Crazy amount of guests

Seems another wave or two are currently going on. I'm currently at a deflection rate of more than 80% of the requesting IPs over the last 24 hours. The root cause is mainly a massive rise in requests from residential proxies within the US on the one hand and on the other a massive flood of requests from Singapore and Hong Kong, which comes to a relevant degree from AS132203 (Tencent cloud computing). That ASN was already blocked ages ago, but that does not stop them from trying.

I am once more somewhat baffled by the immense number of residential proxies in the US - this could maybe have been expected in a developing country with a low level of education and a bad economy with very low wages, but in the US? Weird.
 
I would guess a semi-popular app that doesn't advertise that it's doing some "sharing"? I gather some of these proxies are unknowing ones, or maybe there is an exploit on a popular router that hasn't been disclosed yet?

I did think the traffic came up a bit quickly this morning. I'd been doing a major database migration on one XF site and turned everything back on after half an hour or so to find:
(screenshot attached)
I mean, it'd been on about 10 seconds by the time I nipped over to my browser to check everything was back up cleanly! :) At least not as bad as it can get. Evidently we had a few optimistic members hitting refresh during my maintenance window!
 
I would guess a semi-popular app that doesn't advertise that it's doing some "sharing"? I gather some of these proxies are unknowing ones, or maybe there is an exploit on a popular router that hasn't been disclosed yet?
All of that. A lot has been disclosed, people just are not aware or don't care:

2024:

When you buy a TV streaming box, there are certain things you wouldn't expect it to do. It shouldn't secretly be laced with malware or start communicating with servers in China when it's powered up. It definitely should not be acting as a node in an organized crime scheme making millions of dollars through fraud. However, that's been the reality for thousands of unknowing people who own cheap Android TV devices. (...)
Human Security researchers found seven Android TV boxes and one tablet with the backdoors installed, and they’ve seen signs of 200 different models of Android devices that may be impacted, according to a report shared exclusively with WIRED. The devices are in homes, businesses, and schools across the US.


2025:

On the surface, the Superbox media streaming devices for sale at retailers like BestBuy and Walmart may seem like a steal: They offer unlimited access to more than 2,200 pay-per-view and streaming services like Netflix, ESPN and Hulu, all for a one-time fee of around $400. But security experts warn these TV boxes require intrusive software that forces the user's network to relay Internet traffic for others, traffic that is often tied to cybercrime activity such as advertising fraud and account takeovers. (...)
Experts say while these Android streaming boxes generally do what they advertise — enabling buyers to stream video content that would normally require a paid subscription — the apps that enable the streaming also ensnare the user’s Internet connection in a distributed residential proxy network that uses the devices to relay traffic from others.


In-depth analysis of multiple Superbox models by researchers at Censys, as reported by Krebs, showed that once the device is online, it immediately begins communicating with:
  • Chinese services, including Tencent’s QQ platform
  • Residential proxy services such as Grass (getgrass[.]io), which pays users to “share unused bandwidth”
Grass’s stated model is that users install an app and opt in to sharing their connection. Superbox appears to short-circuit that consent model, enrolling users implicitly through firmware and preinstalled software.

From an owner’s perspective, that means:
  • Your IP address is being used as an exit node for other peoples’ traffic.
  • You never explicitly agreed to this behavior during setup.
  • There is no obvious switch to disable it.

 
It's bad out there. On my Magento site, which gets attacked often now, I'm seeing a flood of residential proxies from US cable providers.
I unfortunately have to keep 'under attack mode' on :cry:

Everyone is still blissfully running fail2ban.

The only good alternative is to design a friendlier and better captcha -_-
 
My site was flooded today as well. I've been very vigilant blocking ASNs and IP addresses with Cloudflare, yet this morning we had over 36,000 currently active users on the forums. Ridiculous.
 
I've turned in another direction: I tuned my server and sites to the finest degree, and I just had a million uniques in 24 hrs and none of it made a blip on the server as a result. I have tried fighting it, but I'm finding it easier to take a different approach: tune to the finest degree, and then it just doesn't matter what hits the site. I have CF set to high, so they stop any nasty stuff, but otherwise this approach works too. (The spike is the daily server backup.)

(screenshot attached)
 
Luckily, load is not an issue with my forum as it is only tiny, and so is the number of bot requests in comparison to yours: a couple of thousand per day. Basically we seem to be at opposite ends of the scale regarding forum size and total number of requests. So for me it is more about protecting the content from scraping. With the rise of AI this has also become a matter of privacy for the users: many users tell fragmented bits about themselves in forums, and with AI it is easy to aggregate those, even cross-platform, and this way to build profiles as well as to identify the real people behind nicknames easily. See e.g. this study:

Large-scale online deanonymization with LLMs

We show that large language models can be used to perform at-scale deanonymization. With full Internet access, our agent can re-identify Hacker News users and Anthropic Interviewer participants at high precision, given pseudonymous online profiles and conversations alone, matching what would take hours for a dedicated human investigator. We then design attacks for the closed-world setting. Given two databases of pseudonymous individuals, each containing unstructured text written by or about that individual, we implement a scalable attack pipeline that uses LLMs to: (1) extract identity-relevant features, (2) search for candidate matches via semantic embeddings, and (3) reason over top candidates to verify matches and reduce false positives. Compared to classical deanonymization work (e.g., on the Netflix prize) that required structured data, our approach works directly on raw user content across arbitrary platforms. We construct three datasets with known ground-truth data to evaluate our attacks. The first links Hacker News to LinkedIn profiles, using cross-platform references that appear in the profiles. Our second dataset matches users across Reddit movie discussion communities; and the third splits a single user's Reddit history in time to create two pseudonymous profiles to be matched. In each setting, LLM-based methods substantially outperform classical baselines, achieving up to 68% recall at 90% precision compared to near 0% for the best non-LLM method. Our results show that the practical obscurity protecting pseudonymous users online no longer holds and that threat models for online privacy need to be reconsidered.


(the full paper is also available at this link)

So on top of all the other measures I've finally limited guest access to my forums - something I wanted to avoid until now for SEO reasons. Now guests only see the first post of a thread; in some subforums they only see the topic but not the thread content, and some forums and areas are invisible to guests (the latter has been like that for years already). I have had that in place since early February and the effect was - expectedly - a massive rise in registrations as well as a massive rise in daily registered visitors. Until now I do not (yet) see a crash in SEO / Google ranking / indexing. This will however probably be the consequence to some degree.

I've not seen a rise in attempted (let alone successful) bot registrations, rather the opposite: through the massive blocking of bad IPs, VPNs, countries and ASNs via the IP Threat Monitor add-on, the Spaminator add-on, which catches bot registrations very successfully, sits idle most of the time - just two attempts caught in the last months (whereas up to then it was typically at least a couple of hundred per month). The registrations that come through all seem genuine, so generally everything seems fine.

The one issue I still have is identifying residential proxies from Central Europe and blocking them early and reliably, as, this being the location of my users, I cannot block the ASNs of normal ISPs, let alone whole countries. No idea yet how to do that, especially as the residential proxies typically only do a single request each before rotating, and blocking an IP makes no sense anyway as tomorrow a genuine user may have that IP. Currently I lack ideas how to deal with that topic.

But overall I am pretty pleased with my current setup. For a bigger forum this would however not be sufficient and would probably have massive load issues. For a forum with a world wide audience my current strategy of massive blocking would obviously not work as well.
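Two points raised in this thread can be checked against your own access logs: the per-ASN "deflection rate" the opening post reports, and the last post's problem of rotating residential proxies on ISPs you cannot block, where each IP makes a single request and then disappears. The script below is an added example, not code from anyone in this thread or from any add-on mentioned here. It assumes combined-format (nginx/Apache default) access log lines, an IP-to-ASN lookup passed in as a dict (in practice you would fill it from a GeoLite2-ASN style database; the one here is constructed), and sample traffic built from documentation IP ranges (192.0.2.0/24, 198.51.100.0/24, 203.0.113.0/24) and reserved ASNs (AS64496, AS64497). The only real identifier is AS132203, which the opening post names as already blocked. The heuristic keys on the ASN rather than on the IP: an ISP whose traffic is dominated by one-request-and-gone IPs gets a challenge (captcha/JS check) rather than a block, so a genuine subscriber who inherits one of those IPs tomorrow is only inconvenienced, not locked out.

```python
"""Per-ASN access-log analysis to spot rotating residential-proxy pools.

Added example (not from the posts above). Assumptions: combined log format,
an ip -> ASN dict supplied by the caller, and constructed sample traffic.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Combined log format: ip ident user [ts] "request" status bytes "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) \S+ "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"$'
)


def parse_line(line):
    """Parse one combined-format line; return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return rec


def asn_stats(lines, ip_to_asn, window=timedelta(hours=24)):
    """Per ASN: request count, distinct IPs, and IPs seen exactly once
    within `window` ending at the newest timestamp. Unmapped IPs -> 'unknown'."""
    recs = [r for r in (parse_line(l) for l in lines) if r]
    if not recs:
        return {}
    newest = max(r["ts"] for r in recs)
    hits = defaultdict(lambda: defaultdict(int))  # asn -> ip -> requests
    for r in recs:
        if newest - r["ts"] <= window:
            hits[ip_to_asn.get(r["ip"], "unknown")][r["ip"]] += 1
    stats = {}
    for asn, per_ip in hits.items():
        single = sum(1 for c in per_ip.values() if c == 1)
        stats[asn] = {"requests": sum(per_ip.values()), "ips": len(per_ip),
                      "single_hit_ips": single,
                      "single_hit_ratio": single / len(per_ip)}
    return stats


def classify(stats, blocked_asns, min_ips=10, ratio=0.8):
    """'block' for ASNs already on the blocklist; 'challenge' when an ASN shows
    many distinct IPs of which nearly all made exactly one request (rotating
    proxy signature on an ISP you cannot block outright); else 'allow'."""
    actions = {}
    for asn, s in stats.items():
        if asn in blocked_asns:
            actions[asn] = "block"
        elif s["ips"] >= min_ips and s["single_hit_ratio"] >= ratio:
            actions[asn] = "challenge"
        else:
            actions[asn] = "allow"
    return actions


def deflection_rate(stats, actions):
    """Share of distinct requesting IPs that land in a blocked or challenged ASN."""
    total = sum(s["ips"] for s in stats.values())
    hit = sum(s["ips"] for a, s in stats.items() if actions.get(a) != "allow")
    return hit / total if total else 0.0


# --- Constructed sample data (documentation IP ranges, reserved ASNs) ---
IP_TO_ASN = {}
IP_TO_ASN.update({f"192.0.2.{i}": "AS64496" for i in range(1, 13)})     # residential ISP A
IP_TO_ASN.update({f"198.51.100.{i}": "AS64497" for i in range(1, 4)})   # residential ISP B
IP_TO_ASN.update({f"203.0.113.{i}": "AS132203" for i in range(1, 3)})   # cloud ASN, blocked
BLOCKED_ASNS = {"AS132203"}
BOT_UA = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 Chrome/122.0 Safari/537.36"
HUMAN_UA = "Mozilla/5.0 (Macintosh; Intel Mac OS X 14_3) AppleWebKit/605.1.15 Safari/17.3"


def _line(ip, minute, path, status, ua):
    return (f'{ip} - - [06/Mar/2026:08:{minute:02d}:00 +0000] "GET {path} HTTP/1.1" '
            f'{status} 512 "-" "{ua}"')


SAMPLE_LOG = []
for i in range(1, 11):   # ten proxy IPs on ISP A, one thread view each, then gone
    SAMPLE_LOG.append(_line(f"192.0.2.{i}", i, f"/threads/topic-{i}/", 200, BOT_UA))
for i in (11, 12):       # two genuine members on ISP A browsing normally
    for m, p in enumerate(("/", "/forums/general/", "/threads/topic-1/", "/threads/topic-1/page-2")):
        SAMPLE_LOG.append(_line(f"192.0.2.{i}", 20 + m, p, 200, HUMAN_UA))
for i in range(1, 4):    # ISP B: three people, several pages each
    for m, p in enumerate(("/", "/whats-new/", "/threads/topic-2/")):
        SAMPLE_LOG.append(_line(f"198.51.100.{i}", 30 + m, p, 200, HUMAN_UA))
for i in (1, 2):         # blocked cloud ASN hammering, already 403'd at the edge
    for m in range(5):
        SAMPLE_LOG.append(_line(f"203.0.113.{i}", 40 + m, f"/threads/topic-{m}/", 403, BOT_UA))

if __name__ == "__main__":
    st = asn_stats(SAMPLE_LOG, IP_TO_ASN)
    act = classify(st, BLOCKED_ASNS)
    for asn in sorted(st):
        s = st[asn]
        print(f"{asn}: {s['requests']} req, {s['ips']} IPs, "
              f"single-hit {s['single_hit_ratio']:.0%} -> {act[asn]}")
    print(f"deflection rate: {deflection_rate(st, act):.0%}")
```

On the constructed log, ISP A comes out with 12 IPs of which 10 are single-hit (83%) and is flagged for a challenge, ISP B is allowed, the cloud ASN stays blocked, and 14 of 17 requesting IPs are deflected. On a real log you should count page views only (drop static asset paths first, since one human page load otherwise looks like several hits from one IP and masks the ratio), and calibrate `min_ips` and `ratio` against a quiet day's baseline before acting on them.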
 