I run a phpBB forum and I’m getting constantly throttled by my host because of CPU spikes caused by bad bots trying to scrape the forum, register, reply to topics, etc.
These are not DDoS attacks, we are talking like 6000 hits in a single day whereas an actual attack will do this in literally a few seconds. But it’s enough to trigger throttling from the host (HawkHost) for CPU abuse.
If I get into Under Attack mode (IUA), this stops the problem, BUT visitors on mobile phones / smartphones are presented with an hCaptcha that takes up to a minute to complete, is unclear on the small screens, uses poor quality images, has terrible ergonomics (if you zoom in to see what the f is going on, you end up selecting all the photos). It’s just not workable.
So I cannot use IUA mode unless I want to lose all my traffic.
Meanwhile, bad bots are becoming almost impossible to identify… see for instance an article called “Nearly 1/3 of bad bots are now using residential IPs”.
Bad bots are using millions of constantly changing IPs from all countries, they lie about the User Agent, simulate browsers and normal users, etc. Very difficult or impossible to spot them, so you now have to use reputational databases like the one Cloudflare uses on its paid plans, and that’s an option that I cannot afford (site does not have the revenue).
So because bad bots are so hard to identify, all of CF’s other tools and rules don’t work.
CF’s high security level in firewall settings is useless.
Stuck. Is this the death of online forums?