July 14, 2026

Botnets, blackholes, and comment chaos

How the FSF sysadmins block botnets with reaction

FSF fights a bot swarm, and the comments immediately turn into a messy AI ethics food fight

TLDR: The FSF says it found a faster way to block giant waves of malicious traffic, including some tied to smart-TV botnets, by switching tools and building its own setup. Commenters then turned the story into a brawl over AI scraping, politics in software, and who really counts as an “attacker.”

The Free Software Foundation basically posted a war diary about fending off huge waves of fake visitors hammering its sites, including traffic linked to a botnet made of hijacked smart TVs. Their big win: ditching an older setup that choked on massive blocklists and switching to reaction, a newer tool they tuned to shut out millions of suspicious internet addresses fast. In plain English, they found a better bouncer for the door after the old one started wheezing.

But the real show was in the comments, where the crowd instantly split into tech support mode, culture-war mode, and conspiracy mode. One of the hottest reactions was the blunt moral question: are these “attackers,” or just AI companies vacuuming up the web and pretending it’s normal business? That kicked off the spiciest subtext of all: is the internet being strip-mined for artificial intelligence, and who’s willing to say it out loud?

Then came the classic engineer flexes. One commenter casually dropped a lower-overhead alternative like they were tossing a folding chair into the ring, while another noted this kind of scaling pain isn’t unique. And yes, there was side-drama: one person got hung up on a political message in the software’s page and turned a server-defense thread into a debate about ideology in open-source software. Meanwhile, another commenter pointed out the FSF’s own anti-JavaScript values may limit easier anti-bot tricks, which gave the whole thread a very on-brand vibe: fight the bots, preserve user freedom, and argue about absolutely everything else online.

Key Points

  • The FSF observed abnormal scraper traffic patterns, used regular expressions to identify source IPs, and found evidence that some traffic came through residential botnets.
  • The article says at least some traffic targeting GNU Savannah was confirmed to originate through the Vo1d/Popa botnet, with supporting data published by Qurium researchers.
  • The FSF's initial fail2ban plus UFW approach hit scaling problems, with degradation appearing around 65,000 firewall rules.
  • Switching to ipset allowed the FSF to manage much larger blocklists, with the article reporting no instability at about five million rules.
  • After fail2ban with ipset still hit architectural limits, the FSF adopted reaction, built a custom ipset-based configuration, and contributed its implementation details upstream.

Hottest takes

"are scrapers attackers?" — cyanydeez
"This software is gay, trans and anticolonialist" — Magicrafter13
"ip route add blackhole ${net}" — Bender
Made with <3 by @siedrix and @shesho from CDMX. Powered by Forge&Hive.