benjojo.co.uk

benjojo posted 28 May 2026 20:54 +0000

FWIW, It seems like one of the old Twitter ASNs AS63179 seems to be now doing heavy web scraping (presumably for grok), you can probs get away with dropping the whole thing

A cloudflare radar screenshot showing traffic exploding out of AS63179

dbelson@mastodon.soc.. replied 28 May 2026 21:07 +0000
in reply to: https://benjojo.co.uk/u/benjojo/h/4YW6YLwD2J45VSr4C2

@benjojo Looks like there may be some human traffic hiding in there as well, at least over the last week or so. JavaScript content also makes up a greater share of the HTTP responses during those "human" spike periods.

https://radar.cloudflare.com/traffic/as63179?dateRange=28d#bot-vs-human
https://radar.cloudflare.com/traffic/as63179?dateRange=28d#content-type

benjojo replied 28 May 2026 22:43 +0000
in reply to: https://mastodon.social/users/dbelson/statuses/116654239082191405

@dbelson Given how I discovered them doing this (They tripped a weird tripwire on my end) I think that "Human" traffic is misclassified on CF's end

uvok@woof.tech replied 29 May 2026 04:44 +0000
in reply to: https://benjojo.co.uk/u/benjojo/h/4YW6YLwD2J45VSr4C2

@benjojo how would you drop an entire AS? nftables level, or in the webserver?
I actually whois'd a cloudflare AS once to generate a filter for nginx, but I wonder whether there's a more effective option.