Why not simply blacklist or rate limit those bot IP’s ?

If you have real traffic and bot traffic, you still need to identify which is which. On top of that, bots very likely don’t reuse the same IPs over and over again. I assume if we knew all the IPs used only by bots ahead of time, then yeah it would be simple to blacklist them. But although it’s simple in theory, the practice of identifying what to blacklist in the first place is the part that isn’t as simple

	▲	snehesht 9 hours ago \| parent [-]
		You wouldn’t permanently block them, it’s more like a rolling window. You can use security challenges as a mechanism to identify false positives. Sure bots can get tons of proxies for cheap, doesn’t mean you can’t block them similar to how SSH Honeypots or Spamhaus SBL work albeit temporarily.

▲

Bender 5 hours ago | parent | prev | next [-]

Why not simply blacklist or rate limit those bot IP’s ?

Many bots cycle through short DHCP leases on LTE wifi devices. One would have to accept blocking all cell phones which I have done for my personal hobby crap but most businesses will not do this. Another big swath of bots come from Amazon EC2 and GoogleCloud which I will also happily block on my hobby crap but most businesses will not.

Some bots are easier to block as they do not use real web clients and are missing some TCP/IP headers making them ultra easy to block. Some also do not spoof user-agent and are easy to block. Some will attempt to access URL's not visible to real humans thus blocking themselves. Many bots can not do HTTP/2.0 so they are also trivial to block. Pretty much anything not using headless Chrome is easy to block.

▲

phyzome 10 hours ago | parent | prev | next [-]

Because punishment for breaking the robots.txt rules is a social good.

▲

arbol 9 hours ago | parent | prev | next [-]

The AI companies are using virtually unlimited "clean" residential IPs so this is not a valid strategy.

▲

DaiPlusPlus 9 hours ago | parent [-]

How? They run their scraping and training infrastructure - and models themselves - from within those “AI datacenters”[1] we hear about in the news - and not proxying through end-users’ own pipes.

[1]: in quotes, because I dislike the term, because it’s immaterial whether or not an ugly block of concrete out in the sticks is housing LLM hardware - or good ol’ fashioned colo racks.

	▲	AyyEye 8 hours ago \| parent [-]
		Residential proxy networks.

▲

nextlevelwizard 5 hours ago | parent | prev | next [-]

Point is to kill or at least hinder AI progress

▲

aduwah 10 hours ago | parent | prev | next [-]

There are way too many to do that

▲

snehesht 9 hours ago | parent [-]

True, most of the blacklists systems today aren’t realtime like Amazon WAF or Cloudflare.

We need a Crawler blacklist that can in realtime stream list deltas to centralized list and local dbs can pull changes.

Verified domains can push suspected bot ips, where this engine would run heuristics to see if there is a patters across data sources and issue a temporary block with exponential TTL.

There are many problems to solve here, but as any OSS it will evolve over time if there is enough interest in it.

Costs of running this system will be huge though and corp sponsors may not work but individual sponsors may be incentivized as it’s helps them reduce bandwidth, compute costs related to bot traffic.

	▲	pixl97 9 hours ago \| parent [-]
		In the real-time spam market the lists worked well with honest groups for a bit, but started falling apart when once good lists get taken over by actors that realize they can use their position to make more money. It's a really difficult trap to avoid.

▲

xyzal 8 hours ago | parent | prev [-]

For the lulz