Weird message to include in AGPLv3 licensed software (which explicitly allows people to use software however they like, regardless of their beliefs or feelings).
grep -m1 -E ^Tot /proc/net/fib_triestat ;ip route | grep -Fc blackhole
Total size: 56735 kB
426951
Those 426951 blackhole routes include data-centers, VPS providers, botnets, AI datacenters that ignore robots.txt, search engines, abused CDN's, known bad residential nodes and much more. I still see a few residential proxy bots that do a halfway decent job of pretending to be real people at times but the feds are playing whack-a-mole with them. The bots self report to my silly blog so I can block them elsewhere on systems I might care a little bit about. Happy to share them if anyone is remotely interested.I also use a couple generalized rules in nftables raw table that keeps a lot of beyond poorly written bots away including hping3 tcp floods and masscan. My rules to port 443 are stateless. One must not taunt the state table.
My experience is that modern web scraping had no obvious pattern, since it is proxied through many IPs. The last time a server was failing to handle the pressure, we decided to temporarily ban IPs from some Asian regions. How does the FSF decide to ban an IP?
Why do they use iptables + ipset instead of nftables? Is there a technical reason or is it just legacy? AFAIK, Nftables is more performant, and IMO simpler. And it has native sets, see https://wiki.nftables.org/wiki-nftables/index.php/Sets
Firewalld had a similar issue up until recently as well.
https://www.gnu.org/philosophy/javascript-trap.html
Users can't consent to running a page's javascript the way they can consent to running a program they've intentionally downloaded, so it's effectively "non-free" regardless of license.
I identify features (which can be expressed as firewall rules) from log data; I write totals to a temporary store (Redis). I have periodic tasks which scan the temp store for patterns which exceed thresholds. When that occurs, fail2ban creates the appropriate rules. This occurs in depth and in concentric rings.
Et tu?
It's no more of a botnet than ProtonVPN for example. Apps intentionally added the Popa SDK to their apps as a monetization method. This allows apps without ads and tracking to be financially viable. I would expect FSF to support apps being able to move off of monetization schemes that depend on tracking people so it is disappointing for them to put such alternative monetization technologies in a negative light.
I get they're DDoS; but take the mask off, and arn't they just the AI monied interests that fund the FSF? and a lot of them are just active inference, eg, the user is trying to ask about something and the AI monied interests setup a web scraper to go and get that data.
Just seems like no one wants to call out the hand that feeds them in a human centipede that's best described as the torment nexus.
I'm most concerned about blocking innocent users, currently I use Cloudflare to block known bad ASNs using a list I found on GitHub.
This is something we've been forced to do at work, a LOT. Some weeks it's Huawei Cloud, Tencent, and Alibaba. Other weeks it's all China Telecom. We're using Anubis where possible, but a lot of it is just whack-a-mole with residential proxies. I looked at Datadome and HUMAN, but they would be hundreds of thousands a year at our traffic scale, and I suspect may also have false positives. We abandoned CrowdSec for that reason as well.
I'd love to find a decent k8s native solution to this problem.
Won't, they call it malware: https://www.fsf.org/blogs/sysadmin/our-small-team-vs-million...
The only IP's that come and go are the Tor 30 day blocklist and a couple FireHOL attackers from a repo though I will sometimes leave the last entries live until reboot. I do not really need to block tor but I use this silly blog as a testing ground. Tor and some known abusers come from a git repo I refresh periodically.
The data-centers, VPS providers, CDNs, known botnets are perma-banned. For my hobby nodes I personally find this acceptable. I would not do this in a professionally managed data-center. There are better methods for those cases especially for B2B corporate arrangements. Regardless of what daemons I run I never have external dependencies that need to be accessed from my node or from the client with exception of stratum-1 time servers.
I do have to periodically update the CIDR blocks for given ASN's. I have not automated this but I probably should some day. It's not hard to automate, I am just excessively "efficient". I was told to stop calling myself lazy, but I am.
Methods 2, 3 and 5 are the ones I talk about here. [1]
[1] - https://nochan.net/b/Internet-Crap/20260606-How-To-Block-Som...
What I can see is a fairly clear indication that they do not want contributions from people whose politics differ from theirs. I would also question whether government funding of a project with political policies about who can participate is appropriate. The political stance is also rooted in a particular culture so is unwelcoming to people from other cultures.
Of course people can political views and preferences, but they presumably have some aim in mind when making that statement in the README. What is that aim?
Can you elaborate on who these interests are precisely?
https://anubis.techaro.lol/docs/admin/configuration/challeng...
I guess for the meta refresh challenge it's less "proof of work" and more "proof of patience".
The only real solution to bots is making users log in. And even then you have to fight registration bots.
This is the same FSF that in the past has refused contributions from people whose politics include "I would like this software to run on my windows/apple/other proprietary platform". They're extremely political.
Because you can have preferences while not restricting legal rights.
Do you have a blog post about your automated fail2ban rule generation?
I pay for some software services. The services I pay for have a billing page (or a donation page) and I pay via the banking system
I rigorously block every ad, every tracker, every thing that does "monetization"
The evil period of trying sneaky ways to generate money is, I am optimistic, coming to an end.
If you want my money, ask me. If you must have my money, demand it. If you are sneaking around "monetization" I will do everything I can to stop you.
The GPL variants are the antithesis of politically neutral.
That's why I eventually let those go usually after a kernel update and the git repo for FireHOL gets updated often. The kernels get updated often. I only perma-ban the data-centers which is fine for my silly blog and probably for some peoples hobby sites. People can chose which methods to apply, how to apply them or which ones to skip entirely.
Excellent username btw. Those SNL Celebrity Jeopardy episodes are unforgettable. [1]
The existence of an app brings users value, else they wouldn't use it.
You got a genuinely free, to you, app.
and I doubt these apps are really Free versions - do they support user modifications and access to the code? If they did support the four freedoms maybe the fsf would have something positive to say to balance it out?
"If the point is to promote Free Software, we do ourselves a disservice by making our Free Software work better on a proprietary system than a Free system. Let's include this support when it works on the Free platforms as well."
FSF is political, but only about Free Software. Their goal is to promote it, and I think RMS has shown very clear thinking in this regard. I don't love the decision/outcome (someone did work to make something better and it was rejected), but I get it in service of the larger goal.
To flip the pschology, you could imagine a world where Emacs did way more awesome stuff on Windows and Mac, and the ensuing HN discussion where the obvious snipe appears a dozen times: "lol they keep talking about free software but their own products work better on windows lol".
— Published on Jul 09, 2026 11:29 AM
I have written about the FSF facing DDoS attacks several times, including on doing our part to clean up the internet and on Uptime Kuma, as well as "Defending Savannah from DDoS attacks". But I realized recently that I left out an important tool that we use extensively. Today I will talk about reaction. With the rise of aggressive scrapers building datasets to train LLMs, we needed to invest a lot of resources into thwarting the attackers. During this journey, we had several growing pains.
We noticed patterns in the scrapers that were abnormal, which gave us material for writing regular expressions. Searching for the regular expression then gave us a large lists of IP addresses. Looking up the origin of those IP addresses revealed that some of the crawlers were using botnets of residential IP addresses to scrape faster and avoid detection.
We looked for what kinds of botnets might be generating the kind of traffic that we were seeing, and one that we suspected was called the "Vo1d" botnet, comprised of smart TVs running some sort of compromised app. Recently, more information has come out about the Vo1d/Popa botnet. Security researchers at Qurium, a digital forensics investigation organization, intentionally ran a node and published the data. We got confirmation that at least some of the botnet traffic hitting GNU Savannah was originating through the Vo1d/Popa botnet.
We placed our regular expressions in fail2ban, and found that we were hitting the maximum rules that could be added to UFW firewall rules on our systems which showed degradation around 65,000 rules. fail2ban is a program that can read the stream of log files and perform actions when certain conditions are met. The actions are typically banning an address with a firewall like UFW, which blocks or allows connections to and from a server. We learned about ipset and configured fail2ban to add IP addresses that it found to IP sets. Using ipset, we kept building larger IP sets and did not find instability with as large as five million rules.
We used fail2ban with ipset for a while but ran into limits of its architecture with Python and SQLite. We rolled our own solutions as a quick patch several times with BASH, awk, Perl, etc. to find the address matching the pattern and add the rule to ipset without an additional intermediary database. The custom scripts worked for a moment, but it became difficult to manage when we had to run several little scripts as more patterns appeared. Not all of the patterns should be banned on first appearance either so we needed a solution like fail2ban. We looked for fail2ban alternatives written recently. We found several, but many of them were written as one-off showcases rather than well-maintained solutions that would last. We eventually found a promising project on Framasoft's forge Framagit called reaction written by ppom.
It took us a bit of time to understand how to configure reaction. Unlike fail2ban, reaction does not come with a working configuration and you must build your own configuration with what is relevant to your needs from example documentation. There was not an example for using ipset so we had to build one. Overall, this approach is very good because we now have a configuration that has everything we need and very little that we do not need.
After we ran into scaling issues with our initial implementation, we developed a much faster implementation where the reaction shutdown process would export the IP sets to disk and the reaction startup process would restore the IP sets. This allowed us to have nearly instantaneous restarts of the service to apply new rules. We published both of our configurations upstream to reaction's wiki so that everyone can benefit from it. reaction's getting started documentation now leads to the method that we proposed.
This work is not possible without your support. Because of free software supporters just like you, we can continue to find new patterns, block crawlers and mitigate DDoS attacks, and share our improvements with everyone. We know not everyone is in a position to give, but if you can, support our efforts by joining the FSF as an associate member. An associate membership is a great show of support we can rely on. The FSF does not compromise when it comes to defending your freedom. Without the continued commitment of people like you, the progress we have made is in danger, and software freedom could be reduced to a mere wish instead of today's reality. Please help us continue to protect software freedom and increase its global support. Every membership this summer will help us towards our goal of 175 new members. Associate members will also be able to enjoy all the member benefits which include merchandise discounts, a 16GB bootable membership card, and use of our associate member videoconferencing server.
Many sysadmins know about fail2ban, but not enough people know about reaction. I am very grateful to ppom for the help they have provided and for the tremendous project they have released to the world with reaction. We have implemented other defenses as well, but reaction is doing the majority of the automated work keeping our sites online.