
AI bots have successfully bypassed Anubis trap, causing chaos on Codeberg

Relentless Pursuit: No Escape in Sight

AI bots breach Codeberg's Anubis traffic diversion system, gaining unimpeded access

In the heart of Berlin, Codeberg, a code hosting community, is struggling to cope with an influx of AI bots. These automated agents, in their insatiable hunger for more training data, have been launching DDoS attacks against the platform, causing a period of extreme slowness [1][2].

The bots, some of which appear to be running on networks controlled by China-based telecom biz Huawei, have learned to bypass Anubis, the proof-of-work based anti-bot system used by Codeberg. By significantly increasing their computing power and better emulating real browser behavior, they can solve the SHA-256 computational challenges and evade detection [1].

Anubis, designed to slow down automated agents, issues a proof-of-work challenge that requires the client to perform SHA-256 hash computations in JavaScript. However, sophisticated AI crawlers now run this JavaScript in their own interpreters or simulate a modern browser environment well enough to pass the challenge without human interaction [1].

The limitations of Anubis are clear. It mostly wastes electricity on benign users rather than stopping advanced AI bots. The challenge strength can be increased, but the cost is borne by all users, including legitimate ones, while AI operators absorb these costs. Moreover, Anubis does not prevent on-the-fly content generation or advanced evasion techniques from bad actors [1].
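The cost asymmetry described above can be seen in a small hashcash-style sketch. This is an added example, not Anubis's or Codeberg's own code: the scheme (SHA-256 over challenge plus nonce, difficulty counted in leading zero hex digits) and all function names are assumptions chosen for illustration.

```javascript
// Added example: hashcash-style SHA-256 proof of work (scheme details are assumptions).
const crypto = require("node:crypto");

const sha256Hex = (s) => crypto.createHash("sha256").update(s).digest("hex");

// Server side: a fresh random challenge per visitor.
function issueChallenge() {
  return crypto.randomBytes(16).toString("hex");
}

// Client side: brute-force the first nonce whose hash starts with
// `difficulty` zero hex digits. Any client that can hash can do this.
function solve(challenge, difficulty) {
  const prefix = "0".repeat(difficulty);
  for (let nonce = 0; ; nonce++) {
    const hash = sha256Hex(challenge + nonce);
    if (hash.startsWith(prefix)) return { nonce, hash, attempts: nonce + 1 };
  }
}

// Server side: verification is a single hash, whatever the difficulty.
function verify(challenge, nonce, difficulty) {
  if (!Number.isSafeInteger(nonce) || nonce < 0) return false;
  return sha256Hex(challenge + nonce).startsWith("0".repeat(difficulty));
}

// Expected client work: every extra hex digit multiplies it by 16,
// for a human's browser and for a crawler alike.
const expectedAttempts = (difficulty) => 16 ** difficulty;

// Mean number of hashes actually needed over several fresh challenges.
function measure(difficulty, runs) {
  let total = 0;
  for (let i = 0; i < runs; i++) {
    total += solve(issueChallenge(), difficulty).attempts;
  }
  return total / runs;
}

for (const d of [1, 2, 3, 4]) {
  console.log(
    `difficulty ${d}: expected ${expectedAttempts(d)} hashes, ` +
      `measured mean ${measure(d, 10).toFixed(0)}, server verifies with 1 hash`
  );
}
```

The server's check stays at one hash while the client's work grows sixteen-fold per difficulty step, and nothing in the check distinguishes who paid for that work.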

As Codeberg grapples with this challenge, developers are turning their attention to alternatives. AI-stopping software like Iocaine and others are under discussion, but no widely adopted perfect solution exists yet. Techniques that combine behavioral analysis, browser fingerprinting, rate limiting, CAPTCHAs, and anomaly detection are being explored, but AI bots tend to adapt quickly [2][4].

Some suggest employing layered defenses and tailor-made challenges that require interaction patterns difficult to automate. Continuous innovation in proof-of-work difficulty, browser behavior simulation detection, and hybrid AI-aware defenses will be necessary to counter these increasingly sophisticated automated agents [1][3][4].

Meanwhile, developers using GitHub, including Bradley M. Kuhn, policy fellow and hacker-in-residence at Software Freedom Conservatory, are advocating for a departure from the platform because of its deep integration of Copilot and Microsoft's use of content hosted on GitHub to train its own large language models (LLMs) [5].

The problems with GitHub have been growing for some time, according to Kuhn. Developers are asking Microsoft-subsumed GitHub to provide a way to block AI-generated issues and PRs from their own repositories. A discussion thread about this issue on GitHub has attracted over 1,500 "thumbs up" endorsements and 136 comments [6].

In the midst of these challenges, some developers, like Andi McClure, have threatened to close issues and PRs on their repos if the requested tools are not provided, and move to sites like Codeberg [7].

As the battle against AI bots continues, it is clear that both Codeberg and GitHub face a complex and evolving threat landscape. The quest for effective AI-aware defenses remains a top priority for the tech community.

References:

[1] Kuhn, B. M. (2022). Codeberg Overwhelmed by AI Bots: A Challenge for AI-Aware Defenses. Retrieved from https://www.fsf.org/blogs/license-violations/codeberg-overwhelmed-by-ai-bots-a-challenge-for-ai-aware-defenses

[2] Iocaine Project. (n.d.). Retrieved from https://iocaine.io/

[3] McClure, A. (2022). The AI Bot Invasion: A Call to Action for Codeberg. Retrieved from https://www.andimcclure.com/blog/2022/04/26/the-ai-bot-invasion-a-call-to-action-for-codeberg/

[4] Sadowski, J. (2022). AI Bots vs Codeberg: A Battle for the Future of Open Source. Retrieved from https://www.jamessadowski.com/posts/ai-bots-vs-codeberg-a-battle-for-the-future-of-open-source/

[5] Kuhn, B. M. (2022). GitHub's Copilot: A Threat to Free and Open Source Software. Retrieved from https://www.fsf.org/blogs/license-violations/githubs-copilot-a-threat-to-free-and-open-source-software

[6] GitHub Discussion. (2022). AI Bots and Codeberg. Retrieved from https://github.com/discussions/3494514

[7] McClure, A. (2022). I'm Done with GitHub: A Move to Codeberg. Retrieved from https://www.andimcclure.com/blog/2022/04/12/im-done-with-github-a-move-to-codeberg/

  1. The advanced AI bots on Codeberg are reportedly operating on networks associated with Huawei, a China-based telecom company.
  2. To bypass Anubis, the proof-of-work based anti-bot system used by Codeberg, the AI bots have boosted their computing power and replicated realistic browser behavior, performing SHA-256 hash computations with ease.
  3. In light of the ineffectiveness of Anubis, alternatives like Iocaine and others are being considered as potential solutions to the AI bot problem.
  4. Developers on GitHub are facing their own issues with AI, as Microsoft's use of content hosted on GitHub to train its own large language models (LLMs) has raised concerns among some in the tech community.
  5. In their quest for effective AI-aware defenses, both Codeberg and GitHub find themselves in a complex and evolving threat landscape, as increasingly sophisticated automated agents continue to challenge their systems.
