1.3 million IPs hit LWN in two hours
LWN.net is absorbing a 1.3-million-IP Layer 7 scraper flood. Why per-IP defenses fail, what web telemetry shows, and what shifts the cost back to the client.
LWN.net is absorbing a distributed HTTP request flood. Roughly 1.3 million unique source IP addresses inside a two-hour window, by the site’s own count, and still climbing. No CVE. No memory-corruption primitive. No shell. This is a Layer 7 resource-exhaustion event delivered through an IP pool large enough to make every per-source control irrelevant.
The unique-IP count is not a load figure. It is an evasion figure. The standard application-layer abuse control is a rate limit keyed on source address: X requests per IP per interval, block on breach. That control assumes a small set of sources generating disproportionate volume. A distributed proxy network inverts the assumption. Each node issues a handful of requests. Aggregate volume is enormous. No single address crosses a threshold. The rate limiter sees 1.3 million well-behaved clients, not one attacker.
This is not a volumetric flood. There is no SYN flood, no UDP reflection, no bandwidth exhaustion at Layer 3 or 4. Every connection completes a full TCP and TLS handshake. Every request is a well-formed, valid HTTP GET. Scrubbing infrastructure tuned for volumetric DDoS passes this traffic cleanly, because by every packet-level measure it is legitimate. In MITRE terms this maps to T1499.002, service exhaustion flood, executed at the application layer rather than T1498 network denial of service. The distinction is operational. The mitigation lives at Layer 7, at the reverse proxy or CDN edge, not in a transit-level scrubbing center.
The pool composition is the point. These addresses resolve to consumer ISPs across hundreds of ASNs and dozens of countries. They come from proxyware bundled into free apps, SDKs embedded in mobile software, and consumer devices whose bandwidth is resold. From the origin’s perspective the traffic is indistinguishable from real subscribers on real broadband lines, because that is physically what it is. ASN blocking does not help; the ASNs are Comcast, Jio, and Deutsche Telekom, the same networks the legitimate readers sit behind. Geo-fencing does not help; the exit nodes are everywhere, including the countries the audience lives in.
The targeting shows intent to consume compute, not just fetch text. High-cost endpoints get hit hardest: dynamically rendered article pages, deep /Articles/ links, search queries, and on the git-forge pattern that has hit adjacent sites, blame views, diff ranges, and archive tarball generation. These paths miss the cache. Some carry cache-busting query parameters that force a unique key on every request. The economics are lopsided. A request costs the client almost nothing. The response costs the origin a database hit and a render. Multiply a cheap request by 1.3 million distinct origins and the backend saturates.
LWN’s structure amplifies the cost. The archive runs deep. Original content dates to 1998, and every article is a linked, crawlable node in a dense graph. A crawler following every link reaches old, low-traffic pages that no cache holds warm, because no human requests them. Each of those is a guaranteed cache miss and a guaranteed origin render. The paywall changes little. The subscriber gate sits in front of some article bodies, but the link graph itself is public and vast, and traversing it is what generates the load.
The framing around this event is that it is a coordinated effort to silence a security-intelligence source. The observable signature does not confirm motive. What it matches is the LLM training-corpus harvesting pattern that has degraded GNOME’s GitLab, KDE, SourceHut, Fedora’s Pagure, Read the Docs, and the kernel’s own git infrastructure over the past eighteen months. GNOME and others deployed Anubis, the proof-of-work interstitial written by Xe Iaso, specifically to survive it. Cloudflare has published that automated AI-crawler traffic is now a material and rising fraction of all requests it fronts. The declared crawlers - GPTBot, ClaudeBot, Meta-ExternalAgent, Bytespider - are the honest half. They send identifiable user-agents and mostly respect robots.txt. The 1.3-million-IP swarm is the other half. It hides behind residential exits, forges or rotates its user-agent, and ignores robots.txt entirely. Whether LWN is being singled out as a security source or is simply a dense, high-value text archive caught in indiscriminate corpus scraping, the packets do not say. The effect on availability is identical either way. Overstating deliberate intent adds nothing operational.
This does not surface in EDR. There is no process tree, no Sysmon Event ID 1, no LSASS access. It lives entirely in web-tier telemetry: reverse-proxy and origin access logs, WAF event streams, CDN analytics. The signatures are statistical. Unique-source cardinality per time bucket spikes by orders of magnitude while requests-per-source stays near one. Response codes are overwhelmingly 200, not 404 - the clients are pulling real content, not probing, which separates this from T1595 active scanning. User-agent distribution either collapses onto a narrow set of forged browser strings or scatters across implausibly many. The strongest tell survives IP and UA rotation: the TLS client hello. JA3 and JA4 fingerprints cluster tightly because the underlying HTTP library is uniform across the swarm, even when every other attribute is randomised. Second-order behavior is the other tell. A real browser that loads an article also pulls the linked CSS, JavaScript, and images. A scraper pulls the HTML and stops. Sessions that fetch documents and never fetch a single linked asset, with no referer chain, are the flood.
Per-IP WAF rules do not fire; no address earns a block. IP-keyed rate limits do not fire for the same reason. Geo rules and ASN denylists catch datacenter proxies and miss the residential mass. What shifts the economics is a challenge that costs the client per request. Proof-of-work interstitials - Anubis and equivalents - force each client to compute a hashcash-style token before content is served, which is trivial for one reader and expensive across 1.3 million forced computations. JavaScript challenges filter clients that do not run a real engine. TLS-fingerprint blocking on clustered JA4 hashes drops the uniform-library traffic. Behavioral rules that require asset co-fetch before serving deep content raise the cost of looking human.
None of it is a fix, because there is no bug. Proof-of-work raises attacker cost but taxes low-power and no-JavaScript legitimate clients, and it degrades accessibility for the readers who need it most. Fingerprint blocking is an active arms race. curl-impersonate and uTLS already reproduce browser TLS stacks well enough to defeat naive JA3 matching, and swarm operators will migrate to them once static fingerprints start getting blocked. ASN and geo controls will always trade false positives against real subscribers. The residual exposure is structural: an unauthenticated public archive answering expensive requests to anonymous clients is exploitable for resource exhaustion by anyone who can rent enough residential exits, and that market is cheap and liquid.
The technical reality is that this class of event has no patch boundary. It is not CVE-2024-anything. It is an economic asymmetry between the cost of a request and the cost of a response, exploited at a scale that defeats identity-based filtering. Defense means moving cost back onto the client at the edge, per request, and accepting the collateral that comes with it. For operators seeing the same cardinality signature, the response path is incident coordination with the upstream CDN or transit provider and preservation of the access logs - ASN spread, JA4 clusters, path distribution - not a rule tweak on a single box. Availability of independent technical-security reporting is not a convenience. For the people who triage kernel CVEs off sources like this, it is part of the information supply chain, and under regimes that treat availability as a security property, degrading it is a security event in its own right. The swarm does not need a vulnerability. It only needs the archive to keep answering.
Keep Reading
systems driftSeizing the domains left the machine untouched
The FBI seizure of NetNut and the Popa botnet infrastructure exposes a structural fault in delegated trust: systems that resolve a reference but never revalidate what it points to.
systems failure analysisThe browser runs whatever the host returns
A browser tab holding 2 GB is not a malfunction; it is a trust model that resolves references and never revalidates the referent behind the name.
systems failure analysisThe rubric graded an empty chair
Brown's AI cheating scandal is not a student failure. It is an assessment system that resolves trust by reference and never revalidates the reality behind it.
Stay in the loop
New writing delivered when it's ready. No schedule, no spam.