[geuis]

Yeah I know. That is a legit critique. What's been happening is your essential black swan event. I've been running the service for 12 years and have never had this problem. There are hundreds of websites and independent users that have never abused the api like this until March. I have always been able to absorb the traffic impact.

This is different. Someone wasn't thinking and randomly added the domain to a lazy piece of code somewhere that got deployed to millions of devices pretty much over night. The only way I've been able to keep jsonip active is by incorporating Cloudflare. But they don't actually solve the problem. As a corporation, they treat ipv4 addresses like 3rd class citizens.

Anyway yeah I've been evaluating changing the TOS, requiring registered signins, etc. But NONE of those fixes a 300% level of traffic that's been hitting the service for months now. I can change the verbiage all I want. But it does absolutely nothing to stop the a-hole dev from China or wherever that rolled out an update to hundreds of thousands of millions of devices with simply emailing me if that's ok.

I've literally, and successfully, run the service for free to the public because no one has done this before.

And to the nginx people. No, returning 444 doesn't seem to fix the problem. I've tried. It doesn't work.

[bierjunge]

Unethical tip: start returning the content of this article [0] to these devices. The Chinese government will "fix" the devs for you or simply block all traffic to your site.

[0] https://en.wikipedia.org/wiki/1989_Tiananmen_Square_protests...

[moffkalast]

What a big brain move, that might actually work. Unless of course the devices are being sold abroad.

[pabs3]

Or geolocate Chinese IPs to Taiwan.

[wiseowise]

How’s that unethical?

Love it.

[bierjunge]

Unethical because it can get the devs into legal trouble and the Chinese government is known to be aggressive in their choice of "solutions".

[ransackdev]

> rolled out an update to hundreds of thousands of millions of devices with simply emailing me if that's ok.

If it's malware, they don't care if it's ok, they are malware authors. Contact your hosting provider which 100% has the ability to offload traffic from malware and ddos. They are responsible for the network and will not want malicious traffic anywhere on it, esp if it's tying up bandwidth for paying customers or premium bandwidth. If it was a large amount of bandwidth they would have contacted you long before you contacted them. I'd still reach out, they will move on it quick if it's an issue, and at the least can examine the traffic to determine if it's bad or not.

Cloudflare won't do much good here no? The requests still have to proxy back to your origin servers to spit back the ip. You can't utilize any caching on cloudflare due to the unique ip of each client. Their ddos prevention might not help because these are clients each with their own unique ip address, which is probably a cellular provider's ip space and not bad traffic. If it's the volume of clients hitting you, and not the volume of requests they make, it wouldn't trip cloudflare, or they'd be blocking major cellular address space across their entire network (which is a large portion of the internet these days)

[nitrammm]

Explicitly telling some junior software developer in China that he can call an API for free an unlimited number of times, then afterwards calling it abuse and him and a-hole dev is definitively a bit of an a-hole thing to do in my view.

[Dudeman112]

There's always an individual with autism-level consideration for what one says, isn't there?

No, effectively DDOS-ing a service just because it says it's free and unlimited is a dick move

People like those are a big reason for why we can't have nice things

[hnfong]

I scanned through the comments and I don't think anyone raised the possibility that the developer might not be aware how many devices their code would be running on.

It's quite possible that a random just contracted to write software for some embedded system, with no context how many thousands or millions of devices it would run on. So they looked up OP's site, sees "supports unlimited requests and is free", shrugs and just writes implements the code.

Or, the dev might be told the system only had a couple thousand users, then somebody else copied the code and deployed it on a million devices.

You don't know the story, and I think the moral here is not to blame a faceless Android dev from China, but to implement quotas and controls and avoid falsely boast on your website that your service has unlimited scalability.

[nitrammm]

To me it just screams naivety to put up a free service, advertise it as unlimited and then calling people asshole when they make too many requests.

Personally I would never rely on a service like this since it's 100% obvious it would be sudpectible to junior developers misunderstanding what is reasonable usage.

If you're putting up an API assuming all consumers will consume it in some limited and reasonable way, then you need to rethink things a bit.

[ricardobayes]

Can you imagine a fast food restaurant franchise CEO to complain how annoying it is that people ask for copious amounts of free ketchup? If you don't have a policy or anti-abuse measures, don't complain that "people are using too much" of the free stuff. That's ridiculous and detached from real life.

[crote]

That one random guy asking for ten or twenty packets of ketchup every once in a while isn't the problem. Sure, it's weird, but he does put it all on his fries and he does eat it all, so that's just part of offering free ketchup.

However, would you still call it "detached from real life" if suddenly the manager from McDonalds starts showing up daily, filling a 100-gallon drum with ketchup because it is "free"? In law there is such a concept as a "reasonable person", which exists precisely to avoid people abusing loopholes like this.

[corobo]

> There's always an individual with autism-level consideration for what one says, isn't there?

What does this sentence even mean lmao

Autism-level consideration for what one says or not, if you say something is unlimited I'm going to take your word for it. If it's limited, tell me the limits. If it's free to a point, tell me the point. If I need to bust out the CC, tell me I need to bust out the CC.

Don't say your thing is free and unlimited if you can't handle unlimited traffic for free..

Hacker News would be on the complete opposite end of the anger scale if this was an ISP telling their users they can't actually use the "unlimited" they promised, haha

[Dudeman112]

>What does this sentence even mean lmao

>if you say something is unlimited I'm going to take your word for it

The sentence refers to people like you. It doesn't make you incredibly clever to consider those sentences literally, like small children or those with under-developed empathy and theory of mind often do

It just makes you an inconsiderate numpty

>Hacker News would be on the complete opposite

Yes, there are lots of people on the tech scene that just don't get ideas like "don't abuse it", or "considering the consequences for other people"

[corobo]

> Yes, there are lots of people on the tech scene that just don't get ideas like "don't abuse it", or "considering the consequences for other people"

It's not abuse if you say it's free and unlimited and someone uses it freely and unlimitedly! This is why sites have acceptable use policies and terms of service. This is why most sites don't say their tool is free and unlimited.

It is what those words mean. It is literal. If I read an acceptable use policy and then went on to use it in a way that is not allowed that would be silly.

> The sentence refers to people like you

> It just makes you an inconsiderate numpty

Speaking of "like small children or those with under-developed empathy and theory of mind", I'm not sure these were needed. Can we just discuss things? I promise my mind is open whether you insult it or not, I'm just not convinced by the argument at this point :)

I hope you got a nice slither of dopamine out of namecalling though in any case, haha

[Dudeman112]

>It is what those words mean. It is literal.

>I'm not sure these were needed

The original wording I was gonna use before deciding to be more considerate was "small children and autists"

If you can think of another short descriptor for "people who obtusely take things literally and are unable or refuse to account for other people's state of mind", I'm happy to use those instead

>I hope you got a nice slither of dopamine out of namecalling though in any case

In fact, it was far more than a sliver!

Upon further reflection, I think I got a lot of repressed anger for never having smacked people who can't behave unless they are explicitly told to do so, who actually need the "within reason" clause everywhere, and who are happy to play with technicalities when it comes to justifying their behaviour

[nitrammm]

> Yes, there are lots of people on the tech scene that just don't get ideas like "don't abuse it", or "considering the consequences for other people"

Got to love the cleverness with the people who design services with the assumption that there are no such people and then goes on to hackernews and cries when a kid in China breaks their site. Lol.

Insanely incompetent.

[tentacleuno]

In the context of an ISP, what is abuse in terms of network usage? For instance, I'm sure with console + PC gaming etc. a lot of gamers use around 400GB a month on average. Systems evolve, and it's the ISPs' job to keep up with demand.

[ransackdev]

Think of your average engineer doing mobile development. "Here, hit this url to get the device ip". They write the code, it makes 1 request. The average backend engineer isn't performance focused, why would the average mobile engineer be thinking about a distributed denial of service against some third party api? Most mobile engineers have to be guided to not slam their own backend servers, and do not approach problems in their sphere with the mindset to prevent this type of issue. Not knocking mobile devs, it's just literally not something they have to care about most of the time, and imo only the ones who go out of their way to have a solid understanding of the backend systems would even understand what's in play here

Besides that, odds are that this is malware of some sort hitting this service to get the infected device's public ip to phone it home for use in a command and control situation, and if so, they don't care that they are slamming this service.

Mobile devs who care about this type of thing will not need to make any sort of outbound connection anywhere to get the device ip address, it's right on the device already. These what's my ip sites are used by script kiddies and malicious software running on anything

"There's always an individual with autism-level consideration for what one says, isn't there?" isn't needed and I'd advise you to be more professional, or at least more human.

[endominus]

Relevant SMBC (especially to the sibling comments, holy shit): https://www.smbc-comics.com/?id=2095

[wiseowise]

It says that you can call it unlimited number of times, not millions of devices that you’re selling.

[KomoD]

Last I checked unlimited is more than millions

[junon]

This mindset is why we need "do not use while sleeping" warning labels on toasters and hair dryers.

[nitrammm]

This would be very valid comment if toasters had manuals telling that they are perfectly safe to use while sleeping.

If you lie in your marketing material then you may put yourself in a mess. Big surprise.

[KomoD]

No, advertising unlimited and then complaining when someone truly does use unlimited is not a problem with my mindset, it's a problem with the person who runs the service, if you don't want people to truly use unlimited, don't advertise unlimited.

[wiseowise]

Sure, you specifically can use it million times, or even more (given your span of life).

If your audience is millions of users it’s millions * millions, not cool.

[nitrammm]

So if someone doesn't undeestand this assumption, then they are an asshole?

That's pretty crazy viewpoint.

[wiseowise]

> So if someone doesn't undeestand this assumption, then they are an asshole?

Yes.

> That's pretty crazy viewpoint.

Companies that make millions of devices while abusing free APIs without giving anything back are assholes. Hmm, let me think?

No, it’s not.

[nitrammm]

It says:

> Supports unlimited requests and is free.

Typically "unlimited" is more than a million.

[wiseowise]

Water in a lake is also technically free (depending on local laws), do I have to make it clear that inviting millions to take a cup out of it is not a good idea?

[nitrammm]

This is the internet? If there are a million people around the lake fond of tea then of course you need to tell them that they can't consume all the water. Offering a free service and being upset when people use it is just naive.

[maccard]

> The only way I've been able to keep jsonip active is by incorporating Cloudflare. But they don't actually solve the problem. As a corporation, they treat ipv4 addresses like 3rd class citizens.

Don't get me wrong, you're doing the world a service with your service, but why should cloudflare have to handle your problem for free? If you want to resolve your problem, it sounds like it's in your hands - block traffic, or us something like cloudflare/waf. It's not fair that you have to eat the cost, but it's not fair that someone else does either.

[geuis]

Oh, I never expected Cloudflare to handle the problem for free. I would happily have at least a pro level account with them if they treated ipv4 traffic properly. But they don't expose a request's actual v4 address to the backend. The WAF works amazingly well, but it otherwise breaks a critical part of the service.

[CPLX]

Do you have a way to donate?