narugo1992 posted an update 27 days ago
Org Rate Limits = Free DDoS Invitation? 🤡
One serious question: Is there any way to actually ban clowns abusing this system?
Right now all it takes is one bored script kiddie with a grudge (or too much caffeine) to lawnmower an entire org's API endpoints into the stone age. They get to bathe in 429s while we're sitting here like 🤡 "Gee I wonder whose IP is carpet-bombing us today!"
The kicker? Zero accountability. Zero fingerprints. Just vibes™ and chaos. It’s basically a public invitation to hold entire communities hostage while wearing pajamas.
"Come for the open-source collaboration, stay for the unhinged DDoS piñata party!" 🎉
Fix when?

Online, the attackers always have the upper hand, you know...

The Internet (the open Web) once hosted various information resources, but they either failed to monetize or simply became dysfunctional due to trolling scripts and gradually disappeared. Generally, systems vulnerable to trolling disappeared first.

Today, only a small portion of the open web remains, alongside the vast deep web and personal communications... The functional web now exists almost exclusively under the umbrella of large corporations, with everything else being minimal. Trends play a role, but I believe the harsh reality outside that sphere is the biggest factor.

The only things I've seen that actually work against online trolls are legal action (or the threat of it) and physical pressure.

Compared to those, Cloudflare Turnstile, reCAPTCHA, SMS authentication, and such are somewhat less so, but still effective—though they cost money. But trolls need money to counter them too.

Otherwise, the victim site just has to divert resources away from existing users, which is usually the troll's tactical goal.
And if the site doesn't explain anything to its users, they'll feel like, “Hey, we're being bullied for no reason.” That's also a troll's tactical goal.

Accountability is important, right... At least we can avoid the mental divisions caused by misunderstandings and miscommunication.

Let's be real: If someone's hammering our repos with legit downloads, we'll happily absorb the hit—that's the open-source tax.

But here's the spicy meatball: This clown isn't downloading squat. Their script exclusively blasts hub APIs while avoiding resolve APIs like a vampire dodging garlic bread. Translation: zero actual data transfer, maximum resource sabotage.

Even if we charitably assume it's some botched script stuck in a retry hellscape (we've all been there), we're talking 1000+ calls in 2 minutes flat.

Bottom line for @huggingface:

  • For internal screwups (e.g. DeepGHS, which has hundreds of members): Let us trace which member's Franken-script nuked the API quota so we can talk to him.
  • For external attackers: Give us IPs/accounts to ban—or at least let us throttle anonymous traffic before they turn our community hub into their personal stress ball.

Open-source shouldn’t mean "open season for API carpet-bombing." 🔥
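The traffic pattern described in this thread (a burst of 1000+ hub API calls in two minutes with no resolve/download traffic), as an added defender-side example that is not code from the post's author or from Hugging Face: a sliding-window count over constructed request-log lines that attributes bursts to a per-member actor and separates hub API calls from resolve calls. The log format, actor names and repository paths are assumptions made up for the example.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log (not real Hugging Face logs): one member doing genuine
# downloads, and one runaway script hammering metadata endpoints only.
def build_sample_log():
    base = datetime(2025, 1, 1, 12, 0, 0)
    lines = []
    for i in range(30):  # member_a: 30 real file downloads over 10 minutes
        ts = base + timedelta(seconds=20 * i)
        lines.append(f"{ts.isoformat()}Z member_a GET /deepghs/example/resolve/main/model.safetensors 200")
    for i in range(1200):  # member_b: 1,200 /api/ calls in under two minutes
        ts = base + timedelta(milliseconds=90 * i)
        lines.append(f"{ts.isoformat()}Z member_b GET /api/models/deepghs/example 429")
    return lines

def parse_line(line):
    ts, actor, method, path, status = line.split()
    return {"ts": datetime.fromisoformat(ts.rstrip("Z")), "actor": actor,
            "method": method, "path": path, "status": int(status)}

def classify(path):
    # Hub API calls transfer no repository data; resolve calls are actual downloads.
    if path.startswith("/api/"):
        return "api"
    if "/resolve/" in path:
        return "resolve"
    return "other"

def analyze(lines, window=timedelta(minutes=2), threshold=1000):
    per_actor = defaultdict(list)
    for rec in map(parse_line, lines):
        per_actor[rec["actor"]].append(rec)
    report = {}
    for actor, recs in per_actor.items():
        recs.sort(key=lambda r: r["ts"])
        recent, peak, counts = deque(), 0, defaultdict(int)
        for rec in recs:
            counts[classify(rec["path"])] += 1
            recent.append(rec["ts"])
            while rec["ts"] - recent[0] > window:  # drop events outside the window
                recent.popleft()
            peak = max(peak, len(recent))
        # Flag: burst over threshold in any window AND zero real downloads.
        report[actor] = {"peak_in_window": peak, "api": counts["api"],
                         "resolve": counts["resolve"],
                         "flagged": peak >= threshold and counts["resolve"] == 0}
    return report
```

Run `analyze(build_sample_log())` to get a per-actor report; only member_b is flagged, which is the attribution the post asks for when an org has hundreds of members sharing one quota.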