How the FSF Sysadmins are Blocking Botnets with reaction
Essential brief
The Free Software Foundation (FSF) has been combating aggressive web crawlers, including botnets scraping data for AI training, for nearly two years. In 2025, a botnet controlling around five milli
Key topics
Key facts
Highlights
Why it matters
The FSF's experience highlights the growing threat of botnets leveraging residential IPs and compromised devices like smart TVs to conduct large-scale scraping and DDoS attacks. Their adaptive use of detection patterns and firewall management tools demonstrates effective strategies for organizations facing similar threats. This case underscores the importance of evolving cybersecurity measures to protect critical infrastructure from increasingly sophisticated botnet activities.
For almost two years, the Free Software Foundation (FSF) has been actively addressing the challenge posed by aggressive web crawlers, many of which scrape data for AI model training. In 2025, one of their systems was targeted for six months by a botnet controlling approximately five million IP addresses. The FSF's systems administrators consider these attacks as distributed denial-of-service (DDoS) incidents due to their scale and impact.
To counter these threats, the FSF team analyzed the traffic and identified abnormal patterns in the web scrapers' behavior. These patterns enabled them to create regular expressions that matched the malicious requests. Using these expressions, they compiled extensive lists of IP addresses involved in the scraping activities.
Further investigation into the origins of these IP addresses revealed that some crawlers operated through botnets composed of residential IP addresses, which allowed them to scrape data more rapidly and evade detection. One notable botnet identified was the "Vo1d" botnet, which reportedly consists of smart TVs running compromised applications.
The FSF confirmed that a portion of the botnet traffic targeting their GNU Savannah platform originated from the Vo1d/Popa botnet. To mitigate the attacks, they integrated their regular expressions into fail2ban, an intrusion prevention software. However, they encountered limitations with the Uncomplicated Firewall (UFW), which showed performance degradation when handling around 65,000 rules.
To overcome these constraints, the FSF adopted ipset, a tool designed to efficiently manage large sets of IP addresses within firewall rules. This approach improved their ability to block malicious traffic without compromising system performance, strengthening their defense against large-scale botnet attacks.
Key topics in this update include sysadmins, blocking botnets, and reaction.