wishdo.io

How we handled a coordinated scraper botnet and moved to wishdo.io

Building and scaling a platform transparently is a great way to engage the community, but it also exposes your infrastructure to targeted attacks. Recently, our team at wishdo.io (formerly cadou.me) went through a 5-stage negative SEO and scraping campaign that forced us to overhaul our security and migrate our entire domain.

Here is the technical breakdown of the attack and our mitigation strategy.

The attack vectors

1. Malicious 301 redirect injection
The campaign started with a domain-level attack. An external site, admngrsgames.com, pointed a permanent (301) redirect at our root domain. That referring domain was saturated with thousands of low-quality, toxic backlinks, so the redirect passed them on to us. The intent was to poison our link profile and trigger a manual action from Google.

2. Distributed scraping via Tencent AS139341
Our monitoring picked up a massive scraping operation. We identified over 1,400 unique IPs originating from Tencent/Aceville infrastructure.

  • Behavior: Systematic traversal of 247 categories across 27 languages.
  • Fingerprinting: Spoofed Chrome User-Agent headers claiming 20+ different versions, and complete disregard for robots.txt (including disallowed paths such as /livewire-).
  • Rate: Roughly 1 request per IP every 3 hours, low enough to stay under simple per-IP threshold rate limiting; the volume came from the number of IPs, not from any single one.

3. Traffic fraud and referrer pollution
Attackers used fake Referer: https://admngrsgames.com/ headers to flood our analytics. Technical analysis revealed affiliate parameters (psystem=pw, traffictarget=reseller) used to monetize the scraped traffic through a secondary network of "doorway" sites under the ".games" brand.
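To make the fingerprint above concrete, here is an added Python example (not code from the wishdo.io team) that aggregates access-log lines by ASN rather than by IP and flags the low-and-slow pattern described in sections 2 and 3: many source IPs with a request or two each, a spread of claimed Chrome versions, hits to robots.txt-disallowed paths, and the fake referer. The prefix-to-ASN table, the thresholds and the sample log lines are constructed assumptions; only the three Tencent ranges, the ASN, the /livewire- path and the referer value come from the post.

```python
import re
import ipaddress
from collections import defaultdict

# Constructed prefix-to-ASN table: the Tencent ranges are the ones in the post's Cloudflare
# rule, and mapping them to AS139341 is assumed; real code would query an IP-to-ASN database.
ASN_TABLE = {ipaddress.ip_network(p): 139341 for p in ("43.128.0.0/11", "43.160.0.0/11", "101.32.0.0/14")}
ASN_TABLE[ipaddress.ip_network("203.0.113.0/24")] = 64496  # benign placeholder ASN
DISALLOWED = ("/livewire-",)  # path prefixes robots.txt told crawlers to skip
FAKE_REFERER = "https://admngrsgames.com/"
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "\S+ (\S+) [^"]*" \d+ \d+ "([^"]*)" "([^"]*)"')

def asn_of(ip):
    addr = ipaddress.ip_address(ip)
    return next((asn for net, asn in ASN_TABLE.items() if addr in net), None)

def profile_asns(lines):
    """Aggregate combined-format access-log lines per ASN instead of per IP."""
    stats = defaultdict(lambda: {"ips": defaultdict(int), "chrome": set(), "disallowed": 0, "fake_ref": 0})
    for line in lines:
        m = LOG_RE.match(line)
        asn = asn_of(m.group(1)) if m else None
        if asn is None:
            continue  # unparsable line, or source IP not in the table
        ip, path, referer, ua = m.groups()
        s = stats[asn]
        s["ips"][ip] += 1
        if (v := re.search(r"Chrome/(\d+)", ua)):
            s["chrome"].add(v.group(1))  # distinct claimed Chrome major versions
        s["disallowed"] += int(path.startswith(DISALLOWED))
        s["fake_ref"] += int(referer == FAKE_REFERER)
    return stats

def flag_distributed_scrapers(lines, min_ips=20, max_per_ip=2):
    """Flag ASNs that look like a low-rate botnet: many source IPs sending a request or two
    each, plus at least one fingerprint signal. Thresholds are tunable per site."""
    flagged = {}
    for asn, s in profile_asns(lines).items():
        ips, per_ip = len(s["ips"]), max(s["ips"].values())
        signals = (s["disallowed"] > 0) + (len(s["chrome"]) >= 5) + (s["fake_ref"] > 0)
        if ips >= min_ips and per_ip <= max_per_ip and signals:
            flagged[asn] = {"unique_ips": ips, "max_requests_per_ip": per_ip, "chrome_versions": len(s["chrome"]),
                            "disallowed_hits": s["disallowed"], "fake_referers": s["fake_ref"]}
    return flagged

# Constructed sample: 30 Tencent-range IPs with one hit each, then one benign visitor with 3 hits.
LINE = '{ip} - - [10/Jan/2025:00:00:00 +0000] "GET {path} HTTP/1.1" 200 512 "{ref}" "Mozilla/5.0 Chrome/{ver}.0.0.0"'
SAMPLE_LOG = [LINE.format(ip=f"43.128.{i}.7", path="/livewire-update" if i % 5 == 0 else f"/categories/fr/{i}",
                          ref=FAKE_REFERER if i % 3 == 0 else "-", ver=100 + i % 20) for i in range(30)]
SAMPLE_LOG += [LINE.format(ip="203.0.113.5", path="/", ref="-", ver=120)] * 3
```

Calling flag_distributed_scrapers(SAMPLE_LOG) reports only AS139341, because the benign visitor is a single IP with repeated hits, which is the opposite shape from the botnet.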

The technical response

We implemented a multi-layered defense to regain control of our infrastructure.

Cloudflare custom rules

Instead of blocking individual IPs, we used Cloudflare’s expression engine to block entire ASNs and specific bot patterns.

(ip.src in {43.128.0.0/11 43.160.0.0/11 101.32.0.0/14 ...} or http.request.uri.path contains "lazy-") and not cf.client.bot

This allowed us to drop malicious traffic at the edge before it ever reached our origin, significantly reducing server load. The trailing "and not cf.client.bot" exempts crawlers Cloudflare recognises as known good bots, so the block does not interfere with legitimate search-engine indexing.

Infrastructure reports

We filed forensic evidence with abuse departments:

  • GoDaddy: Reported the redirecting domain.
  • Tencent/Aceville: Provided logs of coordinated scraping from AS139341.
  • Cloudflare: Reported the downstream ".games" network using their CDN for content redistribution.

The decision to migrate

While the technical defense was successful, the SEO impact on the original domain was significant. We decided to migrate to wishdo.io for three reasons:

  1. Clean link profile: Moving to a new domain allowed us to shed the toxic backlinks inherited from the 301 redirect.
  2. Global TLD: The .io extension better fits our roadmap for AI-driven features on a global scale.
  3. Zero-trust architecture: We used the migration as an opportunity to implement stricter rate limiting and signature-based request validation from day one.

Takeaways for developers

  • Monitor raw logs: Tools like GA4 won't show you the technical nature of a scraper botnet. You need raw access logs and ASN-level data.
  • Leverage edge computing: Blocking at the application level (Nginx/PHP) is too late during a high-volume attack. Move your firewall rules to the edge (Cloudflare/Fastly).
  • Don't fear the migration: If your domain is strategically compromised by negative SEO, a clean move can be faster than waiting for search engines to recalibrate.

We are now fully operational at wishdo.io. The attack was a massive stress test, but it ultimately led us to build a more resilient, scalable infrastructure.

Have you faced similar coordinated attacks? Let's discuss mitigation strategies in the comments.
