Introduction to Negative SEO Attack
Someone recently posted about a novel negative SEO attack that appeared to be a Core Web Vitals performance poisoning attack. This attack seemed to intentionally delay the rendering of web pages, affecting multiple sites. The person who posted about the issue tagged Google’s John Mueller and Rick Viscomi, a DevRel Engineer at Google, to get their assistance in figuring out what was going on.
What is a Core Web Vitals Performance Poisoning Attack?
The person who posted about the issue explained that they were seeing a weird type of negative SEO attack that looked like Core Web Vitals performance poisoning. This attack seemed to be injecting an intentional render delay into multiple sites. The person attached a screenshot to their post and mentioned that the data was pulled by webvitals-js. They initially thought it might be a dodgy AI crawler, but the traffic was coming from multiple countries and hitting the same set of pages, with the referrer being forged in many cases.
Could This Affect Rankings?
The person who posted about the issue did not say if the "attack" had impacted search rankings. However, it is unlikely that this would affect rankings, given that website performance is a weak ranking factor and less important than things like content relevance to user queries. Google’s John Mueller responded to the post, sharing his opinion that it’s unlikely to cause an issue. He tagged Chrome Web Performance Developer Advocate Barry Pollard in his response, asking for his input.
Investigation into the Issue
Barry Pollard wondered if it’s a bug in the web-vitals library and asked the original poster if it’s reflected in the CrUX data (Chrome User Experience Report). The CrUX report is a record of actual user visits to websites. The person who posted about the issue responded to Pollard’s question, saying that the CrUX report does not reflect the page speed issues. They also mentioned that the website in question is experiencing a cache-bypass DoS (denial-of-service) attack. This type of attack sends a massive number of web page requests that bypass a CDN or a local cache, causing stress to server resources.
Understanding the Cache-Bypass DoS Attack
A cache-bypass DoS attack works by getting requests past the cache (whether that’s a CDN or a local cache) so that the server has to serve the web page itself instead of a copy coming from the cache or CDN, which slows down the server. The local web-vitals script is recording the performance degradation of those visits, but it is likely not registering in the CrUX data because that data comes from actual Chrome browser users who have opted in to sharing their web performance data.
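One way a site owner could check CDN logs for the pattern described above (the same pages, requested from many countries, mostly served by the origin rather than the cache) is sketched below. This is an added example, not code from the discussion; the five-field log format, the cache status values, the thresholds and the function name `cache_bypass_suspects` are assumptions, and the sample log lines are constructed.

```python
from collections import defaultdict

# Constructed sample CDN log (assumed format): ip country cache_status path referrer
SAMPLE_LOG = """\
203.0.113.10 BR MISS /pricing https://news.example/a
203.0.113.11 VN BYPASS /pricing https://search.example/q
198.51.100.7 RU MISS /pricing -
198.51.100.8 ID MISS /pricing https://social.example/p
192.0.2.44 US BYPASS /pricing https://news.example/b
192.0.2.45 DE MISS /pricing -
192.0.2.60 US HIT /blog/post https://search.example/q
192.0.2.61 US HIT /blog/post -
192.0.2.62 GB HIT /blog/post -
192.0.2.63 GB MISS /blog/post -
192.0.2.64 US HIT /blog/post -
192.0.2.65 US HIT /blog/post -
192.0.2.70 US MISS /about -
192.0.2.71 US MISS /about -
"""

def cache_bypass_suspects(log_text, min_requests=5, min_origin_ratio=0.8, min_countries=3):
    """Return paths whose traffic is mostly origin-served and geographically spread."""
    stats = defaultdict(lambda: {"total": 0, "origin": 0, "countries": set(), "referrers": set()})
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 5:
            continue  # skip malformed lines
        _ip, country, cache_status, path, referrer = fields
        entry = stats[path]
        entry["total"] += 1
        if cache_status != "HIT":  # MISS or BYPASS: the origin server did the work
            entry["origin"] += 1
        entry["countries"].add(country)
        entry["referrers"].add(referrer)
    suspects = {}
    for path, e in stats.items():
        ratio = e["origin"] / e["total"]
        if e["total"] >= min_requests and ratio >= min_origin_ratio and len(e["countries"]) >= min_countries:
            suspects[path] = {"requests": e["total"], "origin_served": e["origin"],
                              "origin_ratio": round(ratio, 2), "countries": len(e["countries"]),
                              "distinct_referrers": len(e["referrers"])}
    return suspects

if __name__ == "__main__":
    for path, info in cache_bypass_suspects(SAMPLE_LOG).items():
        print(path, info)
```

A path that real visitors reach through the cache, like `/blog/post` in the sample, stays below the origin ratio threshold and is not flagged.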
What’s Going On?
Judging by the limited information in the discussion, it appears that a DoS attack is slowing down server response times, which in turn is affecting the page speed metrics that the site's local web-vitals script records. The Chrome User Experience Report (CrUX) data is not reflecting the degraded response times, which could be because the CDN is handling the page requests for the users recorded in CrUX. There’s a remote chance that the CrUX data isn’t fresh enough to reflect recent events, but it seems logical that users are getting cached versions of the web page and thus not experiencing degraded performance.
Conclusion
The bottom line is that CWV scores themselves will not have an effect on rankings. Given that actual users will hit the cache layer if there’s a CDN, the DoS attack probably won’t have an indirect effect on rankings either. The investigation into the issue suggests that the attack is likely a cache-bypass DoS attack, which is slowing down server response times and affecting page speed metrics. However, the impact of this attack on search rankings is likely to be minimal, and website owners should not be too concerned about it.