I'm also operating a phpBB forum and face the exact same types of problems with UserAgent-less bots scanning thousand of pages, comming from multiple IPs.Given the existence of bots that don't advertise themselves in User-agent strings (and so can't be registered as bot accounts), and that also treat all GET parameters as unique addresses, I hope that we can add the sid removal discussed in this thread as a supported feature.
The per IPs defense is relentless and the risk of false positive by blocking legitimate user is high.
The User-Agent based won't work as all bots do not identify themself
And we shouldn't need an external service like CloudFlare to operate a forum.
I've tried the hacks for removing the sid= parameter so that bots won't try to download hundreds of time the same page and slowly (a few days) the trafic started to reduce by itself.
Of course, this hack will not survive a phpBB update, the Bot category approach isn't enough to deal with such threats, a config switch in the ADM could be a nice to have addition to disable altogether this relic of a cookie-less session that newage bots don't understand.
Statistics: Posted by sly — Tue May 13, 2025 7:28 am