HN has been under a botnet attack for several days. We had to lower the threshold for certain types of blocking in order to keep the site up. Unfortunately that leads to false positives, meaning some IP addresses of legit users get blocked. (It's not easy to distinguish between a legit user who is e.g. opening a bunch of tabs at once, from a distributed botnet sending a handful of requests from a massive number of IPs.)
I'm sorry! I know it's a pain and we're trying hard to avoid it. But it has nothing to do with any individual user. How would we even know who's accessing HN unless they tell us?
This sort of automatic block clears itself in 3 days, and in the meantime anyone in this situation can unban their IP as described at https://news.ycombinator.com/newsfaq.html. (You have to do that from a different IP address, of course.)
People are, of course, also welcome to email hn@ycombinator.com to get this kind of thing fixed. It's easy to take care of in specific cases and we're happy to help anyone.
Edit: I just cleared all those IP blocks from any time before 24 hours ago, so hopefully that will help.
I'd been informed of this after being caught up in the block myself yesterday, as noted in another Fediverse thread that's looking for cases of abuse in HN's moderation:
I frequently browse HN unauthenticated, both from a tablet I'm desperately trying to keep from becoming a timesuck itself (somewhat unsuccessfully), and when doing quick checks and searches on HN (something I do a lot) from a private/incognito browser session.
It's also useful to verify issues, such as I had with a submission of mine yesterday which was itself autokilled based on the domain. I'd posted an archive of the original URL from a now-dead site, using the archived version which includes the comments (Internet Archive's Wayback Machine does not, for some reason): <https://news.ycombinator.com/item?id=37732186>
Dang quickly undid the kill, but I couldn't actually validate it myself given the botnet mitigations.
(And the post has done much better than I'd expected.)
I'd forgotten the self-service IP unbanning option, though putting that outside HN's protected IP space (or at least in a different one) might be helpful.
Bots and spam are an impossibly hard problem to crack. Google had to change the digital landscape of email in order to fight spam, and even then, the job is never finished.
The worst part though is knowing that legitimate users will get caught as collateral damage.
> How would we even know who's accessing HN unless they tell us?
My browser sends a cookie telling HN it's me. More advanced tooling would let you allow-list aged accounts with > 1000 karma in, while blocking a different subset. Of course, once that becomes known, then the attacking botnet will just use aged accounts with > 1000, so it's a game of cat and mouse.
What this really speaks to though is that HN has now garnered the attention of a sufficiently motivated attacker that more advanced technology is required to block them. Fighting it yourself takes away from time spent on moderation, among other things. Maybe it's one attacker and they'll get bored after their attempts prove fruitless, but maybe they won't. Either way, this is why Cloudflare's bot shield and others like it are so popular. A recaptcha in order to submit a comment wouldn't be the worst thing, though I'm sure there will be many loud shouty voices against it, but that's unfortunately the nature of running any popular site on the Internet these days.
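The trade-off discussed in the comments above, as an added example that is not HN's code or any commenter's: a per-IP sliding-window limiter run over constructed traffic, showing why a lowered threshold blocks tab-opening readers along with a low-rate distributed botnet, and what exempting cookie-identified accounts changes. The window, limits, IP addresses and the account name are assumptions made for the illustration.

```python
from collections import defaultdict, deque

WINDOW = 10.0  # seconds; assumed value, not HN's real setting

def blocked_ips(events, limit, trusted=frozenset()):
    """events: (time, ip, account_or_None) tuples sorted by time.
    Returns the IPs that send more than `limit` requests within WINDOW
    seconds. Requests carrying a trusted account cookie are exempt."""
    recent = defaultdict(deque)
    blocked = set()
    for t, ip, account in events:
        if account in trusted:
            continue
        q = recent[ip]
        q.append(t)
        while q[0] <= t - WINDOW:   # drop requests that left the window
            q.popleft()
        if len(q) > limit:
            blocked.add(ip)
    return blocked

LEGIT = {"198.51.100.7", "198.51.100.8"}

def constructed_traffic():
    """Constructed sample: two readers opening 12 tabs, plus a 500-IP botnet."""
    events = []
    # Anonymous reader: 12 tabs opened within about 3 seconds.
    events += [(100 + 0.25 * i, "198.51.100.7", None) for i in range(12)]
    # Logged-in reader doing the same (hypothetical account name).
    events += [(200 + 0.25 * i, "198.51.100.8", "longtime_user") for i in range(12)]
    # Botnet: each of 500 IPs sends only 4 requests, 2 seconds apart.
    for n in range(500):
        ip = f"10.{n // 250}.{n % 250}.1"
        events += [(n * 0.5 + 2.0 * k, ip, None) for k in range(4)]
    return sorted(events, key=lambda e: e[:2])

def evaluate(limit, trusted=frozenset()):
    blocked = blocked_ips(constructed_traffic(), limit, trusted)
    return {"bots_blocked": len(blocked - LEGIT),
            "legit_blocked": len(blocked & LEGIT)}

if __name__ == "__main__":
    print("limit 20:", evaluate(20))              # bots slip under the limit
    print("limit 3: ", evaluate(3))               # bots caught, readers too
    print("limit 3 + allow-list:", evaluate(3, frozenset({"longtime_user"})))
```

The allow-list only helps readers who are logged in; the anonymous reader is still blocked at the lowered limit.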
Thank you for mentioning this! I tend to open a lot of tabs all at once and then read them one at a time. I got hit with the 403s suddenly the other day (when setting up a new laptop, terrible timing) and it flabbergasted me for about 45 minutes. When I got to the office it all worked just fine, so I never had closure.
Martin writes on Mastodon: “So apparently dang and the HN crowd are so upset I wrote some messages for HN visitors to our website, that they now banned my home IP address”
I think HN has more than earned the benefit of the doubt here. I've been visiting this forum well over 10 years and have never noted heavy-handed moderation[1]. When I've looked at banned users there is always a clear track record of abuse/violation of rules/spamminess. HN breaks sometimes but there's a big difference between intentional and unintentional DoS.
I dunno, I block people on Mastodon who are angry and a lot of them are angry at white cishet men and it takes just one post about how somebody is angry at that sort of person, is angry because they aren't comfortable in their own skin, or sees fascists everywhere (Keir Starmer!) the way John Birch Society members see communists everywhere (Eisenhower!) for me to block.
I block keywords like t3s too, not because I have a problem with the people fundamentally but because their angry toots are bad for my mental health and get in the way of enjoying all the really positive or at least neutral people.
dang|2 years ago
dredmorbius|2 years ago
<https://toot.cat/@dredmorbius/111161109931108606>
fragmede|2 years ago
freedomben|2 years ago
glyph|2 years ago
pinwheeling|2 years ago
travisporter|2 years ago
Vosporos|2 years ago
freedomben|2 years ago
[1] I don't like the shadow banning though
dang|2 years ago
inemesitaffia|2 years ago
PaulHoule|2 years ago