by stuffoverflow 84 days ago
Archive.today's attack on https://gyrovague.com is still ongoing btw. It started just over two months ago. Some IPs get through normally but for example Finnish residential IPs get stuck on endless captchas. The JS snippet that starts spamming gyrovague appears after solving the first captcha.
6 comments

I'm not a web developer, but I've picked up some bits of knowledge here and there, mostly from troubleshooting issues I encounter while using websites.

I know there are a number of headers used to control cross-site access to websites, and the linked blog post shows archive.today's denial-of-service script sending random queries to the site's search function. Shouldn't there be a way to prevent those from running when they're requested from within a third-party site?

You can't completely prevent the browser from sending the request—after all, it needs to figure out whether to block the website from reading the response.

However, browsers will first send a preflight request for non-simple requests before sending the actual request. If the DDOS were effective because the search operation was expensive, then the blog could put search behind a non-simple request, or require a valid CSRF token before performing the search.

> I know there are a number of headers used to control cross-site access to websites

Mostly these headers are designed around preventing reading content. Sending content generally does not require anything.

(As a kind of random tidbit, this is why csrf tokens are a thing, you can't prevent sending so websites test to see if you were able to read the token in a previous request)

This is partially historical. The rough rule is if it was possible to make the request without javascript then it doesn't need any special headers (preflight)

I get the endless captcha with a Southern California IP. Something is either very broken or malicious.
Why is archive.today attacking that website?
The linked blog contains a story about who funds archive.today and they presumably don’t like being exposed.
Thanks. I am so confused by this social drama, I feel like I am getting too old for this.
It’s truly weird and unhinged the extent to which two rando Internet People are willing to grief each other.
Parasocialweb 2.0 I suppose.
You mean just to keep their secrets hidden they hurt others?
Like most companies or state ?

As an individual, keeping their identity private is the only way to prevent oppression.

Well, that exposing is hurting more than 2 for sure.
To be clear, if I have JavaScript blocked for archive.today (which is my default with NoScript; and really there is no site functionality that really needs JS on the user's end), then I don't participate in the DDOS, right?
I've been getting the endless captcha on my Finnish residential IPs, but I've also been getting that (or outright timeouts) when using VPNs, so I cannot use the site altogether. I wish there were alternatives.
While your article is insightful, can the blog author please redact the actual names and nicks from your original blog post (including the exact places where to find the information)? As this was discussed below. While I think you had good intentions, it might be good to also reflect on the rights of that person not to be identified.

Edit: I misread the comment initially as from someone with more insight. However, I guess it is obvious that anyone can see the JavaScript and participates involuntarily in the DoS.