But they're still stealing all of your data and bandwidth...

Poisoning the well seems to be the only effective way to tell them to fark off !

Except they're not getting the data, because the headless bots that do the scraping can't perform the proof of work in a timely manner (due to using minimal resources, to get as many bots in a hosted instance as possible, I assume), and so never get to reach the page. Regular users using browsers get a cookie set after the first instance, and then they're left alone for however long you configure it to leave them alone for.

We've implemented on quite a few sites now (mostly higher education - so higher reading age, valuable to LLMs, but can't be put on Cloudflare because we don't own the domain and can't justify several thousand pounds a month on the mystery "enterprise" subscription to get that tickbox in CF) in a white label manner (available if you sponsor the author - which we do) and it's been horrifically eye opening.

These sites are not hosted on small systems (in many cases, dedicated hosts with decent CPU/RAM/NVME storage, tuned to suit) but when you're getting 800 requests a second for a full stack index search that has to be run through a perl compiler, that's gonna bring pretty much anything down.

And as the sites normally run around the ten hits per second range, performance tuning for the bots benefit would be....a bit pointless.

800 Anubis requests a second though? Very light, the server barely notices those. Load goes from 40 to under 0.4

On most sites we use it on, >99.99% of traffic that didn't come from their own network or Jisc JANET (which gets an exception obviously) was blocked. Out of hundreds of thousands of requests a day, only a few hundred got through. With no complaints from the typically very observant clients of access problems.

After a week of this, the bots moved on. They've come back since and gone away, and come back, but the site barely notices now.

I don't think people realise the scale of this problem - this level of abuse, which is absolutely a Distributed Denial of Service attack in all but name, genuinely should be criminal.

Steven R

Thank you for the informative explanation.

No worries - Anubis has kinda come out of nowhere if you aren't involved in fairly content/text heavy archive-type sites (your Githubs, your documentation systems, your library sites etc) so it all sounds a bit 'too good to be true' - and it's not perfect, but by gum this is one of those cases where you don't want to let perfect get in the way of plenty good enough (for now).

I fully expect there to be an arms race, but I'm struggling to see how the mass-scale AI crawlers, using hundreds of threads per instance, can possibly get past just having to burn huge amounts of resources to do the math to get access to 'my' (well, my clients, but you know...) resources.

I'm quite sure that a few fly-by-night 'AI crawler provider' services will be looking at their AWS bill, the lack of data they've got, and shitting themselves. The ones stupid enough to not be running them off hijacked set top boxes and IoT devices - one suspicion is that someone's bought out one of those suppliers, and is using them to run the traffic. The amount of traffic we've seen coming from domestic ISPs internationally (Brazil, Romania, China etc) would certainly back that up.

Some more background from a decent wee hosting company back from when this started to be A Fucking Problem:

https://www.mythic-beasts.com/blog/2025/04/01/abusive-ai-web-crawlers-get-off-my-lawn/

Steven R

"Except they're not getting the data, because the headless bots that do the scraping can't perform the proof of work in a timely manner (due to using minimal resources, [...] Regular users using browsers get a cookie set after the first instance, and then they're left alone for however long you configure it to leave them alone for."

Which means this will work for as long as it takes for the author of the bots to add a cross-thread cookie jar to their bot. Or in other words, about five minutes after they notice this. Some of the largest bots are run by a place that has lots of programmer-hours to put into their bots and lots of cash to burn on training, meaning they can either defeat this or absorb the cost, whichever they find cheaper.

In the meantime, this will break any user that doesn't run JS by default, it will cause lots of perceived lag in accessing your site, it will be annoying for anyone that doesn't at least keep cookies temporarily, and when the arms race starts, it will make the experience much worse for anyone with low-power hardware like mobile phones because the only way this will work when being actively resisted is by increasing the work that needs to be done.

genuinely should be criminal.

And perhaps we shouldn't just bring back hanging, but add nuking as well, as many times as it takes.

I hate it when these cunts make me a not nice person.

In the the novel Liege-Killer , one of the characters, a synthetic person, is essentially hypnotized into answering an endless series of questions, a trap made possible by his synthetic nature. Perhaps the next step of this countermeasure is to create a problem which a regular human (or non-AI browser) will easily bypass but which an AI will hang up on. What that looks like in particular, I don't know, but I'm sure brighter minds than mine can figure it out.

Many, many, years ago, and long before it became unwatchably 'woke', there was an episode of 'Dr Who' during which The Doctor defeated a malevolent computer by stating a logical antimony akin to 'the liar paradox' and asked whether the statement was true. The computer did not seek a 'get out' via, for example, the Russell/Whitehead 'theory of types', and it duly went into an endless loop and exploded.

The LLM itself is not solving the challenges. The challenges are being completed by the retrieval bot, a normal piece of software which is similar to or even the same as the browsers humans are using. That's why they're hoping that comparative expense will do it; it is almost impossible to come up with something a bot can't do and software used by humans can.

I want the ones that benefit me: the search engines (google, bing, etc); they help people find my pages. These spiders tend to be well behaved and do not overload my machine.

I do not want the ones that just suck my data but bring me no benefit: LLM crawlers. These crawlers do not care what they do to my servers, they grab too many pages per second.

The problem is how to distinguish the two.

User agents, typically - the current scourge of AI bots are pretending to be regular browsers. They're quite deliberately not identifying themselves as crawlers.

Initially - a few months ago - they were just using a dumb lookup table of and picking at random, so you'd see Presto 5 on Mac OS 10.2 or Windows XP using Trident, or even Win CE Internet explorer 4 user agents. Basically, if you set a redirect to block any major browser that was more than, say, two years old, you knocked out 90% of the bot traffic. A rough solution for sure, but if you couldn't use cloudflare for whatever reason (And there are valid ones, like not owning the domain, if you're hosting for other people) then that at least kept the site up, even if it got in the way sometimes.

But then they caught on and started using more modern browsers, but they can't do crypto challenges like modern browsers on real devices, and that's where this tool comes in - we'd been testing it up to that point, then kinda had no choice but to go live with it, and it worked a treat.

You can put in exceptions to allow IP ranges and user agents through without a challenge, so you can let Google, Bing, etc in without a challenge if you want to be SEO'd, but challenge everything else if you like. I believe, upcoming, will be geographic/ASN filtering which will be very handy....

Hope that helps clear that up a bit :-)

Steven R

Install a tar pit.

Put the tarpit URL in robots.txt with a "Disallow" directive for every user agent, and then parse the log files with a cronned script for obvious bot access to that resource.

All good bots will honour robots.txt.

Use this list of IP addresses to block access to the whole server, and others, for X amount of days.

That will stop the majority of ai bots, without screwing up those who don't enable JavaScript, or use something like "w3m" ... Who uses text based browsers these days? Well, often the sort of people who want to access that very git repository you are effectively blocking!

See here: [1]https://zadzmo.org/code/nepenthes/

[1] https://zadzmo.org/code/nepenthes/

Search engines are caching the content so they probably aren't making a million requests in a single day like iFixit reported Claude was doing to them.

A better solution would be for Anubis to offer "licenses" to responsible crawlers. So if Google or Bing or whoever wants to crawl a site they can get some sort cryptographic key that allows bypassing Anubis. So when a site installs Anubis they might have configuration section that shows all the parties that have been granted licenses and for what, under broad categories. So you have a "search engine" category and unless you want to block them (or block one or two specific ones) you leave the whole category enabled. Maybe there's an "archiver" section so Wayback Machine has its license. There could also be a control panel for AI crawlers - it would obviously default to off since site owners install Anubis to block them but if for example they come to an agreement with OpenAI they can enable OpenAI's license to crawl their site while blocking all the rest.

Anubis is actually a GENIUS solution that not only allows sites to block abusive AI crawlers but would also let them reassert control over their IP instead of giving it away for free. If your site hosts something valuable to AI companies then they would have to compensate you. So instead of letting AIs grab all the information in the Reg's article and comments for free, the Register could demand compensation to let them through the Anubis gate. For a site with valuable enough content, that could become a decent revenue stream and maybe they wouldn't have to rely as much upon ads.

Maybe I'm dreaming on that last part - it would be cheaper for AI companies to start caching everything (and pay the one time price of the Anubis proof of work) than it would for them to actually pay for the IP they're stealing.

human visitor merely sees a jackal-styled animé girl

That's already been done in various animes.

The likes of Google / Microsoft figure out that they could use their chrome / edge browser to do the scraping for them ?

Or even just bake it into every Android / ChromeOS / Windows device ?

That way the compute penalty would be distributed over millions of other people's pc's...

Shh! Don't give them any more horrible ideas than they currently do!