New Evidence: archive.today CAPTCHA Fires Repeated Requests, Causing DDoS-Scale Load
Direct inspection and community reporting show a small client-side script on archive.today’s CAPTCHA page repeatedly issues requests to a third-party blog roughly every 300ms. That pattern produces sustained, DDoS-scale traffic while the page is open.
What the script does (plain language)
A tiny loop on the archive page sends repeated, slightly different search queries to the target blog about three times per second. Because each query looks unique, it avoids normal caching and forces the target server to process every request.
// Every 300 ms, request the target's search endpoint with a fresh random
// query string so no cache layer can answer it; "no-cors" suppresses errors
// and lets the loop keep running silently in the visitor's browser.
setInterval(() => {
  fetch("https://example-blog.com/?s=" + Math.random().toString(36).substring(2, 10), { mode: "no-cors" });
}, 300);
Translation for non-technical readers: if a visitor opens the archive’s CAPTCHA page, their browser can be made to continuously ask the target site for data. Multiply that by dozens or hundreds of visitors and the target sees a flood of traffic.
Practical impact
Sustained requests at ~3 per second per open page add up fast: a single open CAPTCHA tab can generate ~10,000 requests in a day. For small blogs or low-tier hosting, that can mean slow pages, exhausted resources, or outright downtime.
Immediate mitigation (for site owners)
If you manage a site, take these steps:
- Enable rate limiting on search and high-cost endpoints (return 429 when limits are hit).
- Use CDN/WAF rules to throttle repeated requests from the same referrer/user-agent patterns.
- Ignore, or answer with a cheap cached response, obviously random short queries sent to search endpoints.
- Log request headers, timestamps, and raw queries to support abuse reports or forensics.
Community verification & discussion
Independent reporting and community threads contain code snippets, screenshots, and timelines documenting the behavior. Follow the original investigation and discussion for technical details and updates.