Page 3 of 4 [ 74 posts ]
 Post subject: Re: Sessions table crashed, forum was offline (Botnet attack
PostPosted: 12 Jun 2025, 19:13 
Jedi Knight
I think my home connection is blocked but my mobile is not. Should I email you my IP or something?
_________________
All about LD care, inner sleeves, shrink wrap, etc.

https://youtu.be/b3O-vHpHRpM
 
 Post subject: Re: Sessions table crashed, forum was offline (Botnet attack
PostPosted: 12 Jun 2025, 23:41 
Site Admin
signofzeta wrote:
I think my home connection is blocked but my mobile is not. Should I email you my IP or something?


YES -> see a few messages above.

I removed the firewall rule because the booby-trap seems to be working!!!
Flood almost completely stopped.

Julien
_________________
HARDWARE DATABASE
HLD-X0/9 LD-S9 OPPO 105/205 SL-1200G
MSD4 MSC-4000 R2144 PONTUS II C45 MC257
 
 Post subject: Re: Sessions table crashed, forum was offline (Botnet attack
PostPosted: 14 Jun 2025, 10:26 
Site Admin
admin wrote:
Let the Hunter Games... begin!


It only took *4 hours* to get the booby-trap to stop the botnet!

I guess the MCP (Master Control Program) didn't like seeing all the compromised hosts crashing or not responding anymore after a reboot.

Idea was provided here: https://idiallo.com/blog/zipbomb-protection

If a bot is detected: don't serve the normal page or block it... but offer a 10MB gzip-compressed file filled with only zeros that decompresses to 10GB.

Small hosts like phones, IoT devices, internet boxes don't have that much memory and -- if there is no counter-measure to avoid crashes -- will try to extract 10GB of zeros to their own demise.

Only took 4 hours to stop the flood. Served over 45GB of this 10MB payload, that potentially decompressed for them into 45 petabytes of memory.

Either most of them crashed... or whoever controls the botnet decided that it was not worth wasting so many compromised hosts on us.

Hopefully I've been blacklisted as a target for now!

Julien
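Added example (not part of the original post): the counter-measure mentioned above, sketched in Python as a client that inflates gzip bodies under a fixed memory budget. The 20 MiB all-zero sample is constructed here, and the function and class names are illustrative.

```python
import gzip
import zlib

MIB = 1024 * 1024


class DecompressionLimitExceeded(Exception):
    """Raised when a gzip body inflates past the caller's budget."""


def bounded_gunzip(blob: bytes, limit: int, step: int = 64 * 1024) -> bytes:
    """Inflate a gzip body while holding at most limit + step bytes."""
    inflater = zlib.decompressobj(wbits=31)  # 31 = expect a gzip header
    out = bytearray()
    pending = blob
    while not inflater.eof:
        piece = inflater.decompress(pending, step)  # at most `step` bytes out
        pending = inflater.unconsumed_tail          # input not yet processed
        if not piece and not pending:
            raise ValueError("truncated gzip stream")
        out += piece
        if len(out) > limit:
            raise DecompressionLimitExceeded(
                f"body exceeds {limit} bytes after reading "
                f"{len(blob) - len(pending)} compressed bytes")
    return bytes(out)


def constructed_zero_body(size: int = 20 * MIB) -> bytes:
    """Constructed sample: `size` zero bytes, gzip-compressed."""
    return gzip.compress(bytes(size))


def inflates_within(blob: bytes, limit: int) -> bool:
    """True if the body fits the budget, False if it was cut off."""
    try:
        bounded_gunzip(blob, limit)
        return True
    except DecompressionLimitExceeded:
        return False


if __name__ == "__main__":
    sample = constructed_zero_body()
    print(len(sample), "compressed bytes for", 20 * MIB, "bytes of zeros")
    print("fits in 1 MiB budget:", inflates_within(sample, 1 * MIB))
    print("fits in 32 MiB budget:", inflates_within(sample, 32 * MIB))
```

A client that calls gzip.decompress() on the whole body has no such ceiling, which is the failure mode the post relies on.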
 
 Post subject: Re: Sessions table crashed, forum was offline (Botnet attack
PostPosted: 14 Jun 2025, 15:35 
Site Admin
Scratch that.

I removed the protection and they came back a few hours later.

So... back in booby-trap mode for now.

Julien
 
 Post subject: Re: Sessions table crashed, forum was offline (Botnet attack
PostPosted: 15 Dec 2025, 06:35 
Site Admin
I still get flooded but now I'm serving Error 403 (Unauthorized access) instead for a 1-month long IP block.

Most, if not all, users should be able to access the Forum freely again.
If you get an error 403, make sure to access the forum via the main LDDb link => https://www.lddb.com/forum.php

Julien
 
 Post subject: Re: Sessions table crashed, forum was offline (Botnet attack
PostPosted: 24 Jan 2026, 05:05 
Site Admin
Another botnet/AI robot has been crashing the web server repeatedly this morning.

Sending hundreds of searches in a few seconds from IPs all around the world.
No obvious pattern, it comes from all kinds of randomized User-Agents from many countries (but mostly the USA).

To let the web server breathe, if the search is not coming from a human visitor simply clicking on links or making search box queries, you will be greeted with:

Quote:
Direct search detected - possibly botnet/AI bots. Please use the human search box on the main page.


In the first 10 minutes alone, I blocked 11,600 hits.
They come in flooding every 20 seconds or so.

Julien
 
 Post subject: Re: Sessions table crashed, forum was offline (Botnet attack
PostPosted: 24 Jan 2026, 06:07 
Site Admin
FLOOD BECAME EXTREME.

Had to block each IP for 1, 4, 12, 24 hours (might have to increase that) to slow down the DDOS.

143,000 IPs blocked after 5 hours so far.

Julien
 
 Post subject: Re: Sessions table crashed, forum was offline (Botnet attack
PostPosted: 25 Jan 2026, 00:24 
Honest fan
Whew. I thought I was blocked again. Glad to be back.
_________________
DanSz
LD Collection
 
 Post subject: Re: Sessions table crashed, forum was offline (Botnet attack
PostPosted: 25 Jan 2026, 04:47 
Site Admin
264,000+ IPs blocked this morning but the flood has decreased to a few hits/minute now.

I'm serving back a stinking bomb that explodes to 10GB of RAM when decompressed.
That should freeze/crash most of the hacked devices participating in the botnet.

Only use the links/search boxes, do not try to manually modify a URL to perform a manual search or you'll be blocked too.

Julien
 
 Post subject: Re: Sessions table crashed, forum was offline (Botnet attack
PostPosted: 27 Jan 2026, 16:20 
Knows how to post
Hello. I am a network engineer by trade.
I may be able to help you (for $0). What kind of firewall software are you running? Does it support regex domain filtering or gravity lists?
I have a custom built compilation of block lists comprised of over 5 million domains/addresses I would be willing to export for you.
This blocklist may not be perfect, but it should help supplement your already existing filters.
_________________
Repair, don't replace.
I am buying broken AV equipment and video game consoles.
 
 Post subject: Re: Sessions table crashed, forum was offline (Botnet attack
PostPosted: 27 Jan 2026, 16:51 
Site Admin
mukewarrah wrote:
Hello. I am a network engineer by trade.


Oh it's already quite documented with a GUI => https://banhammer.lddb.com/

Just Fail2ban with ipset and various rules to ban certain types of traffic based on User-Agent, Referrer, hitting non-existing URLs, trying wrong passwords too many times, etc.

I block China, Iran, North Korea, most of the Chinese/HK/Singapore cloud hosting and AI companies.

Julien
 
 Post subject: Re: Sessions table crashed, forum was offline (Botnet attack
PostPosted: 27 Jan 2026, 22:13 
Knows how to post
Very cool setup. I'm used to the more old school approaches.
I may look into supplementing my home lab firewall with fail2ban for the sites I host.
It's also good to know that URL surfing could get me banned :shock:
Long live lddb
 
 Post subject: Re: Sessions table crashed, forum was offline (Botnet attack
PostPosted: 28 Jan 2026, 04:02 
Site Admin
mukewarrah wrote:
Very cool setup. I'm used to the more old school approaches.


Static list of blocked IPs does not work anymore (like RBL for spammers)... most of the hits come from compromised smartphones/TV/STB/IoT/computers and they regularly change IPs.

Julien
 
 Post subject: Re: Sessions table crashed, forum was offline (Botnet attack
PostPosted: 28 Jan 2026, 14:37 
Knows how to post
I can see why. There's more bot traffic today than ever. What is it? 48% of all internet traffic?
Sometime within late 2025 it climbed to over 51%. Grim.

I forgot to mention that I also do not run static lists. You're right. They don't work so well anymore. Especially with how out of hand bot traffic is.
I mostly run gravity lists and geographic restrictions. Some of the gravity lists I use are FOSS/crowd sourced. Some are professionally curated, to varying degrees.
Looking through my config I only have very few statically blocked IPs and domains.

What kind of traffic visualizer do you use, if any? For professional use I'm accustomed to SolarWinds and a few products Cisco provides, along with decrepit equipment that only reports error codes through light codes and LED statuses.
For my home lab I have been interested in installing something better to supplement the (very basic) statistics my firewall provides by default.
 
 Post subject: Re: Sessions table crashed, forum was offline (Botnet attack
PostPosted: 29 Jan 2026, 10:44 
Site Admin
Slightly changing strategy...

A dynamic blocking of IPs on seemingly random external searches is also blocking a lot of good people.
Allowing any search anytime also brings my server CPU/resource to crash or makes using the website painfully slow.

I will add a mid-point:
  • If the CPU load is less than 5.0, I will serve all requests.
  • If the CPU load is more than 5.0, I will only display:
    Quote:
    Too many direct searches happening at the same time. Please wait a little between requests or use the human search box on the main page.

This way, when the traffic is reasonable, I will play nicely.
But when things get heavier, I will only serve users using the website as intended.

Julien
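Added example (not LDDb's code): one way to implement the load gate described above. The 5.0 threshold and the message come from the post; recognising "users using the website as intended" by a signed hidden field in the site's own search form, the 15-minute lifetime, the 503 status and all names are assumptions.

```python
import hashlib
import hmac
import os
import time

LOAD_LIMIT = 5.0                  # threshold quoted in the post
TOKEN_TTL = 15 * 60               # assumption: a rendered form stays valid 15 min
SECRET = b"constructed-demo-key"  # assumption: load a random key from config

BUSY_MESSAGE = ("Too many direct searches happening at the same time. "
                "Please wait a little between requests or use the human "
                "search box on the main page.")


def issue_form_token(now: float, secret: bytes = SECRET) -> str:
    """Value for a hidden field in the site's own search form."""
    stamp = str(int(now))
    mac = hmac.new(secret, stamp.encode(), hashlib.sha256).hexdigest()
    return f"{stamp}.{mac}"


def token_is_valid(token: str, now: float, secret: bytes = SECRET) -> bool:
    """Check the MAC in constant time, then the age of the timestamp."""
    stamp, _, mac = token.partition(".")
    if not (stamp.isascii() and stamp.isdigit()):
        return False
    expected = hmac.new(secret, stamp.encode(), hashlib.sha256).hexdigest()
    genuine = hmac.compare_digest(mac.encode(), expected.encode())
    return genuine and 0 <= now - int(stamp) <= TOKEN_TTL


def gate_search(token: str, load1: float, now: float) -> tuple[int, str]:
    """Decide what a search request gets: (HTTP status, body)."""
    if load1 < LOAD_LIMIT:        # the post leaves exactly 5.0 open; busy here
        return 200, "run search"  # quiet server: serve everyone
    if token and token_is_valid(token, now):
        return 200, "run search"  # busy, but the request came through the form
    return 503, BUSY_MESSAGE      # busy and direct: shed before touching the DB


def current_load() -> float:
    return os.getloadavg()[0]     # 1-minute load average (Unix only)


if __name__ == "__main__":
    now = time.time()
    print(gate_search("", current_load(), now))
    print(gate_search("", 7.3, now))
    print(gate_search(issue_form_token(now), 7.3, now))
```

A token can be replayed until it expires, so binding it to the visitor's session or keeping the lifetime short limits what a bot gains by scraping one form.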
 
 Post subject: Re: Sessions table crashed, forum was offline (Botnet attack
PostPosted: 30 Jan 2026, 06:50 
Site Admin
The CPU load protection seems to be working very well!

I even removed all the 315K IPs blocked because suddenly the flood stopped.

I am 99% sure this was related to:


There were over 9M IPs unknowingly participating in this botnet via Trojan code present in cheap VPNs and mobile phone game apps from Chinese companies.

Julien
 
 Post subject: Re: Sessions table crashed, forum was offline (Botnet attack
PostPosted: 03 Feb 2026, 02:25 
Site Admin
admin wrote:
The CPU load protection seems to be working very well!


And it keeps holding up.

Sadly the botnet rebooted itself and came back to life after 48h.

Requests blocked due to the CPU load heating up:

1/24   320 518
1/25    42 554
1/26    11 495
1/27         0 * Google publicly announced shutting down the botnet
1/28         0
1/29   126 932
1/30    57 881
1/31   176 138
2/1    291 419
2/2     50 069
2/3    129 908


So I'll keep the CPU load throttling on CPU-heavy requests + block IPs from obvious liars pretending to be using an OS or a Browser that has been obsolete for more than 15 years.

Julien
 
 Post subject: Re: Sessions table crashed, forum was offline (Botnet attack
PostPosted: 03 Feb 2026, 17:35 
Site Admin
This dump of 16.2M IPs confirms that the IPIDEA proxy botnet is back to life...

... and that the IPs I'm blocking are indeed from IPIDEA.

https://deviceandbrowserinfo.com/learning_zone/articles/inside-ipidea-residential-proxy-network

Almost tempted to block all 16.2M...

CHECK YOUR MOBILE DEVICES!

While on 4G/5G network => https://www.whatismyip.com/
Then check against the DB => https://deviceandbrowserinfo.com/data/ips/proxies/search

Me:

Quote:
No proxy activity detected
This IP hasn't been seen as a proxy in the past 30 days.


Julien
 
 Post subject: Re: Sessions table crashed, forum was offline (Botnet attack
PostPosted: 04 Feb 2026, 22:46 
Jedi Candidate
This thread really demonstrates why message boards have died off in favor of social media spaces like reddit or facebook; this is what they all have to deal with.

There are some really big ones, like blu-ray.com, but I think the size also means way more staff to deal with the issues as they crop up, so this only seems like a problem for smaller boards like this one because you don't have people working behind the scenes 24/7.

And it just further bolsters my respect for Julien for keeping up with this.
 
 Post subject: Re: Sessions table crashed, forum was offline (Botnet attack
PostPosted: 05 Feb 2026, 03:41 
Site Admin
takeshi666 wrote:
This thread really demonstrates why message boards have died off in favor of social media spaces like reddit or facebook; this is what they all have to deal with.


You can check phpBB3 forum, the webmasters are hard at work on how to stop such floods (or just give up because the monthly bill becomes unsustainable).

Problem of LDDb is that it's 20+ years old, well documented, well referenced, sitemap up-to-date, high Page Ranking on Google.

Very easy to find, very easy to automate.

For 2026, we had so far 3,207,325 unique visitors over 35 days.
For 2024 (a normal year for traffic), we have about 300,000 unique visitors over the whole year.

We're looking at a 100x traffic increase coming in bursts of 500 requests in one second each time the proxy botnet gets a payload request.

I will strongly look into Anubis (https://anubis.techaro.lol/) to try to manage load balancing/bots/AI agents on an industrial scale and not applying bandages each time their strategy shifts.

But all this distraction makes the server migration a moving target... it should have happened a year ago, still not fully ready :-(

EDIT: I'm tired of this flood so I'm creating an IPSET big enough to hold all 16,192,295 proxy botnet IPs + the ones that newly joined the botnet.
If your phone can't connect anymore... maybe you have installed an app participating silently in this chaos!


Julien
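Added example (not the admin's script): building an ipset large enough for a list of that size. ipset hash sets default to maxelem 65536, so the capacity has to be set when the set is created; this sketch merges exactly adjacent addresses into CIDR blocks and writes input for `ipset restore`. The set name, headroom factor and sample addresses are assumptions.

```python
import ipaddress

IPSET_DEFAULT_MAXELEM = 65536   # ipset's default capacity for hash sets


def maxelem_for(entries: int) -> int:
    """Smallest power of two that holds `entries`, never below the default."""
    size = IPSET_DEFAULT_MAXELEM
    while size < entries:
        size *= 2
    return size


def collapse_ipv4(lines):
    """Parse one address or CIDR per line; merge only exact neighbours."""
    nets, rejected = set(), []
    for raw in lines:
        text = raw.split("#", 1)[0].strip()   # drop comments and blanks
        if not text:
            continue
        try:
            nets.add(ipaddress.IPv4Network(text, strict=False))
        except ValueError:
            rejected.append(text)             # keep bad input for review
    # collapse_addresses never widens a block, so nothing extra is banned
    return list(ipaddress.collapse_addresses(nets)), rejected


def ipset_restore_script(lines, set_name="proxy_botnet", headroom=1.25):
    """Text for `ipset restore`; set_name and headroom are assumptions."""
    nets, rejected = collapse_ipv4(lines)
    cap = maxelem_for(int(len(nets) * headroom))  # room for new joiners
    script = [f"create {set_name} hash:net family inet maxelem {cap}"]
    script += [f"add {set_name} {net}" for net in nets]
    return "\n".join(script) + "\n", rejected


# Constructed sample from documentation ranges (RFC 5737), not real botnet IPs.
SAMPLE = [f"198.51.100.{i}" for i in range(256)] + [
    "203.0.113.7", "203.0.113.7", "203.0.113.8/31", "not-an-ip", "# comment",
]

if __name__ == "__main__":
    text, bad = ipset_restore_script(SAMPLE)
    print(text, end="")
    print("rejected:", bad)
```

Loading the whole set with one `ipset restore` run avoids starting a process per address.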
 