I have an obnoxious problem with crawlers eating bandwidth on my personal web site—not just the fact that crawlers consume so much bandwidth, but rather a behaviour that is absolutely next-level.
-
I have an obnoxious problem with crawlers eating bandwidth on my personal web site—not just the fact that crawlers consume so much bandwidth, but rather a behaviour that is absolutely next-level. And I think it's something that precludes the use of caching, but there are probably many of you with more knowledge than I have and who may know what can be done
🧵
️ -
I have an obnoxious problem with crawlers eating bandwidth on my personal web site—not just the fact that crawlers consume so much bandwidth, but rather a behaviour that is absolutely next-level. And I think it's something that precludes the use of caching, but there are probably many of you with more knowledge than I have and who may know what can be done
🧵
️@jsstaedtler I can't remember - are you self-hosting or using a paid host?
-
I have an obnoxious problem with crawlers eating bandwidth on my personal web site—not just the fact that crawlers consume so much bandwidth, but rather a behaviour that is absolutely next-level. And I think it's something that precludes the use of caching, but there are probably many of you with more knowledge than I have and who may know what can be done
🧵
️My site uses PHP to produce HTML output—no flat HTML files. There is an image gallery, and the images have tags.
It's here if you actually want to see it: https://bigraccoon.ca/gallery
When you filter on a tag, it adds a parameter to the URL, e.g. "domain[dot]com?tag=2026". That loads the gallery, but only displays images tagged with "2026".
You can filter further on more tags, e.g. "?tag=2026%2CPencil" ("%2C" is a URL-encoded comma), which would show images from 2026 drawn in pencil.
🧵2/?
-
I have an obnoxious problem with crawlers eating bandwidth on my personal web site—not just the fact that crawlers consume so much bandwidth, but rather a behaviour that is absolutely next-level. And I think it's something that precludes the use of caching, but there are probably many of you with more knowledge than I have and who may know what can be done
🧵
️The exact thing has happened to me recently with the tags. I now require users to log in to filter by multiple tags and I've blocked the subnets of the bots
If I wanted to allow guest users to search by multiple tags, I'd probably try the following options - (1) changing it to a POST request (2) requiring JavaScript (3) using Anubis (4) looking into ip masked rate limiting, so a rate limit for like multiple ip addresses in the same block
I wrote a blog post about my situation here https://blog.rubenwardy.com/2026/04/16/contentdb-ddos/
-
My site uses PHP to produce HTML output—no flat HTML files. There is an image gallery, and the images have tags.
It's here if you actually want to see it: https://bigraccoon.ca/gallery
When you filter on a tag, it adds a parameter to the URL, e.g. "domain[dot]com?tag=2026". That loads the gallery, but only displays images tagged with "2026".
You can filter further on more tags, e.g. "?tag=2026%2CPencil" ("%2C" is a URL-encoded comma), which would show images from 2026 drawn in pencil.
🧵2/?
This method of selecting tags allows for invalid combos, like "?tag=2026%2C2025". That selects images that were drawn both in 2026 *and* 2025... which obviously can't exist! The resulting page will tell you that 0 images were found.
A human would generally make sense of the available options, and *not* select two different years simultaneously. I could even code the page so that if one year is already selected, you can't select another one.
🧵3/?
-
This method of selecting tags allows for invalid combos, like "?tag=2026%2C2025". That selects images that were drawn both in 2026 *and* 2025... which obviously can't exist! The resulting page will tell you that 0 images were found.
A human would generally make sense of the available options, and *not* select two different years simultaneously. I could even code the page so that if one year is already selected, you can't select another one.
🧵3/?
But you can't stop anyone from entering a URL with any combination of tag names. You must decide what page they will see when they do so, and in my case, it's a gallery page with 0 images.
Now: enter the web crawler bot. It finds my site. It grabs all of the links on the front page, then starts loading each one. Then it grabs all of the links on *those* pages, and starts loading all of *them*. Presumably it will stop once all links have been viewed.
🧵4/?
-
I have an obnoxious problem with crawlers eating bandwidth on my personal web site—not just the fact that crawlers consume so much bandwidth, but rather a behaviour that is absolutely next-level. And I think it's something that precludes the use of caching, but there are probably many of you with more knowledge than I have and who may know what can be done
🧵
️@jsstaedtler I've been using Iocaine, which is specifically intended to mess with AI bots, but it can also help with "normal" bots too
https://iocaine.madhouse-project.org/
of course that still eats up some of your server's power. I work for a web hosting company and frequently we'll just make a list of "bad bots" in an .htaccess file to block them. The server still has to reply to their requests but doesn't have to serve them any real data -
But you can't stop anyone from entering a URL with any combination of tag names. You must decide what page they will see when they do so, and in my case, it's a gallery page with 0 images.
Now: enter the web crawler bot. It finds my site. It grabs all of the links on the front page, then starts loading each one. Then it grabs all of the links on *those* pages, and starts loading all of *them*. Presumably it will stop once all links have been viewed.
🧵4/?
So it loads my gallery page, and sees the list of tags: maybe 50 different links, all of which load the gallery page with a new filter applied. So it loads one, like "?tag=2026".
On the resulting page, there are still 50-odd tag links available. So it loads another one, and the URL now includes "?tag=2026%2C2025". Which is nonsense, but the page still loads.
Well, there are 0 images to show on that page, but still more tags to open! So next the bot opens "?tag=2026%2C2025%2C2024"...
🧵5/?
-
So it loads my gallery page, and sees the list of tags: maybe 50 different links, all of which load the gallery page with a new filter applied. So it loads one, like "?tag=2026".
On the resulting page, there are still 50-odd tag links available. So it loads another one, and the URL now includes "?tag=2026%2C2025". Which is nonsense, but the page still loads.
Well, there are 0 images to show on that page, but still more tags to open! So next the bot opens "?tag=2026%2C2025%2C2024"...
🧵5/?
@jsstaedtler an easy way to catch this is that these scrapers generally don't send Referer headers, so you can kill these by checking that a valid Referer header is present in tag search. This will have false positives for humans that try to be too smart though.
-
The exact thing has happened to me recently with the tags. I now require users to log in to filter by multiple tags and I've blocked the subnets of the bots
If I wanted to allow guest users to search by multiple tags, I'd probably try the following options - (1) changing it to a POST request (2) requiring JavaScript (3) using Anubis (4) looking into ip masked rate limiting, so a rate limit for like multiple ip addresses in the same block
I wrote a blog post about my situation here https://blog.rubenwardy.com/2026/04/16/contentdb-ddos/
For your particular case, you should return a 404 if the URL contains both 2025 and 2026. This would stop them getting into invalid combinations. You can make it so the UI never links to these combinations by *replacing* rather than appending years if one already exists
-
So it loads my gallery page, and sees the list of tags: maybe 50 different links, all of which load the gallery page with a new filter applied. So it loads one, like "?tag=2026".
On the resulting page, there are still 50-odd tag links available. So it loads another one, and the URL now includes "?tag=2026%2C2025". Which is nonsense, but the page still loads.
Well, there are 0 images to show on that page, but still more tags to open! So next the bot opens "?tag=2026%2C2025%2C2024"...
🧵5/?
How many permutations of tags are there? A butttonne, and the bot will diligently check out ALL OF THEM. Thousands and thousands of page loads! And even though all of them have 0 images to display, there will still be a tag list to choose from, and it will always visually update to indicate which tags are currently selected. So the page can't just be saved in a static HTML file, and the bot isn't going to load anything from it's own cache.
🧵6/?
-
@jsstaedtler an easy way to catch this is that these scrapers generally don't send Referer headers, so you can kill these by checking that a valid Referer header is present in tag search. This will have false positives for humans that try to be too smart though.
@jsstaedtler (talking from experience with my self-hosted gitweb for this, BTW)
-
@jsstaedtler an easy way to catch this is that these scrapers generally don't send Referer headers, so you can kill these by checking that a valid Referer header is present in tag search. This will have false positives for humans that try to be too smart though.
@oblomov @jsstaedtler the referer header only exists for tracking, so many privacy-conscious people configure their browsers not to send it
the referer header should not exist in the first place -
How many permutations of tags are there? A butttonne, and the bot will diligently check out ALL OF THEM. Thousands and thousands of page loads! And even though all of them have 0 images to display, there will still be a tag list to choose from, and it will always visually update to indicate which tags are currently selected. So the page can't just be saved in a static HTML file, and the bot isn't going to load anything from it's own cache.
🧵6/?
I'm not fundamentally opposed to web crawlers, I would actually love it if my work is more discoverable. But this is such an obnoxious situation that I'm forced to accomodate or protect against.
I'm starting to think I need to test for mutually exclusive tags, and if two or more are selected, the resulting page will have no links at all except one to go back. That will deny the bots any more links to dive into.
But maybe there are better options? I'd wager this is not a novel issue...
🧵7/7
-
I'm not fundamentally opposed to web crawlers, I would actually love it if my work is more discoverable. But this is such an obnoxious situation that I'm forced to accomodate or protect against.
I'm starting to think I need to test for mutually exclusive tags, and if two or more are selected, the resulting page will have no links at all except one to go back. That will deny the bots any more links to dive into.
But maybe there are better options? I'd wager this is not a novel issue...
🧵7/7
@jsstaedtler a dumb solution would be to tell robots to not index the page (robots meta tag) if there is any tag queries, which i assume you can do via PHP.
edit: or if you want individual tags indexed, at least reject robots for queries of more than one tag?
-
@jsstaedtler a dumb solution would be to tell robots to not index the page (robots meta tag) if there is any tag queries, which i assume you can do via PHP.
edit: or if you want individual tags indexed, at least reject robots for queries of more than one tag?
Many crawlers ignore this in my experience, especially the AI ones
-
@jsstaedtler I can't remember - are you self-hosting or using a paid host?
@vga256 I'm sharing a paid host with a friend. Thanks to relatively low combined popularity, we can get away with a cheap plan, but I really don't want random bots to ruin that
-
For your particular case, you should return a 404 if the URL contains both 2025 and 2026. This would stop them getting into invalid combinations. You can make it so the UI never links to these combinations by *replacing* rather than appending years if one already exists
To block the abusive subnets, I used this tool to look up the IP ranges from example IP addresses. You can see all the IP ranges for a particular host: https://www.whatismyip.com/asn/AS150436/
I then blocked using ipset/iptables but other options exist depending on your setup
-
Many crawlers ignore this in my experience, especially the AI ones
@rubenwardy @jsstaedtler it would at least help with the legitimate ones!
-
@rubenwardy @jsstaedtler it would at least help with the legitimate ones!
Ah yes, worth doing as it also improves your SEO by not having thousands of similar pages
