Security
Foreword
In December 2025, when I realized that once again, my small server hosting this Forge was literally assaulted by AI bot gangs, I was so fed up I decided to take every possible action to quickly stop the situation. Observing that the main cause of the assault was linked to the repo hosting the sources of Forgejo from which I make GitAec, I decided to shut down the repo and move it to Codeberg. In this page, my aim is to document the situation and centralize some technical information.
The Waves
My very first issue with security started in April 2024, when someone or something named 'O' decided to fill my Forge with gigabytes of garbage data. I was still accepting registrations at the time, and with this first episode, I changed my mind and decided to close registration. I'll never know what was in that garbage data, and how serious this first "incident" was, but this was just the first wave of a coming storm. Then a few months later, things got a bit tougher...
Friends & Enemies
2024, notes from the logbook.
🚨 June 28th: gitaec.org is currently offline due to a DDoS attack on its git services. We will be back online as soon as possible. In the meantime, you can browse examples on gitaec.com.
July 1st: The incident is now closed.
✏️ Postmortem report: Starting at the end of June 2024, we began noticing that our forges were slow to respond. We then checked our servers and discovered that they were at full CPU capacity, permanently. This was caused by some computationally intensive requests involving git commands such as git blame. We had to shut down our services for a couple of days to find a solution. Our web server logs showed up to 350,000 requests a day targeting git repositories from hundreds of different IPs. But despite this apparent diversity, a single user agent was involved: facebookexternalhit. After some quick research, we found out that we were victims of a DDoS attack involving a malicious use of the Facebook API. By adding a simple user agent test in front of our server proxy (Nginx), we were able to reject these malicious requests. This seems to have "solved" the issue for now.
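The log pattern described in the postmortem (many source IPs, one user agent, mostly expensive git pages) can be checked mechanically. The following is an added example, not code from this Forge: the log lines are constructed, and the list of expensive URL segments and the thresholds are assumptions to tune against your own traffic.

```python
import re
from collections import defaultdict

# Nginx "combined" log format: ip - user [time] "request" status bytes "referer" "user-agent"
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)
# URL segments assumed to trigger costly git work on a forge (assumption, adjust as needed).
EXPENSIVE_RE = re.compile(r"/(blame|commits?|compare|archive|raw)/")

# Constructed sample lines using documentation-only IP ranges.
SAMPLE_LOG = """\
192.0.2.10 - - [28/Jun/2024:10:00:01 +0000] "GET /alice/demo/blame/branch/main/a.c HTTP/1.1" 200 5120 "-" "facebookexternalhit/1.1"
198.51.100.7 - - [28/Jun/2024:10:00:01 +0000] "GET /alice/demo/blame/branch/main/b.c HTTP/1.1" 200 4096 "-" "facebookexternalhit/1.1"
203.0.113.5 - - [28/Jun/2024:10:00:02 +0000] "GET /alice/demo/commits/branch/main HTTP/1.1" 200 9000 "-" "facebookexternalhit/1.1"
192.0.2.44 - - [28/Jun/2024:10:00:02 +0000] "GET /alice/demo/blame/branch/main/c.c HTTP/1.1" 200 4000 "-" "facebookexternalhit/1.1"
198.51.100.99 - - [28/Jun/2024:10:00:03 +0000] "GET /alice/demo HTTP/1.1" 200 3000 "-" "Mozilla/5.0 (X11; Linux x86_64)"
203.0.113.80 - - [28/Jun/2024:10:00:04 +0000] "GET /alice/demo/raw/branch/main/a.c HTTP/1.1" 200 100 "-" "curl/8.5.0"
""".splitlines()

def summarize(lines):
    """Group requests by user agent: total hits, distinct IPs, hits on expensive paths."""
    stats = defaultdict(lambda: {"hits": 0, "ips": set(), "expensive": 0})
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip malformed lines instead of guessing their fields
        s = stats[m["ua"]]
        s["hits"] += 1
        s["ips"].add(m["ip"])
        if EXPENSIVE_RE.search(m["path"]):
            s["expensive"] += 1
    return stats

def suspicious_agents(lines, min_share=0.5, min_ips=3):
    """Agents that dominate traffic, come from many IPs, and mostly hit expensive paths."""
    stats = summarize(lines)
    total = sum(s["hits"] for s in stats.values())
    flagged = []
    for ua, s in stats.items():
        if (s["hits"] / total >= min_share and len(s["ips"]) >= min_ips
                and s["expensive"] / s["hits"] >= 0.5):
            flagged.append((ua, s["hits"], len(s["ips"])))
    return sorted(flagged, key=lambda t: -t[1])

if __name__ == "__main__":
    print(suspicious_agents(SAMPLE_LOG))
```

An agent flagged this way is a candidate for the kind of user agent test in the proxy that the report describes.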
The Weight Of Souls
In 2025, from Forgejo to Linux and Wikipedia — even HackerNews — literally everyone is impacted by the misbehavior of these AI gangs. In January 2025, the release of Anubis brought some relief, but unfortunately, it appeared that it's just not enough...
A Fox At The Rescue
Less is More
A Deadly Poison
- December 2025. While wandering in some remote code glacier, I found that Codeberg had started using the deadliest poison known to AI, a dark elixir concocted by a few mad scientists.