Arctos security and ongoing bot attacks

5 views

Skip to first unread message

Michelle S. Koo

unread,

Jun 10, 2026, 6:16:19 PM (12 days ago) Jun 10

to Arctos Working Group

Dear all, Yesterday Dusty informed me that Arctos was bearing under ~200K nuisance-to-malicious requests in bursts of high frequency attacks. He shared a few seconds of the access logs, and it's just all nonsense requests, thousands and thousands of times, which impacts Arctos whether they gain access or not. The main resource available to us is reactive blocking of tens of millions of IPs to ensure legitimate traffic can come in.

From Dusty: "and I've blocked a LOT of traffic, even from some US ISPs (but I've tried not to block anything that's ever had anyone authenticate from it). On the flip side, I don't think anything truly scary has gotten through, and Arctos seems to be weathering this fairly well, so maybe there's little to worry about - but the cost of being wrong could be catastrophic. "

Unfortunately the costs of this crude defense (besides lost staff time to deal with the bot swarms) is that we are certainly inadvertently blocking legitimate traffic from users. We can recommend VPN to users or try to target specific IPs to unblock but these are stopgap measures and recognize they are not great longterm solutions for users.

I do believe that so far our measures have allowed Arctos to stay functional despite these ongoing ai-bot driven traffic that, intentional or not, mimics Denial of Service attempts. We recognize that bringing back anonymous access to web pages is a priority but we still believe it is not yet "safe" to do so without putting all of Arctos in jeopardy.

We have applied to Cloudflare's Project Galileo program for additional technical tools and continue to pursue consultations with other security minded people but it is a moving target at best. Currently enterprise level AI tools to combat AI-bots (fighting fire with fire) costs are fairly high ($1000s per month) but may be our last if not best resort. I also am writing to regular Arctos users like you to keep you informed about the changing state of the internet, steps we've taken, how serious we take Arctos security, and why access remains behind a log in. I welcome any suggestions or resources to address this ongoing concern that impacts all of us, not just Arctos.

All the best, Michelle

More readings (or google: ai bot attacks and museums):

Forbes: Bots Now Outnumber Humans Online And The Internet Was Never Built For This
AI scraper bots are disrupting online collections, report finds

https://www.glamelab.org/products/are-ai-bots-knocking-cultural-heritage-offline/

Reply all

Reply to author

Forward

0 new messages