
Google Answers Question About Core Web Vitals “Poisoning”

Google's John Mueller offered his opinion about a negative SEO attack referred to as Core Web Vitals poisoning


Someone posted details of a novel negative SEO attack that they said appeared to be a Core Web Vitals performance poisoning attack. Google’s John Mueller and Chrome’s Barry Pollard assisted in figuring out what was going on. This is an interesting situation because the problem may be related to an unusual variation of a denial-of-service attack.

The person posted on Bluesky, tagging Google’s John Mueller and Rick Viscomi, the latter a DevRel Engineer at Google.

They posted:

“Hey we’re seeing a weird type of negative SEO attack that looks like core web vitals performance poisoning, seeing it on multiple sites where it seems like an intentional render delay is being injected, see attached screenshot. Seeing across multiple sites & source countries

..this data is pulled by webvitals-js. At first I thought dodgy AI crawler but the traffic pattern is from multiple countries hitting the same set of pages and forging the referrer in many cases”

Web-vitals.js is a lightweight JavaScript library developed by the Google Chrome Team that can be used by publishers and SEOs to measure Core Web Vitals on their own or clients’ sites. It reports metrics in a way that’s consistent with PageSpeed Insights and Search Console, which makes it useful for measuring actual CWV scores.

The significance of the reference to “web-vitals.js” is that the degraded Core Web Vitals scores come from page requests that hit the server instead of being served from a cache or CDN. These are actual performance scores recorded on the website itself using web-vitals.js.

Web-vitals.js can also be triggered by a CDN like Cloudflare. The person who posted about the issue didn’t say that the script is triggered by a CDN, but they did note in a follow-up response that there is an ongoing cache-bypass DoS attack, so maybe the script, which is measuring actual CWV scores, is just triggered by hits on the server itself.

Could This Affect Rankings?

The person making the post did not say if the “attack” had impacted search rankings, although that is unlikely, given that website performance is a weak ranking factor and less important than things like content relevance to user queries.

Google’s John Mueller responded, sharing his opinion that it’s unlikely to cause an issue, and tagging Chrome Web Performance Developer Advocate Barry Pollard (@tunetheweb) in his response.

Mueller said:

“I can’t imagine that this would cause issues, but maybe @tunetheweb.com has seen things like this or would be keen on taking a look.”

Barry Pollard wondered if it’s a bug in the web-vitals library and asked the original poster if it’s reflected in the CrUX data (Chrome User Experience Report), which is a record of actual user visits to websites. The person responded by saying that the degradation in core web vitals scores is not reflected in the CrUX data.

DoS (Denial-of-Service) Attack

The person who posted about the issue also mentioned that the site under discussion was experiencing a DoS attack.

They wrote:

“Hard to get a clear picture because on top of the LCP issue the site is being hit with some kind of cache-bypass DOS attack that jacked up TTFB & has had the hosting maxxed out…”

The attack they described, a cache-bypass DoS (denial-of-service) attack, is when an attacker sends a massive number of web page requests that bypass a CDN or a local cache, causing stress to server resources.

The method is to bypass the cache (whether that’s a CDN or a local cache) so that the server itself has to serve the web page (instead of a copy of it coming from the cache or CDN), thus slowing down the server.

The local web-vitals script is recording the performance degradation of those visits, but it is likely not registering with the CrUX data because that comes from actual Chrome browser users who have opted in to sharing their web performance data.
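The split described above can be checked from the defender's side by comparing cache hits with requests that reached the origin, page by page. The following is an added example, not code from the article or from web-vitals.js; the log records are constructed, and the field names (`path`, `cache`, `country`, `ttfbMs`) and thresholds are assumptions.

```javascript
// Constructed edge-log records (not from the article); field names are assumed.
const sampleLog = [
  ["/pricing", "HIT", "US", 40], ["/pricing", "MISS", "BR", 1800],
  ["/pricing", "MISS", "VN", 2100], ["/pricing", "MISS", "DE", 1950],
  ["/pricing", "MISS", "IN", 2400], ["/pricing", "MISS", "US", 2250],
  ["/blog", "HIT", "US", 40], ["/blog", "HIT", "GB", 35],
  ["/blog", "HIT", "US", 50], ["/blog", "HIT", "CA", 45],
  ["/blog", "MISS", "US", 600],
].map(([path, cache, country, ttfbMs]) => ({ path, cache, country, ttfbMs }));

function median(values) {
  if (values.length === 0) return null;
  const s = [...values].sort((a, b) => a - b);
  const mid = Math.floor(s.length / 2);
  return s.length % 2 ? s[mid] : (s[mid - 1] + s[mid]) / 2;
}

// Per path: how much traffic reached the origin, from how many countries,
// and how TTFB differs between cached and origin-served responses.
function summarizeByPath(records) {
  const byPath = new Map();
  for (const r of records) {
    if (!byPath.has(r.path)) {
      byPath.set(r.path, { hit: [], miss: [], countries: new Set() });
    }
    const g = byPath.get(r.path);
    if (r.cache === "HIT") {
      g.hit.push(r.ttfbMs);
    } else {
      g.miss.push(r.ttfbMs);
      g.countries.add(r.country);
    }
  }
  return [...byPath].map(([path, g]) => ({
    path,
    total: g.hit.length + g.miss.length,
    missRatio: g.miss.length / (g.hit.length + g.miss.length),
    missCountries: g.countries.size,
    medianHitTtfb: median(g.hit),
    medianMissTtfb: median(g.miss),
  }));
}

// Thresholds are illustrative assumptions; tune them against a normal-traffic baseline.
function flagSuspectPaths(summary, { minRequests = 5, maxMissRatio = 0.5, minCountries = 3 } = {}) {
  return summary
    .filter(s => s.total >= minRequests && s.missRatio > maxMissRatio && s.missCountries >= minCountries)
    .map(s => s.path);
}

console.log(flagSuspectPaths(summarizeByPath(sampleLog))); // [ '/pricing' ]
```

A large gap between `medianMissTtfb` and `medianHitTtfb` on a flagged path is consistent with on-site measurements degrading while visitors served from the cache see normal response times.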

So What’s Going On?

Judging by the limited information in the discussion, it appears that a DoS attack is slowing down server response times, which in turn is affecting page speed metrics on the server. The Chrome User Experience Report (CrUX) data is not reflecting the degraded response times, which could be because the CDN is handling the page requests for the users recorded in CrUX. There’s a remote chance that the CrUX data isn’t fresh enough to reflect recent events, but it seems logical that users are getting cached versions of the web page and thus not experiencing degraded performance.

I think the bottom line is that CWV scores themselves will not have an effect on rankings. Given that actual users themselves will hit the cache layer if there’s a CDN, the DoS attack probably won’t have an effect on rankings in an indirect way either.

By Roger Montti, SEJ Staff; Owner, Martinibuster.com
