TechBeetle | How the FSF Sysadmins are Blocking Botnets with reaction
Tech Beetle briefing UNITED STATES OF AMERICA AI

How the FSF Sysadmins are Blocking Botnets with reaction

Essential brief

The Free Software Foundation (FSF) has been combating aggressive web crawlers, including botnets scraping data for AI training, for nearly two years. In 2025, a botnet controlling around five milli

Key topics

sysadmins blocking botnets reaction Free Software Foundation AI DDoS Using Further

Key facts

The FSF has been combating aggressive web crawlers and botnets targeting their systems since 2024.
They identified abnormal scraper patterns and used regular expressions to detect malicious IP addresses.
Some botnet traffic originated from the Vo1d botnet, involving compromised smart TVs.
Integration of fail2ban and ipset helped overcome firewall rule limitations and improve blocking efficiency.

Highlights

In 2025, a botnet with about five million IPs attacked an FSF system for six months.
FSF sysadmins classify these incidents as distributed denial-of-service attacks.
Regular expressions were used to identify and block malicious scraper traffic.
The Vo1d/Popa botnet, involving smart TVs, was confirmed as a source of attacks.
Firewall performance issues led to the adoption of ipset for managing large IP sets efficiently.

Why it matters

The FSF's experience highlights the growing threat of botnets leveraging residential IPs and compromised devices like smart TVs to conduct large-scale scraping and DDoS attacks. Their adaptive use of detection patterns and firewall management tools demonstrates effective strategies for organizations facing similar threats. This case underscores the importance of evolving cybersecurity measures to protect critical infrastructure from increasingly sophisticated botnet activities.

For almost two years, the Free Software Foundation (FSF) has been actively addressing the challenge posed by aggressive web crawlers, many of which scrape data for AI model training. In 2025, one of their systems was targeted for six months by a botnet controlling approximately five million IP addresses. The FSF's systems administrators consider these attacks as distributed denial-of-service (DDoS) incidents due to their scale and impact.

To counter these threats, the FSF team analyzed the traffic and identified abnormal patterns in the web scrapers' behavior. These patterns enabled them to create regular expressions that matched the malicious requests. Using these expressions, they compiled extensive lists of IP addresses involved in the scraping activities.

Further investigation into the origins of these IP addresses revealed that some crawlers operated through botnets composed of residential IP addresses, which allowed them to scrape data more rapidly and evade detection. One notable botnet identified was the "Vo1d" botnet, which reportedly consists of smart TVs running compromised applications.

The FSF confirmed that a portion of the botnet traffic targeting their GNU Savannah platform originated from the Vo1d/Popa botnet. To mitigate the attacks, they integrated their regular expressions into fail2ban, an intrusion prevention software. However, they encountered limitations with the Uncomplicated Firewall (UFW), which showed performance degradation when handling around 65,000 rules.

To overcome these constraints, the FSF adopted ipset, a tool designed to efficiently manage large sets of IP addresses within firewall rules. This approach improved their ability to block malicious traffic without compromising system performance, strengthening their defense against large-scale botnet attacks.

Key topics in this update include sysadmins, blocking botnets, and reaction.