Evidence for the DDoS attack that bigtech LLM scrapers actually are.

  • froztbyte@awful.systems
    link
    fedilink
    English
    arrow-up
    6
    ·
    21 days ago

    the threshold is proportional to 1.5^(32-subnet_mask)

    what are you basing that prefix length decision off? whois/NIC allocation data?

    is the decision loop running locally to any given f2b instance, or do you aggregate for processing then distribute blocklist?

    either way, seems like an interesting approach for catching the type of shit that likes to snowshoe from random cloud providers while lying in agent signature

    • pcouy@lemmy.pierre-couy.fr
      link
      fedilink
      English
      arrow-up
      4
      ·
      20 days ago

      CIDR ranges (a.b.c.d/subnet_mask) contain 2^(32-subnet_mask) IP addresses. The 1.5 I’m using controls the filter’s sensitivity and can be tuned to anything between 1 and 2

      Using 1 or smaller would mean that the filter gets triggered earlier for larger ranges (we want to avoid this so that a single IP can’t trick you into banning a /16)

      Using 2 or more would mean you tolerate more fail/IP for larger ranges, making you ban all smaller subranges before the filter gets a chance to trigger on a larger range.

      This is running locally to a single f2b instance, but should work pretty much the same with aggregated logs from multiple instances

      • froztbyte@awful.systems
        link
        fedilink
        English
        arrow-up
        3
        ·
        20 days ago

        I’m aware of the construction of a CIDR prefix, I meant what are you using to categorise IPs from requests to look up mask size? whois? using published NIC/RIR data? what’s in BGP/routedumps? other?