Comment by marginalia_nu

Comment by marginalia_nu 18 hours ago

43 replies

View on Hacker News

To be fair, if my search engine is anything to go on, about 0.5-1% of the requests I get are from human sources. The rest are from bots, and not like people who haven't found I have an API, but bots that are attempting to poison Google or Bing's query suggestions (even though I'm not backed by either). From what I've heard from other people running search engines, it looks the same everywhere.

I don't know what Google's ratio of human to botspam is, but given how much of a payday it would be if anyone were to succeed, I can imagine they're serving their fair number of automated requests.

Requiring a headless browser to automate the traffic makes the abuse significantly more expensive.

shiomiru 17 hours ago

If it's such a common issue, I would've thought Google already ignored searches from clients that do not enable JavaScript when computing results?

Besides, you already got auto-blocked when using it in a slightly unusual way. Google hasn't worked on Tor since forever, and recently I also got blocked a few times just for using it through my text browser that uses libcurl for its network stack. So I imagine a botnet using curl wouldn't last very long either.

My guess is it had more to do with squeezing out more profit from that supposed 0.1% of users.

Reply View 7 replies
  • supriyo-biswas 17 hours ago

    Given that curl-impersonate[1] exists and that a major player in this space is also looking for experience with this library, I'm pretty sure forcing the execution of JS using DOM stuff would be a much more effective deterrent to prevent scraping.

    [1] https://github.com/lwthiker/curl-impersonate

    Reply View 0 replies
  • 1vuio0pswjnm7 3 hours ago

    I have been web searching using Google from the command line, with no Javascript, for decades. Until last week I never sent a User Agent HTTP header either. After this change I'm still searching from the command line, no Javascript. Thus "requiring Javascript" is not a correct phrase to describe this change. The requirement is a User Agent HTTP header with an approved value. The only difference in searching for me as of the last few days is that I now send a User Agent HTTP header, with an "approved" string.

    Javascript does not stop bots. At least it does not stop Googlebot.

    IMO, the change is to funnel more people (cf. bots) into seeing AI-generated search results. The "AI" garbage requires Javascript. That is why the spokesperson suggests "degraded" search results for people who are not using Javascript. For me, the results are improved by avoiding the AI garbage, not degraded.

    Reply View 0 replies
  • jsnell 17 hours ago

    "Why didn't they do it earlier?" is a fallacious argument.

    If we accepted it, there would basically only be a single point in time where a change like this could be legitimately made. If the change is made before there is a large enough problem, you'll argue the change was unnecessary. If it's made after, you'll argue the change should have been made sooner.

    "They've already done something else" isn't quite as logically fallacious, but shows that you don't experience dealing with adversarial application domains.

    Adversarial problems, which scraping is, are dynamic and iterative games. The attacker and defender are stuck in an endless loop of game and counterplay, unless one side gives up. There's no point in defending against attacks that aren't happening -- it's not just useless, but probably harmful, because every defense has some cost in friction to legitimate users.

    > My guess is it had more to do with squeezing out more profit from that supposed 0.1% of users.

    Yes, that kind of thing is very easy to just assert. But just think about it for like two seconds. How much more revenue are you going to make per user? None. Users without JS are still shown ads. JS is not necessary for ad targeting either.

    It seems just as plausible that this is losing them some revenue, because some proprortion of the people using the site without JS will stop using it rather than enable JS.

    Reply View 4 replies
    • mike_hearn 10 hours ago

      It can't lose them revenue. Serving queries is expensive, getting rid of bots yields immediate and direct savings measured in $$$

      Reply View 1 reply
      • jsnell 9 hours ago

        I was using the word "revenue" very deliberately. Savings don't increase revenue.

        The GP's argument was that this was about "squeezing out more profit from that supposed 0.1% of users". That can't be an argument about resource savings. The resource savings come from not serving bots, not from blocking legitimate users who happen to have disabled JS.

        Reply View 0 replies
    • shiomiru 15 hours ago

      > "Why didn't they do it earlier?" is a fallacious argument.

      I never said that, but admittedly I could have worded my argument better: "In my opinion, shadow banning non-JS clients from result computation would be similarly (if not more) effective at preventing SEO bots from poisoning results, and I would be surprised if they hadn't already done that."

      Naturally, this doesn't fix the problem of having to spend resources on serving unsuccessful SEO bots that the existing blocking mechanisms (which I think are based on IP-address rate limiting and the UA's HTTPS fingerprint) failed to filter out.

      > Yes, that kind of thing is very easy to just assert. But just think about it for like two seconds. How much more revenue are you going to make per user? None. Users without JS are still shown ads. JS is not necessary for ad targeting either.

      Is JS necessary for ads? No. Does JS make it easier to control what the user is seeing? Sure it does.

      If you've been following the developments on YouTube concerning ad-blockers, you should understand my suspicion that Search is going in a similar direction. Of course, it's all speculation; maybe they really just want to make sure we all get to experience the JS-based enhancements they have been working on :)

      Reply View 1 reply
      • marginalia_nu 12 hours ago

        > Is JS necessary for ads? No.

        JS is somewhat necessary for ads, they're not in anyway needed for displaying them, but instrumental in verifying that they are actually being displayed to human beings. Ad fraud is an enormous business.

        Reply View 0 replies
supriyo-biswas 18 hours ago

I run a semi-popular website hosting user-generated content, although it's not a search engine; the attacks on it have surprised me, and I've eventually had to put in the same kinds of restrictions on it.

I was initially very hesitant to restrict any kind of traffic, relying on ratelimiting IPs on critical endpoints that needed low friction, and captchas on the higher friction with higher intents, such as signup and password reset pages.

Other than that, I was very liberal with most traffic, making sure that Tor was unblocked, and even ending up migrating off Cloudflare's free tier to a paid CDN due to inexplicable errors that users were facing over Tor that were ultimately related to how they blocked some specific requests over Tor with 403, even though the MVPs on their community forums would never acknowledge such a thing.

Unfortunately, given that Tor is a free rotating proxy, my website got attacked on one of these critical, compute heavy endpoints through multiple exit nodes totaling ~20,000 RPS. I've reluctantly had to block Tor, and a few other paid proxy services discovered through my own research since then.

Another time, a set of human spammers distributed all over the world started sending out a large volume of spam towards my website; with something like 1,000,000 spam messages every day (I still feel this was an attack coordinated by a "competitor" of some sort, especially given a small percentage of messages entitled "I want to get paid for posting" or along those lines).

There was no meaningful differentiator between the spammers and legitimate users, they were using real Gmail accounts to sign up, analysis of their behaviours showed they were real users as opposed to simple or even browser-based automation, and the spammers were based out of the same residential IPs as legitimate users.

I, again, had to reluctantly introduce a spam filter on some common keywords, and although some legitimate users do get trapped from time to time, this was the only way I could get a handle on that problem.

I'm appalled by some of the discussions here. Was I "enshittifying" my website out of unbridled "greed"? I don't think so. But every time I come here, I find these accusations, which makes me think that as a website with technical users, we can definitely do better.

Reply View 16 replies
  • _factor 17 hours ago

    The problem is accountability. Imagine starting a trade show business in the physical world as an example.

    One day you start getting a bunch of people come in to mess with the place. You can identify them and their organization, then promptly remove them. If they continue, there are legal ramifications.

    On the web, these people can be robots that look just like real people until you spend a while studying their behavior. Worse if they’re real people being paid for sabotage.

    In the real world, you arrest them and find the source. Online they can remain anonymous and protected. What recourse do we have beyond splitting the web into a “verified ID” web, and a pseudonymous analog? We can’t keep treating potential computer engagement the same as human forever. As AI agents inevitably get cheaper and harder to detect, what choice will we have?

    Reply View 1 reply
    • supriyo-biswas 17 hours ago

      To be honest, I don't like initiatives towards a "verified web" either, and am very scared of the effects on anonymity that stuff like Apple's PAT, Chrome's now deprecated WEI or Cloudflare's similar efforts to that end are aimed at.

      Not to say that these would just cement the position of Google and Microsoft and block off the rest of us from building alternatives to their products.

      I feel that the current state of things are fine; I was eventually able to restrict most abuse in an acceptable way with few false positives. However, what I wished for was that more people would understand these tradeoffs instead of jumping to uncharitable interpretations not backed by real world experience as a conclusion.

      Reply View 0 replies
  • marginalia_nu 18 hours ago

    > I'm appalled by some of the discussions here. Was I "enshittifying" my website out of unbridled "greed"? I don't think so. But every time I come here, I find these accusations, which makes me think that as a website with technical users, we can definitely do better.

    It's if nothing else very evident most people fundamentally don't understand what an adversarial shit show running a public web service is.

    Reply View 0 replies
  • dageshi 17 hours ago

    There's a certain relatively tiny audience that has congregated on HN for whom hating ads is a kind of religion and google is the great satan.

    Threads like this are where they come to affirm their beliefs with fellow adherents.

    Comments like yours, those that imply there might be some valid reason for a move like this (even with degrees of separation) are simply heretical. I think these people cling to an internet circa 2002ish and the solution to all problems with the modern internet is to make the internet go back to 2002.

    Reply View 7 replies
    • _factor 17 hours ago

      The problem isn’t the necessary fluff that must be added, it’s how easy it becomes to keep on adding it after the necessity subsides.

      Google was a more honorable company when the ads were on the right hand side only instead of tricking you in the main results. This is the enshitification people talk about. Decision with no reason other than pure profit at user expense. They were horrendously profitable when they made this dark pattern switch.

      Profits today can’t be distinguished accurately between users who know it’s an ad and those who were tricked into thinking it was organic.

      Not all enshitification is equal.

      Reply View 0 replies
    • JohnMakin 16 hours ago

      [flagged]

      Reply View 4 replies
      • dageshi 16 hours ago

        Shilling for what?

        I simply observed how these threads always go. The faithful turn up to proudly proclaim how much they don't use google, how they cripple their browsing experience so they may remain pure, to experience the internet as it was intended before the original sin (ads) corrupted it.

        Reply View 0 replies
  • altfredd 15 hours ago

    20000 RPS is very little — a web app / database running on an ordinary desktop computer can process up to 10000 RPS on a bare-metal configuration after some basic optimization. If that is half of your total average load, a single co-located server should be enough to eat entire "attack" without flinching. If you have "competitors" and I assume, that this is some kind of commercial product (including running profitable advertising-based business), you should probably have multiple geographically distributed servers and some kind of BGP-based DDoS protection.

    Regarding Tor nodes — there is nothing wrong with locking them out, especially if your website isn't geo-blocked by any governments and there are no privacy concerns related to accessing it.

    If, like Google, you lock out EVERYONE, even your logged in users, whose identities and payment details you have already confirmed, then... yes you are "enshittifying" or have ulterior motives.

    > they were using real Gmail accounts to sign up

    Using Gmail should be a red flag on its own. Google accounts can be purchased by millions, and immediately get resold after being blocked by target website. Same for phones. Only your own accounts / captchas / site rep can be treated as basis of trust. Confirmation e-mail is a mere formality to have some way of contacting your human users. By the time Reddit was created it was already useless as security measure.

    Reply View 4 replies
    • marginalia_nu 15 hours ago

      RPS is a bad measure. 20k RPS is a little if you're serving static files, a raspberry pi could probably do that. It's a lot if you're mutating a large database table with each request, which depending on the service, isn't unheard of.

      Reply View 0 replies
    • oefrha 15 hours ago

      This comment is so out of touch I’m almost speechless.

      > > critical, compute heavy endpoints through multiple exit nodes totaling ~20,000 RPS

      > 20000 RPS is very little

      If I had to guess you’ve never hosted non-static websites so you can’t imagine what’s a compute heavy endpoint.

      > Using Gmail should be a red flag on its own.

      Yes, ban users signing up with Gmail then.

      And this is not an isolated case, discussions on DDoS, CAPTCHAs, etc. here always have these out of touch people coming out of the woodwork. Baffling.

      Reply View 2 replies
      • altfredd 14 hours ago

        > you can’t imagine what’s a compute heavy endpoint

        Indeed, I can't. Because "compute heavy" isn't a meaningful description. Is it written in C++? Are results persisted anywhere? Is it behind a queue? What is the caching strategy?

        Given that original post mentions free Cloudflare tier, there is a good chance, that "compute" might mean something like "ordinary Python application, making several hundreds database requests". This is also a kind of high-load, but not the worst one by far.

        Reply View 1 reply
        • supriyo-biswas 14 hours ago

          I won't be exactly saying what it is to maintain my privacy, but the compute heavy part of it is not your run out of the mill web traffic but rather performs some heavy processing of input files, this part is written in Go.

          This function of the website is different from the user-generated content part of the website where the traffic resembles those of regular dynamic websites with database reads and writes.

          Reply View 0 replies
palmfacehn 18 hours ago

My impression is that there's less effort for them to go directly to headless browsers. There are several foot guns in using a raw HTML parsing lib and dispatching HTTP requests. People don't care about resource usage, spammers even less and many of them lack the skills.

Reply View 12 replies
  • marginalia_nu 18 hours ago

    Most black hat spammers use botnets, especially against bigger targets which have enough traffic to build statistics to fingerprint clients and map out bad ASNs and so on, and most botnets are low powered. You're not running chrome on a smart fridge or an enterprise router.

    Reply View 3 replies
    • gnfargbl 17 hours ago

      True, but the bad actor's code doesn't typically run directly on the infected device. Typically the infected router or camera is just acting as a proxy.

      Reply View 1 reply
      • mike_hearn 16 hours ago

        There are ways to detect that and it will still require a lot of CPU and ram behind the proxies.

        Reply View 0 replies
    • desdenova 16 hours ago

      Chrome is probably the worst browser possible to run for these things, so it's not the basis for comparison.

      We have many smaller browsers, that run javascript, that work on low powered devices as well.

      Starting from webkit and stripping down the rendering parts just to execute JavaScript and process the DOM, the RAM usage would be significantly lower.

      Reply View 0 replies
  • supriyo-biswas 18 hours ago

    A major player in this space is apparently looking for people experienced in scraping without using browser automation. My guess is that not running a browser results in using far fewer resources, thus reducing their costs heavily.

    Running a headless browser also means that any differences in the headless environment vs. a "headed" one can be discovered, as well as any of your Javascript executing within the page, which significantly makes it difficult to scale your operation.

    Reply View 6 replies
    • marginalia_nu 17 hours ago

      My experience is that headless browsers use about 100x more RAM, and at least 10x more bandwidth and 10x more processing power, and page loads take about 10x as long time to finish (vs curl). Though these numbers may be a bit low, there are instances you need to add another zero to one or more of them.

      There's also considerably more jank with headless browsers, since you typically want to re-use instances to avoid incurring the cost of spawning a new browser for each retrieval.

      Reply View 4 replies
      • lozenge 17 hours ago

        Is it possible to pause a VM just after the browser has started up? Then map it as copy-on-write memory and spin up many VMs from that "image".

        Reply View 2 replies
      • palmfacehn 17 hours ago

        On the other hand you need to be able to do basics like match the headers, sometimes request irrelevant resources, handle malformed documents, catch changing form parameters, and other gotchas. Many would just copy the request from the browser console.

        Reply View 0 replies
    • fweimer 17 hours ago

      The change rate for Chromium is also so high that it's hard to spot the addition of code targeting whatever you are doing on the client side.

      Reply View 0 replies
  • victorbjorklund 17 hours ago

    so much more expensive and slow vs just scraping the html. It is not hard to scrape raw html if the target is well-defined (like google).

    Reply View 0 replies
marcus0x62 17 hours ago

I run a not-very-popular site -- at least 50% of the traffic is bots. I can only imagine how bad it would be if the site was a forum or search engine.

Reply View 0 replies
kragen 14 hours ago

Maybe you could require hashcash, so that people who wanted to do automated searches could do it at an expense comparable to the expense of a human doing a search manually. Or a cryptocurrency micropayment, though tooling around that is currently poor.

Reply View 2 replies
  • supriyo-biswas 13 hours ago

    The only issue with a hash cash is there’s no way to know whether the user’s browser is the one who computed said proof of work, or has delegated it to a different system and is simply relaying its results. At scale, you’d end up with a large botnet that receives proof of work tokens to solve for the scraping network to use.

    Reply View 1 reply
    • kragen 10 hours ago

      I don't see that as a problem; it still imposes the botnet rental cost on the spammer or whoever.

      Reply View 0 replies
ForHackernews 15 hours ago

> bots that are attempting to poison Google or Bing's query suggestions

This seems like yet another example of Google and friends inviting the problem they're objecting to.

Reply View 0 replies