These requests originated from over 200 IP addresses – almost all owned by an ISP for a particular province in China. The confirmation emails for this volume of requests overwhelmed our email service. As a result, many arXiv users may not have received their daily emails. And other users may not have received their confirmation emails for registering accounts, or legitimate email change requests.
this should be easy to block, no? just 200 out of millions
The context is that the author of the tweet hates fast paced open research (which IMO is a net good for humanity) and makes up the strawman `"can't keep up" + "anything older than 6 months is irrelevant" in CS` quotes to justify that position.
There's timeless beauty in CS, but there's also a lot more fertile ground for research in CS, given how young the field is compared to the older sciences.
The author of that tweet clearly has an issue with the arxiv being an open repository where everyone can upload anything. There is nothing about open access in the tweet. And arxiv is not same as the concept or movement of open access. Most articles on Arxiv doesn't even have a proper license to fulfill the definition of Open Access in the BOAI declaration.
Further proof that the authors tweet is not about or against open access is that she publishes open access herself:
Arxiv is open access prepublication, and doesn't remove the need for peer review to get into actual journals. If you apply for a grant and you say "I was published on Arxiv" you are not getting that grant.
Additionally, Arxiv won't kick you off their platform if you post a preprint there, and then you get published in Nature.
In other words, the reason it does not change the point is that Arxiv does not weaken the publication process for the actual journals the preprint will be submitted to. You still need peer review to get published and you are still incentivised to do just that.
You could argue 'preprints ARE publishing' but I'd need to be convinced of that point because I don't agree for the reasons stated above.
I’ve hosted a few free services over the past 2 years. They are just utilities, nothing controversial, yet there are DDOS attacks ever few weeks from some Chinese IP ranges (especially Alibaba). Ended up just blocking the ASN as the JA3 fingerprints were spoofed and they were sending legitimate looking data (thus difficult to identify and block)
whois on the ip-address tells their range, also their asn with which you can find and block all their nets if necessary.
but block via firewall, not webserver
A million password resets is shockingly low for a DDOS, could this have been an university assignment gone wrong? I can imagine some clueless dean ordering all their engineering grads to submit research to arXiv. If they have 100-200K students, a single poorly written script to link the institution's SSO with automatically created arXiv accounts could easily overwhelm the system.
It was from about 10 accounts. Which we suspended. But it appears that they created new accounts overnight (daytime in China). arXiv is not well-equipped to play whack-a-mole.
And 10 accounts using 100 different IP addresses, would seem unlikely for an innocent project. And creating new accounts ...
Can you set a restriction so that each user cannot change the email if it has already been changed during the last hour/day? In this way you won't need to ban IPs while still allowing legitimate users to change their emails or to create new accounts.
Indira Gandhi National Open University has over 4 million students, and in China about 40% of university students are in STEM. It's certainly not impossible that this is coming from a single institution.
The question to ask yourself is: After seeing the service clearly degrade, why wouldn't you stop?
Also there may be a good reason why arXiv call it a DDoS attack - they can probably see the same emails being flipped multiple times, which would not be inline with an accidental script issue.
Look, arxiv.org is awesome and I love them, but they really can't expect the ITU or abuse-reporting groups to bail them out here.
If you have some web service that sends emails, it's on you to pick a sensible rate limit for it (not 1,000,000 messages per day unless you're Fastmail) and to hierarchically bucket that ratelimit by the routable prefix (first 24 bits) of the requester's IP address. As the bucket empties, respond more and more slowly. This way the worst a DDoSer can do is mildly annoy people who happen to use the same ISP that they do -- but eventually even those people will still get through.
I'm sorry, but this is just the sort of thing everybody has to do in order to preserve a decentralized Internet. Because if we don't all do this sort of stuff, pretty soon it won't be the Internet anymore, it'll be the CloudflareNet.
Alright go ahead, downvote me to negative-billion. I can handle it.
48 comments
[ 4.5 ms ] story [ 186 ms ] threadthis should be easy to block, no? just 200 out of millions
The email requests already happened. So blacklisting the IP addresses wouldn't prevent the email overload.
- revenge for rejected paper
- badly written scraping script
https://x.com/emilymbender/status/1696374958652522612
There's timeless beauty in CS, but there's also a lot more fertile ground for research in CS, given how young the field is compared to the older sciences.
and I've offered at least as much evidence as you have.
Further proof that the authors tweet is not about or against open access is that she publishes open access herself:
https://jlm.ipipan.waw.pl/index.php/JLM/article/view/292
https://nejlt.ep.liu.se/article/view/4017
https://dl.acm.org/doi/10.1145/3498366.3505816
The example was actually a Gatekeeper who values peer review before publication.
Additionally, Arxiv won't kick you off their platform if you post a preprint there, and then you get published in Nature.
In other words, the reason it does not change the point is that Arxiv does not weaken the publication process for the actual journals the preprint will be submitted to. You still need peer review to get published and you are still incentivised to do just that.
You could argue 'preprints ARE publishing' but I'd need to be convinced of that point because I don't agree for the reasons stated above.
To reproduce
The second one gets a different "error message": That's it.How to get a "z".
For some reason I can not access this link.
Does anyone here have experience working with an ISP in abuse cases like this one, specially a Chinese ISP?
I think this article is misleading; there's nothing terribly "distributed" about the DoS.
Happy to help discussing mitigation techniques. Long time user of ArXiv. Email in Bio.
And 10 accounts using 100 different IP addresses, would seem unlikely for an innocent project. And creating new accounts ...
Also there may be a good reason why arXiv call it a DDoS attack - they can probably see the same emails being flipped multiple times, which would not be inline with an accidental script issue.
If you have some web service that sends emails, it's on you to pick a sensible rate limit for it (not 1,000,000 messages per day unless you're Fastmail) and to hierarchically bucket that ratelimit by the routable prefix (first 24 bits) of the requester's IP address. As the bucket empties, respond more and more slowly. This way the worst a DDoSer can do is mildly annoy people who happen to use the same ISP that they do -- but eventually even those people will still get through.
I'm sorry, but this is just the sort of thing everybody has to do in order to preserve a decentralized Internet. Because if we don't all do this sort of stuff, pretty soon it won't be the Internet anymore, it'll be the CloudflareNet.
Alright go ahead, downvote me to negative-billion. I can handle it.
I tried, but HN seems to implement some kind of rate limiting. D'Oh