headlessvictim2 | 4 years ago

Off-topic, but our freemium website is under attack by headless browsers.

The freemium service provides access to compute-heavy machine learning models running on GPUs.

Hackers blast 50-100 requests in the same second, which clog the servers and block legitimate users.

We reported IPs to AWS and use Cloudflare "Super Bot Fight Mode" to thwart attacks, but the hackers still break through.

We don't require accounts, but could impose account requirements if this helps.

Any suggestions?

austincheney|4 years ago

Browser automation will occur by executing events in the DOM or by calling properties of the page/window. It’s all JavaScript designed for user interaction executed by a bot.

The one event that cannot be automated is cursor movement/position. Put a check into your event handlers that check that the cursor is actually over the event target.

mesadb|4 years ago

You are right, every testing solution out there pushes UIEvents to the page rather than clicking with an actual mouse. That's why puppeteer, selenium etc. are scraping tools, not testing tools.

darkstar999|4 years ago

That sounds like an accessibility problem.

headlessvictim2|4 years ago

This is interesting. Thanks for sharing.

Are you saying block form submission unless the cursor is over the event target?

If so:

* How to handle legitimate requests from mobile users?

* How to handle form submissions with the "return" key?

slig|4 years ago

Just block the AWS ASN on CF, it's not worth fighting.

rob-olmos|4 years ago

+1 and GCP, and many other hosting ASNs

1vuio0pswjnm7|4 years ago

Tell freemium users what is the acceptable rate for requests per second. Publish the allowable rate on the website. Ban freemium user IPs that exceed the allowable rate. This can be done using a proxy.

headlessvictim2|4 years ago

A proxy like Cloudflare or a custom proxy that stores data?

Are there proxy examples you could point us to?

Thanks for your help.
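The per-IP rate limit with a ban for clients that exceed it, as described in the comment above, as an added example that is not any participant's code: a plain-Python sliding-window limiter that a reverse proxy or a FastAPI middleware could call on each request (the framework hook is assumed, not shown). The burst size, window, ban duration and the 203.0.113.7 address are constructed sample values.

```python
import time
from collections import defaultdict, deque
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class IpRateLimiter:
    """Allow at most `max_requests` per `window_s` seconds per client IP.

    A client that goes over the published limit is banned for `ban_s`
    seconds; banned clients are rejected before any model work is done.
    """
    max_requests: int = 5          # publish this number on the website
    window_s: float = 1.0
    ban_s: float = 600.0
    _hits: dict = field(default_factory=lambda: defaultdict(deque))
    _banned_until: dict = field(default_factory=dict)

    def check(self, ip: str, now: Optional[float] = None) -> str:
        """Return 'allowed' or 'banned' for one request from `ip`."""
        now = time.monotonic() if now is None else now
        until = self._banned_until.get(ip)
        if until is not None:
            if now < until:
                return "banned"
            del self._banned_until[ip]          # ban has expired
        q = self._hits[ip]
        while q and now - q[0] >= self.window_s:  # drop old timestamps
            q.popleft()
        if len(q) >= self.max_requests:
            self._banned_until[ip] = now + self.ban_s
            q.clear()
            return "banned"
        q.append(now)
        return "allowed"


def simulate_burst(limiter: IpRateLimiter, ip: str, n: int, start: float = 0.0):
    """Constructed traffic: `n` requests from one IP inside the same second.

    Returns (allowed_count, banned_count).
    """
    results = [limiter.check(ip, now=start + i / n) for i in range(n)]
    return results.count("allowed"), results.count("banned")


if __name__ == "__main__":
    lim = IpRateLimiter()
    print(simulate_burst(lim, "203.0.113.7", 100))  # (5, 95)
```

Banning by IP is only a first line of defence: clients behind a shared NAT share one counter, and an attacker spread across many hosting addresses needs the ASN-level blocking suggested elsewhere in the thread.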

cmeacham98|4 years ago

100 requests/second isn't that much, especially if you're fronting your website with Cloudflare. Do you have some unauthenticated endpoint(s) that eat up a ton of server CPU?

headlessvictim2|4 years ago

Thanks for the reply!

The freemium service provides access to machine learning models on GPU instances, served with FastAPI.

Each request invokes a compute-intensive ML model, but perhaps there is something wrong with the FastAPI configuration as well?

synergy20|4 years ago

What's your site? Would like to play with it.

forgotmyoldacc|4 years ago

Why not ReCAPTCHA?

headlessvictim2|4 years ago

Thanks for the suggestion.

It is possible, but this degrades the experience for legitimate users.

We prefer solving this without impacting/taxing normal users if possible.

rabi_molar|4 years ago

Perhaps Captcha?

headlessvictim2|4 years ago

Thanks for the suggestion.

It is possible, but this degrades the experience for legitimate users.

We prefer solving this without impacting/taxing normal users if possible.