| ▲ | Cloudflare flags archive.today as "C&C/Botnet"; no longer resolves via 1.1.1.2(radar.cloudflare.com) |
| 173 points by winkelmann 7 hours ago | 75 comments |
| |
|
| ▲ | winkelmann 7 hours ago | parent | next [-] |
| "archive.today is currently categorized as: * CIPA Filter * Reference * Command and Control & Botnet * DNS Tunneling" Ditto for their other domains like archive.is and archive.ph Example DoH request: $ curl -s "https://1.1.1.2/dns-query?name=archive.is&type=A" -H "accept: application/dns-json" {"Status":0,"TC":false,"RD":true,"RA":true,"AD":false,"CD":false,"Question":[{"name":"archive.is","type":1}],"Answer":[{"name":"archive.is","type":1,"TTL":60,"data":"0.0.0.0"}],"Comment":["EDE(16): Censored"]} --- Relevant HN discussions: https://news.ycombinator.com/item?id=46843805 "Archive.today is directing a DDoS attack against my blog" https://news.ycombinator.com/item?id=47092006 "Wikipedia deprecates Archive.today, starts removing archive links" https://news.ycombinator.com/item?id=46624740 "Ask HN: Weird archive.today behavior?" - Post about the script used to execute the denial-of-service attack Wikipedia page on deprecating and replacing archive.today links: https://en.wikipedia.org/wiki/Wikipedia:Archive.today_guidan... |
| |
| ▲ | breppp 3 hours ago | parent [-] | | While I fully support this instance, I wonder what else Cloudflare has set to "Censored", apart for the obvious CSAM | | |
| ▲ | Kwpolska an hour ago | parent [-] | | 1.1.1.2 is their malware-blocking DNS, and 1.1.1.3 is their parental-controls DNS. If you want an unfiltered DNS, use 1.1.1.1 - which resolves archive.today just fine, although archive.today itself refuses to work on Cloudlfare DNS. | | |
| ▲ | sgbeal 25 minutes ago | parent | next [-] | | > 1.1.1.2 is their malware-blocking DNS, and 1.1.1.3 is their parental-controls DNS. ... TIL, thank you. Time to go tweak my pi-hole server... | | |
| ▲ | arvid-lind 18 minutes ago | parent [-] | | I'm just curious, given all the other options that respect your privacy and don't put data collection at the center of their business model, why do you use Cloudflare on your pi-hole? |
| |
| ▲ | surgical_fire 3 minutes ago | parent | prev | next [-] | | I have no idea why anyone would use Cloudflare DNS, much less trust their more filtered versions. | |
| ▲ | Hamuko 19 minutes ago | parent | prev [-] | | The "censored" part of archive.today seems unrelated to the filtering itself. 1.1.1.3 flags Pornhub.com as "EDE(17): Filtered" but archive.today is "EDE(16): Censored". Supposedly it should be an external party that's requiring Cloudflare not to publish the DNS record. https://www.rfc-editor.org/rfc/rfc8914.html#name-extended-dn... |
|
|
|
|
| ▲ | rollulus 3 hours ago | parent | prev | next [-] |
| I think there are two angles to look at this. Yes, there’s the attack on the weblog. But there’s also pressure on archive.today, e.g. an FBI investigation [1] and some entity using fictitious CSAM allegations [2]. [1]: https://arstechnica.com/tech-policy/2025/11/fbi-subpoena-tri...
[2]: https://adguard-dns.io/en/blog/archive-today-adguard-dns-blo... |
| |
| ▲ | JasonADrury 2 hours ago | parent | next [-] | | Jani Patokallio who runs gyrovague.com published a blog post attempting to dox the owner of archive.today. Jani justifies his doxing as follows "I found it curious that we know so little about this widely-used service, so I dug into it" [1] Archive.today on the other hand is a charitable archival project offered to the public for free. The operator of Archive.today risks significant legal liability, but still offers this service for free. [1]: https://gyrovague.com/2026/02/01/archive-today-is-directing-... It's weird to see people getting fixated on the DDoS, which is obviously far less nasty than actually attempting to dox someone. The only credible reason for Jani to publish something like this is if he desires to cause physical harm to the operator of archive.today Or are we just looking at an unhinged fan stalking their favorite online celebrity? People were critical of the Banksy piece, but this is much nastier. At least Banksy is a huge business, archive.today does not even make money. | | |
| ▲ | gyrovague-com 18 minutes ago | parent | next [-] | | Jani here. What you describe as "doxxing" consisted of a) a whois lookup for archive.is and b) linking to a StackExchange post from 2020 called "Who owns archive.today" [1]. There is literally no new information about the site's owner in the post, all names have been dug up before and are clearly aliases, and the post states as much. [1] https://webapps.stackexchange.com/questions/145817/who-owns-... | |
| ▲ | dgxyz 35 minutes ago | parent | prev | next [-] | | I'm wondering if Jani is possibly going to walk into the wrong party here and get burned. I did some public archival stuff about a decade ago and it was state sponsored and for the intelligence community. I'm not suggesting this is but it'll be very much of interest to competing intelligence services as it's an information control point. None of those are the sort of people you start pissing off by sticking your dick in it. FBI is likely just one of the actors here. | |
| ▲ | rdevilla 2 hours ago | parent | prev [-] | | Perhaps Mr. Patokallio would like the same scrutiny applied to his own life now - it's only fair, and we have the technology. | | |
| ▲ | rcakebread 25 minutes ago | parent [-] | | Read the archive.today blog, whoever is running archive.today already made many posts about Patokallio and his family members. |
|
| |
| ▲ | Hamuko an hour ago | parent | prev [-] | | So the two angles are that archive.today is doing something illegal and also being investigated by American law enforcement? |
|
|
| ▲ | stuffoverflow 5 hours ago | parent | prev | next [-] |
| Archive.today's attack on https://gyrovague.com is still on-going btw. It started just over two months ago. Some IPs get through normally but for example finnish residential IPs get stuck on endless captchas. The JS snippet that starts spamming gyrovague appears after solving the first captcha. |
| |
| ▲ | winkelmann 4 hours ago | parent | next [-] | | I'm not a web developer, but I've picked up some bits of knowledge here and there, mostly from troubleshooting issues I encounter while using websites. I know there are a number of headers used to control cross-site access to websites, and the linked blog post shows archive.today's denial-of-service script sending random queries to the site's search function. Shouldn't there be a way to prevent those from running when they're requested from within a third-party site? | | |
| ▲ | sheept 3 hours ago | parent | next [-] | | You can't completely prevent the browser from sending the request—after all, it needs to figure out whether to block the website from reading the response. However, browsers will first send a preflight request for non-simple requests before sending the actual request. If the DDOS were effective because the search operation was expensive, then the blog could put search behind a non-simple request, or require a valid CSRF token before performing the search. | |
| ▲ | bawolff 3 hours ago | parent | prev [-] | | > I know there are a number of headers used to control cross-site access to websites Mostly these headers are designed around preventing reading content. Sending content generally does not require anything. (As a kind of random tidbit, this is why csrf tokens are a thing, you can't prevent sending so websites test to see if you were able to read the token in a previous request) This is partially historical. The rough rule is if it was possible to make the request without javascript then it doesn't need any special headers (preflight) |
| |
| ▲ | throwingcookies 4 hours ago | parent | prev [-] | | Why is archive today attacking that website? | | |
| ▲ | nailer 4 hours ago | parent [-] | | The linked blog contains a story about who funds archive today and they presumably don’t like being exposed. | | |
| ▲ | JasonADrury 2 hours ago | parent | next [-] | | The crucial context here is that archive.today provides a useful public service for free. Jani Patokallio runs gyrovague.net in order to harass people who provide useful public services. It's not surprising that the owner of archive.today does not like being exposed, archiving is a risky business. | | |
| ▲ | drum55 2 hours ago | parent [-] | | Should providing a public service absolve all sins? | | |
| ▲ | JasonADrury 2 hours ago | parent | next [-] | | So far, the only sin archive.today has been accused of is retaliating against a guy attempting to dox them. That's a pretty small sin in my book. To be written off as wildly unsuccessful but entirely justified self defense. DDoSing gyrovague.com is silly, not evil. The content on gyrovague.com which targets archive.today is evil, plain and simple. | | |
| ▲ | miken123 an hour ago | parent [-] | | > So far, the only sin archive.today has been accused of is retaliating against a guy attempting to dox them. I think you're missing that circumventing paywalls is unlawful in most parts of the world. | | |
| ▲ | animuchan an hour ago | parent | next [-] | | Respectfully, it's not, in most parts of the world. | |
| ▲ | choo-t an hour ago | parent | prev | next [-] | | > I think you're missing that circumventing paywalls is unlawful in most parts of the world. And a necessity if you want to archive the content correctly, also necessary if you want the archives to be publicly available. | |
| ▲ | Hamuko an hour ago | parent | prev [-] | | Not really sure if circumventing paywalls is that unlawful across the world, but basically copying and pasting an entire web page is just clear and simple copyright violation. |
|
| |
| ▲ | vachina 2 hours ago | parent | prev | next [-] | | I know it's petty. But don't act surprised when you find your garbage strewn all over your lawn next morning after you flipped off your neighbor the fourth time. | |
| ▲ | kuschkufan 2 hours ago | parent | prev [-] | | Look at "i-pay-for-all-online-articles-always" over here. |
|
| |
| ▲ | steveharing1 an hour ago | parent | prev | next [-] | | You mean just to keep their secrets hidden they hurt others? | | |
| ▲ | choo-t an hour ago | parent [-] | | Like most companies or state ? As an individual, keeping their identity private is the only way to prevent oppression. |
| |
| ▲ | throwingcookies 4 hours ago | parent | prev | next [-] | | Thanks. I am so confused by this social drama, I feel like I am getting too old for this. | | |
| ▲ | ryandrake 3 hours ago | parent [-] | | It’s truly weird and unhinged the extent to which two rando Internet People are willing to grief each other. | | |
| |
| ▲ | VERIRoot 3 hours ago | parent | prev [-] | | well that exposing is hurting more than 2 for sure |
|
|
|
|
| ▲ | _moof 5 hours ago | parent | prev | next [-] |
| Good. You don't get to use my computer for a DDoS. I don't care why the DDoS was happening. I wasn't asked, and that's a serious breach of trust. |
| |
| ▲ | longislandguido 3 hours ago | parent [-] | | Breach of trust by a site whose unstated primary purpose is bypassing paywalls and ripping off content? 20 years ago during the P2P heyday this was assumed to come with the territory. Play with fire and you could get burned. If you walk into a seedy brothel in the developing world, your first thought should be "I might get drugged and robbed here" and not what you're going to type in the Yelp review later about their lack of ethics. | | |
| ▲ | bawolff 2 hours ago | parent | next [-] | | Well if we are going to use this analogy, 20 years ago virus scanners also flagged malicious stuff from p2p as a virus, and people still thought putting malicious content on p2p was a shitty thing for someone to do (even if it was somewhat expected). Nobody was shedding any tears 20 years ago for the virus makers who had their viruses flagged by virus scanners. | |
| ▲ | kay_o 3 hours ago | parent | prev | next [-] | | Given they are retroactively tampering with past archives it's not exactly trustworhy in the first place | | |
| ▲ | JasonADrury 2 hours ago | parent | next [-] | | Are they tampering with the actual content, or the stuff (login ui, etc) which they have always been open about tampering with? | |
| ▲ | vachina 2 hours ago | parent | prev [-] | | Proof? | | |
| |
| ▲ | Nuzzerino 3 hours ago | parent | prev [-] | | I always thought that mainstream media sites with paywalls were pretty far down there in the tier list of websites though. Not sure if this analogy lands unless irony was the goal. |
|
|
|
| ▲ | f-serif 2 hours ago | parent | prev | next [-] |
| A bit context if you are confused why Public DNS server blocking websites. 1.1.1.2 is Malware blocking DNS server similar to AdBlock DNS server. It is not 1.1.1.1 and 1.0.0.1 Here is the DDoS context
https://gyrovague.com |
|
| ▲ | razingeden 6 hours ago | parent | prev | next [-] |
| Cloudflare dns has gone back and forth on whether it wants to resolve them since 2019. It’s taken that away and restored it again (intentionally? mistake?) at least four times. The c&c/botnet designation would seem to be new though. |
| |
| ▲ | winkelmann 5 hours ago | parent | next [-] | | As far as I am aware, all previous issues with archive.today and Cloudflare were on account of archive.today taking measures to stop Cloudflare's DNS from correctly resolving their domains, not the other way around. The current situation is due to Cloudflare flagging archive.today's domains for malicious activity, Cloudflare actually still resolves the domains on their normal 1.1.1.1 DNS, but 1.1.1.2 ("No Malware") now refuses. Exactly why they decided to flag their domains now, over a month after the denial-of-service accusations came out, is unclear, maybe someone here has more information. | | |
| ▲ | Hamuko 4 hours ago | parent [-] | | Sounds a bit like when "Finland geoblocked archive.today". In all actuality, there was no geoblocking of the site in Finland by any authorities or ISPs, but rather it was the website owner blocking all Finnish IPs after some undisclosed dispute with Finnish border agents. When something bad happens, people seem a bit too willing to give archive.today the benefit of the doubt. |
| |
| ▲ | akerl_ 5 hours ago | parent | prev | next [-] | | Have they? The thing I remember previously was archive.is, and it wasn’t a block, archive.is was serving intentionally wrong responses to queries from cloudflare’s resolvers. This is notably not a change to how 1.1.1.1 works, it’s specifically their filtered resolution product. https://news.ycombinator.com/item?id=19828702 | |
| ▲ | altairprime 6 hours ago | parent | prev | next [-] | | Intentionally, I believe? archive.today iirc has explicitly blocking Cloudflare from resolving them at various times over the years due to Cloudflare DNS withholding requesting-user PII (ip address) in DNS lookups. Looking forward to when Google Safe Browsing adds their domains as unsafe, as that ripples to Chrome and Firefox users. | |
| ▲ | vachina 2 hours ago | parent | prev [-] | | > Cloudflare dns has gone back and forth. Just tells me they are an unreliable resolver. Instead of being a neutral web infra, they actively participate in political agendas and censor things they "think" is wrong. |
|
|
| ▲ | PeterStuer 3 hours ago | parent | prev | next [-] |
| Otoh, without archive.today a substantial % of HN posts would be unreadable for nearly all of the audience. |
| |
| ▲ | henearkr 2 hours ago | parent [-] | | I doubt it. You may have mixed it up with archive.org. | | |
| ▲ | JasonADrury 2 hours ago | parent [-] | | I suggest you double-check that. Archive.today/archive.is is the one which bypasses paywalls and makes unreadable content readable, not archive.org | | |
| ▲ | henearkr an hour ago | parent [-] | | Ah! You may well be right. Thanks. That's bad then, to depend on that for paywall bypass... I hope very much that the situation evolves into a more satisfactory one. |
|
|
|
|
| ▲ | charcircuit 5 hours ago | parent | prev | next [-] |
| When the heat dies down, hopefully this flag gets removed. |
| |
| ▲ | dydgbxx 5 hours ago | parent | next [-] | | Why? It’s accurate and if the owner has chosen to do this for months now, why should we ever trust they won’t again? Nobody should ever use that site and every optional filter should block them. | | |
| ▲ | winkelmann 4 hours ago | parent | next [-] | | There's probably a worthwhile discussion to be had about what it takes for a site in this situation to be removed from blocklists. An apology? Surrender to authorities? Halting the malicious activity for a certain period of time? Regardless, another user reports the attack is still ongoing[1], so this isn't a discussion that's going to happen about archive.today anytime soon. [1] https://news.ycombinator.com/item?id=47474777 | | |
| ▲ | ryandrake 4 hours ago | parent [-] | | I suppose “evidence that the site’s leadership has permanently changed” would convince me. Whoever decided to put in the code that causes visitors to DDOS someone should never be running a web site again. |
| |
| ▲ | leonidasv 3 hours ago | parent | prev | next [-] | | Also, they were caught tampering saved webpages as well, so the website cannot be trusted to fulfill it's main purpose anymore: https://arstechnica.com/tech-policy/2026/02/wikipedia-bans-a... | |
| ▲ | charcircuit 4 hours ago | parent | prev | next [-] | | >Why? Because once the problematic content is removed it should no longer be blocked. >It's accurate It is neither a C&C server for a botnet, nor any other server related to a botnet. I would not call it accurate. >Nobody should ever use that site It has a good reputation for archiving sites, has stead the test of time, and doesn't censor pages like archive.org does allowing you to actually see the history of news articles instead of them being deleted like archive.org does on occasion. | | |
| ▲ | 3eb7988a1663 4 hours ago | parent | next [-] | | The site started doctoring archived versions as part of the petty feud. That is, what was supposed to be a historical record, suddenly had content manipulated so as to feed into this fight[0]. There is no redemption. You want to be an archive, you keep it sacrosanct. Put an obvious hosting-site banner overlay if you must, but manipulating the archive is a red-line that was crossed. ...On 20 February 2026, English Wikipedia banned links to archive.today, citing the DDoS attack and evidence that archived content was tampered with to insert Patokallio's name.[19] The decision was made despite concerns over maintaining content verifiability[19] while removing and replacing the second-largest archiving service used across the Wikimedia Foundation's projects.[20] The Wikimedia Foundation had stated its readiness to take action regardless of the community verdict.[19][20]
[0] https://en.wikipedia.org/wiki/Archive.today | | |
| ▲ | boredhedgehog 2 hours ago | parent | next [-] | | That line of argument is rather misleading, as some kind of content manipulation is inherent to the service an archive that violates paywalls has to provide. It needs to conceal the accounts it uses to access these websites, and their names and traces are often on the pages it's archiving. Did AT go beyond that and manipulate any relevant part? That's rather difficult to say now. AT is obviously tampering with evidence, but so is Wikipedia; their admins have heavily redacted their archived Talk pages out of fear one of these pseudonyms might be an actual person, so even what exactly WP accuses AT of is not exactly clear. | |
| ▲ | charcircuit 2 hours ago | parent | prev [-] | | While I disagree with that action I still trust the site as a reliable source. Redemption is possible. Maybe not for Wikipedia, but I don't care about that site and consider it rotten. |
| |
| ▲ | InsideOutSanta 4 hours ago | parent | prev | next [-] | | It's not just problematic content, it's criminal behavior. And the site has a bad reputation for archival, given that the owner altered the content of archived articles. | | |
| ▲ | JasonADrury 2 hours ago | parent | next [-] | | >It's not just problematic content, it's criminal behavior. How is that supposed to be a big deal when the one of core services archive.today provides is obviously illegal anyway? | |
| ▲ | charcircuit 2 hours ago | parent | prev [-] | | The site commits copyright infringement by showing you content it doesn't have the rights for. This is not the kind of site to go on about morals for. >the site has a bad reputation Not compared to archive.org. archive.is has a much better track record. |
| |
| ▲ | gbear605 4 hours ago | parent | prev [-] | | It is in fact a botnet - they’ve been hijacking user browsers to act as a botnet to DDoS. | | |
| ▲ | charcircuit 3 hours ago | parent [-] | | Are Hacker News users part of a botnet since they link to sites that when people click they go down due to all of the traffic? Am I part of a botnet if I have HN open as it means HN can execute javascript? I think it's stretching the definition. |
|
| |
| ▲ | quotemstr 4 hours ago | parent | prev [-] | | Because it's not the place of a DNS resolver to police the internet. | | |
| ▲ | qzzi 4 hours ago | parent | next [-] | | 1.1.1.1 is simply a free DNS, 1.1.1.2 blocks malware, and 1.1.1.3 blocks both malware and adult content. It's a service that does exactly what it's supposed to do. | |
| ▲ | ryandrake 4 hours ago | parent | prev | next [-] | | If I specifically choose a DNS server that promises to not resolve sites that will use my computer in a botnet, then it is that DNS resolver’s place to do that. | |
| ▲ | dqh 4 hours ago | parent | prev | next [-] | | This particular revolver is an opt-in service for users that want Cloudflare to block anything that Cloudflare designates as malware. | |
| ▲ | bawolff 2 hours ago | parent | prev [-] | | Literally what the product is here. |
|
| |
| ▲ | bawolff 2 hours ago | parent | prev [-] | | Unlikely unless their behaviour changes. They arent being flagged because of the attention. |
|
|
| ▲ | andor 3 hours ago | parent | prev [-] |
| Bulletproof hosting service not happy that someone is running their C&C infrastructure elsewhere |
