this post was submitted on 24 Jan 2025
62 points (100.0% liked)

"A pseudonymous coder has created and released an open source “tar pit” to indefinitely trap AI training web crawlers in an infinitely, randomly-generating series of pages to waste their time and computing power. The program, called Nepenthes after the genus of carnivorous pitcher plants which trap and consume their prey, can be deployed by webpage owners to protect their own content from being scraped or can be deployed “offensively” as a honeypot trap to waste AI companies’ resources.

“It's less like flypaper and more an infinite maze holding a minotaur, except the crawler is the minotaur that cannot get out. The typical web crawler doesn't appear to have a lot of logic. It downloads a URL, and if it sees links to other URLs, it downloads those too. Nepenthes generates random links that always point back to itself - the crawler downloads those new links. Nepenthes happily just returns more and more lists of links pointing back to itself,” Aaron B, the creator of Nepenthes, told 404 Media.

“Of course, these crawlers are massively scaled, and are downloading links from large swathes of the internet at any given time,” they added. “But they are still consuming resources, spinning around doing nothing helpful, unless they find a way to detect that they are stuck in this loop.”"

https://www.404media.co/developer-creates-infinite-maze-to-trap-ai-crawlers-in/

#AI #GenerativeAI #AITraining #WebCrawling #CyberSecurity
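The loop described in the post, and the depth limit raised in the comments below, as an added example that is not part of the original post and is not Nepenthes' code. It simulates a maze whose links always point back into itself and crawls it in memory, once following every link and once with a depth cap; the `/maze/` prefix, five links per page, hash-derived link names and the fetch budget are assumptions for illustration.

```python
import hashlib
from collections import deque
from typing import Optional

PREFIX = "/maze/"       # hypothetical path the tarpit is mounted on
LINKS_PER_PAGE = 5      # constructed value

def tarpit_links(path: str) -> list:
    """Links served for one maze page. They are derived from a hash of the
    requested path (an assumption), so a URL always yields the same page,
    and every link leads one level deeper into the maze."""
    base = path.rstrip("/")
    return [
        f"{base}/{hashlib.sha256(f'{path}#{i}'.encode()).hexdigest()[:12]}"
        for i in range(LINKS_PER_PAGE)
    ]

def crawl(start: str, max_fetches: int, max_depth: Optional[int] = None) -> dict:
    """Breadth-first crawl of the simulated maze (no network access).
    max_fetches stands in for the crawler's budget; max_depth=None models
    the download-everything-you-see crawler described in the post."""
    seen = {start}
    queue = deque([(start, 0)])
    fetched = deepest = 0
    while queue and fetched < max_fetches:
        url, depth = queue.popleft()
        fetched += 1                      # one request the maze host must serve
        deepest = max(deepest, depth)
        if max_depth is not None and depth >= max_depth:
            continue                      # page fetched, links not followed
        for link in tarpit_links(url):
            if link not in seen:
                seen.add(link)
                queue.append((link, depth + 1))
    return {"fetched": fetched, "deepest": deepest, "queued": len(queue)}

if __name__ == "__main__":
    # The naive crawler spends its whole budget and still has a growing queue.
    print("no depth limit:", crawl(PREFIX, max_fetches=1000))
    # The depth-limited crawler stops after 1 + 5 + 25 pages.
    print("depth limit 2: ", crawl(PREFIX, max_fetches=1000, max_depth=2))
```

Every fetch counted here is also a response the maze operator has to generate, so the `fetched` figure measures the cost on both sides.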

top 11 comments
[–] [email protected] 2 points 8 hours ago

Assuming they choose not to easily patch this with a simple depth limit, this is a good way to just waste your server resources and cost yourself money while impacting site performance for everyone else, ensuring that the only people visiting your site are the bots. So far all these "anti-AI" projects are either nothing-burgers or self-imposed malware.

[–] [email protected] 10 points 1 day ago

@remixtures that's great. Some days ago I saw some people on r/selfhosting discussing how to stop AI crawlers that don't respect robots.txt (so all of them) and there were a lot of people basically reinventing the tarpit idea. Having a dedicated tool for that is great; combined with a simple logging of all IP ranges falling for it to get blacklisted, we might get a fighting chance. There were even people serving zip bombs to AI bots, but I don't believe they would bother to open it.

[–] [email protected] 1 points 1 day ago* (last edited 1 day ago)

Nepenthe! Nepenthe! And forget this lost Lenore

Quoth the raven,

[–] [email protected] 5 points 1 day ago (1 children)

I guess just adding something like a link depth limit would already counter that.
Not sure if that would reduce the gathered information on legitimate sites much, but I don't think so.

[–] [email protected] 3 points 1 day ago (1 children)

Yeah, this sounds like something I tackled when mirroring webcomics, twenty years ago. Dynamic webpages with a "Next" button are not new.

[–] kogasa 2 points 1 day ago

The interesting part is the detection of AI crawlers and selectively feeding them Markov chain nonsense

[–] [email protected] 7 points 1 day ago (1 children)

@[email protected] they seem to repeatedly and endlessly hammer certain pages on sites, too, for no reason. Some of the stories on here are horrendous - OpenAI &tc effectively DDoSing entire sites!

[–] [email protected] 1 points 13 hours ago (1 children)

I'm betting this, alongside rampant advertising, is a big part of why the Internet seems so much slower than a decade and a half ago, in spite of speeds of home Internet being many times what they were then

[–] [email protected] 1 points 11 hours ago

@laurelraven We had cable internet, 30 years ago in Preston. 30mbps and it was far faster than the 750mbps we have now!
A few years ago the average webpage was larger than the whole of Doom. What they are now, who even knows?

[–] [email protected] 2 points 1 day ago

People used to do something similar to email-harvesting bots.

[–] [email protected] 2 points 1 day ago

@[email protected] interesting, the hackernews thread linked in that article has someone talking about similar tools
https://news.ycombinator.com/item?id=42726426