We all migrate to smaller websites and try not to post outside, drawing attention, just to hide from the “AI” crawlers. The internet seems dead except for the few pockets we each know existed away from the clankers.

  • daniskarma@lemmy.dbzer0.com
    ↑ 101 · 6 hours ago

    I have a testing website. I have never given the address to absolutely anyone, ever. It’s not linked with anything. It’s just a silly HTML site living in a domain.

    It’s still being pinged and probed to death by bad actors. Not necessarily AI scrapers. But it’s dozens or hundreds of HTTP requests a day for random places all over the world.

    There’s no black forest. It’s all lit up and under constant attack, every tree is already on fire.

    • dual_sport_dork 🐧🗡️@lemmy.world
      ↑ 42 · 5 hours ago

      That’s because it’s numerically possible to sweep through the entire IPv4 address range fairly trivially, especially if you do it in parallel with some kind of botnet, proverbially jiggling the digital door handles of every server in the world to see if any of them happen to be unlocked.

      One wonders if switching to purely IPv6 will forestall this somewhat, as the number space is multiple orders of magnitude larger. That’s only security through obscurity, though, and it’s certain the bots will still find you eventually. Plus, if you have a domain name the attackers already know where you are — they can just look up your DNS record, which is what DNS records are for.

      • kazaika@lemmy.world
        ↑ 2 · 2 hours ago

        Servers which are meant to be secure usually are configured to not react to pings and do not give out failure responses to unauthenticated requests. This should be viable for an authenticated-only walled garden type website OP is suggesting, no?

      • kossa@feddit.org
        ↑ 2 · 4 hours ago

        But an IP can have multiple websites and even not return anything on plain IP access. How do crawlers find out about domains and unlinked subdomains? Do they even?

      • friend_of_satan@lemmy.world
        ↑ 1 · 48 minutes ago

        If it’s https it’s discoverable by hostname.

        https://0xffsec.com/handbook/information-gathering/subdomain-enumeration/#certificate-transparency

        Certificate Transparency (CT) is an Internet security standard and open-source framework for monitoring and auditing digital certificates. It creates a system of public logs to record all certificates issued by publicly trusted CAs, allowing efficient identification of mistakenly or maliciously issued certificates.
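
Added example, not part of the thread or of the linked handbook: a site owner can audit which of their supposedly unlisted hostnames have already been published through Certificate Transparency. It assumes CT search results exported in the JSON shape crt.sh returns (`entry_timestamp`, newline-separated `name_value`); `example.test` and all hostnames are constructed.

```python
import json

# Constructed sample in the JSON shape crt.sh returns for a domain search
# (fields entry_timestamp and name_value; name_value is newline-separated).
# example.test and every hostname here are made up for illustration.
SAMPLE_CT_JSON = json.dumps([
    {"entry_timestamp": "2024-03-02T10:15:00", "name_value": "example.test\nwww.example.test"},
    {"entry_timestamp": "2024-05-20T08:00:00", "name_value": "staging-7f3a.example.test"},
    {"entry_timestamp": "2024-01-11T09:30:00", "name_value": "*.internal.example.test"},
    {"entry_timestamp": "2024-06-01T12:00:00", "name_value": "staging-7f3a.example.test"},
])

def published_names(ct_json):
    """Map each hostname found in CT entries to its earliest log timestamp."""
    first_seen = {}
    for entry in json.loads(ct_json):
        for name in entry["name_value"].splitlines():
            name = name.strip().lower().rstrip(".")
            if not name:
                continue
            ts = entry["entry_timestamp"]
            if name not in first_seen or ts < first_seen[name]:
                first_seen[name] = ts
    return first_seen

def audit_unlisted(ct_json, unlisted_hosts):
    """Classify hosts the owner believes are unlisted against the CT data."""
    seen = published_names(ct_json)
    report = {}
    for host in unlisted_hosts:
        host = host.lower().rstrip(".")
        parent = host.split(".", 1)[1] if "." in host else ""
        if host in seen:
            report[host] = ("exposed", seen[host])
        elif "*." + parent in seen:
            # A wildcard certificate publishes only the parent zone.
            report[host] = ("covered-by-wildcard", seen["*." + parent])
        else:
            report[host] = ("not-in-ct", None)
    return report

if __name__ == "__main__":
    hosts = ["staging-7f3a.example.test", "wiki.internal.example.test", "lab.example.test"]
    for host, (status, ts) in audit_unlisted(SAMPLE_CT_JSON, hosts).items():
        print(f"{host:32} {status:20} {ts or '-'}")
```

A host reported as `exposed` should be treated as public and protected by authentication rather than by an unguessable name; a wildcard certificate keeps the individual name out of the logs but still publishes the parent zone.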

      • dual_sport_dork 🐧🗡️@lemmy.world
        ↑ 29 · 5 hours ago

        Almost certainly. There are only 4,294,967,296 possible IPv4 addresses, i.e. 4.3ish billion, which sounds like a lot but in computer terms really isn’t. You can scan them in parallel, and if you’re an advanced script kiddie you could even exclude ranges that you know belong to unexciting organizations like Google and Microsoft, which are probably not worth spending your time messing with.

        If you had a botnet of 8,000 or so devices and employed a probably unrealistically generous timeout of 15 seconds, i.e. four attempts per minute per device, you could scan the entire IPv4 range in just a hair over 93 days and that’s before excluding any known pointless address blocks. If you only spent a second on each ping you could do it in about six days.

        For the sake of argument, cybercriminals are already operating botnets with upwards of 100,000 compromised machines doing their bidding. That bidding could well be (and probably is) probing random web servers for vulnerabilities. The largest confirmed botnet was the 911 S5 which contained about 19 million devices.

        • Melobol@lemmy.ml
          ↑ 10 · 4 hours ago

          That’s amazing and scary at the same time. Thanks for putting it into perspective!

        • kossa@feddit.org
          ↑ 2 · 4 hours ago

          But there can be multiple websites behind one IP address?! They would not show when only accessing the IP. They would need to know about the domains somehow.

  • crandlecan@mander.xyz
    ↑ 36 · 6 hours ago

    Fabulous insight. I think that would make me very happy. Bring back the forests! Burn down the Nazi trees!

  • Jo Miran@lemmy.ml
    ↑ 8 · 4 hours ago

    Cyberpunk as a literary genre, and the Cyberpunk TTRPG in specific, are incredibly prophetic. In the Cyberpunk TTRPG (which predates the WWW), “the net” is eventually condemned (as in boarded up) because of AI and is replaced by silo’d networks (think extended intranets).

  • Brkdncr@lemmy.world
    ↑ 7 · 5 hours ago

    Back in the days of dial-up and BBS this was a problem but you would still get robots trying to connect to modems by dialing every phone number possible.

    • friend_of_satan@lemmy.world
      ↑ 1 · 45 minutes ago

      War dialing! Those were the days. I lived in a city where war dialing was illegal, but that didn’t stop me… maybe that’s just an admission of stupidity though. Definitely had some cool stuff come from it though.

  • minorkeys@lemmy.world
    ↑ 2 · 3 hours ago

    Disconnection is the only solution, walled gardens, paid or by invite, that prevent all the shit corporate America fills the commons with.