"Nepenthes generates random links that always point back to itself - the crawler downloads those new links. Nepenthes happily just returns more and more lists of links pointing back to itself."

A pseudonymous coder has created and released an open source “tar pit” to indefinitely trap AI training web crawlers in an infinitely, randomly-generating series of pages to waste their time and computing power. The program, called Nepenthes after the genus of carnivorous pitcher plants which trap and consume their prey, can be deployed by webpage owners to protect their own content from being scraped or can be deployed “offensively” as a honeypot trap to waste AI companies’ resources.

“It’s less like flypaper and more an infinite maze holding a minotaur, except the crawler is the minotaur that cannot get out. The typical web crawler doesn’t appear to have a lot of logic. It downloads a URL, and if it sees links to other URLs, it downloads those too. Nepenthes generates random links that always point back to itself - the crawler downloads those new links. Nepenthes happily just returns more and more lists of links pointing back to itself,” Aaron B, the creator of Nepenthes, told 404 Media.

  • @[email protected]English
    652 months ago

    More accurately, it traps any web crawler, including regular search engines and benign projects like the Internet Archive. This should not be used without an allowlist for known trusted crawlers at least.

    • @[email protected]English
      342 months ago

      Just put the trap in a space roped off by robots.txt - any crawler that ventures there deserves being roasted.

    • @[email protected]English
      212 months ago

      More accurately, it traps any web crawler

      More accurately, it does not trap any competent crawlers, which have per domain limits on how many pages they crawl.

      • Echo DotEnglish
        52 months ago

        You would still want to tell the crawlers that obey robots.txt do not pay attention to that part of the website. Otherwise it’s just going to break your SEO

          • JackbyDevEnglish
            42 months ago

            All of cyber security is an arms race of moving targets. It doesn’t need to be foolproof to mitigate traffic for a while.

          • Echo DotEnglish
            32 months ago

            But then they’re probably not going to obey robots.txt anyway so it doesn’t matter

            • @[email protected]English
              12 months ago

              Most legal robots do. Those who don’t - among them many AI feeders - deserve to be drowned in the shit that the honeypot delivers.