Crazy amount of guests

Seems another wave or two are currently going on. I'm currently at a deflection rate of more than 80% of the requesting IPs over the last 24 hours. The root cause is mainly a massive rise in requests from residential proxies within the US on the one hand, and on the other a massive flood of requests from Singapore and Hong Kong, which to a relevant degree comes from AS132203 (Tencent cloud computing). That ASN was blocked ages ago already, but that does not stop it from trying.

I am once more somewhat baffled by the immense number of residential proxies in the US. This could maybe have been expected in a developing country with a low level of education and a bad economy with very low wages, but in the US? Weird.
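The post above blocks a whole ASN and reports a "deflection rate" over the requesting IPs. The following is an added example (not the poster's code) of how to compute that figure from access logs: attribute each client IP to an ASN by longest-prefix match, count distinct IPs per ASN, measure what share a block list catches, and emit the matching nginx `deny` lines. It assumes combined-format log lines and treats the deflection rate as the share of distinct requesting IPs inside the blocked ASNs. The prefix table and the log lines are constructed from RFC 5737 documentation ranges: AS132203 is the ASN named in the post, but the prefixes shown are not its real announcements, and the other ASNs are placeholders.

```python
"""Attribute web-server hits to ASNs and measure what share of the
requesting IPs a block list actually catches.

Added example (not code from the thread). Log lines are in the nginx /
Apache "combined" format. The prefix-to-ASN table is constructed from
RFC 5737 documentation ranges: AS132203 is the ASN named in the post,
but these are NOT its real announcements, and the other ASNs are
placeholders. A real run would load a BGP/RIR prefix dump instead."""
import ipaddress
import re

# Constructed table: CIDR -> (ASN, operator name). The /29 inside the
# Tencent /24 belongs to a different (placeholder) ASN so that the
# longest-prefix rule below actually matters.
PREFIX_TO_ASN = {
    "203.0.113.0/24":   (132203, "Tencent cloud computing"),
    "203.0.113.200/29": (64502, "placeholder reseller inside the /24"),
    "198.51.100.0/24":  (64500, "placeholder US cable ISP"),
    "192.0.2.0/24":     (64501, "placeholder hosting provider"),
}

# Client IP, timestamp, request line and status from a combined-format line.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3})'
)

# Constructed sample log; the last line is deliberately malformed.
SAMPLE_LOG = """\
203.0.113.5 - - [04/Mar/2026:09:32:01 +0000] "GET /forums/ HTTP/1.1" 403 120 "-" "Mozilla/5.0"
203.0.113.9 - - [04/Mar/2026:09:32:02 +0000] "GET /threads/1/ HTTP/1.1" 403 120 "-" "Mozilla/5.0"
203.0.113.201 - - [04/Mar/2026:09:32:02 +0000] "GET /threads/2/ HTTP/1.1" 200 8800 "-" "Mozilla/5.0"
198.51.100.7 - - [04/Mar/2026:09:32:03 +0000] "GET /forums/ HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
198.51.100.7 - - [04/Mar/2026:09:32:04 +0000] "GET /threads/3/ HTTP/1.1" 200 7000 "-" "Mozilla/5.0"
192.0.2.44 - - [04/Mar/2026:09:32:05 +0000] "GET /login/ HTTP/1.1" 200 4100 "-" "python-requests/2.31"
this line is not in combined format
""".splitlines()


def build_table(mapping):
    """Parse the CIDR table and sort it most-specific first."""
    table = [(ipaddress.ip_network(cidr), asn, name) for cidr, (asn, name) in mapping.items()]
    table.sort(key=lambda entry: entry[0].prefixlen, reverse=True)
    return table


def lookup_asn(ip, table):
    """Longest-prefix match of one address; (None, 'unknown') if no prefix covers it."""
    addr = ipaddress.ip_address(ip)
    for net, asn, name in table:
        if addr in net:          # False on IPv4/IPv6 version mismatch, no exception
            return asn, name
    return None, "unknown"


def parse_client_ip(line):
    m = LOG_RE.match(line)
    return m.group("ip") if m else None


def attribute(lines, table):
    """Map ASN -> set of distinct client IPs seen in the log lines."""
    per_asn = {}
    for line in lines:
        ip = parse_client_ip(line)
        if ip is None:
            continue                    # skip lines the regex does not understand
        asn, _ = lookup_asn(ip, table)
        per_asn.setdefault(asn, set()).add(ip)
    return per_asn


def deflection_rate(per_asn, blocked_asns):
    """Share of distinct requesting IPs that fall inside the blocked ASNs
    (the 'more than 80% of the requesting IPs' figure from the post)."""
    total = sum(len(ips) for ips in per_asn.values())
    caught = sum(len(ips) for asn, ips in per_asn.items() if asn in blocked_asns)
    return caught / total if total else 0.0


def nginx_deny_rules(table, asn):
    """Emit nginx `deny` lines for every prefix the table attributes to one ASN."""
    return [f"deny {net.with_prefixlen};" for net, a, _ in table if a == asn]


if __name__ == "__main__":
    table = build_table(PREFIX_TO_ASN)
    per_asn = attribute(SAMPLE_LOG, table)
    for asn, ips in sorted(per_asn.items(), key=lambda kv: len(kv[1]), reverse=True):
        print(f"AS{asn if asn is not None else '?'}: {len(ips)} distinct IPs")
    print("deflection with AS132203 blocked:", deflection_rate(per_asn, {132203}))
    print("\n".join(nginx_deny_rules(table, 132203)))
```

Counting distinct IPs rather than requests matters for exactly the case the post describes: a blocked ASN keeps hammering, so per-request shares would overstate how much of the "guest" population is really one cloud network, while residential proxies show up as many IPs with few requests each and are invisible to an ASN block.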
 
I would guess a semi-popular app that doesn't advertise that it's doing some "sharing"? I gather some of these proxies are unknowing ones, or maybe there is an exploit on a popular router that hasn't been disclosed yet?

I did think the traffic came up a bit quickly this morning. I'd been doing a major database migration on one XF site and turned everything back on after half an hour or so to find:
[attached screenshot, 2026-03-04 09:32]
I mean, it had been on for about 10 seconds by the time I nipped over to my browser to check everything was back up cleanly! :) At least it's not as bad as it can get. Evidently we had a few optimistic members hitting refresh during my maintenance window!
 
I would guess a semi-popular app that doesn't advertise that it's doing some "sharing"? I gather some of these proxies are unknowing ones, or maybe there is an exploit on a popular router that hasn't been disclosed yet?
All of that. A lot has been disclosed; people just are not aware or don't care:

2024:

When you buy a TV streaming box, there are certain things you wouldn't expect it to do. It shouldn't secretly be laced with malware or start communicating with servers in China when it's powered up. It definitely should not be acting as a node in an organized crime scheme making millions of dollars through fraud. However, that's been the reality for thousands of unknowing people who own cheap Android TV devices. (...)
Human Security researchers found seven Android TV boxes and one tablet with the backdoors installed, and they’ve seen signs of 200 different models of Android devices that may be impacted, according to a report shared exclusively with WIRED. The devices are in homes, businesses, and schools across the US.


2025:

On the surface, the Superbox media streaming devices for sale at retailers like Best Buy and Walmart may seem like a steal: They offer unlimited access to more than 2,200 pay-per-view and streaming services like Netflix, ESPN and Hulu, all for a one-time fee of around $400. But security experts warn these TV boxes require intrusive software that forces the user's network to relay Internet traffic for others, traffic that is often tied to cybercrime activity such as advertising fraud and account takeovers. (...)
Experts say while these Android streaming boxes generally do what they advertise — enabling buyers to stream video content that would normally require a paid subscription — the apps that enable the streaming also ensnare the user’s Internet connection in a distributed residential proxy network that uses the devices to relay traffic from others.


In-depth analysis of multiple Superbox models by researchers at Censys, as reported by Krebs, showed that once the device is online, it immediately begins communicating with:
  • Chinese services, including Tencent’s QQ platform
  • Residential proxy services such as Grass (getgrass[.]io), which pays users to “share unused bandwidth”
Grass’s stated model is that users install an app and opt in to sharing their connection. Superbox appears to short-circuit that consent model, enrolling users implicitly through firmware and preinstalled software.

From an owner’s perspective, that means:
  • Your IP address is being used as an exit node for other people's traffic.
  • You never explicitly agreed to this behavior during setup.
  • There is no obvious switch to disable it.
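The quoted analysis says an affected box starts talking to Tencent's QQ platform and to Grass (getgrass[.]io) as soon as it is online, with no switch to turn that off. The one check an owner can do without touching the device is to look at the router's DNS query log. The following is an added example (not code from the thread, and not from Censys or Krebs) that scans dnsmasq query lines for LAN clients resolving those two domains. Only getgrass.io and qq.com come from the page; the log format (dnsmasq with log-queries enabled), the client addresses and the hostnames in the sample are constructed.

```python
"""Scan a dnsmasq query log for LAN clients that resolve the domains
named in the Superbox analysis above.

Added example, not code from the thread or from Censys/Krebs. Only
getgrass.io and qq.com come from the page; the log lines, client
addresses and hostnames are constructed. Assumes the router logs
queries in dnsmasq's `query[TYPE] name from client` format (log-queries)."""
import re
from collections import defaultdict

# Indicator -> label. Matching is by DNS suffix, so api.getgrass.io hits
# but notgetgrass.io does not.
WATCHLIST = {
    "getgrass.io": "Grass residential-proxy network",
    "qq.com": "Tencent QQ platform",
}

DNSMASQ_QUERY = re.compile(
    r"query\[(?P<qtype>[A-Z0-9]+)\] (?P<name>\S+) from (?P<client>\S+)"
)

# Constructed sample: 192.168.1.57 plays the streaming box, .20 a laptop.
# The last line is a dnsmasq reply, not a query, and must be ignored.
SAMPLE_LOG = """\
Mar  4 09:40:01 dnsmasq[812]: query[A] api.getgrass.io from 192.168.1.57
Mar  4 09:40:01 dnsmasq[812]: query[A] example.qq.com from 192.168.1.57
Mar  4 09:40:02 dnsmasq[812]: query[A] www.example.com from 192.168.1.20
Mar  4 09:40:03 dnsmasq[812]: query[AAAA] api.getgrass.io from 192.168.1.57
Mar  4 09:40:04 dnsmasq[812]: query[A] notgetgrass.io from 192.168.1.20
Mar  4 09:40:05 dnsmasq[812]: reply api.getgrass.io is 203.0.113.77
""".splitlines()


def watchlist_label(name, watchlist=WATCHLIST):
    """Return the label whose suffix covers `name`, or None.
    Trailing dots and case are normalised; a suffix matches only at a
    label boundary, so 'notgetgrass.io' is not a hit."""
    name = name.rstrip(".").lower()
    for suffix, label in watchlist.items():
        if name == suffix or name.endswith("." + suffix):
            return label
    return None


def flag_clients(lines, watchlist=WATCHLIST):
    """Map client IP -> {label: query count} for queries that hit the watchlist."""
    hits = defaultdict(lambda: defaultdict(int))
    for line in lines:
        m = DNSMASQ_QUERY.search(line)
        if not m:
            continue                      # replies, cached answers, other noise
        label = watchlist_label(m.group("name"), watchlist)
        if label is not None:
            hits[m.group("client")][label] += 1
    return {client: dict(counts) for client, counts in hits.items()}


if __name__ == "__main__":
    for client, counts in flag_clients(SAMPLE_LOG).items():
        print(client, counts)
```

A qq.com lookup on its own proves little, since any phone with a Tencent app will produce one; the signal is a device nobody ever enrolled in Grass resolving getgrass.io. Once a client is flagged, the obvious next steps (my suggestion, not from the page) are to return NXDOMAIN for that domain at the resolver and to move the box onto an isolated network segment so it cannot relay traffic through the household's address.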

 
It's bad out there. On my Magento site, which gets attacked often now, I'm seeing a flood of residential proxies from US cable providers.
I unfortunately have to keep 'under attack mode' on :cry:

Everyone is still blissfully running fail2ban.

The only good alternative is to design a friendlier and better captcha -_-
 