Defending Against DDoS and LLM Scrapers with Reaction

by Anika Shah - Technology
0 comments

Breaking the Bottleneck of Massive Rule Sets

The Free Software Foundation (FSF) has successfully mitigated aggressive web scraping and large-scale DDoS attacks on its GNU Savannah infrastructure. By abandoning traditional, Python-based security tools in favor of a custom-configured implementation of the reaction firewall automation tool, the foundation has bypassed the architectural limitations that previously crippled its servers.

The organization’s previous reliance on fail2ban and UFW proved unable to handle the 65,000+ firewall rules required to block sophisticated residential botnets. As the blocklist grew, system performance plummeted, forcing the FSF to move toward a more scalable integration with the Linux kernel’s ipset framework.

From Patchwork Scripts to Scalable Defense

Before adopting reaction, the FSF attempted to manage the load through a series of custom BASH, awk, and Perl scripts. These “quick patches” were designed to interface directly with ipset but ultimately proved too difficult to maintain against an increasing volume of unique attack patterns. Because fail2ban relies on SQLite and Python to monitor log files for scrapers—including those used for LLM training—it created a persistent bottleneck that the FSF could no longer tolerate.

Optimizing for High-Traffic Stability

To achieve a sustainable defense, the FSF turned to reaction, a tool hosted on the Framagit forge. Unlike off-the-shelf security suites, reaction requires a custom configuration, allowing the FSF to build a lean environment that discards redundant features.

Free Software Foundation Ditches The Office

The FSF focused on two critical optimizations. First, they implemented a streamlined configuration file containing only essential rules. Second, they developed a mechanism for persistent IP sets: the reaction shutdown process now exports IP sets to the disk, which the startup process restores. This ensures near-instantaneous service restarts without downtime. These configurations are now published on the project’s upstream wiki for other administrators.

Tracking the Vo1d Botnet

Forensic analysis, supported by data from the digital forensics organization Qurium, revealed that much of the aggressive scraping originated from residential IP proxy networks. The investigation linked a portion of the traffic targeting GNU Savannah to the “Vo1d” (or “Popa”) botnet, a collection of compromised smart TVs running malicious applications.

Tracking the Vo1d Botnet

By identifying these specific traffic patterns, the FSF created regular expressions capable of flagging and blocking botnet requests before they impact server stability.

Comparative Performance Metrics

The shift represents a move from the pre-packaged nature of fail2ban to a high-performance, ipset-integrated model. While fail2ban is suitable for small to mid-sized servers, its high maintenance requirements for large rule sets made it a liability for the FSF’s infrastructure.

Feature Fail2ban Reaction
Configuration Pre-packaged Custom-built
Performance Limited by Python/SQLite High (via ipset integration)
Maintenance High for large rule sets Low for large rule sets
Best Use Case Small to mid-sized servers High-traffic, large-scale blocking

The FSF maintains that these automated tools are essential for keeping their sites online amid rising automated threats. The project is now a critical component of the foundation’s broader effort to ensure their infrastructure remains accessible to the community.

Related Posts

Leave a Comment