I’m trying to understand the bot problem in the internet and finding more ways to defend myself. One thing that I can’t seem to understand is why most bots, scrapers and crawlers seem to have residential IPs.

  • Is it that ISPs are being paid by tech-bros to assign them these IPs?
  • Is it that residential devices have been hacked /contain malware that does this?
  • Is it trivial for companies to assign themselves residential IPs?
  • Paid volunteers are doing this for AI companies?

Or is there is some other reason for this?

Obviously this is a problem because one can rotate / cycle through residential IPs and if I aggressively block each offender in my logs permanently, then the next person assigned this IP who may be a legitimate user will be unable to access my site.

  • sylver_dragon@lemmy.worldEnglish
    9·
    4 hours ago

    All of the above.

    Is it that ISPs are being paid by tech-bros to assign them these IPs?

    Bullet Proof Hosting is a thing. Some ISPs basically advertise to criminals about their ability to evade take down orders and unwillingness to work with law enforcement. So, some infrastructure ends up on these devices. However, the IP ranges from these services often get discovered and are added to public reputation and block lists.

    Along side this, cloud providers are pretty bad about policing their networks. On my own home server, I have blocked much of the Digital Ocean IP space, as it’s home to a lot of scanners, bots and other malicious traffic.

    Is it that residential devices have been hacked /contain malware that does this?

    This happens, a lot. The Mirai Botnet thrived on compromised home routers. People are pretty bad at updating their devices and many SOHO routers ship with some pretty bad vulnerabilities. It’s only a matter of time until someone finds an unpatched or misconfigured router and adds it to a botnet. People also get phished or install trojans all the time, adding to botnets. Darknet Diaries just had a fantastic episode on the Bayrob malware, part of which was turning infected machines into a custom botnet.

    Is it trivial for companies to assign themselves residential IPs?

    Some ISPs just look the other way when they get reports of malicious activity on their network. Also, attackers can force a DHCP refresh and just get a new IP when the old one seems blocked. Getting one in the first place is often as simple as signing up for service and/or compromising someone’s home PC and using it as a relay.

    Paid volunteers are doing this for AI companies?

    This probably happens. Afterall, we’ve already seen a company selling an AI product which was just workers in India.

    Obviously this is a problem because one can rotate / cycle through residential IPs and if I aggressively block each offender in my logs permanently, then the next person assigned this IP who may be a legitimate user will be unable to access my site.

    Look into Fail2Ban. This program monitors your logs and will ban IPs automatically based on criteria you set. This can include specific HTTP requests in your web logs. The ban can be permanent or can be time limited. For example, I have a container running in a cloud provider which I use to proxy requests through my ISP’s CGNAT setup. There is an NGinx reverse proxy running there and I have fail2ban watching the access log. If certain request strings are seen, the sending IP gets dumped in a permanent jail. I also have it scanning the sshd logs and banning IPs which fail to login 3 times within a short period.

    It’s far from a silver bullet, but it’s something which should be running on any web facing system. Attackers will always be rattling the door knobs. There is no reason to let them keep rattling away.

    • irmadlad@lemmy.worldEnglish
      3·
      3 hours ago

      I have blocked much of the Digital Ocean IP space

      Over the years, I have blocked the entire probably Digital Ocean spectrum, a ton of Linode, clients.your-server.de, a long string of them. It used to make me paranoid I was setting up something wrong. I’d fire up a brand new, untouched server, and boom! Here they’d come. Then I thought, maybe it was a few Docker containers pushing analytics to a collector. Upon blocking them tho, nothing seemed to malfunction. So instead of trying mitigate each and every offending IP, I switched to a deny all until something complains posture, and block by ip ranges. I can still see them trying to gain access, but as long as I can keep them out on the edge, everything is golden.

      Some ISPs basically advertise to criminals about their ability to evade take down orders and unwillingness to work with law enforcement.

      There are Russian ISPs that advertise VPS services and such by the hour. I’m sure there are other ISPs in other countries that do the same. Nothing good could be coming out of that. When you consider that the internet gobbles through 14,000,000+/- petabytes per 24 hours, and 40%+/- is bot traffic, the picture gets a bit clearer, because that’s a shit load of bots, and they are sophisticated bots at that.