57 comments

[ 4.1 ms ] story [ 71.5 ms ] thread
Maybe my imagination is just too accurate but this didn't tell me anything I didn't expect to hear.

> Here is a massive log file for some activity in the Data Export tar pit:

A bit of a privacy faux pas, no? Some visitors may be legitimate.

> Before it was enabled, it was getting several hundred-thousand requests each day. As soon as Anubis became active in there, it decreased to about 11 requests after 24 hours

I love experimental data like this. So much better than gut reaction that was spammed when anubis was just introduced

I'm surprised at the effectiveness of simple PoW to stop practically all activity.

I'll implement Anubis at low difficulty for all my projects and leave a decent llms.txt referenced in my sitemap and robots.txt so LLMs can still get relevant data for my site while.keeping bad bots out. I'm getting thousands of requests from China that have really increased costs, glad it seems the fix is rather easy.

This is why I see (well managed) government digital IDs as sensible moves. Apart from DDOS attacks, if bots have to “prove” who they are on each request it seems like a win-win.

I may be missing something of course

I'm getting this patern a lot on Prestashop websites, where thousand, to not say hundreds of thousand, of request are coming from bots not announcing themselves in the User-agent, and coming from different IP's

Very annoying. And you can't filter them because they look like legitimate trafic.

On a page with differents options (such as color, size, etc...) they'll try all the combinaisons, eating all the ressources.

Taking a 2024 report on bot loads on the Internet is like taking a 1950s Car & Driver article for modern vehicle stats.

That’s how fast the landscape is changing.

And remember: while the report might have been released in 2024, it takes time to conduct research and publish. A good chunk of its data was likely from 2023 and earlier.

Not sure what they are doing, but they don't seem to do it well.
Ok. So I get a page saying it’s verifying I’m not a bot with some kink of measurements per second and I don’t get through. Is that the point?
I don't know if they have issue with my ff+ubo, but it is almost a minute that anubis is blocking me. screw them.
This sounds like something a bot would say.
I’ve been sitting on this page for two minutes and it’s still not sure whether I’m a bot lol. What did I do in a past life to deserve this :(
(comment deleted)
Is Anubus being set to difficulty 8 on this page supposed to be a joke? I gave up after about 20 seconds.
The core problem isn't Proof-of-Work itself — it's difficulty calibration.

PoW for page protection (every page load) is fundamentally different from PoW for form submission (one-time action). Anubis at difficulty 8 is asking browsers to find 8 leading zero bytes — that's billions of hashes on average.

For form spam protection, a ~200ms solve time in a WebWorker is enough to make bot operations uneconomical at scale (10,000 forms = 10,000 unique computations) while being invisible to humans. That's difficulty 2-3 depending on device.

For protecting every page view like Anubis does, the cost-benefit math is different and much harder to get right, because you're taxing every visitor on every request — not just on submit.

I don't get what it is or whether it's a satire or not.

If a webstie takes so long to verify me I'll bounce. That's it.

Looks like Anubis is also blocking robots.txt which seems to defeat the point of having robots.txt in the first place.
(comment deleted)
>How can you protect your sites from these bots?

JA4 fingerprinting works decently for the residential proxies.

I cannot get past the bot check (190kH/s), is it mining crypto on my laptop?
At first glance this seems like a crypto miner.

Maybe I’m a bot, I gave up waiting before the progress bar was even 1% done.