At the moment, that's what Cloudflare is doing. They're just not obvious enough, leading to people on forums (and here) asking "why do I constantly need to fill out captchas to enter websites".
You gotta draw the line in the sand somewhere. VPNs are already morally dubious, but if you ban the most shady of VPNs, residential proxies, then you can at least guarantee service providers the right to deny service to proxy users, while allowing proxy users to use the proxy everywhere they are welcome.
Cloudflare scrubs Aisuru botnet from top domains list - https://news.ycombinator.com/item?id=45857836 - Nov 2025 (34 comments)
Aisuru botnet shifts from DDoS to residential proxies - https://news.ycombinator.com/item?id=45741357 - Oct 2025 (59 comments)
DDoS Botnet Aisuru Blankets US ISPs in Record DDoS - https://news.ycombinator.com/item?id=45574393 - Oct 2025 (142 comments)
Until then... There's gonna be a bigger wave.
Only way is to secure your IoT devices/routers/cameras/etc.
Literally the same as economic sanctions. The internet is a network of peers “trading” bits and bytes after all.
North Korea doesn't care if you limit their internet; they already allow people to go outside their own.
Just not enough economic or political incentive to pay for it.
For a few reasons (political, economical) there's little will to enact them. These attacks are so few and far between, and you can pay your way out of them in most cases, so the incentives aren't there for ISPs (who are a commodity judged primarily on price and bandwidth).
You detect the behaviour downstream and send a signal to the ISP that there is traffic that needs to be rate limited.
One mechanism for this is called RTBH (Remote Triggered BlackHole), which relies on community-tagged prefixes of addresses exceeding rate limits being blackholed from forwarding traffic further into the internet.
There are also things like flowspec, but a lot of things rely on proper trust between ASNs.
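The RTBH exchange described above, as an added illustration that is not part of the original thread: a simulated upstream router receives a customer's BGP announcement tagged with the well-known BLACKHOLE community (65535:666, RFC 7999) and installs a discard route only after checking that the prefix is a host route inside space the peer is authorised to originate. The allow-list, the provider-specific community and the ASNs/prefixes are constructed from documentation ranges.

```python
import ipaddress
from dataclasses import dataclass, field

# Well-known BLACKHOLE community (RFC 7999) and a hypothetical provider-specific
# one (documentation ASN 64496); the second is an assumption for this example.
BLACKHOLE_COMMUNITY = "65535:666"
PROVIDER_BLACKHOLE_COMMUNITY = "64496:666"


@dataclass
class Announcement:
    peer_asn: int
    prefix: str
    communities: set[str] = field(default_factory=set)


@dataclass
class UpstreamRouter:
    # Per-customer prefix allow-list, as an IRR/ROA-based prefix filter would produce.
    customer_prefixes: dict[int, list[str]]
    discard_routes: set[str] = field(default_factory=set)

    def accept_rtbh(self, ann: Announcement) -> tuple[bool, str]:
        """Decide whether to install a blackhole for `ann`; returns (installed, reason)."""
        if not ann.communities & {BLACKHOLE_COMMUNITY, PROVIDER_BLACKHOLE_COMMUNITY}:
            return False, "no blackhole community"
        try:
            net = ipaddress.ip_network(ann.prefix, strict=True)
        except ValueError:
            return False, "malformed prefix"
        # Only host routes (/32 or /128) may be blackholed, so a customer cannot
        # take a whole aggregate offline, by mistake or on purpose.
        if net.prefixlen != net.max_prefixlen:
            return False, "blackhole must be a host route"
        # The victim address must lie inside space this peer is allowed to originate.
        allowed = [ipaddress.ip_network(p) for p in self.customer_prefixes.get(ann.peer_asn, [])]
        if not any(net.subnet_of(a) for a in allowed if a.version == net.version):
            return False, "prefix not covered by peer's allow-list"
        self.discard_routes.add(str(net))
        return True, "installed discard route"

    def forwards(self, dst: str) -> bool:
        """True if packets to `dst` would still be forwarded toward the customer."""
        addr = ipaddress.ip_address(dst)
        return not any(addr in ipaddress.ip_network(r) for r in self.discard_routes)


if __name__ == "__main__":
    r = UpstreamRouter(customer_prefixes={64500: ["203.0.113.0/24"]})
    print(r.accept_rtbh(Announcement(64500, "203.0.113.7/32", {BLACKHOLE_COMMUNITY})))
    print("forwards 203.0.113.7:", r.forwards("203.0.113.7"))
```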
I'd say a putative UN NetWatch would suffer from the same issues of funding and corruption and politics, but still we might have something better than this wild west lawlessness.
Careful what you wish for. Before you know it you can't have an IP without your ID.
But who will suppress attempts to go beyond the blackwall then?
Some sort of international clearing house for ISPs to help identify and sequester compromised customers might be nice, too; but that doesn't need law enforcement powers; and maybe it already exists?
Law enforcement takes time. The perpetrators of these attacks aren't hanging out in the open with their full names shielded only by the hope that their country won't extradite for political favor.
By the time the perpetrators are identified and a case is built, getting them charged isn't bottlenecked on the lack of an international agency. Any international law enforcement agency would be beholden to each country's own political wills and ideals, meaning any "teeth" they had would be no more effective than what we currently have for extraditing people or cooperating with foreign police organizations.
But these bad actors are not possible to track down in the first place, since the internet is unfortunately decentralized and things as simple as transactions submitted to the Bitcoin or Ethereum blockchain can be used as C&C.
This is scary. Everyone lauds open source projects like OpenWRT but... who is watching their servers?
I imagine you can't run an army of security people on donations and a shoestring budget. Does OpenWRT use digital signing to mitigate this?
Didn't they have a vulnerability in their firmware download tool like a minute ago?
The difference between OpenWRT and Linux distros is the amount of testing and visibility. OpenWRT is loaded on to residential devices and forgotten about, it doesn't have professional sysadmins babysitting it 24/7.
Remember the xz backdoor was only discovered because some autist at Microsoft noticed a microsecond difference in performance testing.
Is it "scary" to think about OpenWRT potentially getting hacked? If you get scared by theoretical possibilities in software, sure. Is it relevant? Not exactly. Are companies' official servers more secure than an open-source project's servers? In this case, apparently not.
Plenty of stories of fairly major projects having evil commits snuck in that remain for months.
> run an army of security people
Do you think these private companies do this? They don't. They pay as little as humanly possible to cover their ass.
Botnets comprised of compromised routers are common, and commercial/consumer routers are a far juicier target than OpenWRT.
The build infrastructure is, of course, a juicy target: infect the artifact after building but before signing, and pwn millions of boxes before this is detected.
This is why bit-perfect reproducible builds are so important. OpenWRT in particular has that: https://openwrt.org/docs/guide-developer/security#reproducib...
There is a big (opportunity) cost to this kind of thing; how is this worthwhile for anyone? I assume that it's not just a competitor. Is it really worth <insert evil country>'s time to temporarily upset one of three big cloud providers? Is there a ransom behind the scenes?
It would really help to understand why attack one endpoint with "the largest DDoS attack ever observed in the cloud". If it was important, it would be redundant in its CDN. Who paid for this attack and what did they gain?
Thankfully, it was almost always targeted at our www servers, which were not important for our service. Very occasionally, we'd get hit on the machines that we actually ran our service on, but between the consistent DDoS on www, and our own self-inflicted DDoS from defects in the client code we wrote for our users, our service was well prepared... if the DDoS went over line rate for the server, our hosting provider would null route it [1], but otherwise, we could manage line rate of UDP reflection or TCP SYN floods and what have you. From what I could tell, most attackers didn't retarget to our other servers when one got null routed.
[1] They did try a DDoS scrubbing service, but having our servers behind the scrubber was way worse than just null routing. Maybe the scrubbing could have been tuned, but as it was, it was better for us to just have the attacked servers lose connectivity to the public network.
shoddydoordesk•35m ago
The Microsoft article reads like a corporate press release. The original link contained additional pertinent information and research which is good for discussion.