I also managed to keep millions of requests on 2 100$ servers (EU, US) and a simple load balancer with simple express js infra, cachegoose
once my NDA is over I could OS everything, if you guys are interested I’m open to share some old bypasses and methods from time to time
I was managing the queue for a big sneaker store in EU.
Wanted to share how I managed to block Cybersole from getting valid sessions.
I would simply check if the client ever requested the website favicon.ico file, no full request bot ever requests the favicon, also the session validity was never returned in any API endpoint, meaning they could never guessed if the session was valid.
Yes, this simple method worked, felt like sharing after a couple years because I still think to this day it is very funny.