Breaking the Bottleneck of Massive Rule Sets
The Free Software Foundation (FSF) has successfully mitigated aggressive web scraping and large-scale DDoS attacks on its GNU Savannah infrastructure. By abandoning traditional, Python-based security tools in favor of a custom-configured implementation of the reaction firewall automation tool, the foundation has bypassed the architectural limitations that previously crippled its servers.
The organization’s previous reliance on fail2ban and UFW proved unable to handle the 65,000+ firewall rules required to block sophisticated residential botnets. As the blocklist grew, system performance plummeted, forcing the FSF to move toward a more scalable integration with the Linux kernel’s ipset framework.
From Patchwork Scripts to Scalable Defense
Before adopting reaction, the FSF attempted to manage the load through a series of custom BASH, awk, and Perl scripts. These “quick patches” were designed to interface directly with ipset but ultimately proved too difficult to maintain against an increasing volume of unique attack patterns. Because fail2ban relies on SQLite and Python to monitor log files for scrapers—including those used for LLM training—it created a persistent bottleneck that the FSF could no longer tolerate.
Optimizing for High-Traffic Stability
To achieve a sustainable defense, the FSF turned to reaction, a tool hosted on the Framagit forge. Unlike off-the-shelf security suites, reaction requires a custom configuration, allowing the FSF to build a lean environment that discards redundant features.
The FSF focused on two critical optimizations. First, they implemented a streamlined configuration file containing only essential rules. Second, they developed a mechanism for persistent IP sets: the reaction shutdown process now exports IP sets to the disk, which the startup process restores. This ensures near-instantaneous service restarts without downtime. These configurations are now published on the project’s upstream wiki for other administrators.
Tracking the Vo1d Botnet
Forensic analysis, supported by data from the digital forensics organization Qurium, revealed that much of the aggressive scraping originated from residential IP proxy networks. The investigation linked a portion of the traffic targeting GNU Savannah to the “Vo1d” (or “Popa”) botnet, a collection of compromised smart TVs running malicious applications.

By identifying these specific traffic patterns, the FSF created regular expressions capable of flagging and blocking botnet requests before they impact server stability.
Comparative Performance Metrics
The shift represents a move from the pre-packaged nature of fail2ban to a high-performance, ipset-integrated model. While fail2ban is suitable for small to mid-sized servers, its high maintenance requirements for large rule sets made it a liability for the FSF’s infrastructure.
| Feature | Fail2ban | Reaction |
|---|---|---|
| Configuration | Pre-packaged | Custom-built |
| Performance | Limited by Python/SQLite | High (via ipset integration) |
| Maintenance | High for large rule sets | Low for large rule sets |
| Best Use Case | Small to mid-sized servers | High-traffic, large-scale blocking |
The FSF maintains that these automated tools are essential for keeping their sites online amid rising automated threats. The project is now a critical component of the foundation’s broader effort to ensure their infrastructure remains accessible to the community.