How FSF Sysadmins Block Botnets with Reaction
How the FSF sysadmins block botnets with reaction
I discovered that aggressive scrapers training LLMs were using the Vo1d botnet to attack our servers. After hitting scaling limits with fail2ban and UFW, we switched to reaction, a flexible tool that works seamlessly with ipset. This allowed us to manage millions of rules efficiently, keeping GNU Savannah online while sharing our custom configurations with the community.
"Without the continued commitment of people like you, the progress we have made is in danger, and software freedom could be reduced to a mere wish instead of today's reality."
HN discussion
- Critics argue that the FSF's statement declaring their software 'gay, trans, and anticolonialist' contradicts the political neutrality of free software licenses and risks excluding contributors based on differing political views.
- Practitioners note that while tools like fail2ban and Reaction are useful, modern attacks often require blocking entire ASN ranges or data centers, with some preferring low-overhead 'ip route blackhole' entries over stateful firewall rules for TCP traffic.
- Defenders of the FSF's stance clarify that expressing preferences about who should use the software does not legally restrict rights, while others counter that such statements effectively signal a desire to avoid contributions from people with opposing politics.
- Sysadmins report that commercial bot mitigation services like Datadome and HUMAN are often too expensive or prone to false positives, forcing teams to manually ban residential proxies and specific cloud providers like Huawei or Tencent.
- Technical discussions highlight that Anubis supports a no-JavaScript 'proof of patience' challenge via meta-refresh, offering a viable alternative for sites adhering to the FSF's strict stance against JavaScript traps.