. Ordinary users may click a few of those links for things they want to see; scrapers will try to request all of them, even when 99% of them are redundant.

wiredfool 6 hours ago||
What’s more, they will scale up with increased resources on the site.

If you redline at 20 searches a sec, and put in 4 more workers, suddenly you’re serving 100r/sec to the bots, paying 5x for it, and your users are still seeing shit qos. I've seen multiple cores of nginx saturated just dealing with one dos/crawl run on a somewhat high profile site.

solid_fuel 7 hours ago|||
I don't think people sit around going "Grrrr who can I ban next?". Instead this stuff gets noticed because you see the webserver at 99% CPU utilization for 2 days straight, check the logs, and see you are somehow getting crawled by half the IPs in New York City.
Catloafdev 16 hours ago|||
If it weren't a real problem, these types of articles and services wouldn't exist.
inigyou 7 hours ago||
Plenty of complaints exist about things that are not real problems.
Catloafdev 2 hours ago||
Well that's not what's happening here, lol.
TZubiri 16 hours ago|||
Why the air quotes? Evading a ban and using (potentially ill gotten) residential ips to circumvent that refusal of service, is a bad actor.
inigyou 7 hours ago||
Surely that depends on the motivation for the ban.
hananova 5 hours ago||
No. When someone says you’re not welcome, you’re not welcome. Regardless of the reason.
inigyou 4 hours ago||
If I get kicked out of Epstein island because I refuse to **** a child, that doesn't make me a bad actor.
TZubiri 2 hours ago||
And then going there 1 million times under fake identities? Yeah, I'm sure that's not a bad actor.
trucks-refinish 15 hours ago||
[dead]
cyanydeez 22 hours ago||
mmm, in many cases these residential proxies are media boxes, and they consent as much as anyone else consents to what amazon, or google or facebook does; it's buried somewhere in the recesses of the TOS.

The question is more about why the US and others can't properly enforce the bullshit all this amounts to.

SR2Z 20 hours ago||
Because this isn't clearly against the law, nor should it be. If websites want to ban based on IP address lots of innocent users get caught in the cross-fire.

I'm not sure what the solution would look like - maybe Cloudflare's payment required for requests beyond a certain limit? But I think that the world needs user freedoms now more than ever.

bell-cot 21 hours ago|||
"He who has the gold makes the rules" is older than the pyramids.
mschuster91 20 hours ago|||
> The question is more about why the US and others can't properly enforce the bullshit all this amounts to.

It would cost too much money, either for police to raid all the physical shops and ebay sellers selling dodgy IPTV boxes, or for ISPs to hire enough competent support staff to monitor and respond to abuse@ email addresses and follow through.

TurdF3rguson 19 hours ago||
What exactly should be illegal here? Scraping websites? AI agents? Not following robots.txt?
aorth 11 hours ago||
The excessive scraping and ignoring robots.txt only breaks the informal social contract established over the past decades of the open internet.

The real problem is the companies offering money to developers if they include unrelated SDKs in their calculator or flashlight (for example) applications. Those SDKs add functionality to incorporate those devices into a network that can be used for scraping. The traffic is little, but is distributed over millions of residential devices all over the world, making it difficult to categorize or block. That should be illegal, and that's what Google et al can be expected to be policing on their app stores.

inigyou 7 hours ago||
On what grounds would it be illegal though? Things don't become illegal just because you don't like them. They may become illegal just because the president doesn't like them, but I don't think you're him, and in the absence of that, there has to be a majority of Congress and most of them want a reason.
robinsonb5 5 hours ago||
Because they don't have the informed consent* of the owner of the device wich ends up running the code?

* no, small print in a click-through agreement doesn't count.

inigyou 4 hours ago||
It's not illegal to run code on a device without informed consent to everything the code does. The CFAA may be excessively broad but it isn't that broad.
Avery29 16 hours ago||
Google itself is a huge database.Who makes these rules depends on who's leading the market.
teravor 14 hours ago||
I find the notion that you would use residential proxies to scrape LWN somewhat laughable, I'm reading this article using a VPN.

residential proxy bandwidth isn't that cheap, I could see it be used on a reddit (though i would probably just mass register accounts to bypass their block instead).

rwmj 13 hours ago||
I ran a gitweb server which was battered by bots so I eventually had to take it down. Gitweb! You can just connect using the git protocol and download everything vastly more efficiently!

In other words, they don't care at all. For them, residential bandwidth is completely free.

inigyou 7 hours ago||
Right. This whole controversy makes no sense as a pure scraping thing. It seems more like someone is trying to take the web offline.
eduction 21 hours ago||
Can BitTorrent’s architecture contribute anything useful here?

I admit this is a naive question. I have no idea how applicable bt is to web requests. This problem just seems to have a similar “too many people want this resource” shape.

fragmede 20 hours ago|
Yes but it's getting bot owners to use it is the problem. There's already the common crawl repository to start with but it isn't being used.
ccgreg 15 hours ago|||
Common Crawl's dataset was downloaded in full 100 times in 2025.

We agree that it would be great if it was even more widely used.

dylan604 16 hours ago|||
as well as the bot owners could would never believe that the torrent has been kept up to date. the only way to do that would compare to the actual site, so why not just scrape the actual site and be done with it?
ccgreg 15 hours ago||
Common Crawl's archive has metadata that says when each record (html file) was crawled.
charcircuit 15 hours ago||
But who stores the metadata for the last date the site updated so you know if it needs to be refetched or not.
ccgreg 11 hours ago||
We do. First off we have a public parquet-format index of all of the urls we crawl every month. And then that also lives in a HDFS table that determines when we want to recrawl a page we've crawled before.
charcircuit 10 hours ago||
Sorry, I wasn't clear. In order to know you have an up to date copy of the page you need two pieces of information:

1. When the page itself was last updated

2. When the crawled copy was last updated

In order to get an accurate date for 1, you have to crawl it, and if you are crawling it you might as well use that copy you just crawled.

The missing here is that for pretraining AI models should accept a cut off date and not worry about being perfectly up to date. Keeping things up to date is more useful developing internet search engines for grounding.

zarzavat 12 hours ago||
This is a predictable consequence of age verification laws and social media bans. Formerly VPNs were a nice to have but now they are a necessity in many countries to navigate the modern internet.

The cheapest way to get a VPN (and if you're a horny and broke teenager perhaps the only way) is to trade your clean but censored IP address for an uncensored IP address in another country. You accept the bot traffic in return, or externalize it to your parents or the owner of the internet connection.

selfhoster1312 12 hours ago|
That does not explain why so many residential VPNs operate with so many IPs in countries where there are no social media bans. Here in France:

- i know many people who buy shady IPTV boxes from stores/markets for like 50€/year

- i know some people who use "smart lightbulbs" and other nonsense

- almost everyone i know plays free smartphone games, which as LWN reminded, may contain a shady SDK

TZubiri 16 hours ago||
>We have not gone with tools like Anubis, partly because it causes annoying delays for those trying to get to the site, but also partly because it seems inevitable that the scrapers will eventually find their way around it. Indeed, there are some indications that is already happening. A proof-of-work requirement is not a huge obstacle when you have millions of other people's machines to do the work on.

The first argument that it introduces delays to users is solid, but I would advise reconsidering on the second one that a PoW workaround will be found. The moment it does you'll be able to tell because Bitcoin will crash to 0.

Will bots use infected computers to do compute to work around it? Maybe, but it requires a CPU in addition to a network reputation, 2 mechanisms are stronger than one.

CodesInChaos 7 hours ago||
> The moment it does you'll be able to tell because Bitcoin will crash to 0.

The "workaround" for PoW is running the PoW computation on hardware that's better suited for the task. Bitcoin mining has been using ASIC for many years now.

Let's say a legitimate user is willing to wait for one minute on a budget phone. Then your PoW is limited to what that phone can compute in one minute. But on the attacker's specialized hardware this computation only costs fractions of a penny, so they are barely hindered by it.

The SHA256 based PoW scheme has a very heavy ASIC advantage. People have tried to design PoW scheme that minimize the custom hardware advantage, but I'm not sure if they managed to close the gap far enough to make PoW feasible for this application.

inigyou 7 hours ago||
Residential proxy users don't have the ability to run compute on their proxies.
TZubiri 2 hours ago||
https://salad.com/salad-gateway-service

https://salad.com/earn

zb3 19 hours ago||
> widespread scraping of web sites in search of training data for large language models and related projects

This is a good thing, thanks to this we have powerful open source LLMs.

> This activity overwhelms sites with traffic.

When LLMs get good enough, we won't need those sites anymore :)

[not satire, this is what I think, without self-censorship]

More comments...