Alibaba Cloud and AWS host the anonymous bot harvesting our site. Yours could be next.

Published: April 24, 2026 at 09:52 PM EDT
Source: Dev.to

Observation

We run an independent observatory that measures how bots and AI agents behave on the open web. Last week we caught something worth writing about.

TLS Fingerprint Details

A TLS fingerprint kept appearing across different IP addresses:

JA4 hash: t13d311100_e8f1e7e78f70_d41ae481755e

The first section of the hash (t13d311100) is human‑readable and indicates:

  • TLS 1.3
  • 31 cipher suites
  • 11 extensions
  • Empty ALPN field

Real browsers always advertise ALPN (e.g., Chrome and Firefox send h2). An empty ALPN in 2026 signals an HTTP library such as Go’s net/http or Python’s requests with custom TLS—not a browser. The client was pretending to be a browser.

User‑Agent Rotation

The same JA4 fingerprint cycled through 13 different browser identities, including:

  • Chrome 135 on Windows
  • Chrome 135 with Edge
  • Chrome 134 on macOS
  • Firefox 137
  • Safari 18.3 / 18.2
  • Chrome with AdGuard
  • Chrome 131, 130, 116
  • ChromeOS
  • …and a few others

Thirteen browsers, one TLS handshake. Real users don’t have that many browsers, nor do they share TLS fingerprints. This points to deliberate evasion: a static software stack rotating a list of common user‑agents.
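
The two signals described above (the readable JA4 prefix and one fingerprint carrying many user‑agents) can be checked mechanically against request logs. The sketch below is an added example, not code from the original post or from botconduct.org; the record layout, the `max_uas` threshold, the sample IPs, the shortened user‑agent strings and the second fingerprint are constructed assumptions.

```python
from collections import defaultdict

def parse_ja4_a(ja4):
    """Decode the readable first section of a JA4 string (e.g. t13d311100)."""
    a = ja4.split("_")[0]
    if len(a) != 10:
        raise ValueError(f"unexpected JA4_a section: {a!r}")
    return {
        "transport": {"t": "tcp", "q": "quic"}.get(a[0], a[0]),
        "tls_version": a[1:3],                          # "13" = TLS 1.3
        "sni_present": a[3] == "d",                     # "i" = no SNI
        "cipher_count": int(a[4:6]),
        "extension_count": int(a[6:8]),
        "alpn": None if a[8:10] == "00" else a[8:10],   # "00" = no ALPN offered
    }

def flag_rotators(records, max_uas=3):
    """records: (ja4, client_ip, user_agent) tuples from TLS-aware request logs.
    max_uas is an assumed threshold; tune it against your own traffic."""
    uas, ips = defaultdict(set), defaultdict(set)
    for ja4, ip, ua in records:
        uas[ja4].add(ua)
        ips[ja4].add(ip)
    flagged = {}
    for ja4, seen in uas.items():
        reasons = []
        claims_browser = any(u.startswith("Mozilla/") for u in seen)
        if claims_browser and parse_ja4_a(ja4)["alpn"] is None:
            reasons.append("browser user-agent without ALPN")
        if len(seen) > max_uas:
            reasons.append(f"{len(seen)} user-agents on one fingerprint")
        if reasons:
            flagged[ja4] = {"reasons": reasons, "distinct_ips": len(ips[ja4])}
    return flagged

# Constructed sample records: documentation IPs and shortened user-agent strings.
BOT_JA4 = "t13d311100_e8f1e7e78f70_d41ae481755e"        # fingerprint from the article
BROWSER_JA4 = "t13d1516h2_000000000000_000000000000"    # placeholder hashes
SAMPLE = [
    (BOT_JA4, "192.0.2.10", "Mozilla/5.0 (Windows NT 10.0) Chrome/135.0"),
    (BOT_JA4, "192.0.2.11", "Mozilla/5.0 (Macintosh) Chrome/134.0"),
    (BOT_JA4, "192.0.2.12", "Mozilla/5.0 (Windows NT 10.0) Firefox/137.0"),
    (BOT_JA4, "198.51.100.7", "Mozilla/5.0 (Macintosh) Safari/18.3"),
    (BROWSER_JA4, "203.0.113.5", "Mozilla/5.0 (Windows NT 10.0) Chrome/135.0"),
    (BROWSER_JA4, "203.0.113.5", "Mozilla/5.0 (Windows NT 10.0) Chrome/135.0"),
]

if __name__ == "__main__":
    for ja4, info in flag_rotators(SAMPLE).items():
        print(ja4, parse_ja4_a(ja4), info)
```

Grouping by fingerprint rather than by IP or user‑agent is what lets the rotation show up at all, since both of those change from request to request.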

IP Attribution

Running the IPs through ARIN revealed:

  • 47.74.0.0 to 47.87.255.255 – allocated to Alibaba Cloud LLC (AL‑3). All 107 connections from the fingerprint originated from rented infrastructure within this range.
  • One additional hit came from 3.91.x.x, belonging to Amazon Web Services (us‑east‑1).

The same software appeared on both cloud providers, indicating a multi‑cloud deployment designed to be hard to take down and attribute.

Behavior on the Site

The bot’s activity matched content harvesting:

  • Accessed paths no organic visitor would reach.
  • Never requested robots.txt (0/107 connections).
  • Never identified itself as a bot in any user‑agent.
  • Sent a hard‑coded Referer header pointing to the home page on every request, regardless of the actual source.
  • Followed a malformed URL (failed to decode URL escapes correctly), a pattern typical of HTML parsers in scraping libraries rather than browsers.

Proof and Verification

All observations are independently verifiable:

  • TLS fingerprint – via the JA4 specification.
  • IP ranges – via ARIN records.
  • User‑agent rotation – captured in request logs.
  • Robots.txt omission – evident from request logs.
  • Multi‑cloud presence – confirmed by IP ownership data.

We provide a cryptographically signed observation chain for the request data.

Implications for Site Owners

  • Scale – If a small observatory detected this activity in a few days, the actual scale across the web is likely much larger.
  • Attribution – Multi‑cloud operators can rent infrastructure with a credit card, making traditional IP reputation and bot‑name filters ineffective.
  • Defensive tools – Standard analytics, CDNs, and WAFs may rate‑limit or block traffic but often cannot attribute it to this kind of anonymous, rotating bot.

Both Alibaba Cloud and AWS prohibit such activity in their Acceptable Use Policies, yet enforcement appears lacking.

Methodology and Further Information

The full methodology, registry, and cryptographically signed evidence chain are available at:

botconduct.org
