> Before it was enabled, it was getting several hundred-thousand requests each day. As soon as Anubis became active in there, it decreased to about 11 requests after 24 hours
I love experimental data like this. So much better than gut reaction that was spammed when anubis was just introduced
I'm surprised at the effectiveness of simple PoW to stop practically all activity.
I'll implement Anubis at low difficulty for all my projects and leave a decent llms.txt referenced in my sitemap and robots.txt so LLMs can still get relevant data for my site while.keeping bad bots out. I'm getting thousands of requests from China that have really increased costs, glad it seems the fix is rather easy.
This is why I see (well managed) government digital IDs as sensible moves. Apart from DDOS attacks, if bots have to “prove” who they are on each request it seems like a win-win.
I'm getting this patern a lot on Prestashop websites, where thousand, to not say hundreds of thousand, of request are coming from bots not announcing themselves in the User-agent, and coming from different IP's
Very annoying. And you can't filter them because they look like legitimate trafic.
On a page with differents options (such as color, size, etc...) they'll try all the combinaisons, eating all the ressources.
Taking a 2024 report on bot loads on the Internet is like taking a 1950s Car & Driver article for modern vehicle stats.
That’s how fast the landscape is changing.
And remember: while the report might have been released in 2024, it takes time to conduct research and publish. A good chunk of its data was likely from 2023 and earlier.
The core problem isn't Proof-of-Work itself — it's difficulty calibration.
PoW for page protection (every page load) is fundamentally different
from PoW for form submission (one-time action). Anubis at difficulty 8
is asking browsers to find 8 leading zero bytes — that's billions of
hashes on average.
For form spam protection, a ~200ms solve time in a WebWorker is enough
to make bot operations uneconomical at scale (10,000 forms = 10,000
unique computations) while being invisible to humans. That's difficulty
2-3 depending on device.
For protecting every page view like Anubis does, the cost-benefit math
is different and much harder to get right, because you're taxing every
visitor on every request — not just on submit.
57 comments
[ 4.1 ms ] story [ 71.5 ms ] thread> Here is a massive log file for some activity in the Data Export tar pit:
A bit of a privacy faux pas, no? Some visitors may be legitimate.
I love experimental data like this. So much better than gut reaction that was spammed when anubis was just introduced
I'll implement Anubis at low difficulty for all my projects and leave a decent llms.txt referenced in my sitemap and robots.txt so LLMs can still get relevant data for my site while.keeping bad bots out. I'm getting thousands of requests from China that have really increased costs, glad it seems the fix is rather easy.
https://web.archive.org/web/20260329052632/https://gladeart....
I may be missing something of course
Very annoying. And you can't filter them because they look like legitimate trafic.
On a page with differents options (such as color, size, etc...) they'll try all the combinaisons, eating all the ressources.
That’s how fast the landscape is changing.
And remember: while the report might have been released in 2024, it takes time to conduct research and publish. A good chunk of its data was likely from 2023 and earlier.
PoW for page protection (every page load) is fundamentally different from PoW for form submission (one-time action). Anubis at difficulty 8 is asking browsers to find 8 leading zero bytes — that's billions of hashes on average.
For form spam protection, a ~200ms solve time in a WebWorker is enough to make bot operations uneconomical at scale (10,000 forms = 10,000 unique computations) while being invisible to humans. That's difficulty 2-3 depending on device.
For protecting every page view like Anubis does, the cost-benefit math is different and much harder to get right, because you're taxing every visitor on every request — not just on submit.
If a webstie takes so long to verify me I'll bounce. That's it.
JA4 fingerprinting works decently for the residential proxies.
Maybe I’m a bot, I gave up waiting before the progress bar was even 1% done.