I'm sorry! I know it's a pain and we're trying hard to avoid it. But it has nothing to do with any individual user. How would we even know who's accessing HN unless they tell us?
This sort of automatic block clears itself in 3 days, and in the meantime anyone in this situation can unban their IP as described at https://news.ycombinator.com/newsfaq.html. (You have to do that from a different IP address, of course.)
People are, of course, also welcome to email hn@ycombinator.com to get this kind of thing fixed. It's easy to take care of in specific cases and we're happy to help anyone.
Edit: I just cleared all those IP blocks from any time before 24 hours ago, so hopefully that will help.
<https://toot.cat/@dredmorbius/111161109931108606>
I frequently browse HN unauthenticated, both from a tablet I'm desperately trying to keep from becoming a timesuck itself (somewhat unsuccessfully), and when doing quick checks and searches on HN (something I do a lot) from a private/incognito browser session.
It's also useful to verify issues, such as I had with a submission of mine yesterday which was itself autokilled based on the domain. I'd posted an archive of the original URL from a now-dead site, using the archived version which includes the comments (Internet Archive's Wayback Machine does not, for some reason): <https://news.ycombinator.com/item?id=37732186>
Dang quickly undid the kill, but I couldn't actually validate it myself given the botnet mitigations.
(And the post has done much better than I'd expected.)
I'd forgotten the self-service IP unbanning option, though putting that outside HN's protected IP space (or at least in a different one) might be helpful.
The worst part though is knowing that legitimate users will get caught as collateral damage.
> How would we even know who's accessing HN unless they tell us?
My browser sends a cookie telling HN it's me. More advanced tooling would let you allow-list aged accounts with > 1000 karma in, while blocking a different subset. Of course, once that becomes known, then the attacking botnet will just use aged accounts with > 1000, so it's a game of cat and mouse.
What this really speaks to though is that HN has now garnered the attention of a sufficiently motivated attacker that more advanced technology is required to block them. Fighting it yourself takes away from time spent on moderation, among other things. Maybe it's one attacker and they'll get bored after their attempts prove fruitless, but maybe they won't. Either way, this is why Cloudflare's bot shield and others like it are so popular. A recaptcha in order to submit a comment wouldn't be the worst thing, though I'm sure there will be many loud shouty voices against it, but that's unfortunately the nature of running any popular site on the Internet these days.
Yes, that's what I mean: if people log in, then we know at least a bit about who's accessing the site. But the particular blocks I posted about above only apply to logged-out users. Logging in immunizes you from them immediately.
(Hector Martin, a.k.a. marcan, was also a target of the lawsuit)
[1] I don't like the shadow banning though