Brazil mass IP addresses AI scraping attack 11/02/2025

neptronix
I have noticed a 4x jump in the amount of bots hitting our site, and they all look like residential addresses in Brazil, on dozens of internet providers.
The rest of the web have noticed too. It's the largest botnet the internet has ever seen.


Because of how extremely distributed it is, there is no such thing as being able to determine what traffic coming from Brazil isn't part of an enormous scraping network. Over 99.99% of the traffic is fraudulent.

I'm sorry if you are in Brazil. We don't have a better answer. I would recommend running a VPN service to connect to ES until things change.

Brazil will be banned from this site on 11/04/2025.
 
From the Krebs on Security article:

"The hacked systems that get subsumed into the botnet are mostly consumer-grade routers, security cameras, digital video recorders and other devices operating with insecure and outdated firmware, and/or factory-default settings. Aisuru’s owners are continuously scanning the Internet for these vulnerable devices and enslaving them for use in distributed denial-of-service (DDoS) attacks that can overwhelm targeted servers with crippling amounts of junk traffic."

We were warned years ago, when IoT (Internet of Things) devices were just starting to become ubiquitous, that if left uncontrolled/unmanaged they could cause disaster. Might have been Krebs doing the warning. Or maybe Schneier? Guess their fears are coming true? Seems quite impossible to control ATM. Take one main perpetrator down and another assumes control within minutes:

“Folks were arrested and Rapper Bot control servers were seized and that’s great, but unfortunately the botnet’s attack assets were then pieced out by the remaining botnets,” he said. “The problem is, even if those infected IoT devices are rebooted and cleaned up, they will still get re-compromised by something else generally within minutes of being plugged back in.”

Will be interesting to see what effective solutions are devised. Your blocking of an entire country is clunky, yes, but what other reasonable alternatives are there?

PS: Recent travels throughout Brazil showed me that biking is less popular there than it was in the late 80s. Far more cars now, combined with dangerous infrastructure (to cyclists) make it an unsafe option. Uber is (relatively) cheap and well used, as is moto-taxi.

PPS: In the 80s I rode a locally made Monark brand one speed coaster brake bike there extensively. Heavy, and the front brake was a crude non-articulated "caliper" that was pulled up onto the inward surface of the (chromed steel) rim by a chromed steel rod that was bent in many directions until it finally terminated in a location and shape that vaguely resembled where a more refined brake lever would be. Imported bikes were exceedingly rare as they were prohibitively expensive (tariffs).

It survived many many trips getting me around town and riding my girlfriend to work and back. She sat side-saddle on the rear (chromed steel) rack.

EVs are just starting to make a presence there, mostly among Uber drivers that have a way to charge them. BYD and some other Chinese brands. The drivers that have them (almost all financed by another party, like a manager or patron) act like they're sitting on a goldmine and don't widely brag about it. Great cost savings where fuel is expensive. We'll see how long these EVs hold up as there are lots of cobblestone streets in historical areas and numerous abrupt speed bumps throughout residential areas.
 
What would really suck is if they got together a grip of US IoT devices. Americans really love their insecure garbage.

Yep, this is an externality of the tech world's complete lack of security, combined with the internet being an anarchy that barely works (virtually no policing), but increasingly no longer does. Some % of it may also be 'free VPN apps' or someone getting paid by a company to use their internet as a residential proxy.

Problem: the person making insecure devices or software pays zero price for any externalities someone else incurs as a result of using it.

I have been thinking about this non-stop since last night, and have studied some best practices for AI scrapers and how they evade things. I've got a really devious idea in mind that could form a plan B, that I think nobody has detailed online yet, and could throw a really big spanner in the machinery for these operators. I'll explore that next week.

Do these hackers ever attack via a VPN?

I wouldn't call them hackers, but information thieves, who would like to repackage this website's content and remove the credit in the process, and they probably work for really large corporations who have very loose ethics, who don't deserve the opportunity.

In the Brazil case it's a ton of residential ISP connections who all look like home internet users scattered across dozens of various ISPs. For all intents and purposes, looks like legitimate traffic. But there is no explosion of Brazilian users if you have noticed.

Brazil historically makes up 0.5% of our traffic, btw
 
Uhhh, apparently that is already happening:

"The world’s largest and most disruptive botnet is now drawing a majority of its firepower from compromised Internet-of-Things (IoT) devices hosted on U.S. Internet providers like AT&T, Comcast and Verizon, new evidence suggests. Experts say the heavy concentration of infected devices at U.S. providers is complicating efforts to limit collateral damage from the botnet’s attacks, which shattered previous records this week with a brief traffic flood that clocked in at nearly 30 trillion bits of data per second."

From:

Looks like neptronix is correct; this could be a major problem for the ES website:

"In recent months, multiple experts who track botnet and proxy activity have shared that a great deal of content scraping which ultimately benefits AI companies is now leveraging these proxy networks to further obfuscate their aggressive data-slurping activity. That’s because by routing it through residential IP addresses, content scraping firms can make their traffic far trickier to filter out."


From:
 
Brazil marked safe for now, as the bot network seems to have dropped off, either because they ran out of IP addresses, or lifted all the data they needed.

Still gonna build the powerful stuff because i am tired of being interrupted on the weekends over this sheet.
 
Maybe there is even a market for it?

I'm thinking about it. This next layer should really kick ass, longterm, since it's modeled on how bots have to work to evade ordinary defenses. Once they stop doing that, they fall into the ordinary defenses. No more winning for them :devilish:

Problems:
- it's simple and easily copied; if it's plastered all over the web, it would rapidly get studied and then become worthless, and lead to an 'everyone has to click a captcha' internet, since all of the possible chess moves would have been studied and known
- it requires tuning around how the application works in order to beat Cloudflare, otherwise it'd just be on par with Cloudflare (which I think is going to break in the next 12 mo.)
- this last layer requires you to inject some code at the start of the app to track the necessary low-level signals

I think if someone's interested, they could hire me to do an integration and leave them with all the training materials they need to have their tech person tune it on a perpetual basis. The organization would need to sign an NDA. And that's my best case of keeping the secret sauce relatively secret.

Otherwise I just don't know a feasible way to package and distribute the solution en masse. That's where Cloudflare kicks my ass.
 
At least we're not dealing with this
Hey everyone,

Just wanted to share a bit of what’s been going on behind the scenes here at Wrongtools lately — partly to vent, and partly to give a little peek and info into what it can be to run a company on the internet in 2025.

Over the past couple of weeks, we’ve had (for example) 1070 failed “purchase attempts” on Feathersome Strings alone.

And here's the thing: these aren’t the spam attempts — these are BOTS correctly filling in all the required fields, creating accounts, and making proper sample-library orders, and, when they are lucky, making successful payments with stolen or test credit cards (!!!!). Kid you not.

Basically, it looks like they’re using our checkout as a testing ground to see which cards work. At least that is the only sense I can make out of this.

So we end up with a stream of fake orders that appear perfectly valid — until the chargebacks start rolling in.

We catch most of them quickly and immediately return the funds, but PayPal still charges €16 per case for “fraudulent transaction handling” (if the bank on the other end files a complaint). It’s frustrating, because we’re not the ones doing anything wrong — we’re the ones trying to stop the fraud.


We’ve now installed and activated extra security measures through PayPal and our store backend, and things finally seem to be slowing down a bit. Actually stopped for a week. Fingers crossed it keeps that way....

Luckily we have invested in a solid technical infrastructure for the shop, so things can easily be cleaned up... I suspect, if we had gone for a cheaper solution, our whole database would collapse. As well as our mailing list.

I know many of you here run your own small companies too, so I figured you might relate.... donno....

The internet used to feel like a playground, but these days it’s starting to feel like a minefield patrolled by bots and AI-generated content, spreading :emoji_poop: disturbance.


– Kaada
 
I was being facetious, since if you post how it works, it could be "easily" defeated. :lol:
Or not.
I could string 9 proxies together and you'd never find my IP.
Well, maybe not in this day and age. 4-5 would be enough and have to be.
 
Checking in.

The squadron of bots has moved from Brazil to China and Singapore again.
They have a new tactic where they have some thousands of IP addresses randomly hitting the front page to look for new posts. Then they rapidly crawl that post.

That makes me think these AI scrapers eventually got a whole copy of the site and are looking for updates.
The problem is that they're wasting an enormous amount of bandwidth to do so.
The situation is halfway as bad as the mega influx in September. So reinforcing the hull needs to be done soon.


I studied what the best Cloudflare tunes look like (the guy who runs bobistheoilguy.com was very helpful) and how Anubis works, and found out that I can actually design something stronger, more adaptable, and more precise than both.

The design aspect of my next-gen system is 80% complete and I ended up with 4 novel protection methods instead of just 2.

Shaping up to be a badass tool so far; can't wait to start on the proof of concept sometime next week once things die down at the shop and see what kinds of decisions it makes.

More news in a few weeks!
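An added check for the front-page-then-crawl pattern described above (example code, not from the thread and not neptronix's tool): it reads combined-format access log lines and reports, per path, how many distinct client IPs fetched it, the total hits, and the spread in seconds, so a burst of many addresses on one new thread stands out. The log lines are constructed samples.

```shell
#!/bin/sh
# Added example, not from the thread: spot a swarm of distinct IPs hitting one
# path (the front page, then a fresh post) in a combined-format access log.
# Assumes standard combined log format: client IP in field 1, timestamp in
# field 4, request path in field 7. Sample lines below are constructed.
LC_ALL=C; export LC_ALL

# path_stats: reads log lines on stdin, prints "PATH DISTINCT_IPS HITS SPAN_SECONDS"
# (span = seconds between first and last hit on that path, same day assumed)
path_stats() {
  awk '
    {
      ip = $1; p = $7
      split($4, t, ":")                  # "[01/Dec/2025:10:00:01" -> h, m, s
      s = t[2] * 3600 + t[3] * 60 + t[4]
      hits[p]++
      if (!((p, ip) in seen)) { seen[p, ip] = 1; ips[p]++ }
      if (!(p in mn) || s < mn[p]) mn[p] = s
      if (!(p in mx) || s > mx[p]) mx[p] = s
    }
    END { for (p in hits) print p, ips[p], hits[p], mx[p] - mn[p] }
  ' | sort -k2,2nr -k1,1
}

# flag_swarm MIN: only paths fetched by at least MIN distinct IPs (default 50)
flag_swarm() {
  path_stats | awk -v min="${1:-50}" '$2 >= min'
}

# Constructed sample: four IPs poll "/" within 3 s, three more fetch the new
# thread within 1 s, one ordinary visitor reads an old thread.
LOG='192.0.2.11 - - [01/Dec/2025:10:00:01 +0000] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
192.0.2.12 - - [01/Dec/2025:10:00:02 +0000] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
192.0.2.13 - - [01/Dec/2025:10:00:02 +0000] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
192.0.2.14 - - [01/Dec/2025:10:00:03 +0000] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
192.0.2.11 - - [01/Dec/2025:10:00:04 +0000] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
192.0.2.21 - - [01/Dec/2025:10:00:05 +0000] "GET /threads/new-post.123/ HTTP/1.1" 200 9000 "-" "Mozilla/5.0"
192.0.2.22 - - [01/Dec/2025:10:00:05 +0000] "GET /threads/new-post.123/ HTTP/1.1" 200 9000 "-" "Mozilla/5.0"
192.0.2.23 - - [01/Dec/2025:10:00:06 +0000] "GET /threads/new-post.123/ HTTP/1.1" 200 9000 "-" "Mozilla/5.0"
198.51.100.7 - - [01/Dec/2025:10:05:00 +0000] "GET /threads/old-post.7/ HTTP/1.1" 200 8000 "-" "Mozilla/5.0"'

# On a live server: tail -n 20000 /var/log/nginx/access.log | flag_swarm 50
printf '%s\n' "$LOG" | flag_swarm 3
```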
 

What you're describing is a practice called 'carding'.

There are organized crime groups that buy dumps of credit cards/names/phone numbers/email addresses and go run them on a ton of various ecommerce things to see if they succeed or fail in order to test if the cards are valid or not.


That reminds me that there are a couple of ways to fingerprint people who are behind a single or multiple proxy setup. I should implement that.
 
So the bots have been giving us trouble. One of them likes to leave a ton of TCP/IP connections hanging and made our site unstable for some minutes over the last couple of days.

I read up on the Linux kernel TCP/IP settings and was able to mount a defense that seems to be working thus far. It's the first time I've had to combat such a problem.

We seem to be in the clear for the last 24h but we'll see.

Over the holiday I spent some time researching the fastest in-memory databases to power my more advanced protection system and I found two candidates which should lower the impact to +1-3ms per web hit by having PHP lean heavily on a well-optimized piece of C++.

I think this system is feasible from a performance perspective now and will get started on benchmarks and writing a prototype as soon as I have time.
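An added diagnostic for the hanging-connection symptom above (example code, not from the thread and not the tuning neptronix applied): before touching kernel settings it helps to see which states the sockets are stuck in and which peers own them. It parses `ss -tan` output on stdin; the sample below is constructed.

```shell
#!/bin/sh
# Added example, not from the thread: summarise non-established TCP sockets by
# state and by peer address from `ss -tan` output, to see what a bot leaves
# hanging (SYN-RECV, CLOSE-WAIT, FIN-WAIT-2 ...) before tuning the kernel.
# Sample output below is constructed; the field layout matches `ss -tan`
# (State Recv-Q Send-Q Local:Port Peer:Port). Usage on a live host:
#   ss -tan | count_states ; ss -tan | top_peers 50
LC_ALL=C; export LC_ALL

# count_states: prints "STATE COUNT" for every non-ESTAB state, sorted by name
count_states() {
  awk 'NR > 1 && $1 != "ESTAB" { n[$1]++ } END { for (s in n) print s, n[s] }' | sort
}

# top_peers MIN: prints "PEER COUNT" for peers holding >= MIN non-ESTAB sockets,
# busiest first; the port is stripped so one host's sockets are added together
top_peers() {
  awk -v min="${1:-10}" '
    NR > 1 && $1 != "ESTAB" {
      ip = $5; sub(/:[0-9]+$/, "", ip)   # "192.0.2.55:40001" -> "192.0.2.55"
      n[ip]++
    }
    END { for (ip in n) if (n[ip] >= min) print ip, n[ip] }
  ' | sort -k2,2nr -k1,1
}

# Constructed sample: one peer (192.0.2.55) leaves several sockets half-closed
SAMPLE='State Recv-Q Send-Q Local Address:Port Peer Address:Port
ESTAB 0 0 203.0.113.10:443 198.51.100.7:51234
ESTAB 0 0 203.0.113.10:443 198.51.100.8:51235
CLOSE-WAIT 1 0 203.0.113.10:443 192.0.2.55:40001
CLOSE-WAIT 1 0 203.0.113.10:443 192.0.2.55:40002
CLOSE-WAIT 1 0 203.0.113.10:443 192.0.2.55:40003
SYN-RECV 0 0 203.0.113.10:443 192.0.2.56:40010
SYN-RECV 0 0 203.0.113.10:443 192.0.2.55:40011
FIN-WAIT-2 0 0 203.0.113.10:443 198.51.100.9:51240'

printf '%s\n' "$SAMPLE" | count_states
printf '%s\n' "$SAMPLE" | top_peers 2
```

A peer that dominates the CLOSE-WAIT count is the application failing to close sockets the client abandoned, while a pile of SYN-RECV points at the accept queue and SYN backlog; the two call for different fixes.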
 
I like your setup. IMO, it's the best way. Some people might use Cisco, but..
I know dudes that set up servers with hardware firewalls. A couple still have their own domains and e-mail servers and sites.
They built their servers and firewalls. Maybe that's why I gravitate to the e-bike stuff, because it's still mosfets or "chokes" as Shamwow calls them, and caps and resistors n stuff.
I got a dude I could send a controller to and would weld a VR onto any resistor on the board I wanted him to,
or extra/bigger caps or whatever. I've seen some stuff!
I'm a hack solderer and hot gluer. :LOL:
Me has limitations. I kinda know how it works, but the fine stuff, cannot do.
I do know people that can, though.
 
Cisco is constantly getting hacked.. I won't touch it.. you will only see me using open source routers.

With AI scrapers using very sophisticated means (they walk right through Cloudflare lately), every system is going to need something akin to what I'm describing: a software-defined defense mechanism that utilizes information from inside the application. A traditional hardware/software firewall cannot do this and falls behind on intelligence due to that.

If you are greeted with 'click the box to continue' on a website.. that means the website operator cannot figure out things and gave up..

We will continue our rogue path because it's the only path that actually works..
 
Speaking of that..

Looks like the TCP/IP stack tuning worked.. before this.. I was seeing spikes up to 1000+ connections and the site would cut out..
It looks like stock Linux has a really bad tune for a higher-traffic site such as ours.


Another win for: trying stuff and seeing what happens.
 
We have a young cat, 3 yrs old now. He's watching me type right now. Mother named him 4 paws, changed it to monkey. Likes to get on the highest shelves or where all the knick-knacks are and knock them off.

I'm pretty sure this is how curio cabinets got invented.
 