I used to work on a site with basic caching, a big web framework, every page dynamic, and 3 frontend webservers plus a database primary and replica. Super basic infra, and a bill close to this user.
We would never have noticed 3 to 4 requests per second like this. And we weren't being that smart about it, we were rendering every page not serving from cache (we mostly cached DB results). We were also conscious of not accidentally building SEO bot traps that would cause them to go around in loops, not because of the traffic generated, but because it was bad for SEO!
This just strikes me as bad engineering on both sides. Yes Meta is the one with the big budgets and they should sort this out, but also you can't pay 10-100x for your infra and get annoyed when you have a big bill. On the web people and bots are going to make requests and you just have to design for that.
If I don’t block, 95% of my resources will be spent on feeding bots.
I had to block all “official” AI useragents and entire countries like Singapore and China. But there are so many unofficial bots which spread their work over dozes of IP addresses that it seems impossible to block on the reverse proxy level. How do you block those?
Okay, but why should you care? Resource usage for a regular website that isn't doing some heavy dynamic stuff or video streaming tends to be rather negligible. You can easily serve 100k+ requests per second on servers that costs less than $100/mo.
It really shouldn't be worth your time to do anything about the bots unless you're doing something unusual.
If the resource usage of a website is a concern, either your code is straight up broken or you're doing something rather unusual. While doing unusual things, it's normal to encounter unusual problems. However, when encountering an unusual problem it's good to stop for a moment and consider if your approach is wrong.
At some point the only good way to stop scraping becomes paywalls. You can't defeat sophisticated scrapers through any other means.
Is there more background noise than before? Yes, probably. Is it a big deal yet? Still not.
"Trust me bro, not a big deal... YET, pay up and move along, nothing to see here"
That might be true for you, but it definitely isn't true for everybody, if you don't want to stop bots, nobody is stopping you from not stopping them, but you keep arguing as if your life depends on it... Are you a bot too?
Who in his right mind would wait for some problem to become a really big deal without seeking a way to prevent it?
Feel free to "stop the bots", it just probably isn't a sensible use of your time.
>Who in his right mind would wait for some problem to become a really big deal without seeking a way to prevent it?
You're starting from the huge assumption that this will ever become a big deal.
A very important question which deserves a good answer.
> Okay, but why should you care?
Not that kind of answer - this is bad manners or worse. The counter-question "Why do you ask that" isn't an honest or meaningful answer - it's indefensible defense of allowing meaningless traffic without any defenses.
> Resource usage for a regular website that isn't doing some heavy dynamic stuff or video streaming tends to be rather negligible.
Maybe it is doing video streaming, or audio, or lots of images or very dynamic, or written in Python - the trend is to use more and more bandwidth to make the sites more attractive.
> You can easily serve 100k+ requests per second on servers that costs less than $100/mo.
Maybe $100/mo isn't a trivial amount for a site that has no video, isn't dynamic, etc - your assumptions contradict themselves and reality.
Without any maybe, the prices of RAM, bandwidth and hosting are going up while usage limits are going down - inflation. There's no reason to sacrifice $100/mo to hostile bot daemons which are sure to ask for more and more in the future.
It's absolutely clear that giving a free reign to bots will encourage more bots and more sinister behavior because the boundary between bot scraping and ddos is blurry, you're essentially arguing for allowing soft ddos which can be turned up at times just to make a site ineffective when it's needed.
Nah. Based on years of experience, the typical person asking this question is asking because they're bothered by log entries. They're not asking it because the requests are actually being somehow disruptive. The correct answer is "don't stress out about normal background noise".
>Maybe $100/mo isn't a trivial amount for a site that has no video, isn't dynamic, etc - your assumptions contradict themselves and reality.
$100/mo is a trivial amount for anything that is visited hundred thousand times in a second.
>It's absolutely clear that giving a free reign to bots will encourage more bots and more sinister behavior because the boundary between bot scraping and ddos is blurry, you're essentially arguing for allowing soft ddos which can be turned up at times just to make a site ineffective when it's needed.
Not really. The bots have a strong incentive to not be disruptive.
>Without any maybe, the prices of RAM, bandwidth and hosting are going up while usage limits are going down - inflation. There's no reason to sacrifice $100/mo to hostile bot daemons which are sure to ask for more and more in the future.
Prices of bandwidth and hosting are not going up, usage limits are not going down. This is not a real thing that's happening. Servers (and bandwidth) are in fact cheaper than ever, except perhaps for the RAM.
A very good and important question. I was thinking about some combination of proof of work and a dynamic list of offending IPs which servers would update periodically, similar to how such lists are used by ad-blockers.
It would be ideal to have some legislative protection from ddos together with technical means of disclosure and prevention, bot scraping is a from of soft ddos.
laborcontract•1w ago
Also, why do people use vercel nowadays? I’m sure there are reasons, but I moved over to railway (you can insert alternative provider here) and I no long f* around trying to fix page load time due to cold starts, I have predictable pricing, and my sites on railway are fast so much faster. Plus, if cost is a factor, railway offers serverless. It’s not as shiny as vercel, but nextjs works perfectly on it.
It astounds me that vercel has positioned themselves as a sanctuary city for normies and yet, the city is littered with landmines and booby traps.
spiderfarmer•1w ago