Is blocking all of the "Suspicious IPs" a sane idea? #5323

mbledkowski · 2025-10-13T13:16:21Z

mbledkowski
Oct 13, 2025

Hello,
I have noticed a lot of bot activity on my instance, which causes me, to get rate limited by almost all of the popular search engines.
From what I see, basically every block from ip limiter is made to suspicious IPs. It could be a survivorship bias, but I forked searxng, and made all of the limiter values lower (BURST_MAX and other *_MAX values), and still only suspicious ips are blocked, so I think this is unlikely.

What are the examples of genuine users, that could be marked as suspicious IPs? From what I can tell, suspicious IPs are those that do not load css, where I think even the paranoid users, block JS, but not CSS (see Tor Browser).

If I decide to block all of the suspicious IPs, would that still be in the spirit of the SearXNG project. The reason why I have not put my instance behind Cloudflare DDOS protection, is exactly because it is against the values of this project, and I would like for my instance to be with agreement with those.

Best regards,
Maciej Błędkowski

return42 · 2025-10-13T13:30:08Z

return42
Oct 13, 2025
Maintainer

Accept only the incoming requests from IPv4 .. the IP ranges in IPv6 are to big to effective detect suspicious ones ..

3 replies

mbledkowski Oct 13, 2025
Author

Good idea, at the same time a lot of spam requests are from ipv4 also

rywng Nov 6, 2025

I'm also considering a similar idea. This has happened to me from time to time. In the past it wasn't too bad, but now all of the popular search engines on my instance has been rate-limited.

I'm planning to integrate anubis with this, which act as a open source alternative of cloudflare's DDOS protection feature, is this accepted by the devs? @return42

return42 Nov 6, 2025
Maintainer

@rywng I can't speak for serxng-instances, but for your own use, you are free to do whatever you prefer. BTW: Anubis can be bypassed by setting HTTP header User-Agent without "Mozilla" in it: Challenge presentation -->

Anubis decides to present a challenge using this logic:

User-Agent contains "Mozilla"

Request path is not in /.well-known, /robots.txt, or /favicon.ico
Request path is not obviously an RSS feed (ends with .rss, .xml, or .atom)

This should ensure that git clients, RSS readers, and other low-harm clients can get through without issue, but high-risk clients such as browsers and AI scraper bots will get blocked.

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Is blocking all of the "Suspicious IPs" a sane idea? #5323

Uh oh!

{{title}}

Uh oh!

Uh oh!

{{editor}}'s edit

{{editor}}'s edit

Uh oh!

Replies: 1 comment 3 replies

Uh oh!

{{title}}

Uh oh!

Uh oh!

{{title}}

Uh oh!

Uh oh!

{{title}}

Uh oh!

Uh oh!

{{title}}

Uh oh!

Select a reply

Uh oh!

Is blocking all of the "Suspicious IPs" a sane idea? #5323

Uh oh!

Uh oh!

mbledkowski Oct 13, 2025

Replies: 1 comment · 3 replies

Uh oh!

return42 Oct 13, 2025 Maintainer

Uh oh!

mbledkowski Oct 13, 2025 Author

Uh oh!

rywng Nov 6, 2025

Uh oh!

return42 Nov 6, 2025 Maintainer

mbledkowski
Oct 13, 2025

Replies: 1 comment 3 replies

return42
Oct 13, 2025
Maintainer

mbledkowski Oct 13, 2025
Author

return42 Nov 6, 2025
Maintainer