[1]: https://arstechnica.com/tech-policy/2025/11/fbi-subpoena-tri...
[2]: https://adguard-dns.io/en/blog/archive-today-adguard-dns-blo...
Jani justifies his doxing as follows "I found it curious that we know so little about this widely-used service, so I dug into it" [1]
Archive.today on the other hand is a charitable archival project offered to the public for free. The operator of Archive.today risks significant legal liability, but still offers this service for free.
[1]: https://gyrovague.com/2026/02/01/archive-today-is-directing-...
It's weird to see people getting fixated on the DDoS, which is obviously far less nasty than actually attempting to dox someone. The only credible reason for Jani to publish something like this is if he desires to cause physical harm to the operator of archive.today
Or are we just looking at an unhinged fan stalking their favorite online celebrity?
People were critical of the Banksy piece, but this is much nastier. At least Banksy is a huge business, archive.today does not even make money.
I would say the opposite... The DDoS is pretty obviously ridiculous, completely unacceptable, and entirely indefensible, while the blog post seems like whatever.
I honestly cannot fathom defending using your popular website as a tool to DDoS someone you have personal beef with, without the consent of the DDoSing participants.
Just the fact alone that they modified archived pages has completely ruined their credibility, and over what? A blog post about them that (a) wasn't even an attack, it is mostly praising archive.today, and (b) doesn't reveal any true identities or information that isn't already easily accessible.
From my perspective at least, archive.today seems like the unhinged one, not Patokallio.
[1] https://arstechnica.com/tech-policy/2026/02/wikipedia-bans-a...
[1] https://webapps.stackexchange.com/questions/145817/who-owns-...
I've always understood doxing to be PII, which aliases aren't, AFAIK, unless they're connected to a real person. And, to my knowledge, everyone is contending that the names in the blog post are all aliases. And, regarding aliases, I've never understood it to be doxing for someone to say "FakeNameX and FakeNameY appear to be the same user."
So, to me, the thing that makes it not look like doxing is that it simply doesn't meet the basic definition of doxing. It provides no PII.
"Dox" is short for "documents", and it originally referred to compiling a multi-page document of all known personal information, using disparate public sources: name, address, phone, email, employer, family members, family address/phone etc, etc, etc. It came from troll boards and was designed to make it easy to harass targets.
The term got significantly watered down when it got out to the broader internet.
https://gyrovague.com/2023/08/05/archive-today-on-the-trail-...
Even a half-assed attempt at doxing is still an attempt at doxing.
It'd be much easier to accept that you're acting in good faith had you deleted the post when it became obvious that the target doesn't appreciate it.
You could still do that, and it would very simply be the right thing to do.
The weird part to me is that some people are seemingly trying to downplay a popular website abusing visitors to DDoS someone.
How does your information (two angles) change anything at all about that fact? Normally if any website was caught abusing visitors to DDoS another website there would be no debate about why this is a bad thing. What about your other angles was supposed to matter in deciding if this was a bad thing for a website to do?
Two wrongs don’t make a right. Feeling wronged by someone doesn’t give you freedom to abuse every visitor to your website to DDoS someone else.
Why even do that, then? Why not just make a public post of theirs like: "Hey, here's someone trying to doxx me, and here's the unfair and fictitious bullshit the lying government is trying to pin on me. Here's all the facts, decide for yourselves."
Why do something as childish as DDoSing someone which takes away any basic good will and decency/respect you might have had in the eyes of many?
That way, it'd also be way more clear whether attempts at censorship are motivated by them acting as a bad actor, or some sort of repression and censorship thing.
I don't really have a horse in this race, but it sounds like lashing out to one own's detriment.
In this case, question is recursive. I have no idea who Jani Patokallio or gyrovague.com are, and the way Jason Drury shifts from “tried to dox” to “doxx’d” makes me wonder if this is astroturfing by Jani or Jason or a 3rd party. Who knows!
Hell I use it to circumvent paywalls.
Here is the DDoS context https://gyrovague.com
I wish I could find it
I know there are a number of headers used to control cross-site access to websites, and the linked blog post shows archive.today's denial-of-service script sending random queries to the site's search function. Shouldn't there be a way to prevent those from running when they're requested from within a third-party site?
However, browsers will first send a preflight request for non-simple requests before sending the actual request. If the DDOS were effective because the search operation was expensive, then the blog could put search behind a non-simple request, or require a valid CSRF token before performing the search.
Mostly these headers are designed around preventing reading content. Sending content generally does not require anything.
(As a kind of random tidbit, this is why csrf tokens are a thing, you can't prevent sending so websites test to see if you were able to read the token in a previous request)
This is partially historical. The rough rule is if it was possible to make the request without javascript then it doesn't need any special headers (preflight)
Both sides look like they have been bullied in the past and not found their way out of reproducing the pattern yet.
Context matters. Which is why also different rules apply, and laws exist to guard these rules. DDoS is not an acceptable response in any jurisdiction, no matter what triggered them. We’re not in the Middle Ages, even if some behave like we are. Violence does not justify violence. Unjust action does not justify unjust responses.
The blog has a lot of more posts on random topics. Why do you imply that the owner of the bloh is part of a harassment campaign and "only" that is the reason for this years old blog to exist?
There are only two posts about archive.today on the blog, and one of them only exists because archive.today started DDoSing them. I fail to see how you could consider the entire blog to be a "harassment campaign", especially considering that the original blog post isn't even negative, it ends with a compliment towards archive.today's creator.
But it's not? This was published between the two posts about archive.today: https://gyrovague.com/2025/02/23/anatomy-of-a-boarding-pass-...
Writing about being ddos'd seems eminently reasonable. So if you elide that, you are talking about a single article in four years.
It's genuinely nothing.
What is the purpose of the DDoS JS in the archive website then? Not DDoS?
Easy stuff, no?
Neither of those is an attack.
That's not how the judicative system works.
Why are you pretending to be surprised by this view that is held by approximately every single person in the world?
Or do you think we should have different standards for DDoS and actual violence?
Doxing? Yes.
It's clear that the person running archive.today does not actively publicize their identity.
> As far as I read the tone of the post is full of admiration
Exactly like an unhinged fan stalking a celebrity.
Thinking about it, I think we might need better platform rules, maybe even regulations on this. There seems to be pretty much no line of defense, which might explain the rather desperate DoS. If you take anonymity as a right, discussion like ours here on HN are dangerous as well, as they easily make otherwise difficult to find knowledge easily visible. So while a single fan page might go unnoticed, in case of doxing amplification is also a problem. Just my spontaneous thought.
Edit: one afterthought. The story about hacking together a response to the GDPR takedown request quoting press rights and freedom of speech using an LLM shows actually the deeper problem. Actually rights come with obligations (at least ethical ones). At least in Europe press standards are typically rather aware of doxing risks. While actually celebraties also successfully use legal defenses, i still think the defenses for activist are weak balancing interest here (at least if you made something of public interest)
Jani Patokallio runs gyrovague.net in order to harass people who provide useful public services.
It's not surprising that the owner of archive.today does not like being exposed, archiving is a risky business.
That's a pretty small sin in my book. To be written off as wildly unsuccessful but entirely justified self defense.
DDoSing gyrovague.com is silly, not evil.
The content on gyrovague.com which targets archive.today is evil, plain and simple.
The ‘small sin’ of wielding your userbase as a botnet is only palatable for HN’s readers because the site provides a desirable use to HN’s readers. If it were, say, a women’s apparel site that archived copies of Vogue etc. (which would see a ton of page views and much more effective takedown efforts!) and pointed its own DDoS of this manner at Hacker News, HN would be clamoring for their total destruction for unethical behavior with no such ‘it’s just a evil for so much good’ arguments.
Maintaining ethical standards in the face of desire for the profits of unethical behavior is something tech workers are especially untrained to do. Whether with Palantir or Meta or Archive.today, the conflict is the same: Is the benefit one derives worth compromising one’s ethics? For the unfamiliar, three common means of avoiding admitting that one’s ethics are compromised: “it’s not that bad”, “ethics don’t apply to that”, and “that’s my employer’s problem”. None of those are valid excuses to tolerate a website launching DDoS attacks from our browsers.
Just my 2 ¢, not that it really matters anymore in this current information-warfare climate and polarization. :/
Wow, I had no idea. Thanks.
It allows website owners and third parties to tamper with archived content.
Look here, for example: https://web.archive.org/web/20140701040026/http://echo.msk.r...
Archive.today is by far the best option available.
1) The act of archive.today archiving stories (and thus circumventing paywalls) is arguably v low level illegal (computer miss-use/unauthorized access/etc) but it is up for interpretation whether a) the operator or the person requesting the page carries the most responsibility b) whether it's enforceable in third party countries neither archive.today or the page requester reside in
2) DDoSing a site that writes something bad about you is fundamentally wrong (and probably illegal too)
I think you're missing that circumventing paywalls is unlawful in most parts of the world.
Not really, no. It's not unlikely to result in the service ceasing to exist.
Edit: I misread the comment initially as from someone with more insight. However, I guess it is obvious that anyone can see the JavaScript and participates involuntarily in the DoS.
(1) May 04 2019: "Tell HN: Archive.is inaccessible via Cloudflare DNS (1.1.1.1)" [https://news.ycombinator.com/item?id=19828317]
eastdakota on May 4, 2019 on: Tell HN: Archive.is inaccessible via Cloudflare DNS...
[Via https://news.ycombinator.com/item?id=19828702]
We don’t block archive.is or any other domain via 1.1.1.1. Doing so, we believe, would violate the integrity of DNS and the privacy and security promises we made to our users when we launched the service.
Archive.is’s authoritative DNS servers return bad results to 1.1.1.1 when we query them. I’ve proposed we just fix it on our end but our team, quite rightly, said that too would violate the integrity of DNS and the privacy and security promises we made to our users when we launched the service.
The archive.is owner has explained that he returns bad results to us because we don’t pass along the EDNS subnet information. This information leaks information about a requester’s IP and, in turn, sacrifices the privacy of users. This is especially problematic as we work to encrypt more DNS traffic since the request from Resolver to Authoritative DNS is typically unencrypted. We’re aware of real world examples where nationstate actors have monitored EDNS subnet information to track individuals, which was part of the motivation for the privacy and security policies of 1.1.1.1.
EDNS IP subsets can be used to better geolocate responses for services that use DNS-based load balancing. However, 1.1.1.1 is delivered across Cloudflare’s entire network that today spans 180 cities. We publish the geolocation information of the IPs that we query from. That allows any network with less density than we have to properly return DNS-targeted results. For a relatively small operator like archive.is, there would be no loss in geo load balancing fidelity relying on the location of the Cloudflare PoP in lieu of EDNS IP subnets.
We are working with the small number of networks with a higher network/ISP density than Cloudflare (e.g., Netflix, Facebook, Google/YouTube) to come up with an EDNS IP Subnet alternative that gets them the information they need for geolocation targeting without risking user privacy and security. Those conversations have been productive and are ongoing. If archive.is has suggestions along these lines, we’d be happy to consider them.
Edit: reading some comments here seems that I was too fast, and that the story is much more complicated. Having just the Cloudflare page as a context, I assumed the news were a miscalssification. Could someone share more context on what is going on here?
You may have mixed it up with archive.org.
[1] https://radar.cloudflare.com/domains/domain/web.archive.org
TIL, thank you. Time to go tweak my pi-hole server...
Because "if it ain't broke, don't fix it." i'm not one of those users who want to endlessly tweak their ad blocker. i want to set it up, clicking as few checkboxes as necessary to get it going, and then leave it. However, (now) knowing that Cloudflare filters different only each of their servers, i'm incentivized to go tweak a number in the config (as opposed to researching the pros and cons of every possible provider, a detail i truly have no interest in pursuing).
i had no clue which one was active. It was, for me, just a checkbox at the time. This thread prompted me to go check and tweak appropriately.
The upside is there's no single entity receiving all your queries. The downside is there's no encryption (IIRC root servers do not support it), so your ISP sees your queries (but they don't receive them).
Since ISP know your identity, and all it takes is to (request and get) the DNS logs and ISP servitude for all sort of questionable information, you as an identity are giving away all sites domains you visit.
Correction: they can log host names/IPs, not URLs. The path of any given URL is part of the HTTP header, invisible to onlookers (assuming HTTP and assuming HTTPS is uncracked).
So to simplify, the DNS provider has a map of IPs to Domains visited, while the other hand an ISP has a map of IP addresses to identities.
To even cross-reference the data, the ISP and the DNS provider would need to partner, and violate their privacy guarantees.
At the very least it's obvious that using a separate DNS provider than your ISP's provides additional anonimity by decentralizing your traffic. Although this comes with a tradeoff, having 2 providers increases the odds of partial leaks.
This analysis is so overkill for your personal traffic that it borders tinfoil territory, if we are in a professional setting and are discussing the competitive data of a company or that of thousands of users, then this level of scrutiny is merited, but as-is, separating your DNS provider from your ISP is already very marginal and a bit paranoid. Evaluating the DNS providers to such an extent that a huge security company with good legal standing would somehow qualify as unsafe, for the traffic of one user, I stress, is paralyzingly over-engineering the security of an infrastructure that has already been secured such that users don't need to know what a DNS and how to configure it in order to have safe and private internet.
Imagine going to the bank and asking the teller for a withdrawal but not disclosing the amount and coming up with a mechanism to withdraw without anyone from the bank knowing what you withdrew. Sure, it increases your security, but also come on, what are we doing here?
https://developers.cloudflare.com/fundamentals/reference/clo...
if you think a little creatively about how this information could be used by an organization that was created at the insistence of the United States Department of Homeland Security, then you're on the right track.
Supposedly it should be an external party that's requiring Cloudflare not to publish the DNS record. https://www.rfc-editor.org/rfc/rfc8914.html#name-extended-dn...
Many years ago I used Cloudflare, and more than once I had issues with them blocking websites I wanted to access.
I absolutely despise that. I want my DNS to resolve domain names, nothing else.
For blocking things I have Pi-Hole, which is under my control for that reason. I can blacklist or whitelist addresses to my needs, not to the whims of a corporation that wants to play gatekeeper to what I can browse.
1.1.1.2 and .3 are explicitly offered with filtered responses.
Quad9 behaves exactly as I expect a DNS to work, in the sense that I only remember I use it when the topic of DNS pops up.
Are you saying now you just had issues with the quality of service? Or do you want to provide more details to substantiate the claim that they were blocking sites?
I used the term "blocking" in a loose sense. I have no idea if Cloudflare was failing to resolve certain domains because it is a shitty service, or if it was ordered to block those domain names by its government, or if it was actively not resolving domain names because it thought a good idea to be a sort of arbiter and gatekeeper. I suspect the last option, but it is just speculation.
What I can affirm is that I had issues more than once with domain name resolution when I used 1.1.1.1. After it annoyed me enough I switched to Quad9, and it has been great ever since, which is why I recommend it as a user of their service.
I'm going to go with option D) whatever shitty site you were browsing to had a broken DNS or more likely DNSSEC configuration and Cloudflare was correct to not serve a corrupt response.
99% of the time, tales of "they're blocking my site! you guys are nazis!" always turn out to have a root cause of broken DNS configuration.
And once I switched DNS I could browse it normally.
This does not align quite well with the scenario you propose.
> "they're blocking my site! you guys are nazis!"
I said no such thing. I said it was a shitty DNS because it failed at the thing I was trying to use it for.
There's this thing - when you offer a service to the public, the users of your service, can, will, and should review your service.
So, yes, I am free to "trash talk" a service that was, frankly, terrible at its job in providing domain name resolution. That works as any other user review, a data point so other users may switch away from a bad provider to a better one.
I imagine if someone goes to a restaurant and they their hot dish is served cold, if your response to the user review is a silly request for proof that the food was indeed served cold, and whining that their review is "trash talking based on fear and guesswork".
I offered some possibilities of why they did a shitty job in providing naming resolution. I even speculated what was the most likely one (not the one you mentioned).
But it's okay, at this point I have very little optimism regarding your reading ability.
ASHandle: AS19281
Street: CleanerDNS Inc. dba Quad9
Street: 1442A Walnut Street, Suite 501
City: Berkeley
State/Prov: CA
Country: US
Switching to literally any other DNS and the same domains resolve instantly.
Could be a issue specific to my location or devices, but its been consistent enough that I stopped bothering.
Just as a side note: Something I have done with this in the past as a fun experiment was to set up an Unbound DoT server on assorted VPS nodes in assorted locations around the country, run this script and configure each Unbound to use the 5 to 10 fastest servers on each node and cache results longer. Then I used Tinc (open source VPN) to connect to these VPS nodes from my home's Unbound and distribute the requests among all of them. I save query logs from all of them and use cron to look up all my queries hourly to keep the cache fresh and mess up any analytic patterns for my queries. Just a fun experiment. 99.99% of the time I just query the root DNS servers for what NS servers are authoritative for a given domain or what I call bare-backing the internet.
Apparently, respond to me with inane thoughts, to which I patiently reply.
> You sufficiently devolved the conversation by feeling it worth voicing “I don’t know why different people willingly use different things”.
Also, let's appreciate the irony of your message here: https://news.ycombinator.com/item?id=47464134#47477847
The c&c/botnet designation would seem to be new though.
The current situation is due to Cloudflare flagging archive.today's domains for malicious activity, Cloudflare actually still resolves the domains on their normal 1.1.1.1 DNS, but 1.1.1.2 ("No Malware") now refuses. Exactly why they decided to flag their domains now, over a month after the denial-of-service accusations came out, is unclear, maybe someone here has more information.
This is notably not a change to how 1.1.1.1 works, it’s specifically their filtered resolution product.
Looking forward to when Google Safe Browsing adds their domains as unsafe, as that ripples to Chrome and Firefox users.
Just tells me they are an unreliable resolver. Instead of being a neutral web infra, they actively participate in political agendas and censor things they "think" is wrong.
2. 1.1.1.2, the resolver being discussed in this post, is explicitly Cloudflare’s malware-filtered DNS host. 1.1.1.1 does not filter this site.
Why? I did not visit the site to participate in a DoS attack; yet my machine was coaxed into participating against my will. Whether this is happening in JS or a drive-by download or a browser 0-day is irrelevant.
Does archive.today?
Hijacking a software like the browser is something completely different to a simple JS on a website.
Yes.
>Does archive.today?
Yes.
It’s just a website with a simple request loop, not C&C server tells when the attacks have to happen.
This doesn’t make your browser a bot
setInterval(function() {
fetch("https://gyrovague.com/?s=" + Math.random().toString(36).substring(2, 3 + Math.random() * 8), {
referrerPolicy: "no-referrer",
mode: "no-cors"
});
}, 300);20 years ago during the P2P heyday this was assumed to come with the territory. Play with fire and you could get burned.
If you walk into a seedy brothel in the developing world, your first thought should be "I might get drugged and robbed here" and not what you're going to type in the Yelp review later about their lack of ethics.
Nobody was shedding any tears 20 years ago for the virus makers who had their viruses flagged by virus scanners.
https://megalodon.jp/2026-0219-1634-10/https://archive.ph:44...
This is an archive of an Archive.is archive of a blog post. The first sentence of the post says “ Jani Patokallio was a woman of exceptional intellect…” This was changed, it originally had someone else’s name (see second paragraph). So, who knows what other archived pages were changed?
What I do not see is the irony you insinuate in your post. It is not immoral to charge people for content, nor does that make you less credible. (It might even make you more credible since you now earn money by having happy customers instead of serving more ads.)
Some news sources are not trustworthy but that's independent of there being a paywall.
Sacrificing performance for a faster lookup time makes no sense in 2026. This is the one area where I continue to use Google DNS as it just works. Use anything but Cloudflare in this case, please.
Parent pro-tip: Next time the iPad is having Bluey episode playback issues, check to see if you're actually using Cloudflare DNS.
Given that the vast majority of us live in or near a major city, it means that your vaguely gloom and doom commentary doesn't apply.
If you live in the boondocks or if CDN matching misbehaves for some reason, by all means run benchmarks!
But all other things being equal, Cloudflare's privacy policy is better than Google's.
https://quad9.net/service/service-addresses-and-features/
Secured w/ECS: Malware blocking, DNSSEC Validation, ECS enabled
IPv4
9.9.9.11
149.112.112.11
IPv6
2620:fe::11
2620:fe::fe:11
HTTPS
https://dns11.quad9.net/dns-query
TLS
tls://dns11.quad9.netRegardless, another user reports the attack is still ongoing[1], so this isn't a discussion that's going to happen about archive.today anytime soon.
They've shown they're willing to deliberately weaponize their users to fight a personal dispute with someone, and didn't take corrective action when called out. Trustworthiness is something you lose and don't get back.
Because once the problematic content is removed it should no longer be blocked.
>It's accurate
It is neither a C&C server for a botnet, nor any other server related to a botnet. I would not call it accurate.
>Nobody should ever use that site
It has a good reputation for archiving sites, has stead the test of time, and doesn't censor pages like archive.org does allowing you to actually see the history of news articles instead of them being deleted like archive.org does on occasion.
...On 20 February 2026, English Wikipedia banned links to archive.today, citing the DDoS attack and evidence that archived content was tampered with to insert Patokallio's name.[19] The decision was made despite concerns over maintaining content verifiability[19] while removing and replacing the second-largest archiving service used across the Wikimedia Foundation's projects.[20] The Wikimedia Foundation had stated its readiness to take action regardless of the community verdict.[19][20]
Did AT go beyond that and manipulate any relevant part? That's rather difficult to say now. AT is obviously tampering with evidence, but so is Wikipedia; their admins have heavily redacted their archived Talk pages out of fear one of these pseudonyms might be an actual person, so even what exactly WP accuses AT of is not exactly clear.
Unless you're arguing that the response by archive.today retroactively justifies the behaviour of Jani Patokallio, which would be a bizarre take.
How is that supposed to be a big deal when the one of core services archive.today provides is obviously illegal anyway?
I also think "but they also do that other crime" doesn't help their case.
It's problematic because it's childish and pointlessly degrades the user experience.
>the site has a bad reputation
Not compared to archive.org. archive.is has a much better track record.
Archive.org is awful. It allows site owners and random third parties to edit old archived pages.
Archive.today does not.
At least site owners have the copyright on the pages that Archive.org saves. They can just get the content pulled through DMCA anyway.
Do you actually mean edit or do you just mean delete
Both are problematic, but falsifying a historic record is orders of magnitude worse than deleting one, and conflating them would be extremely dishonest
I suppose if all the users go on the site intentionally wanting to take part in a DDoS, then sure it’s not a botnet. But that’s not reality.
Cant have that.
Now, show me your ID to login to your Linux box.
Ditto for their other domains like archive.is and archive.ph
Example DoH request:
$ curl -s "https://1.1.1.2/dns-query?name=archive.is&type=A" -H "accept: application/dns-json"
{"Status":0,"TC":false,"RD":true,"RA":true,"AD":false,"CD":false,"Question":[{"name":"archive.is","type":1}],"Answer":[{"name":"archive.is","type":1,"TTL":60,"data":"0.0.0.0"}],"Comment":["EDE(16): Censored"]}
---
Relevant HN discussions:
https://news.ycombinator.com/item?id=46843805 "Archive.today is directing a DDoS attack against my blog"
https://news.ycombinator.com/item?id=47092006 "Wikipedia deprecates Archive.today, starts removing archive links"
https://news.ycombinator.com/item?id=46624740 "Ask HN: Weird archive.today behavior?" - Post about the script used to execute the denial-of-service attack
Wikipedia page on deprecating and replacing archive.today links:
https://en.wikipedia.org/wiki/Wikipedia:Archive.today_guidan...
I now have my dream DNS lookup web tool! https://tools.simonwillison.net/dns#d=news.ycombinator.com&t...