"Nepenthes generates random links that always point back to itself - the crawler downloads those new links. Nepenthes happily just returns more and more lists of links pointing back to itself."

A pseudonymous coder has created and released an open source “tar pit” to indefinitely trap AI training web crawlers in an infinitely, randomly-generating series of pages to waste their time and computing power. The program, called Nepenthes after the genus of carnivorous pitcher plants which trap and consume their prey, can be deployed by webpage owners to protect their own content from being scraped or can be deployed “offensively” as a honeypot trap to waste AI companies’ resources.

“It’s less like flypaper and more an infinite maze holding a minotaur, except the crawler is the minotaur that cannot get out. The typical web crawler doesn’t appear to have a lot of logic. It downloads a URL, and if it sees links to other URLs, it downloads those too. Nepenthes generates random links that always point back to itself - the crawler downloads those new links. Nepenthes happily just returns more and more lists of links pointing back to itself,” Aaron B, the creator of Nepenthes, told 404 Media.

  • daniskarma@lemmy.dbzer0.comEnglish
    203·
    11 hours ago

    Yeah, that has like 0 chances for working. At most it would annoy bots for web search, at least it has a proper robots.txt.

    But any agent trying to process data for AI is not going to go to random websites. It’s going to use a curated list of sites with valuable content.

    At this point text generation datasets can be achieved with open data, and data sold by companies like reddit or Microsoft, they don’t need to “pirate” your blog posts.

    • LovableSidekick@lemmy.worldEnglish
      1·
      3 hours ago

      True to a limited extent. Anyone can post a link to somebody’s blog on a site like reddit without the blogger’s permission, where a web crawler scanning through posts and comments would find it. But I agree with you that a thing like Nepehthes probably wouldn’t work. Infinite loop detection is an important part of many types of software and there are well-known techniques for it, which as a developer I would assume a well written AI web crawler would have (although I’ve never personally made one).

      • LovableSidekick@lemmy.worldEnglish
        3·
        3 hours ago

        LOL wow, this is probably the most elegant way to say what I just said to somebody else. Well written web crawlers aren’t like sci-fi robots that rock back and forth smoking when they hear something illogical.

      • FaceDeer@fedia.io
        1·
        3 hours ago

        A bot that’s ignoring robots.txt is likely going to be pretending to be human. If your site has valuable content that you want to show to humans, how do you distinguish them from the bots?

    • nucleative@lemmy.worldEnglish
      6·
      9 hours ago

      I think sites that feel they have valuable content can deploy this and hope to trap and perhaps detect those bots based on how they interact with the tarpit

  • patrick@lemmy.bestiver.seEnglish
    1483·
    1 day ago

    This showed up on HN recently. Several people who wrote web crawlers pointed out that this won’t even come close to working except on terribly written crawlers. Most just limit the number of pages crawled per domain based on popularity of the domain. So they’ll index all of Wikipedia but they definitely won’t crawl all 1 million pages of your unranked website expecting to find quality content.

    • JackbyDev@programming.devEnglish
      49·
      18 hours ago

      Did you read the article? (There is a link to a non walled version.)

      Since they made and deployed a proof-of-concept, Aaron B said their pages have been hit millions of times by internet-scraping bots. On a Hacker News thread, someone claiming to be an AI company CEO said a tarpit like this is easy to avoid; Aaron B told 404 Media “If that’s, true, I’ve several million lines of access log that says even Google Almighty didn’t graduate” to avoiding the trap.

      • realharo@lemm.eeEnglish
        152·
        13 hours ago

        Millions of hits may sound like a lot, but you need to view that in context.

          • Warl0k3@lemmy.worldEnglish
            7·
            12 hours ago

            The modern internet. Millions of hits is very normal - one of my domains is just 30 year old ASCII art of a penguin, and it gets 2-3 million a month from bots/crawlers (nearly all of them trying common exploits). The idea that the google spider would be notably negatively impacted by this is kinda naive. It could fall fully into the tarpit and it probably wouldn’t even get flagged as an abnormal resource allocation. The difference in power between desktop and enterprise equipment is at this point almost inexpressible.

            • JackbyDev@programming.devEnglish
              3·
              5 hours ago

              People think of hacking like a thief with a lockpick. It’s oftentimes more like someone methodically checking every door in the neighborhood for any that are unlocked.

      • ShadowWalker@lemmy.worldEnglish
        10·
        15 hours ago

        If it is linked to the Internet then it’ll be hit by crawlers. Their “trap” isn’t any how many show up but how long each bot stays on their individual site.

    • OsrsNeedsF2P@lemmy.mlEnglish
      801·
      1 day ago

      Can confirm, I have a website (https://2009scape.org/) with tonnes of legacy forum posts (100k+). No crawlers ever go there.

      It’s a shame that 404media didn’t do any due diligence when writing this

      • affiliate@lemmy.worldEnglish
        411·
        1 day ago

        No crawlers ever go there.

        if it makes you feel any better, i would go there if i was a web crawler.

      • Kornblumenratte@feddit.orgEnglish
        21·
        13 hours ago

        Sorry to tell you, but you are indexed at least by duckduckgo, bing, ecosia, startpage, google, and even one of searx’ crawlers has payed you a visit.

      • fine_sandy_bottom@discuss.tchncs.deEnglish
        11·
        15 hours ago

        I think you may have just misunderstood the post.

        It’s not intended to trap the web crawlers indexing content for google search.

        It’s intended to trap AI training bots harvesting sentences in order to improve their LLMs.

        I don’t really have an answer as to why those bots don’t find your content appealing, but that doesn’t mean that Nepenthes doesn’t work.

    • Bogasse@lemmy.mlEnglish
      3·
      17 hours ago

      I think this rate limiting mechanism is mostly a niceness rule : you should try to not put too much pressure on any website and obey the rules defined in its robots.txt.

      So I guess this idea is not bad as it would mostly penalize bad players.

    • x00z@lemmy.worldEnglish
      16·
      18 hours ago

      For anybody who ever had this happen, ChatGPT has some solutions to remedy the situation:

      • Breezy@lemmy.worldEnglish
        4·
        15 hours ago

        So battleship but with chess. Sounds frustratingly funny. You’d never know when a piece would get randomly assassinated. Oh you just moved yourself little horsey over and pow he just jumped over 2 pawns and ran over the king! Oops my bad.

        • zerozaku@lemmy.worldEnglish
          1·
          10 hours ago

          I used to use perplexity until that news came in about it being a front runner to help companies replace workers who went on a strike demanding better work conditions. (Or something along those lines, I only remember the details sparingly)

          I have used Duck AI and Brave AI to replace it.

        • Kyouki@lemmy.worldEnglish
          1·
          13 hours ago

          It’s genuinely a great tool. Was really sceptical at first ans about this Ai buzz but this genuinely improved my day to day searches.

      • WolfLink@sh.itjust.worksEnglish
        18·
        1 day ago

        I’ve always been taught if you say “I adjust” before touching a piece then it’s ok to touch it (specifically so you can move an off-center piece into the center of its square)

        • Bytemeister@lemmy.worldEnglish
          101·
          1 day ago

          Not gonna fly if you say “I adjust” and then pick up a piece, move it to a new spot, then bring it back down and set it in the original spot.

          Also ffs, don’t adjust pieces unless it’s your turn.

        • Brumefey@sh.itjust.worksEnglish
          2·
          16 hours ago

          Just tried and got the expected answer :

          In chess, looking at your opponent’s pieces is not only allowed but essential to playing the game. Observing the placement and movement of your opponent’s pieces helps you plan your strategy and anticipate their moves. However, if you’re referring to situations like secretly peeking at a hidden plan (in correspondence chess, for example) or breaking rules in a specific chess variant, then it could be considered cheating. But in standard chess, observing your opponent’s pieces is part of fair play.

          • Womble@lemmy.worldEnglish
            223·
            1 day ago

            Yeah thats not real, if you ask chat gpt it gives the obvious answer of you have to look at the pieces. Either its shopped or its leaving off previous messages where the user has deliberately conviced it that it is cheating.

              • Womble@lemmy.worldEnglish
                102·
                1 day ago

                Huh, interesting, it does do it with 4o mini but not with 4o. I stand corrected.

              • Womble@lemmy.worldEnglish
                2·
                12 hours ago

                See i understand that one, LLMs dont work with letters they work with tokens which are more like Chinese characters. So even though they display letters to the end users the models themselves dont see them which is why you can get dumb mistakes like that.

                The chess thing is strange though, its not like there is a lack of writing on chess so I do wonder where it got that idea from.

                • Serinus@lemmy.worldEnglish
                  1·
                  13 hours ago

                  There’s an ocean of chess games recorded in chess notation. So it’ll play brilliant moves. They may not apply to this game or be legal moves, but in that other situation they were brilliant!

      • Petter1@lemm.eeEnglish
        22·
        1 day ago

        We don’t know what they did above this prompt, maybe it was advised to answer like this in a prior prompt 🤗 we can not really know from the picture

        But 4o is not too old, I think, it is still the highest free unlimited tier.

        • BurnedDonutHole@ani.socialEnglish
          3·
          23 hours ago

          I wrote that prompt and just asked it as it’s without any other prompts before it. You can see other people got the same same answer or try it yourself.

  • Jordan117@lemmy.worldEnglish
    65·
    1 day ago

    More accurately, it traps any web crawler, including regular search engines and benign projects like the Internet Archive. This should not be used without an allowlist for known trusted crawlers at least.

    • Treczoks@lemmy.worldEnglish
      34·
      23 hours ago

      Just put the trap in a space roped off by robots.txt - any crawler that ventures there deserves being roasted.

    • DreamlandLividity@lemmy.worldEnglish
      21·
      22 hours ago

      More accurately, it traps any web crawler

      More accurately, it does not trap any competent crawlers, which have per domain limits on how many pages they crawl.

      • Echo Dot@feddit.ukEnglish
        5·
        16 hours ago

        You would still want to tell the crawlers that obey robots.txt do not pay attention to that part of the website. Otherwise it’s just going to break your SEO

  • renzev@lemmy.worldEnglish
    34·
    1 day ago

    This reminds me of that one time a guy figured out how to make “gzip bombs” that bricked automated vuln scanners.

    • GreenKnight23@lemmy.worldEnglish
      33·
      1 day ago

      I had a scanner that was relentless smashing a server at work and configured one of those.

      evidently it was one of our customers. it filled their storage up and increased their storage costs by like 500%.

      they complained that we purposefully sabotaged their scans. when I told them I spent two weeks tracking down and confirmed their scan were causing performance issues on our infrastructure I had every right to protect the experience of all our users.

      I also reminded them they were effectively DDOSing our services which I could file a request to investigate with cyber crimes division of the FBI.

      they shut up, paid their bill, and didn’t renew their measly $2k mrr account with us when their contract ended.

      bitch ass small companies are always the biggest pita.

          • Filetternavn@lemmy.blahaj.zoneEnglish
            10·
            18 hours ago

            I believe the commenter was implying that DoS would be a more accurate description, since it does not seem as if the “attack” was distributed, but it is a nitpick nonetheless. We don’t have the context to understand if multiple servers were involved that distributed the load

  • FaceDeer@fedia.io
    481·
    1 day ago

    This sort of thing has been a strategy for dealing with unwanted web crawlers since web crawlers were a thing. It’s an arms race, though; crawlers do things to detect these “mazes” and so the maze-makers keep needing to up their game as well.

    As we enter an age where AI is effectively passing the Turing Test, it’s going to be tricky making traps for them that don’t also ensnare the actual humans you’re trying to serve pages to.

    • doylio@lemmy.caEnglish
      57·
      1 day ago

      Picking words at random from a dictionary would not be very compute intensive, the content doesn’t need to be sensical

      • BrianTheeBiscuiteer@lemmy.worldEnglish
        12·
        1 day ago

        Yes, the scraper is going to mindlessly gobble up information. At best they’d expend more resources later to try and determine the value of the content but how do you do that really? Mostly I think they’re hoping the good will outweigh the bad.

        • tempest@lemmy.caEnglish
          5·
          1 day ago

          It honestly depends. There are random drive by scrapers that will just do what they can, usually within a specific budget for a domain and move on. If you have something specific though that someone wants you end up in an arms race pretty quickly as they will pay attention and tune their crawler daily.

      • Jack@slrpnk.netEnglish
        2·
        1 day ago

        I was thinking exactly that, generating something like lorem ipsum to cost both time, compute and storage for the crawler.

        It will be more complex and require more resources tho.

    • meyotch@slrpnk.netEnglish
      191·
      1 day ago

      I would think yes. The compute needed to make a hyperlink maze is low, compared to the AI processing of the random content, which costs nearly nothing to make, but still costs the same to process as genuine content.

      Am I missing something?

      • RaoulDook@lemmy.worldEnglish
        9·
        1 day ago

        I’m wondering about the cost to the server’s resources / bandwidth to serve up unlimited random junk also.

        But kudos to the developer for making this anyway

        • Cocodapuf@lemmy.worldEnglish
          2·
          17 hours ago

          This is my concern exactly.

          This seems like a neat prank, but a potentially expensive one. Heck, if it works right you could end up with several bots stuck in your maze, perhaps dozens of hundreds. At that point bandwidth becomes my concern.

  • count_dongulus@lemmy.worldEnglish
    422·
    1 day ago

    This won’t work against commercial crawlers. They check page contents with something similar to a simhash and don’t recrawl these pages. They also have limiters like for depth to avoid getting stuck in circular links.

    You could generate random content for each new page, but you’ll still eventually hit the depth limit. There are probably other rules related to content quality to limit crawling too.

    • meyotch@slrpnk.netEnglish
      381·
      1 day ago

      True, this is an arms race situation after all. The real benefit of this is creating garbage training data that makes garbage models. So it’s not just increasing the cost of crawling, it increases the cost of stealing everybody’s shit because you need extra data quality checks. Poisoning the well.

        • Thrashy@lemmy.worldEnglish
          12·
          1 day ago

          Say it with me now: model collapse! I think this approach is especially insidious in that rather than dumping obvious nonsense into the training corpus that can then be scrubbed, it pushes the downstream LLM invisibly towards spontaneously imploding.

        • meyotch@slrpnk.netEnglish
          2·
          1 day ago

          Exactly! That’s ideal because LLM or simple pattern matching can’t be used to easily winnow out random strings. If it’s sensible language but the usual LLM hallucinations, then you need humans to curate your data. Fuck you, Sam Altman.

  • tal@lemmy.todayEnglish
    171·
    1 day ago

    I suspect that there are many websites that already dynamically generate an unbounded number of pages based on the links one clicks, and that Web spiders will have needed to deal with those for as long as there have been people spidering the Web, which is going to be no later than the first Web search engines.

    I’d guess that if nothing else, they cap how far they spider a site. Probably a lot more sophisticated, use heuristics to figure out which sites are more worth spending indexing resources on, as it’s not just whether to spider but also the frequency with which to do so. Some parts of a site are more “valuable” than others – for a search engine, a more desirable target for users clicking on results – and some will update more frequently and are more-useful to re-spider at higher frequency. Google will return current news articles, yet still indexes a large portion of the content out there. They won’t be doing that by simply sending GoogleBot at everything that they’ve indexed at a fixed frequency.

  • wise_pancake@lemmy.caEnglish
    111·
    1 day ago

    This genus named genius game is sending pain to these previous devious data devourors

  • Nougat@fedia.io
    101·
    1 day ago

    The modern equivalent of making a page that loads in two frames, left and right, which each load in two frames, top and bottom, which each load in two frames, left and right …

    As I recall, this was five lines of HTML.

    • palordrolap@fedia.io
      2·
      1 day ago

      I remember making one of those.

      It had a faux URL bar at the top of both the left and right frame and used a little JavaScript to turn each side into its own functioning browser window. This was long before browser tabs were a mainstream thing. At the time, relatively small 4:3 or 5:4 ratio monitors were the norm, and I couldn’t bear the skinny page rendering at each side, so I gave it up as a failed experiment.

      And yes I did open it inside itself. The loaded pages were even more ridiculously skinny.

      • Nougat@fedia.io
        21·
        1 day ago

        When I did my five lines, recursively opening frames inside frames ad infinitum, it would crash browsers of the time in a matter of twenty seconds.