> We will shortly be reaching out to the abuse desk of the affected ISP for assistance.<p>Does anyone here have experience working with an ISP in abuse cases like this one, especially a Chinese ISP?
<i>These requests originated from over 200 IP addresses – almost all owned by an ISP for a particular province in China. The confirmation emails for this volume of requests overwhelmed our email service. As a result, many arXiv users may not have received their daily emails. And other users may not have received their confirmation emails for registering accounts, or legitimate email change requests.</i><p>This should be easy to block, no? Just 200 out of millions.
Look, arxiv.org is awesome and I love them, but they really can't expect the ITU or abuse-reporting groups to bail them out here.<p>If you have some web service that sends emails, it's on you to pick a sensible rate limit for it (<i>not</i> 1,000,000 messages per day unless you're Fastmail) and to hierarchically bucket that rate limit by the routable prefix (first 24 bits) of the requester's IP address. As the bucket empties, respond more and more slowly. This way the worst a DDoSer can do is mildly annoy people who happen to use the same ISP that they do -- but eventually even those people will still get through.<p>I'm sorry, but this is just the sort of thing everybody has to do in order to preserve a decentralized Internet. Because if we don't all do this sort of stuff, pretty soon it won't be the Internet anymore, it'll be the CloudflareNet.<p>Alright, go ahead, downvote me to negative-billion. I can handle it.
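The scheme described in the comment above (a rate limit bucketed hierarchically by routable prefix, with responses slowing as a bucket drains), as an added example that is not code from the commenter or from arXiv. It assumes illustrative limits (1000 emails per hour globally, 60 per /24, 5 per source IP, a 10 second maximum stall) and a /48 prefix for IPv6; the flood scenario at the bottom is constructed for the demonstration.

```python
"""Hierarchical token-bucket rate limiting for an endpoint that sends email.

Added example written for this thread, not code from arXiv or the commenter.
Assumed policy: one global bucket, one per routable prefix (/24 for IPv4,
/48 for IPv6) and one per source IP; a request must find a token in all three.
As the tightest bucket drains, the caller is told to stall longer before
answering, so a flood from one prefix slows only that prefix's own users.
"""
import ipaddress
from dataclasses import dataclass


@dataclass
class TokenBucket:
    capacity: float          # burst size
    refill_per_sec: float    # sustained rate
    tokens: float = -1.0     # -1 means "start full"
    last: float = 0.0        # timestamp of the last refill

    def __post_init__(self):
        if self.tokens < 0:
            self.tokens = self.capacity

    def refill(self, now):
        elapsed = max(0.0, now - self.last)
        self.tokens = min(self.capacity, self.tokens + elapsed * self.refill_per_sec)
        self.last = now

    @property
    def fill(self):
        return self.tokens / self.capacity


@dataclass
class Decision:
    allowed: bool
    delay_seconds: float   # stall before answering, or Retry-After when denied
    reason: str


def prefix_key(ip_str):
    """Collapse an address to its routable prefix (assumed /24 for v4, /48 for v6)."""
    ip = ipaddress.ip_address(ip_str)
    plen = 24 if ip.version == 4 else 48
    return str(ipaddress.ip_network(f"{ip}/{plen}", strict=False))


class EmailRateLimiter:
    # Assumed, illustrative hourly limits; the hourly figure is also the burst size.
    def __init__(self, global_per_hour=1000, prefix_per_hour=60, ip_per_hour=5,
                 max_delay=10.0):
        self.global_bucket = TokenBucket(global_per_hour, global_per_hour / 3600)
        self.prefix_limits = (prefix_per_hour, prefix_per_hour / 3600)
        self.ip_limits = (ip_per_hour, ip_per_hour / 3600)
        self.prefix_buckets = {}
        self.ip_buckets = {}
        self.max_delay = max_delay

    def decide(self, ip_str, now):
        pfx = prefix_key(ip_str)
        chain = [
            ("global", self.global_bucket),
            ("prefix " + pfx,
             self.prefix_buckets.setdefault(pfx, TokenBucket(*self.prefix_limits))),
            ("ip " + ip_str,
             self.ip_buckets.setdefault(ip_str, TokenBucket(*self.ip_limits))),
        ]
        # Coarse to fine: the first exhausted bucket rejects and nothing is taken
        # from the others, so a dry prefix cannot keep draining the global bucket.
        for name, bucket in chain:
            bucket.refill(now)
            if bucket.tokens < 1.0:
                retry_after = (1.0 - bucket.tokens) / bucket.refill_per_sec
                return Decision(False, retry_after, name)
        lowest = min(bucket.fill for _, bucket in chain)
        for _, bucket in chain:
            bucket.tokens -= 1.0
        # Quadratic back-off: a nearly empty bucket stalls close to max_delay.
        return Decision(True, self.max_delay * (1.0 - lowest) ** 2, "ok")


def simulate_flood(limiter, prefix="203.0.113.", hosts=200, per_host=5, now=0.0):
    """Constructed scenario: `hosts` addresses in one /24 each send `per_host` requests."""
    allowed, denied = [], []
    for i in range(1, hosts + 1):
        for _ in range(per_host):
            d = limiter.decide(f"{prefix}{i}", now)
            (allowed if d.allowed else denied).append(d)
    return allowed, denied


if __name__ == "__main__":
    lim = EmailRateLimiter()
    ok, no = simulate_flood(lim)
    print(f"flood: {len(ok)} allowed, {len(no)} denied, last stall {ok[-1].delay_seconds:.1f}s")
    print("other prefix:", lim.decide("192.0.2.10", 0.0))
    print("same prefix an hour later:", lim.decide("203.0.113.250", 3600.0))
```

With these limits a 1000-request burst from one /24 gets 60 emails through, the rest are refused with a Retry-After derived from the prefix bucket's refill rate, an address in any other prefix is unaffected, and an hour later the flooded prefix has refilled, which is the "eventually even those people will still get through" property. In production the buckets would live in shared storage (Redis or similar) rather than a process-local dict, and the prefix length should follow real routing granularity rather than a fixed /24.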
A million password resets is shockingly low for a DDoS; could this have been a university assignment gone wrong? I can imagine some clueless dean ordering all their engineering grads to submit research to arXiv. If they have 100-200K students, a single poorly written script to link the institution's SSO with automatically created arXiv accounts could easily overwhelm the system.