The FSF Faces Active 'Ongoing and Increasing' DDoS Attacks (fsf.org)
The Free Software Foundation's services face "ongoing (and increasing) distributed denial of service (DDoS) attacks," senior systems administrator Ian Kelling wrote Wednesday. But "Even though we are under active attack, gnu.org, ftp.gnu.org, and savannah.gnu.org are up with normal response times at the moment, and have been for the majority of this week, largely thanks to hard work from the Savannah hackers Bob, Corwin, and Luke who've helped us, your sysadmins."
"We've shielded these sites for almost a full year of intense attacks now, and we'll keep on fighting these attacks for as long as they continue." Our infrastructure has been under attack since August 2024. Large Language Model (LLM) web crawlers have been a significant source of the attacks, and as for the rest, we don't expect to ever know what kind of entity is targeting our sites or why.
- In the fall Bulletin, we wrote about the August attack on gnu.org. That attack continues, but we have mitigated it. Judging from the pattern and scope, the goal was likely to take the site down and it was not an LLM crawler. We do not know who or what is behind the attack, but since then, we have had more attacks with even higher severity.
- To begin with, GNU Savannah, the FSF's collaborative software development system, was hit by a massive botnet controlling about five million IPs starting in January. As of this writing, the attack is still ongoing, but the botnet's current iteration is mitigated. The goal is likely to build an LLM training dataset. We do not know who or what is behind this.
- Furthermore, gnu.org and ftp.gnu.org were targets in a new DDoS attack starting on May 27, 2025. Its goal seems to be to take the site down. It is currently mitigated. It has had several iterations, and each has caused some hours of downtime while we figured out how to defend ourselves against it. Here again, the goal was likely to take our sites down and we do not know who or what is behind this.
- In addition, directory.fsf.org, the server behind the Free Software Directory, has been under attack since June 18. This likely is an LLM scraper designed to specifically target MediaWiki sites with a botnet. This attack is very active and now partially mitigated...
Even though we are under active attack, gnu.org, ftp.gnu.org, and savannah.gnu.org are up with normal response times at the moment, and have been for the majority of this week, largely thanks to hard work from the Savannah hackers Bob, Corwin, and Luke who've helped us, your sysadmins. We've shielded these sites for almost a full year of intense attacks now, and we'll keep on fighting these attacks for as long as they continue.
The full-time FSF tech staff is just two systems administrators, "and we currently lack the funds to hire more tech staff any time soon," Kelling points out. Kelling titled his post "our small team vs millions of bots," suggesting that supporters purchase FSF memberships "to improve our staffing situation... Can you join us in our crucial work to guard user freedom and defy dystopia?"
Kelling also points out they're also facing "run-of-the-mill standard crawlers, SEO crawlers, crawlers pretending to be normal users, crawlers pretending to be other crawlers, uptime systems, vulnerability scanners, carrier-grade network address translation, VPNs, and normal browsers hitting our sites..."
"Some of the abuse is not unique to us, and it seems that the health of the web has some serious problems right now."
How about using what other sites use (Score:2)
Crowdflare, CAPTCHAs, ... ?
Re:How about using what other sites use (Score:5, Insightful)
Proprietary software running proprietary services. Much of the good stuff we have today exists only because people involved in the FSF refused to use proprietary software. We see from the recent changes to the AOSP how completely dangerous the decision to rely on proprietary drivers and blobs has been. Let's be grateful for the method in the madness.
Re: (Score:1)
Sure, cede more power to one company covering half of the Internet.
Re: (Score:3, Interesting)
Whenever I get a Cloudflare challenge, I go to another site. I get treated like a criminal in my real life, I don't need to be treated like one in my online life.
Re: How about using what other sites use (Score:1)
I agree, it seems pretty silly to try and handle this yourselves. Nothing against the two folks trying to defend but it seems to me like a losing battle.
do not understand (Score:5, Interesting)
they could deploy anubis -- which is free software! -- and put an immediate stop to 99% of the problematic crawlers, but they've decided it violates their principles because it does computations the user doesn't want and is therefore malware.
I guess TLS negotiation is also malware?
even more reason to not donate to them if they're going to burn it on running two sysadmins ragged when a free software solution already exists.
Re:do not understand (Score:5, Informative)
The Free Software Foundation's position (from the linked-to article)...
"Anubis makes the website send out a free JavaScript program that acts like malware. A website using Anubis will respond to a request for a webpage with a free JavaScript program and not the page that was requested. If you run the JavaScript program sent through Anubis, it will do some useless computations on random numbers and keep one CPU entirely busy. It could take less than a second or over a minute. When it is done, it sends the computation results back to the website. The website will verify that the useless computation was done by looking at the results and only then give access to the originally requested page.
"At the FSF, we do not support this scheme because it conflicts with the principles of software freedom. The Anubis JavaScript program's calculations are the same kind of calculations done by crypto-currency mining programs. A program which does calculations that a user does not want done is a form of malware. Proprietary software is often malware, and people often run it not because they want to, but because they have been pressured into it. If we made our website use Anubis, we would be pressuring users into running malware. Even though it is free software, it is part of a scheme that is far too similar to proprietary software to be acceptable. We want users to control their own computing and to have autonomy, independence, and freedom. With your support, we can continue to put these principles into practice."
Re:do not understand (Score:4, Insightful)
Not to mention the ecological implications of this. Every time an Anubis challenge is responded to, some energy is wasted and some extra CO2 gets pushed into the atmosphere, and this is completely unneeded.
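To make concrete the challenge-and-verify scheme the FSF text quoted above describes, here is an added hashcash-style proof-of-work sketch in Python. It is not Anubis's code and is not from the page or its commenters; the SHA-256 construction, the "challenge:counter" encoding and the 16-bit difficulty are assumptions chosen for illustration. Its point is the cost asymmetry: the server spends one hash to verify, the client about 2^difficulty hashes to solve.

```python
import hashlib
import secrets

DIFFICULTY = 16  # required leading zero bits; the client expects about 2**16 hash attempts

def make_challenge():
    """Server side: a fresh random nonce, so a solved challenge cannot be replayed."""
    return secrets.token_hex(16)

def leading_zero_bits(digest):
    """Count leading zero bits of a 32-byte SHA-256 digest."""
    return 256 - int.from_bytes(digest, "big").bit_length()

def pow_hash(challenge, counter):
    # Assumed encoding for this illustration: challenge and counter joined by ':'
    return hashlib.sha256(f"{challenge}:{counter}".encode()).digest()

def solve(challenge, difficulty=DIFFICULTY):
    """Client side: find the smallest counter whose hash clears the difficulty bar.
    Returns (counter, hashes_tried). The hashes have no use beyond proving effort,
    which is the 'useless computation' the FSF text objects to."""
    counter = 0
    while leading_zero_bits(pow_hash(challenge, counter)) < difficulty:
        counter += 1
    return counter, counter + 1

def verify(challenge, counter, difficulty=DIFFICULTY):
    """Server side: one hash, whatever the client had to spend to find the counter."""
    return leading_zero_bits(pow_hash(challenge, counter)) >= difficulty

if __name__ == "__main__":
    ch = make_challenge()
    counter, tried = solve(ch)
    print(f"counter={counter} after {tried} hashes; verify={verify(ch, counter)}")
```

Raising DIFFICULTY by one bit doubles the client's expected work while the server's verification cost stays at a single hash, which is what makes the burden land on the visitor's CPU.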
Re: (Score:1)
No. The result of the TLS negotiation is a shared key which is used to encode the data transferred.
In the case of anubis (if I understand correctly), the only purpose of the calculation is to waste cycles on the user's computer, making it onerous for crawlers and bots to download a whole website. If that's right, it does smell like crypto shit (crypto as in crypto bros / bitcoin / doge / etc, not as in differential cryptography), and I can perfectly understand their ra
Hmm (Score:2)
This likely is an LLM scraper designed to specifically target Media Wiki sites with a botnet.
What does that even mean?
LLMs doing crawling? That might be ill-behaved, but not an "attack".
Or does it mean LLM-written attack software?
Or "attack software that somehow utilizes some LLM"?
Re: (Score:2)
Re:Hmm (Score:4, Interesting)
> "LLMs doing crawling? That might be ill-behaved, but not an 'attack'."
Some of us will think of it as an attack when the bots ignore robots.txt (or honor changes very slowly), masquerade intentionally as something they are not, and use tons of different addresses hitting the same site, especially when it is continuous. I discovered this, myself, on a small internet-connected club server late last year. The MediaWiki site was becoming unresponsive and throwing errors. On investigation, we were having dozens of HTTP requests per second, from Amazon and Bytedance. Every one of them was coming from a different IP address. Only our main page was allowed in robots.txt, so SOMETHING would end up on search sites, but the bots didn't care. I changed it to ignore everything on the site, instead of just the main page, but that apparently isn't checked very often. It took me hours of manually banning over a thousand IP addresses before the server could reasonably respond to web requests again.
Example hit:
47.128.50.93 - - [22/Sep/2024:15:03:05 -0400] "GET /mediawiki/index.php?days=30&from=20240920012115&title=Special%3ARecentChanges HTTP/1.1" 200 10111 "-" "Mozilla/5.0 (Linux; Android 5.0) AppleWebKit/537.36 (KHTML, like Gecko) Mobile Safari/537.36 (compatible; Bytespider; spider-feedback@bytedance.com)"
Eventually, the overwhelming majority of the "robots" (web scrapers) did honor robots.txt disallowing everything, some just did so very lazily and took days of attempted hammering us before stopping. I still haven't removed the IP blocks nor put robots.txt back to allowing just the main page.
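The "many different IPs, same crawler, continuous hits" pattern this comment describes can be checked mechanically rather than by eyeballing the log. Here is an added Python script (not the commenter's, the FSF's or any project's code) that parses combined-format access log lines, groups them by the crawler token inside the "(compatible; ...)" clause, and flags any family arriving from several distinct addresses at a sustained rate. The first sample line is the hit quoted above; the other lines, their RFC 5737 addresses and the thresholds are constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime

# Apache/nginx "combined" format: ip ident user [time] "request" status size "referer" "agent"
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
                    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$')
def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["time"] = datetime.strptime(rec["time"], "%d/%b/%Y:%H:%M:%S %z")
    return rec

def crawler_family(agent):
    """Key on the '(compatible; ...)' token: Bytespider hides behind a mobile-Safari prefix."""
    m = re.search(r"\(compatible; ([^;)]+)", agent)
    return m.group(1).strip() if m else "browser-like"

def find_distributed_crawlers(lines, min_ips=3, min_rps=0.5):
    """Return {family: (distinct_ips, req_per_sec)} for families seen from many IPs at a sustained rate."""
    by_family = defaultdict(list)
    for rec in filter(None, map(parse_line, lines)):
        by_family[crawler_family(rec["agent"])].append(rec)
    flagged = {}
    for family, recs in by_family.items():
        ips = {r["ip"] for r in recs}
        times = [r["time"] for r in recs]
        rps = len(recs) / max((max(times) - min(times)).total_seconds(), 1.0)
        if len(ips) >= min_ips and rps >= min_rps:
            flagged[family] = (len(ips), round(rps, 2))
    return flagged

BYTESPIDER_UA = ("Mozilla/5.0 (Linux; Android 5.0) AppleWebKit/537.36 (KHTML, like Gecko) "
                 "Mobile Safari/537.36 (compatible; Bytespider; spider-feedback@bytedance.com)")
BROWSER_UA = "Mozilla/5.0 (X11; Linux x86_64; rv:128.0) Gecko/20100101 Firefox/128.0"
def log_line(ip, hms, path, ua):
    return f'{ip} - - [22/Sep/2024:{hms} -0400] "GET {path} HTTP/1.1" 200 10111 "-" "{ua}"'

# Constructed sample: line 1 is the hit quoted in the comment; the rest (RFC 5737 addresses) are invented.
SAMPLE_LOG = [
    log_line("47.128.50.93", "15:03:05", "/mediawiki/index.php?days=30&from=20240920012115&title=Special%3ARecentChanges", BYTESPIDER_UA),
    log_line("192.0.2.10", "15:03:06", "/mediawiki/index.php?title=Special%3AAllPages", BYTESPIDER_UA),
    log_line("192.0.2.11", "15:03:06", "/mediawiki/index.php?title=Main_Page&action=history", BYTESPIDER_UA),
    log_line("198.51.100.7", "15:03:07", "/mediawiki/index.php?title=Special%3ARecentChanges&days=7", BYTESPIDER_UA),
    log_line("203.0.113.5", "15:03:05", "/mediawiki/index.php?title=Main_Page", BROWSER_UA),
]
```

Run against the sample, `find_distributed_crawlers(SAMPLE_LOG)` reports only Bytespider (4 addresses, 2 requests per second over the sampled window); the single browser visitor is never flagged because it fails the distinct-address threshold.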
Re: (Score:1, Flamebait)
"Some of us will think of it as an attack when the bots ignore robots.txt (or honor changes very slowly), masquerade intentionally as something they are not, and use tons of different addresses hitting the same site, especially when it is continuous."
And what are the qualifications of this "us" you speak of? Why should anyone care what "us" thinks? More importantly, does "us" think that ignoring robots.txt is a DDoS attack? That's the subject of the article.
"...and use tons of different addresses hitting
Re: (Score:2)
And unfortunately, thanks to games like this we ended up with things like the "Verifying that you are a human" interstitial pages from Cloudflare, which I am guessing use something like described for Anubis. I hate it and my CPU hates it (spiking to 100% for up to a minute to perform the calculation). You know who doesn't hate it? The bots. They simply act like any browser that has no JavaScript and ignore it.
Oh, and my Noscript (different device) breaks those pages every single time, meaning that I mo
Re: (Score:2)
LLMs doing crawling? That might be ill-behaved, but not an "attack".
Sufficiently reckless or wanton behavior is a Denial of Service attack, even if an actor's formal intention is just greed or impatience.
Most likely what they are doing that qualifies it as an attack, or at the very least as a deliberate theft of service, is:
All the stuff that would cause the FSF to describe the attack as a Distributed DoS and not just a DoS. Sometimes a standard DoS can be accidental, but a distributed attack require
Re: (Score:1)
"LLM crawlers are understandable these days, but who on earth is actively trying to take the FSF down?"
Sociopaths and teenagers. Same kinds of people that would claim that humans have a natural immunity to COVID in order to support Donald Trump.
"A bunch of heathen VIM users trying to stop people from accessing EMACS? What the heck?"
Well if your career in IT is threatened by a loss of Emacs, at least you can fall back on your dev career or your professional photography business.
"Who would even notice or car
that's what you get for expelling the hackers (Score:2)
Might not be botnets (Score:1)
Could just be now that every mouth-breather that can wield a spreadsheet has Claude hooked up to a slew of MCP servers, that some of those queries are getting to FSF.
The FSF likely has very good (unluckily) SEO optimisation that leads these MCP queries back to them.