48 comments

[ 4.5 ms ] story [ 186 ms ] thread
These requests originated from over 200 IP addresses – almost all owned by an ISP for a particular province in China. The confirmation emails for this volume of requests overwhelmed our email service. As a result, many arXiv users may not have received their daily emails. And other users may not have received their confirmation emails for registering accounts, or legitimate email change requests.

this should be easy to block, no? just 200 out of millions

(comment deleted)
They said a million email change requests, originating from over 200 IP addresses.

The email requests already happened. So blacklisting the IP addresses wouldn't prevent the email overload.

Who would have the incentive to bring arxiv down?
- for the lulz

- revenge for rejected paper

- badly written scraping script

(comment deleted)
Could be a "proof" before selling a larger DDoS on the black market.
There is nothing in the tweet you are linking against open access.
The tweet says "arxiv is a cancer". It's obviously reasonable evidence that some people don't like arxiv. You are splitting hairs.
and the context really isn't "gatekeepers hate open access", is it.
The context is that the author of the tweet hates fast paced open research (which IMO is a net good for humanity) and makes up the strawman `"can't keep up" + "anything older than 6 months is irrelevant" in CS` quotes to justify that position.

There's timeless beauty in CS, but there's also a lot more fertile ground for research in CS, given how young the field is compared to the older sciences.

counterpoint: no she doesn't, that's weird nonsense.

and I've offered at least as much evidence as you have.

The author of that tweet clearly has an issue with the arxiv being an open repository where everyone can upload anything. There is nothing about open access in the tweet. And arxiv is not same as the concept or movement of open access. Most articles on Arxiv doesn't even have a proper license to fulfill the definition of Open Access in the BOAI declaration.

Further proof that the authors tweet is not about or against open access is that she publishes open access herself:

https://jlm.ipipan.waw.pl/index.php/JLM/article/view/292

https://nejlt.ep.liu.se/article/view/4017

https://dl.acm.org/doi/10.1145/3498366.3505816

Doesn't change the point. Also doesn't refute the point.
(comment deleted)
The original suggested "Gatekeepers who hate open access."

The example was actually a Gatekeeper who values peer review before publication.

Arxiv is open access prepublication, and doesn't remove the need for peer review to get into actual journals. If you apply for a grant and you say "I was published on Arxiv" you are not getting that grant.

Additionally, Arxiv won't kick you off their platform if you post a preprint there, and then you get published in Nature.

In other words, the reason it does not change the point is that Arxiv does not weaken the publication process for the actual journals the preprint will be submitted to. You still need peer review to get published and you are still incentivised to do just that.

You could argue 'preprints ARE publishing' but I'd need to be convinced of that point because I don't agree for the reasons stated above.

Awesome "error message" from x.com:

  y
That's it. Beautiful.

To reproduce

   curl https://x.com/username

   curl https://x.com
The second one gets a different "error message":

  x
That's it.

How to get a "z".

Someone who has just plagiarized from it and wants to hide the source.
I ran an open service for more than a decade. The world is filled with people who do things that are bad and cannot be understood.
Some men just want to watch the world burn.
I’ve hosted a few free services over the past 2 years. They are just utilities, nothing controversial, yet there are DDOS attacks ever few weeks from some Chinese IP ranges (especially Alibaba). Ended up just blocking the ASN as the JA3 fingerprints were spoofed and they were sending legitimate looking data (thus difficult to identify and block)
> We will shortly be reaching out to the abuse desk of the affected ISP for assistance.

Does anyone here have experience working with an ISP in abuse cases like this one, specially a Chinese ISP?

If it's one ISP you don't work with them, you simply add a `drop` rule for their IP range.

I think this article is misleading; there's nothing terribly "distributed" about the DoS.

Yep - customers will start getting pretty shirty if websites become unavailable only on their ISP, as their ISP fails to respond to abuse reports.
whois on the ip-address tells their range, also their asn with which you can find and block all their nets if necessary. but block via firewall, not webserver
Not from China but yes, usually they are very quick to respond, it's crucial for most ISPs to maintain a good reputation.
Well, no reply from the ISP so far.
Have you tried blocking only endpoint for the IPs in question?

Happy to help discussing mitigation techniques. Long time user of ArXiv. Email in Bio.

Sorry qmarchi -- I don't know how to get your contact information here. But it shouldn't be too hard to find mine, if you try.
Click the post username.
A million password resets is shockingly low for a DDOS, could this have been an university assignment gone wrong? I can imagine some clueless dean ordering all their engineering grads to submit research to arXiv. If they have 100-200K students, a single poorly written script to link the institution's SSO with automatically created arXiv accounts could easily overwhelm the system.
What school has 200k engineering students?
"poorly written" could easily remove the "engineering" qualifier.
They would also have to be in the same class and all running their code at the same time.
It was from about 10 accounts. Which we suspended. But it appears that they created new accounts overnight (daytime in China). arXiv is not well-equipped to play whack-a-mole.

And 10 accounts using 100 different IP addresses, would seem unlikely for an innocent project. And creating new accounts ...

Can you set a restriction so that each user cannot change the email if it has already been changed during the last hour/day? In this way you won't need to ban IPs while still allowing legitimate users to change their emails or to create new accounts.
Indira Gandhi National Open University has over 4 million students, and in China about 40% of university students are in STEM. It's certainly not impossible that this is coming from a single institution.
The question to ask yourself is: After seeing the service clearly degrade, why wouldn't you stop?

Also there may be a good reason why arXiv call it a DDoS attack - they can probably see the same emails being flipped multiple times, which would not be inline with an accidental script issue.

Does the State Dept get involved in these cases? Surely China has responsibility over this ISP.
Look, arxiv.org is awesome and I love them, but they really can't expect the ITU or abuse-reporting groups to bail them out here.

If you have some web service that sends emails, it's on you to pick a sensible rate limit for it (not 1,000,000 messages per day unless you're Fastmail) and to hierarchically bucket that ratelimit by the routable prefix (first 24 bits) of the requester's IP address. As the bucket empties, respond more and more slowly. This way the worst a DDoSer can do is mildly annoy people who happen to use the same ISP that they do -- but eventually even those people will still get through.

I'm sorry, but this is just the sort of thing everybody has to do in order to preserve a decentralized Internet. Because if we don't all do this sort of stuff, pretty soon it won't be the Internet anymore, it'll be the CloudflareNet.

Alright go ahead, downvote me to negative-billion. I can handle it.

> Alright go ahead, downvote me to negative-billion. I can handle it.

I tried, but HN seems to implement some kind of rate limiting. D'Oh

It’s an ego preservation system, it only shows downvotes to -4 :-)
I upvoted you out of spite :-)