Free Software Foundation Faces Ongoing DDoS Attacks Amid Limited Resources

The Free Software Foundation (FSF) recently reported ongoing DDoS attacks targeting the organization’s IT resources. The FSF’s SysOps team comprises only two full-time technical staff members and a few volunteers.

The foundation noted that much of the team's work consists of running the software and physical servers that host websites and services for GNU, the FSF, and other free software projects, including virtual machines for the JShelter browser extension, desktop environments, the KDE software collection, and Sugar Labs, an organization that develops educational tools for children. In all, the FSF runs about 70 services on a dozen physical servers across two data centers in the Boston area.

Since August 2024, the foundation has faced DDoS attacks with increasing frequency. The defense the FSF's administrators most often fall back on is to identify the IP addresses the abusive requests are coming from and block them at the server so that their traffic is dropped.

One of the primary sources of this traffic has been web scrapers collecting training data for AI models, but not all of it: in August of last year, gnu.org was hit by an attack that appeared to be aimed simply at taking the site offline, and the attackers in that case were not scrapers.

The attacks have escalated over time. In January, the FSF's collaborative software development platform, GNU Savannah, came under attack from a powerful botnet controlling around five million IP addresses, and that attack is still ongoing. Its likely purpose is to harvest a training dataset for large language models.

Additionally, at the end of May, gnu.org and ftp.gnu.org became targets of a new DDoS attack aimed at taking these resources offline. The impact of this attack has currently been mitigated, but it went through several iterations, each causing hours of downtime.

Since June 18, directory.fsf.org, the server hosting the Free Software Directory, has been under yet another attack. This one is most likely a scraper built specifically for MediaWiki sites and operated from a botnet. It has so far been only partially neutralized.

The FSF has pointed out that the tooling it uses to identify botnet addresses sometimes flags the IP addresses of legitimate users, who then find themselves blocked as well. Those entries have since been removed from the DDoS blocklist and the blocking heuristics have been tightened. Users who still cannot reach gnu.org are asked to email sysadmin@fsf.org with their IP address so it can be unblocked; those connecting through a VPN may get around the problem by switching to a different exit node.
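The block-by-source-IP approach described above, together with the false-positive problem it creates, is easy to see in code. The following is an added example written for this page, not the FSF's own tooling: it parses combined-format access log lines, counts each client's peak request rate inside a sliding window, skips an allowlist (the operator's own monitoring range is an assumption here), emits the corresponding nftables commands, and shows how addresses reported by real users get pulled back out of the blocklist. The log traffic, addresses, user agents, threshold and window size are all constructed for the example.

```python
"""Per-IP request-rate triage over web server access logs (added example)."""
import re
import ipaddress
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Apache/nginx "combined" log format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"$'
)


def parse_line(line):
    """Return the fields of one combined-log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return rec


def max_requests_in_window(times, window_s):
    """Largest number of requests from one client inside any window_s-second span."""
    times = sorted(times)
    best, start = 0, 0
    for end, t in enumerate(times):
        while (t - times[start]).total_seconds() > window_s:
            start += 1
        best = max(best, end - start + 1)
    return best


def triage(log_text, threshold, window_s, allowlist):
    """Map each client IP whose peak rate exceeds the threshold to that peak."""
    allowed = [ipaddress.ip_network(n) for n in allowlist]
    per_ip = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec:
            per_ip[rec["ip"]].append(rec["ts"])
    flagged = {}
    for ip, times in per_ip.items():
        if any(ipaddress.ip_address(ip) in net for net in allowed):
            continue  # never block our own monitoring or known-good ranges
        peak = max_requests_in_window(times, window_s)
        if peak > threshold:
            flagged[ip] = peak
    return flagged


def nft_commands(ips, action="add"):
    """Commands for a pre-existing nftables set: nft add set inet filter blocklist { type ipv4_addr\\; }"""
    return [f"nft {action} element inet filter blocklist {{ {ip} }}" for ip in sorted(ips)]


def revise(flagged, reported_legit):
    """Drop addresses that real users reported as wrongly blocked; return the undo commands too."""
    keep = {ip: n for ip, n in flagged.items() if ip not in reported_legit}
    undo = nft_commands(set(flagged) & set(reported_legit), action="delete")
    return keep, undo


def make_log(events):
    """Format constructed (ip, second offset, path, user agent) tuples as log lines."""
    base = datetime(2025, 6, 18, 10, 0, 0, tzinfo=timezone.utc)
    lines = []
    for ip, sec, path, ua in events:
        ts = (base + timedelta(seconds=sec)).strftime("%d/%b/%Y:%H:%M:%S %z")
        lines.append(f'{ip} - - [{ts}] "GET {path} HTTP/1.1" 200 4096 "-" "{ua}"')
    return "\n".join(lines)


# Constructed sample traffic: a scraper, a normal visitor, our monitor, and a bursty VPN exit.
BROWSER_UA = "Mozilla/5.0 (X11; Linux x86_64) Firefox/128.0"
EVENTS = (
    [("198.51.100.7", s, f"/wiki/Special:Random?r={s}", "ExampleBot/1.0") for s in range(12)]
    + [("203.0.113.10", s, "/wiki/Main_Page", BROWSER_UA) for s in (0, 15, 40)]
    + [("192.0.2.5", s, "/wiki/Main_Page", "monitoring/1.0") for s in range(20)]
    + [("203.0.113.200", s, "/wiki/Category:Games", BROWSER_UA) for s in range(8)]
)
SAMPLE_LOG = make_log(EVENTS)
ALLOWLIST = ["192.0.2.0/24"]  # assumed: the operator's own monitoring range

if __name__ == "__main__":
    flagged = triage(SAMPLE_LOG, threshold=6, window_s=10, allowlist=ALLOWLIST)
    print("\n".join(nft_commands(flagged)))
    # A user behind 203.0.113.200 writes in, so that address comes back out.
    kept, undo = revise(flagged, {"203.0.113.200"})
    print("\n".join(undo))
```

Note that the VPN exit node is flagged for exactly the reason the FSF describes: a rate threshold cannot tell a shared exit carrying many real users from a single scraper, which is why a manual unblock path and the advice to switch exit nodes are both needed.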

Some web operators have started deploying the Anubis program to cut down the number of requests from automated clients. The foundation objects that Anubis makes a website serve a JavaScript program which, although released as free software, behaves like malware: it runs pointless computations with random numbers on the visitor's machine and pegs one processor core while doing so. The FSF does not endorse this approach, which it considers at odds with the principles of software freedom, and notes that the Anubis script works much like the scripts used for browser-based cryptocurrency mining.
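The "pointless computation" the FSF describes is a hash-based proof of work: the server hands the browser a random challenge, the browser must find a nonce whose hash with that challenge starts with a given number of zero bits, and the server checks the answer with a single hash. The following is an added example of that mechanism, not Anubis's code, written to show why the cost lands entirely on the visitor's CPU; the challenge bytes and difficulty values are constructed for illustration.

```python
"""Hash-based proof of work of the kind Anubis-style bot filters use (added example)."""
import hashlib
import os


def leading_zero_bits(digest: bytes) -> int:
    """Count the zero bits at the start of a digest."""
    bits = 0
    for byte in digest:
        if byte == 0:
            bits += 8
            continue
        bits += 8 - byte.bit_length()
        break
    return bits


def verify(challenge: bytes, nonce: int, difficulty: int) -> bool:
    """Server side: one SHA-256 regardless of difficulty."""
    digest = hashlib.sha256(challenge + nonce.to_bytes(8, "big")).digest()
    return leading_zero_bits(digest) >= difficulty


def solve(challenge: bytes, difficulty: int) -> tuple[int, int]:
    """Client side, i.e. what the served script does. Returns (nonce, hashes tried).

    Expected work is about 2**difficulty hashes; each extra bit doubles the
    cost, and nothing useful comes out of it beyond proof that CPU time was burned.
    """
    nonce = 0
    while not verify(challenge, nonce, difficulty):
        nonce += 1
    return nonce, nonce + 1


def new_challenge() -> bytes:
    """Fresh random challenge so solutions cannot be reused across visits."""
    return os.urandom(16)


if __name__ == "__main__":
    chal = new_challenge()
    for bits in (8, 12, 16):
        nonce, tries = solve(chal, bits)
        print(f"difficulty {bits:2d}: nonce {nonce} found after {tries} hashes, "
              f"verify={verify(chal, nonce, bits)}")
```

The asymmetry is the whole point of the design: raising the difficulty by one bit doubles the visitor's work while the server's check stays at one hash, which is also why a real browser on modest hardware can be stuck spinning a core for seconds while a well-resourced scraper simply pays the cost.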

“We have been defending our websites from intense attacks for almost a year and will continue our efforts until they cease. Our full-time technical staff at FSF consists of only two system administrators, and we currently lack the funds to hire additional personnel. While many readers support the free software movement in various ways, which we deeply appreciate, we need more associate members to improve our staffing situation,” the foundation concluded.

Meanwhile, Reddit has restricted AI bots and web scrapers from accessing its content, allowing indexing only through Google. That has in turn led to companies flooding the platform with AI-generated posts, and Reddit is now exploring several new approaches to the problem, including the World ID technology promoted by OpenAI's Sam Altman.