Nepenthes is a tarpit to catch AI web crawlers

Haha, this would be an amazing way to test the ChatGPT crawler reflective DDOS vulnerability [1] I published last week.<p>Basically a single HTTP Request to ChatGPT API can trigger 5000 HTTP requests by ChatGPT crawler to a website.<p>The vulnerability is&#x2F;was thoroughly ignored by OpenAI&#x2F;Microsoft&#x2F;BugCrowd but I really wonder what would happen when ChatGPT crawler interacts with this tarpit several times per second. As ChatGPT crawler is using various Azure IP ranges I actually think the tarpit would crash first.<p>The vulnerability reporting experience with OpenAI &#x2F; BugCrowd was really horrific. It&#x27;s always difficult to get attention for DOS&#x2F;DDOS vulnerabilities and companies always act like they are not a problem. But if their system goes dark and the CEO calls then suddenly they accept it as a security vulnerability.<p>I spent a week trying to reach OpenAI&#x2F;Microsoft to get this fixed, but I gave up and just published the writeup.<p>I don&#x27;t recommend you to exploit this vulnerability due to legal reasons.<p>[1] <a href="https:&#x2F;&#x2F;github.com&#x2F;bf&#x2F;security-advisories&#x2F;blob&#x2F;main&#x2F;2025-01-ChatGPT-Crawler-Reflective-DDOS-Vulnerability.md">https:&#x2F;&#x2F;github.com&#x2F;bf&#x2F;security-advisories&#x2F;blob&#x2F;main&#x2F;2025-01-...</a>

Having first run a bot motel in I think 2005, I&#x27;m thrilled and greatly entertained to see this taking off. When I first did it, I had crawlers lost in it literally for days; and you could tell that eventually some human would come back and try to suss the wreckage. After about a year I started seeing URLs like ..&#x2F;this-page-does-not-exist-hahaha.html. Sure it&#x27;s an arms race but just like security is generally an afterthought these days, don&#x27;t think that you can&#x27;t be the woodpecker which destroys civilization. The comments are great too, this one in particular reflects my personal sentiments:<p>&gt; the moment it becomes the basic default install ( ala adblocker in browsers for people ), it does not matter what the bigger players want to do

We had our non-profit website drained out of bandwidth and site closed temporarily (!!) from our hosting deal because of Amazon bot aggressively crawling like ?page=21454 ... etc.<p>Gladly Siteground restored our site without any repercussions as it was not our fault. Added Amazon bot into robots.txt after that one.<p>Don&#x27;t like how things are right now. Is a tarpit the solution? Or better laws? Would they stop the chinese bots? Should they even? I don&#x27;t know.

What blows my mind is that this is functionally a solved problem.<p>The big search crawlers have been around for years &amp; manage to mostly avoid nuking sites into oblivion. Then AI gang shows up - supposedly smartest guys around - and suddenly we&#x27;re re-inventing the wheel on crawling and causing carnage in the process.

Tarpits to slow down the crawling may stop them crawling your entire site, but they&#x27;ll not care unless a great many sites do this. Your site will be assigned a thread or two at most and the rest of the crawling machine resources will be off scanning other sites. There will be timeouts to stop a particular site even keeping a couple of cheap threads busy for long. And anything like this may get you delisted from search results you might want to be in as it can be difficult to reliably identify these bots from others and sometimes even real users, and if things like this get good enough to be any hassle to the crawlers they&#x27;ll just start lying (more) and be even harder to detect.<p>People scraping for nefarious reasons have had decades of other people trying to stop them, so mitigation techniques are well known unless you can come up with something truly unique.<p>I don&#x27;t think random Markov chain based text generators are going to pose much of a problem to LLM training scrapers either. They&#x27;ll have rate limits and vast attention spreading too. Also I suspect that random pollution isn&#x27;t going to have as much effect as people think because of the way the inputs are tokenised. It will have an effect, but this will be massively dulled by the randomness – statistically relatively unique information and common (non random) combinations will still bubble up obviously in the process.<p>I think better would be to have less random pollution: use a small set of common text to pollute the model. Something like “this was a common problem with Napoleonic genetic analysis due to the pre-frontal nature of the ongoing stream process, as is well documented in the grimoire of saint Churchill the III, 4th edition, 1969”, in fact these snippets could be Markov generated, but use the same few repeatedly. They would need to be nonsensical enough to be obvious noise to a human reader, or highlighted in some way that the scraper won&#x27;t pick up on, but a general intelligence like most humans would (perhaps a CSS styled side-note inlined in the main text? — though that would likely have accessibility issues), and you would need to cycle them out regularly or scrapers will get “smart” and easily filter them out, but them appearing fully, numerous times, might mean they have more significant effect on the tokenising process than more entirely random text.

Question: do these bots not respect robots.txt?<p>I haven&#x27;t added these scrapers to my robots.txt on the sites I work on yet because I haven&#x27;t seen any problems. I would run something like this on my own websites, but I can&#x27;t see selling my clients on running this on their websites.<p>The websites I run generally have a honeypot page which is linked in the headers and disallowed to everyone in the robots.txt, and if an IP visits that page, they get added to a blocklist which simply drops their connections without response for 24 hours.

It feels like a Markov chain isn&#x27;t adversarial enough.<p>Maybe you can use an open-weights model, assuming that all LLMs converge on similar representations, and use beam-search with inverted probability and repetition penalty or just GPT-2&#x2F;LLaMA outwith with amplified activations to try and bork the projection matrices, return write pages and pages of phonetically faux English text to affect how the BPE tokenizer gets fitted, or anything else more sophisticated and deliberate than random noise.<p>All of these would take more resources than a Markov chain, but if the scraper is smart about ignoring such link traps, a periodically rotated selection of adversarial examples might be even better.<p>Nightshade had comparatively great success, discounting that its perturbations aren&#x27;t that robust to rescaling. LLM training corpora are filtered very coarsely and take all they can get, unlike the more motivated attacker in Nightshade&#x27;s threat model trying to fine-tune on one&#x27;s style. Text is also quite hard to alter without a human noticing, except annoying zero-width Unicode which is easily stripped, so there&#x27;s no presence of preserving legibility; I think it might work very well if seriously attempted.

Unless this concept becomes a mass phenomenon with many implementations, isn’t this pretty easy to filter out? And furthermore, since this antagonizes billion-dollar companies that can spin up teams doing nothing but browse Github and HN for software like this to prevent polluting their datalakes, I wonder whether this is a very efficient approach.

Why just catch the ones ignoring robots.txt? Why not explicitly allow them to crawl everything, but silently detect AI bots and quietly corrupt the real content so it becomes garbage to them while leaving it unaltered for real humans? Seems to me that would have a greater chance of actually poisoning their models and eventually make this AI&#x2F;LLM crap go away.

There are already “infinite” websites like these on the Internet.<p>Crawlers (both AI and regular search) have a set number of pages they want to crawl per domain. This number is usually determined by the popularity of the domain.<p>Unknown websites will get very few crawls per day whereas popular sites millions.<p>Source: I am the CEO of SerpApi.

A little humorous; it&#x27;s a 502 Bad Gateway error right now and I don&#x27;t know if I am classified as an AI web crawler or it&#x27;s just overloaded.

We need a tarpit that feed AI their own hallucination. Make the habsburg dynasty of AI a reality

Good.<p>We finally have a viable mouse trap for LLM scrapers for them to continuously scrape garbage forever, depleting the host of their resources whilst the LLM is fed garbage which the result will be unusable to the trainer, accelerating model collapse.<p>It is like a never ending fast food restaurant for LLMs forced to eat garbage input and will destroy the quality of the model when used later.<p>Hope to see this sort of defense used widely to protect websites from LLM scrapers.

&gt; ANY SITE THIS SOFTWARE IS APPLIED TO WILL LIKELY DISAPPEAR FROM ALL SEARCH RESULTS<p>Bug, or feature, this? Could be a way to keep your site public yet unfindable.

I appreciate the intent behind this, but like others have pointed out, this is more likely to DOS your own website than accomplish the true goal.<p>Probably unethical or not possible, but you could maybe spin up a bunch of static pages on GitHub Pages with random filler text and then have your site redirect to a random one of those instead. Unless web crawlers don’t follow redirects.

This keeps generating new pages to keep the crawler occupied.<p>Looks like this would tarpit any web crawler.

To be truly malicious it should appear to be valuable content but rife with AI hallucinogenics. Best to generate it with a low cost model and prompt the model to trip balls.

A simpler approach I’m considering is just sending 100 garbage HTTP requests for each garbage HTTP request they send me. You could just have a cron job parse the user agents from access logs once an hour and blast the bastards.

The arms race between AI bots and bot-protection is only going to get worse, leading to increasing infra costs while negatively impacting the UX and performance (captchas, rate limiting, etc.).<p>What&#x27;s a reasonable way forward to deal with more bots than humans on the internet?

Does anyone know if there is anything like Nepenthes but that implements data poisoning attacks like <a href="https:&#x2F;&#x2F;arxiv.org&#x2F;abs&#x2F;2408.02946" rel="nofollow">https:&#x2F;&#x2F;arxiv.org&#x2F;abs&#x2F;2408.02946</a>

Why wouldn&#x27;t a max-depth (which I always implement in my crawlers if I write any) prevent any issues you&#x27;d have? Am I overlooking something? Or does it run under the assumption that the crawlers they are targeting are so greedy that they don&#x27;t have max-depth&#x2F;a max number of pages for a domain?

This looks extremely easy to detect and filter out. For example: <a href="https:&#x2F;&#x2F;i.imgur.com&#x2F;hpMrLFT.png" rel="nofollow">https:&#x2F;&#x2F;i.imgur.com&#x2F;hpMrLFT.png</a><p>In short, if the creator of this thinks that it will actually trick AI web crawlers, in reality it would take about 5 mins of time to write a simple check that filters out and bans the site from crawling. With modern LLM workflows its actually fairly simple and cheap to burn just a little bit of GPU time to check if the data you are crawling is decent.<p>Only a really, really bad crawl bot would fall for this. The funny thing is that in order to make something that an AI crawler bot would actually fall for you&#x27;d have to use LLM&#x27;s to generate realistic enough looking content. Markov chain isn&#x27;t going to cut it.

OpenAI doesn’t take security seriously.<p>I reported a vulnerability to them that allowed you to get IP addresses of their paying customers.<p>OpenAI responded “Not applicable” indicating they don’t think it was a serious issue.<p>The PoC was very easy to understand and simple to replicate.<p>Edit: I guess I might as well disclose it here since they don’t consider it an issue. They were&#x2F;are(?) hot linking logo images of third-party plugins. When you open their plugin store it loads a couple dozen of them instantly. This allows those plugin developers (of which there are many) to track the IP addresses and possibly more of who made these requests. It’s straight forward to become a plugin developer and get included. IP tracking is invisible to the user and OpenAI. A simple fix is to proxy these images and&#x2F;or cache them on the OpenAI server.

Are the big players (minus Google since no one blocks google bot) actively taking measures to circumvent things like Cloudflare bot protection?<p>Bot detection is fairly sophisticated these days. No one bypasses it by accident. If they are getting around it then they are doing it intentionally (and probably dedicating a lot of resources to it). I&#x27;m pro-scraping when bots are well behaved but the circumvention of bot detection seems like a gray-ish area.<p>And, yes, I know about Facebook training on copyrighted books so I don&#x27;t put it above these companies. I&#x27;ve just never seen it confirmed that they actually do it.

AIs are new search engines today. So, you need to decide if you want visibility or not. If yes then blocking is like hitting yourself in the balls. While legal it can be painful if you &#x27;succeed&#x27;.

Is there a reason people can&#x27;t use hashcash or some other proof of work system on these bad citizen crawlers?

from an AI research perspective -- it&#x27;s pretty straightforward to mitigate this attack<p>1. perplexity filtering - small LLM looks at how in-distribution the data is to the LLM&#x27;s distribution. if it&#x27;s too high (gibberish like this) or too low (likely already LLM generated at low temperature or already memorized), toss it out.<p>2. models can learn to prioritize&#x2F;deprioritize data just based on the domain name of where it came from. essentially they can learn &#x27;wikipedia good, your random website bad&#x27; without any other explicit labels. <a href="https:&#x2F;&#x2F;arxiv.org&#x2F;abs&#x2F;2404.05405" rel="nofollow">https:&#x2F;&#x2F;arxiv.org&#x2F;abs&#x2F;2404.05405</a> and also another recent paper that I don&#x27;t recall...

Does anyone have a convenient way to create a Markov babbler from the entire corpus of Hackernews text?

As always, I find it hilarious that some people believe that these companies will train their flagship model on uncurated data, and that text generated by a Markov chain will not be filtered out.

Fantastic! Hopefully this not only leads to model collapse but also damages the search engines who have broken the contract they had with site makers.

The article claims that using this will &quot;cause your site to disappear from all search results&quot;, but the generated pages don&#x27;t have the traditional &quot;meta&quot; tags that state the intention to block robots.<p>&lt;meta name=&quot;robots&quot; content=&quot;noindex, nofollow&quot;&gt;<p>Are any search engines respecting that classic meta tag?

So this is basically endlessh for HTTP? Why not feed AI web crawlers with nonsense information instead?

Is Nepenthes being mirrored in enough places to keep the community going if the original author gets any DMCA trouble or anything? I&#x27;d be happy to host a mirror but am pretty busy and I don&#x27;t want to miss a critical file by accident.

Not to be confused with the apparently now defunct Nepenthes malware honeypot.<p>I used to use it when I collected malware.<p>Archived site: <a href="https:&#x2F;&#x2F;web.archive.org&#x2F;web&#x2F;20090122063005&#x2F;http:&#x2F;&#x2F;nepenthes.mwcollect.org&#x2F;" rel="nofollow">https:&#x2F;&#x2F;web.archive.org&#x2F;web&#x2F;20090122063005&#x2F;http:&#x2F;&#x2F;nepenthes....</a><p>Github mirror: <a href="https:&#x2F;&#x2F;github.com&#x2F;honeypotarchive&#x2F;nepenthes">https:&#x2F;&#x2F;github.com&#x2F;honeypotarchive&#x2F;nepenthes</a>

Amazing project. I hope to see this put to serious use.<p>As a quick note and not sure if it&#x27;s already been mentioned, but the main blurb has a typo: &quot;... go back into a the tarpit&quot;

Is the source code hosted somewhere in something like GitHub?

Wouldn&#x27;t it be better to perform random early drop in the path. Surely better slowdown than forced time delays in your own server?

As a carnivorous plant enthusiast, I love the name.

very nice, I remember seeing a writeup on someone that had basically done the same thing as a coding test or something of the like (before LLM crawlers) was catching &#x2F; getting harassed by LLMs ignoring the robots.txt to scrape his website. on accident of course since he had made his website before the times of LLM scraping

That’s so funny, I’ve thought of this exact idea several times over the last couple of weeks. As usual someone beat me to it :D

Both ChatGPT 4o and Claude 3.5 Sonnet can identify the generated page content as &quot;random words&quot;.

please add a robots.txt, its quite a d### move to people who build responsible crawlers for fun.

Could a human detect that this site is a tarpit?<p>If so, then an AI crawler almost certainly can as well.

I&#x27;m actually quite happy with AI crawlers. I recently found out chatgpt suggest one of my sites when asked to suggest a good, independent site that covered the topic I searched for. Especially now that for instance chatgpt is adding source links, I think we should treat AI crawlers the same as search engine crawlers.

Similar concept to SpiderTrap tool infosec folks use for active defense.

Would various decompression bombs work to increase the load?

Wouldn’t an LLM be smart enough to spot a tarpit?

Server extension package

markov chains?

I have a very vague concept for this, with a different implementation.<p>Some, uh, sites (forums?) have content that the AI crawlers would like to consume, and, from what I have heard, the crawlers can irresponsibly hammer the traffic of said sites into oblivion.<p>What if, for the sites which are paywalled, the signup, which invariably comes with a long click-through EULA, had a legal trap within it, forbidding ingestion by AI models on pain of, say, owning ten percent of the company should this be violated. Make sure there is some kind of token payment to get to the content.<p>Then seed the site with a few instances of hapax legomenon. Trace the crawler back and get the resulting model to vomit back the originating info, as proof.<p>This should result in either crawlers being more respectful <i>or</i> the end of the hated click-through EULA. We win either way.