Cloudflare Has a New Plan To Fight Bots -- and Climate Change (techcrunch.com) 28
Cloudflare is ratcheting up its fight against bots with a new "fight mode," which it says will frustrate and disincentivize bot operators from their malicious activity. From a report: Bots are notorious for scraping websites and abusing developer access to download gobs of user data. All too often bots try to game the system by scraping concert or airline ticket prices to buy in bulk at their lowest price and sell them off for higher. Worse, some imitate real users and brute-force their way into websites with lists of stolen passwords. Cloudflare gets three billion bot requests each day. Now the company said it's "decided to fight back."
Its new "bot fight mode," which Cloudflare today enabled as a free opt-in feature for all accounts, will detect and serve bots with deliberately computationally intensive challenges. As the bot tries to crunch the impossible puzzle -- effectively a small bit of code only visible to the bot -- the bot's server will max out its processing power, churning up cloud resources and driving up costs for the bot operator. While the company says its efforts will dissuade bot activities in the long run, it recognizes its efforts in the short term will result in cloud servers working overtime, thus consuming more electricity and requiring more cooling -- all of which contribute to greater energy consumption.
Robots And Climate Change Are Attacking Cloudflare (Score:2)
Bots (Score:4, Interesting)
I run a pretty popular blog and I get hit from bots constantly scraping my site, or trying to fill out forms with bogus information. 90% of this traffic comes from India. Which finally led me to just block any India IP address from filling out forms.
Sucks, but that was the only thing that finally put a stop to it.
India Spam (Score:5, Interesting)
Scrapers aren't malicious (Score:4, Insightful)
Scrapers aren't malicious, unless you run a site designed to fleece suckers. They provide the information that the people want, like price comparisons. And if you have the lowest price, they will result in traffic and sales. And if you know how to use caching, they shouldn't do any special harm to your site.
A better solution for people not trying to take advantage of ignorant users might be to make sure that scrapers get the information they want without having to load your whole page, which means actually outputting HTML, and not shoveling all the content into the page after the fact with JavaScript like a total noob.
Re: (Score:2)
Since they talk of putting code into the page, I assume they are going after the kinds of bots that like to fill out their forms and automatically interact as if they are a person doing things (meaning they need to run javascript).
I run a scraper for images (for reverse searching image sources), mostly snorting up opengraph data. This will not affect my scraper in the slightest.
It's rampant (Score:3, Interesting)
Nice. How are Slashdot's efforts going to fight troll farms gaming their once-sensible mod system, built on the notion only well-meaning moderations will occur?
Re: (Score:1)
The beauty of Slashdot's moderation system is that it prevents circlejerks from downmodding an unpopular opinion into oblivion. Fuck off back to Ars Technica if you want that.
It Happens In The Firehose (Score:5, Interesting)
A win-win scenario (Score:3, Funny)
We all know that cows cause global warming, right?
So to offset the carbon increase from the Cloudflare Battlin' Bot mode, the answer is right in front of us - everyone should switch to eating burgers made from bot operators!
Re: (Score:3)
Reselling plane tickets? (Score:2)
Fighting Climate Change? (Score:2)
Sounds more like they're encouraging it.
Forcing botnets to use more electricity isn't actually "fighting" climate change, but I guess as long as you call it "fighting climate change" then you've accomplished your goal of reducing AGW....
Re: (Score:2)
Sounds more like they're encouraging it.
Forcing botnets to use more electricity isn't actually "fighting" climate change, but I guess as long as you call it "fighting climate change" then you've accomplished your goal of reducing AGW....
I know reading the article is hard, but you should totally do. Because they like totally covered this dude.
Like their CAPTCHA block? (Score:5, Insightful)
Cloudflare already has a mode where it will chain an infinite number of recaptcha challenges together if it decides it doesn't like your browser agent. When it pops up on sites, I just change browsers and I'm instantly not a bad person.
Re:Like their CAPTCHA block? (Score:5, Interesting)
The same often happens to me when I disable scripts. The future of captcha seems to be that you either let them run their spyware on your machine or they just decide that you're a bot.
Re: Like their CAPTCHA block? (Score:2)
Old idea (Score:5, Interesting)
robots.txt trap (Score:5, Interesting)
I used to put a "Disallow" line in my robots.txt file that led to an endless series of programmatically-generated pages filled with random crap and lots of juicy (but fake) email addresses.
The bad bots that read the robots.txt file would follow the link and get mired in shit for hours (and sometimes for days!).
After a while I modified the code and started feeding the bots their own email addresses, so they probably sent themselves quite a bit of spam.
It was hilarious to watch the bots painfully crawl page after page after page in a fruitless quest that never ended...
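Added example, not part of the thread or the commenter's own code: a defender-side check built on the decoy-path idea in the comment above. It reads the Disallow prefixes from robots.txt and flags clients in an access log that requested them anyway. The robots.txt content, the /trap/ path, the bot names and the log lines are all constructed for illustration.

```python
import re

# Constructed robots.txt; /trap/ is a hypothetical decoy path that no real page links to.
ROBOTS_TXT = """\
User-agent: *
Disallow: /trap/   # decoy
Disallow: /admin/
"""

# Constructed access-log lines (combined log format, documentation IP ranges).
LOG_LINES = [
    '203.0.113.7 - - [01/Jan/2024:10:00:00 +0000] "GET /robots.txt HTTP/1.1" 200 48 "-" "ExampleBot/1.0"',
    '203.0.113.7 - - [01/Jan/2024:10:00:02 +0000] "GET /trap/a1 HTTP/1.1" 200 900 "-" "ExampleBot/1.0"',
    '203.0.113.7 - - [01/Jan/2024:10:00:03 +0000] "GET /trap/b2?x=1 HTTP/1.1" 200 900 "-" "ExampleBot/1.0"',
    '198.51.100.22 - - [01/Jan/2024:10:01:00 +0000] "POST /admin/login HTTP/1.1" 404 0 "-" "-"',
    '192.0.2.10 - - [01/Jan/2024:10:02:00 +0000] "GET /robots.txt HTTP/1.1" 200 48 "-" "PoliteBot/2.0"',
    '192.0.2.10 - - [01/Jan/2024:10:02:01 +0000] "GET /index.html HTTP/1.1" 200 5120 "-" "PoliteBot/2.0"',
    'not a log line',
]

LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "\S+ (\S+)[^"]*" \d{3} ')

def disallowed_prefixes(robots_txt):
    """Return the Disallow prefixes in rule groups that apply to 'User-agent: *'."""
    prefixes, applies, prev_ua = [], False, False
    for raw in robots_txt.splitlines():
        field, sep, value = raw.split("#", 1)[0].partition(":")
        field, value = field.strip().lower(), value.strip()
        if not sep:
            continue  # blank line or line without a field
        if field == "user-agent":
            # Consecutive User-agent lines share one rule group.
            applies = value == "*" or (prev_ua and applies)
        elif field == "disallow" and applies and value:
            prefixes.append(value)
        prev_ua = field == "user-agent"
    return prefixes

def trap_hits(log_lines, prefixes):
    """Map client IP -> (label, disallowed paths it requested)."""
    seen_robots, hits = set(), {}
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip malformed lines
        ip, path = m.group(1), m.group(2).split("?", 1)[0]
        if path == "/robots.txt":
            seen_robots.add(ip)
        elif any(path.startswith(p) for p in prefixes):
            label = "read-then-ignored" if ip in seen_robots else "never-read"
            hits.setdefault(ip, (label, []))[1].append(path)
    return hits
```

A client labelled "read-then-ignored" fetched robots.txt and then requested a path it lists, which is the behaviour the comment describes; the label is fixed at the client's first disallowed request.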
Re: (Score:2)
That is a pretty good idea. Any idea if it still works, or did the bots get smarter?
Re:robots.txt trap (Score:5, Interesting)
Oh yeah, they still dutifully follow the Disallow links and thrash around in the La Brea Link Pit for a few hours.
I used to keep an eye on it just to see what was going on, but if you've seen one bot trip over its own dick, you've seen 'em all.
Lololol (Score:2)
It'd be cool if you took your manual spam blacklist and fed it out. As soon as someone gets into your inbox they're done. For good measure you could post it to usenet too. Alt.sex.stories; email goes to sender, subject, and body.
Reminds me of the Borg... (Score:2)
... and the plan Starfleet had to introduce a very similar concept to destroy them. I wonder if Starfleet had followed through, if the Borg's carbon footprint would have spiked before they went kaput. Oh well, suppose we'll never know.
Re: Reminds me of the Borg... (Score:1)
HCF, or better (Score:5, Interesting)
It would be awesome if there were a way to serve the mythical Halt-and-Catch-Fire (HCF) instruction to the bots. Or, equivalently, just a HALT instruction. Or a WAIT instruction that would never get its interrupt. My inner 5-year-old imp is nearly as titillated with their solution of serving computationally difficult programs (presumably obfuscated in random ways so that the bots aren't able to recognize and drop them).
The adult in me thinks serving them something actually useful, such as problems from the BOINC network like SETI@home, would be an even better solution.
Re: (Score:2)
Well I mean they can shrink the TCP window down very small. You could then even protect your services by keeping the TCP window unusually small for just a little bit. They could also tell the remote system they wanna use gzip compression to send a compression bomb with a gif bomb or something that's been run through a fuzzing framework, there's all sorts of opportunity to jerk them around all different ways at once.
If they wanted a long game they could start fuzzing different graphics libraries unt