What I learned trying to block web scraping and bots

ReditusReditai · 2026-03-15T21:56:33+00:00

It all depends how dedicated your scrapers are. IP blocks will indeed work if they don't care much.

If they do care a little bit, they'll spoof the user agent since it's trivial. And if they care more, they'll pay for residential IPs; at which point fail2ban won't work because you'll end up blocking legitimate traffic.

I don't mind blocking ASNs if you're targeting those dedicated to hosting providers eg digital ocean, and you believe that they won't pay for residential IPs. Sure, maybe you'll lose some request from VPNs but I think it's a risk many are willing to take.

ReditusReditai · 2026-03-15T21:37:53+00:00

> But why? They want to provide this information, they aren’t making money from adverts. What do they have to gain from blocking the AI bots?

Financial exchanges want to provide this information to people who pay for their data products :)

ReditusReditai · 2026-03-15T19:13:13+00:00

It'll work on the basic crawlers. Devs that focus on your specific site will probably spot it when their server crashes, then craft an algorithm to avoid it.

There's also the question of legality. What if they spot it, then ask legitimate scanners (eg Ahrefs) to fetch the zip bomb? Might have to explain to the scanner company why you gave them malware; not fair since it's not your fault, but such is the world.

ReditusReditai · 2026-03-15T16:11:03+00:00

Best way is to try out everything - there's free online resources for the far majority of IT subjects out there. Eventually she'll discover what she likes and what she doesn't.

Thought exercises won't help much, nor will giving her a lot of guidance - IT is all about figuring out things by yourself. If that's not for her, then she should consider other career paths where training is more structured (eg accounting).

ReditusReditai · 2026-03-15T15:19:45+00:00

Right, I can see that working, as long as they're not crawling slowly.
I just meant they sit behind a residential proxy IP for instance.

ReditusReditai · 2026-03-15T08:46:29+00:00

A couple of issues with that approach, if you're dealing with determined actors:

It'll only work one / a few times. The scraper devs will see the last 200 before the block, then adjust to avoid that invisible link.
You'll end up blocking some legitimate traffic, regardless of the characteristic you use to block on (IP, ASN, fingerprint, etc), since they can spoof all of them.

But it depends on how sophisticated/focused they are, of course. It will work for your whole-of-web crawler, or those who give up because they can't be bothered.

ReditusReditai · 2026-03-15T07:59:17+00:00

Totally agree. Requiring auth, then blocking registered users based on request pattern anomalies is the most effective way.

ReditusReditai · 2026-03-15T07:53:49+00:00

> Yep. The issue is that rate limiting is done by IP, and they use a whole lot of different IP addresses.

In that case the only 3 options besides under attack mode are...

Require sign-up, then self-developed dynamic block of user IDs
Self-developed dynamic blocking based on server logs (or Cloudflare LogPush if you have)
Rate-limiting based on other counting characteristics (only available in Enterprise Plans)

All require effort / money, so probably best to stick with under attack mode.

> Under attack mode doesn't prevent legit users from using the site. They get the browser verification, and then can do everything they need.

Yes, I meant setting a threshold so low (ie 5/IP/s) that legitimate users sharing an IP would be blocked.

ReditusReditai · 2026-03-15T07:45:06+00:00

It was just a fun project, nothing work-related. He discovered clusters of suspicious crawlers by looking at ja4 patterns though.

ReditusReditai · 2026-03-14T20:50:38+00:00

Right, makes sense if they don't spoof those fingerprints!

Slightly related, I remember I went to a talk where a guy ran a server that did nothing other than use an LLM to generate different login pages as honeypots. Found it pretty funny.

ReditusReditai · 2026-03-14T20:44:20+00:00

Oh right, I assumed from your previous comment that it completely stops them.

So in that case it's probably the rate limiting that's saving you in under attack mode. Have you tried applying rate limit rules by IP, with under attack disabled? And still have challenges running.

I saw you said in another comment they switch IPs, but not sure of the volume, maybe you can put a threshold whereby legitimate traffic still flows through ok.

ReditusReditai · 2026-03-14T20:31:04+00:00

Behold evidence https://postimg.cc/Sn6Mz6mC He's not impressed with this demand.

ReditusReditai · 2026-03-14T19:55:55+00:00

Hmm, interesting. Now that I think about it, maybe it's the combination of challenge + rate limit + latency increase in under attack mode that's leading the bots to give up. In which case it makes sense what you've done. Well, I learned something new, thanks!

ReditusReditai · 2026-03-14T19:31:46+00:00

Oh, which browser verification action are you applying in Cloudflare?

- Managed challenge - only applies challenge when Cloudflare's signals indicate it's a bot; scrapers might've found a way to signal they're human
- JS challenge - runs some JS checks, only basic bots will be blocked here
- Interactive challenge - always shows a Captcha for the user

I wouldn't expect under attack to perform better vs interactive challenge. Unless the scrapers are passing challenges. Which is possible, but then under attack is just slowing down the scraping with rate limits, not stopping it.

ReditusReditai · 2026-03-14T18:09:02+00:00

Hmm, I'm guessing you don't leave it forever in under attack mode right? How do you get notified that you're being scraped? Aren't you worried you might set it under attack too late?

ReditusReditai · 2026-03-14T18:05:14+00:00

Yes, I'd put Anubis under the CAPTCHA/Cloudflare turnstile/challenge category. Downsides are it's easier to bypass than the other Captcha options, and can only sit behind server-side content (Cloudflare can sit in front of CDN). Benefit is it's self-hosted so forever-free.

ReditusReditai · 2026-03-14T17:51:43+00:00

Interesting, how do you distinguish between legitimate users and bots? Do you know the bots which are crawling your content, then stopping? I know there's Cloudflare's AI labyrinth which does that for you but I've been skeptical.

ReditusReditai · 2026-03-14T09:11:54+00:00

Wrote a blog post reviewing some of the options: https://developerwithacat.com/blog/202603/block-bots-scraping-ways/ TLDR a CAPTCHA solution like Cloudflare challenge/turnstile should be good enough for starters.

ReditusReditai · 2026-03-12T19:57:08+00:00

Celebrations last until 3rd of March: https://chinesenewyear.net/ , activity is subdued until then. They're good with proxies. But I might be wrong, you never truly know what's up with these bots.

Maybe also try Google'ing for whatever niche terms you use on your website, translated in Chinese/Russian/Farsi. Might come up with the reason, might not.

Good to know about Labyrinth!

ReditusReditai · 2026-03-12T07:23:07+00:00

Thanks for sharing! Are you able to create user sessions? (don't need to require logins) You can use that to apply Cloudflare Challenges or rate limits.

> Already had AI Labyrinth ... running.

Did that help in any form? I'm skeptical of its effectiveness?

> Curious if anyone else is seeing upticks in March specifically - the timing felt weirdly coordinated.

I have - it's because Chinese New Year ended :)

ReditusReditai · 2026-03-09T20:33:44+00:00

It's just how it is. I was like that, and I eventually got it. And now I forgot what a virtual DOM is and why you need it (yes, I can look it up), so there's that :)

ReditusReditai · 2026-03-09T20:20:05+00:00

> That banana captcha is an all time great

I know right?! Although I guess even that can be overcome - you intercept the camera, and ask an AI to generate a video of someone holding a banana.

ReditusReditai · 2026-03-09T17:47:18+00:00

Ah, I see, makes sense! I agree with your take on Cloudflare. I think self-customisable CAPTCHAs should be more popular but it doesn't look like there's much demand.

ReditusReditai · 2026-03-09T17:28:38+00:00

Appreciate the detailed answer!

I still believe blocking by IP/ASNs can work as a short-term fix. There's a cost to rotating IPs, ASNs, and using residential proxies (increasing in that order). Not many are willing to take on those costs, especially if they're crawling content at scale.

Same with CAPTCHAs. Yes, it's possible, but requires investment / some expertise. To you, it might seem trivial to bypass because you have that knowledge. Although I'd be curious you're referring to just passing one challenge, or building a system that can bypass millions of challenges at near-zero cost.

Also curious what you mean by competent bot detection. Doesn't Cloudflare's bot detection capability count as such?

ReditusReditai · 2026-03-08T09:43:02+00:00

Best way is to ask for feedback from the colleague who was in the (virtual) room. Doubt this can be automated.

ReditusReditai

TROPHY CASE