by supriyo-biswas 1085 days ago
I faced a recent distributed attack averaging 20,000 RPS[1] around the same time which makes me think that there might be a bot. I wonder if there’s a network of website operators similar to NANOG or the RIPE NCC mailing lists where I could compare my own experience with those of other operators.

[1] https://news.ycombinator.com/item?id=36561930

2 comments

Why not CAPTCHA protect these pages instead of blocking tor? Same attack can go through regular web.
I already have per-IP rate limiting, and I'm against using captchas as they have bad UX (including the much-hailed Turnstile).

I'll probably migrate to some proof-of-work based schemes and some algorithms to detect anomalous requests, but it would require some engineering work on my part (for a free website FWIW), and the quickest way to mitigate it would be to block Tor.
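
A proof-of-work scheme of the kind mentioned above, as an added example that is not part of the thread or of any project named in it: the server mints a signed, expiring challenge, the client burns CPU finding a counter whose hash clears a difficulty threshold, and the server verifies with one HMAC and one hash. The hash construction, the `|`-separated payload layout and the difficulty of 12 bits are assumptions made for this illustration.

```python
import hashlib
import hmac
import os
import secrets
import time

# Constructed server-side key for this example; a deployment would load it from config.
SERVER_KEY = os.urandom(32)
# Nonces already redeemed, so a solved challenge cannot be replayed. A real deployment
# would keep this in a shared store (e.g. a cache) with expiry equal to the challenge TTL.
_used_nonces = set()


def issue_challenge(client_hint, difficulty_bits, ttl_s=60):
    """Server side: mint a challenge that the client must solve before being served.
    The payload is HMAC-signed, so the server keeps no state until the solution arrives."""
    issued = int(time.time())
    nonce = secrets.token_hex(16)
    payload = "|".join([client_hint, str(difficulty_bits), str(issued), str(ttl_s), nonce])
    tag = hmac.new(SERVER_KEY, payload.encode(), hashlib.sha256).hexdigest()
    return {"payload": payload, "tag": tag}


def _leading_zero_bits(digest):
    """Count leading zero bits of a digest; the difficulty is expressed in these."""
    bits = 0
    for b in digest:
        if b == 0:
            bits += 8
            continue
        bits += 8 - b.bit_length()
        break
    return bits


def solve_challenge(challenge):
    """Client side: try counters until sha256(payload:counter) has enough leading zeros.
    Expected work is 2**difficulty_bits hashes, paid once per challenge by every client."""
    difficulty_bits = int(challenge["payload"].split("|")[1])
    counter = 0
    while True:
        digest = hashlib.sha256(f"{challenge['payload']}:{counter}".encode()).digest()
        if _leading_zero_bits(digest) >= difficulty_bits:
            return counter
        counter += 1


def verify_solution(challenge, counter, now=None):
    """Server side: check signature, expiry, replay and the proof itself.
    Verification cost is constant regardless of the difficulty the client paid."""
    now = time.time() if now is None else now
    expected = hmac.new(SERVER_KEY, challenge["payload"].encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, challenge["tag"]):
        return False
    _, bits, issued, ttl, nonce = challenge["payload"].split("|")
    if now > int(issued) + int(ttl):
        return False
    if nonce in _used_nonces:
        return False
    digest = hashlib.sha256(f"{challenge['payload']}:{counter}".encode()).digest()
    if _leading_zero_bits(digest) < int(bits):
        return False
    _used_nonces.add(nonce)
    return True


if __name__ == "__main__":
    challenge = issue_challenge("203.0.113.5", difficulty_bits=12)
    start = time.time()
    solution = solve_challenge(challenge)
    print(f"solved in {time.time() - start:.3f}s with counter {solution}")
    print("accepted:", verify_solution(challenge, solution))
    print("replay accepted:", verify_solution(challenge, solution))
```

The difficulty is the knob to tune per request class: a handful of bits is invisible to a browser but multiplies the cost of a 20,000 RPS flood, and it can be raised only for endpoints that are actually under load. The nonce set is what stops one solved challenge from being resubmitted thousands of times.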

IP blocking blocks most of the people on our local ISP. They are small, and use CGNAT, so one owned Windows machine across town breaks sites like yours for everyone, and the root cause is extremely difficult to debug for end users.

As much as I deeply, deeply dislike captchas, IP blocking is far worse.

IP blocks also just don't work on IPv6. Unless you're prepared to block entire ASNs, an adversary can cheaply just buy up a lot of address space and churn through them. It gets even messier when dealing with real ISP networks because some hand out /40s for residential customers whereas others give just a /56.
I'm sure you can buy a table that says what size subnet to block for various IPv6 ranges.
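
The address-churn problem from the two comments above, as an added example that is not part of the thread: a token-bucket rate limiter that keys its counters on a prefix rather than on the exact address, so an IPv6 client rotating through its /64 shares one bucket, while IPv4 stays per-address. The prefix widths (/64 for IPv6, /32 for IPv4) and the bucket parameters are assumptions for this illustration; the thread itself notes that residential allocations vary from /56 to /40, so the IPv6 width is a knob, and the CGNAT over-blocking mentioned earlier applies to the IPv4 key just as it does to plain IP blocking.

```python
import ipaddress

# Assumed aggregation widths, not from the thread. /64 is the smallest block an IPv6
# end site normally gets, so it is the conservative choice; widen it for ISPs known to
# hand out /56 or larger per customer.
IPV6_PREFIX_LEN = 64
IPV4_PREFIX_LEN = 32


def rate_limit_key(addr):
    """Collapse an address to the network its counters are kept under."""
    ip = ipaddress.ip_address(addr)
    plen = IPV6_PREFIX_LEN if ip.version == 6 else IPV4_PREFIX_LEN
    return str(ipaddress.ip_network(f"{ip}/{plen}", strict=False))


class PrefixRateLimiter:
    """Token bucket per prefix key: `burst` tokens capacity, refilled at `rate` per second.
    `now` is passed in explicitly so the behaviour is deterministic and testable."""

    def __init__(self, rate, burst):
        self.rate = float(rate)
        self.burst = float(burst)
        self._buckets = {}  # key -> (tokens, last_update_ts)

    def allow(self, addr, now):
        key = rate_limit_key(addr)
        tokens, last = self._buckets.get(key, (self.burst, now))
        tokens = min(self.burst, tokens + (now - last) * self.rate)
        if tokens >= 1.0:
            self._buckets[key] = (tokens - 1.0, now)
            return True
        self._buckets[key] = (tokens, now)
        return False

    def tracked_prefixes(self):
        """Prefixes currently holding a bucket; useful for seeing what is being throttled."""
        return sorted(self._buckets)


def simulate_churn(limiter, prefix_hex, count, now):
    """Constructed attacker: `count` requests from distinct addresses inside one /64.
    Returns how many were allowed; with prefix keying this is capped at the burst."""
    allowed = 0
    for i in range(1, count + 1):
        if limiter.allow(f"{prefix_hex}::{i:x}", now):
            allowed += 1
    return allowed


if __name__ == "__main__":
    lim = PrefixRateLimiter(rate=1.0, burst=5)
    print("allowed from churning /64:", simulate_churn(lim, "2001:db8:1:2", 1000, now=0.0))
    print("neighbouring /64 unaffected:", lim.allow("2001:db8:1:3::1", now=0.0))
    print("same /64 after refill:", lim.allow("2001:db8:1:2::abcd", now=10.0))
    print("tracked:", lim.tracked_prefixes())
```

Keying on the prefix is what turns "buy a lot of address space and churn through it" into a cost that scales with the number of prefixes rather than the number of addresses. The flip side is exactly the CGNAT complaint above: widen the key and more legitimate users share a bucket, so the width should be the narrowest that actually stops the churn you see.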
> I'll probably migrate to some proof-of-work based schemes and some algorithms to detect anomalous requests, but it would require some engineering work on my part

Have you tried mcaptcha? https://github.com/mCaptcha/mCaptcha

If there isn't, let's make one. We could self-host it, lock it down to invite-only.