question for admin/mods: wondering reason for increased forum website traffic?

[gadget42]

question for admin/mods: wondering reason for increased forum website traffic?

iirc, up until quite recently the most online ever was about 1k less?

did we get a mention somewhere recently?

or is it just increased ai/bot/llm/lvm/etc activities?

[gadget42]

just noticed that a few hours after i posted the above commentary on the increased traffic from ai/bot/llm/lvm/etc, the ai/bot/llm/lvm/etc traffic doubled. ai/bot/llm/lvm/etc is ruining the open web for everyone everywhere.

[Paul_123]

It’s bots.  There is not an easy way to remove them from the online count

[gadget42]

imho i think it is better that forum members/visitors ARE able to see the bot traffic

i would not want it hidden at/on any website, in fact it should be actively called out by all the websites under siege.

[Paul_123]

Most of them are well behaved, honoring rate settings.   I’ve not seen it really affect the load of the server.

[gadget42]

https://tech.slashdot.org/story/25/08/31/1820249/are-ai-web-crawlers-destroying-websites-in-their-hunt-for-training-data

[gadget42]

wowza!

Most Online Ever: 16857 (December 09, 2025, 12:37:20 PM)

anyone know the _what/why_ regarding this recent rather large spike in MOE traffic?
(might be ai/bot/llm/lvm/etc using residential based proxies which would massively increase the "individual" entity traffic based on originating ip addresses)
(re: residential proxies, see for example _randomly_referenced_ oxylabs.io and www[.]webshare.io)

[gadget42]

after reading a recent commentary that included information about aisuru botnet here:

https://blog.cloudflare.com/ddos-threat-report-2025-q3/#aisuru-breaking-records-with-ultrasophisticated-hyper-volumetric-ddos-attacks

more searching resulted in a couple pieces from krebs:

https://krebsonsecurity.com/2025/10/ddos-botnet-aisuru-blankets-us-isps-in-record-ddos/

https://krebsonsecurity.com/2025/10/aisuru-botnet-shifts-from-ddos-to-residential-proxies/

snippet tidbit(mostly because an earlier post referenced oxylabs.io and www[.]webshare.io):

Today, Spur says it is tracking an unprecedented spike in available proxies across all providers, including;

LUMINATI_PROXY    11,856,421
NETNUT_PROXY    10,982,458
ABCPROXY_PROXY    9,294,419
OXYLABS_PROXY     6,754,790
IPIDEA_PROXY     3,209,313
EARNFM_PROXY    2,659,913
NODEMAVEN_PROXY    2,627,851
INFATICA_PROXY    2,335,194
IPROYAL_PROXY    2,032,027
YILU_PROXY    1,549,155

[gadget42]

naturally the bots are still out of control:

https://forum.tinycorelinux.net/index.php/topic,28089.0.html

[gadget42]

 Most Online Today: 31582. Most Online Ever: 31582 (Today at 10:43:55 AM)

[Paul_123]

Yup.  They all nailed the server at the same time about 11:40 EDT.

It’s why a lot of servers are putting cloudflare in front of them.

[Vic]

It is probably my fault. I check TC a few times a week.

Sorry

Vic

[Rich]

Hi Paul_123
There were about 16000 users around 11:40. They really managed
to slow the site down. When I returned later on I saw the number
had peaked to over 31000.

[CNK]

It's why a lot of servers are putting cloudflare in front of them.

It's not clear if that means you're considering doing the same, but I'll just make the point that when most sites do that (or start using any other service that requires Javascript to try and verify humanity) I stop visiting.

I know it's a tough problem to solve (my own website was getting crippled by millions of bot hits a day a while ago), and other common solutions like blocking IPs from certain countries may cut off other users, but I'm just sharing my point of view.

[Paul_123]

Hits from today by useragent   only the top 20

Code: [Select]

156472 Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/142.0.0.0 Safari/537.36
  43616 Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/145.0.0.0 Safari/537.36
  11518 Mozilla/5.0 AppleWebKit/537.36 (KHTML, like Gecko; compatible; ClaudeBot/1.0; +claudebot@anthropic.com)
   9614 Mozilla/5.0 AppleWebKit/537.36 (KHTML, like Gecko; compatible; Amazonbot/0.1; +https://developer.amazon.com/support/amazonbot) Chrome/119.0.6045.214 Safari/537.36
   4645 Mozilla/5.0 (Linux; Android 6.0.1; Nexus 5X Build/MMB29P) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/146.0.7680.177 Mobile Safari/537.36 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)
   3814 Mozilla/5.0 (X11; Linux i686; rv:109.0) Gecko/20100101 Firefox/115.0
   2841 Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/146.0.0.0 Safari/537.36
   2662 Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/142.0.0.0 Safari/537.36
   2157 Mozilla/5.0 (X11; Linux x86_64; rv:149.0) Gecko/20100101 Firefox/149.0
   1728 Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:149.0) Gecko/20100101 Firefox/149.0
   1683 Mozilla/5.0 AppleWebKit/537.36 (KHTML, like Gecko; compatible; bingbot/2.0; +http://www.bing.com/bingbot.htm) Chrome/116.0.1938.76 Safari/537.36
   1605 Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/131.0.0.0 Safari/537.36; ClaudeBot/1.0; +claudebot@anthropic.com)
   1543 Mozilla/5.0 AppleWebKit/537.36 (KHTML, like Gecko); compatible; ChatGPT-User/1.0; +https://openai.com/bot
   1446 Mozilla/5.0 (X11; Linux x86_64; rv:140.0) Gecko/20100101 Firefox/140.0
   1255 Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.4 Safari/605.1.15 (Applebot/0.1; +http://www.apple.com/go/applebot)
   1079 Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/146.0.0.0 Safari/537.36
    927 Terra Cotta 0.1 https://www.github.com/ceramicTeam/CeramicTerracotta
    788 Wget
    759 Mozilla/5.0 (compatible; Thinkbot/0.5.8; +In_the_test_phase,_if_the_Thinkbot_brings_you_trouble,_please_block_its_IP_address._Thank_you.)
    755 Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/140.0.0.0 newsai/1.0 Safari/537.36

The first user agent was the offender.  they launched almost 60 requests per second for about 20 minutes)   Here is the real problem.  This attack came from 104,000 different ip addresses.