Meta shouldn't be doing this, they need to be more careful, but...
I used to work on a site with basic caching, a big web framework, every page dynamic, and 3 frontend webservers plus a database primary and replica. Super basic infra, and a bill close to this user.
We would never have noticed 3 to 4 requests per second like this. And we weren't being that smart about it, we were rendering every page not serving from cache (we mostly cached DB results). We were also conscious of not accidentally building SEO bot traps that would cause them to go around in loops, not because of the traffic generated, but because it was bad for SEO!
This just strikes me as bad engineering on both sides. Yes Meta is the one with the big budgets and they should sort this out, but also you can't pay 10-100x for your infra and get annoyed when you have a big bill. On the web people and bots are going to make requests and you just have to design for that.
Obviously horrendous but why isn’t this person monitoring his site?
Also, why do people use vercel nowadays? I’m sure there are reasons, but I moved over to railway (you can insert alternative provider here) and I no long f* around trying to fix page load time due to cold starts, I have predictable pricing, and my sites on railway are fast so much faster. Plus, if cost is a factor, railway offers serverless. It’s not as shiny as vercel, but nextjs works perfectly on it.
It astounds me that vercel has positioned themselves as a sanctuary city for normies and yet, the city is littered with landmines and booby traps.
Don’t underestimate the amount of people who don’t care how their companies money is spent.
Crazy to me that someone would run a website where you pay for every request you receive, instead of a fixed monthly rate. It’s an obvious recipe for disaster - crossing the wrong guy would cost you dearly. Or just a crawler running amok.
So sue Meta. Denial of service is a crime.
That's like 4 requests per second, hardly seems excessive at all. We're not on dial-up anymore.
You’re not serious, right?
I am. Modern computers and network connections are so fast that this amounts to literally nothing. It's standard internet background noise and it's really not a problem.
[flagged]
> He probably thinks the internet works on static 5k html pages, while the norm is 100kb, dynamically generated pages.
I just work on web stuff that people actually use. It's 2026, thousands of requests per second is nothing. You'll probably be fine even with stock apache2 and some janky php scripts.
A single gbit line will serve a 100kB page thousand times a second without issues.
Dynamically generated pages you can't easily serve at rates in excess of tens of thousands of requests per second from commodity hardware are extremely rare.
For most web apps, bandwidth won't be the issue, it'll still be I/O bound, or maybe CPU bound.
Sure, but CPUs and I/O are so fast now that it's genuinely difficult to hit those bottlenecks unless you're doing something weird.
Also, hardware these days is good enough that a CRUD web app could very well be bandwidth limited.
i don’t think you realize how fast modern CPUs are. If this stresses your server out, you probably have no business hosting things publicly on that server. This person is hosting stuff on Vercel using serverless which is the root of their problem.
4 request per second is just noise. it’s like complaining about car noise when deciding to buy a house next to the freeway. Exposing things publicly on the internet means _anyone_ can try talking to your server. Real users, bots, hackers, whatever. You can’t guarantee bots are bug-free!
Dynamic content is _typically_ served to logged in users. Content that is public facing is typically cached, for obvious reasons. Of course Meta should fix this…but using Vercel and serverless in this manner is a very poor choice.
Meta isn’t going to fix this because they have your mindset.
Meanwhile, my website with 48M pages over 8 domains is getting hammered with over 200 req/s 24/7 from AI bots in addition to the regular search engine bots. It seems like every day new bots appear that all want to download every single one of my URL’s.
To me it’s not background noise. It’s a problem. It simply requires a lot of CPU power and traffic. I could do with 95% less resources and have faster response times for my actual users if these bots would just bugger off.
even 100 kB dynamically generated pages should be a piece of cake. if it's CRUD like (original op's site is), it should be downright trivial to transfer that much on like... shared hosting (although even a VPS would be much better).
(in original op's case, i clocked 197 requests using 20.60 MB while browsing their site for a little bit. most of it is static assets and i had caching disabled so each new pageload loaded stuff like the apple touch icons.)
honestly you could probably put it behind nginx for the statics and just use bog standard postgres or even prolly sqlite. nice bonus in that you don't have to worry about cold start times either!
I don't have a car. I don't need one because trains exist. My website can also handle 4 requests per second.
I have the same problem. I have 6M URL’s per domain. 8 different domains. 80% of search traffic is long tail.
If I don’t block, 95% of my resources will be spent on feeding bots.
I had to block all “official” AI useragents and entire countries like Singapore and China. But there are so many unofficial bots which spread their work over dozes of IP addresses that it seems impossible to block on the reverse proxy level. How do you block those?
> If I don’t block, 95% of my resources will be spent on feeding bots. How do you block those?
A very good and important question. I was thinking about some combination of proof of work and a dynamic list of offending IPs which servers would update periodically, similar to how such lists are used by ad-blockers.
It would be ideal to have some legislative protection from ddos together with technical means of disclosure and prevention, bot scraping is a from of soft ddos.
>If I don’t block, 95% of my resources will be spent on feeding bots.
Okay, but why should you care? Resource usage for a regular website that isn't doing some heavy dynamic stuff or video streaming tends to be rather negligible. You can easily serve 100k+ requests per second on servers that costs less than $100/mo.
It really shouldn't be worth your time to do anything about the bots unless you're doing something unusual.
>> If I don’t block, 95% of my resources will be spent on feeding bots... How do you block those?
A very important question which deserves a good answer.
> Okay, but why should you care?
Not that kind of answer - this is bad manners or worse. The counter-question "Why do you ask that" isn't an honest or meaningful answer - it's indefensible defense of allowing meaningless traffic without any defenses.
> Resource usage for a regular website that isn't doing some heavy dynamic stuff or video streaming tends to be rather negligible.
Maybe it is doing video streaming, or audio, or lots of images or very dynamic, or written in Python - the trend is to use more and more bandwidth to make the sites more attractive.
> You can easily serve 100k+ requests per second on servers that costs less than $100/mo.
Maybe $100/mo isn't a trivial amount for a site that has no video, isn't dynamic, etc - your assumptions contradict themselves and reality.
Without any maybe, the prices of RAM, bandwidth and hosting are going up while usage limits are going down - inflation. There's no reason to sacrifice $100/mo to hostile bot daemons which are sure to ask for more and more in the future.
It's absolutely clear that giving a free reign to bots will encourage more bots and more sinister behavior because the boundary between bot scraping and ddos is blurry, you're essentially arguing for allowing soft ddos which can be turned up at times just to make a site ineffective when it's needed.
>Not that kind of answer - this is bad manners or worse. The counter-question "Why do you ask that" isn't an honest or meaningful answer - it's indefensible defense of allowing meaningless traffic without any defenses.
Nah. Based on years of experience, the typical person asking this question is asking because they're bothered by log entries. They're not asking it because the requests are actually being somehow disruptive. The correct answer is "don't stress out about normal background noise".
>Maybe $100/mo isn't a trivial amount for a site that has no video, isn't dynamic, etc - your assumptions contradict themselves and reality.
$100/mo is a trivial amount for anything that is visited hundred thousand times in a second.
>It's absolutely clear that giving a free reign to bots will encourage more bots and more sinister behavior because the boundary between bot scraping and ddos is blurry, you're essentially arguing for allowing soft ddos which can be turned up at times just to make a site ineffective when it's needed.
Not really. The bots have a strong incentive to not be disruptive.
>Without any maybe, the prices of RAM, bandwidth and hosting are going up while usage limits are going down - inflation. There's no reason to sacrifice $100/mo to hostile bot daemons which are sure to ask for more and more in the future.
Prices of bandwidth and hosting are not going up, usage limits are not going down. This is not a real thing that's happening. Servers (and bandwidth) are in fact cheaper than ever, except perhaps for the RAM.
Believe it or not, but the website is not a static txt file.
Anything significantly more complicated than CRUD apps like HN is pretty rare on the web.
If the resource usage of a website is a concern, either your code is straight up broken or you're doing something rather unusual. While doing unusual things, it's normal to encounter unusual problems. However, when encountering an unusual problem it's good to stop for a moment and consider if your approach is wrong.
At some point the only good way to stop scraping becomes paywalls. You can't defeat sophisticated scrapers through any other means.
So you’re blaming the destruction of the open internet on the technical prowess of indie developers like me and not on the greedy big tech leeches with thousands of mindless developers who do everything in their power to make life worse for the little guys.
I don't think the open internet is being destroyed at all. This is just the usual complaining about internet background noise that's been happening for decades.
Is there more background noise than before? Yes, probably. Is it a big deal yet? Still not.
> Yes, probably. Is it a big deal yet? Still not.
"Trust me bro, not a big deal... YET, pay up and move along, nothing to see here"
That might be true for you, but it definitely isn't true for everybody, if you don't want to stop bots, nobody is stopping you from not stopping them, but you keep arguing as if your life depends on it... Are you a bot too?
Who in his right mind would wait for some problem to become a really big deal without seeking a way to prevent it?
Block based on cookies (i.e., set a cookie on the browser and check on the server whether it exists).
That helps, but the big bot farms use clients that support cookies, we need to add more defenses on top of them.
This project implements a variety of similar JSless checks, such as image loading
[dead]