The blog Its FOSS has 15,000 followers for its Mastodon account — which they think is causing problems:

When you share a link on Mastodon, a link preview is generated for it, right? With Mastodon being a federated platform (a part of the Fediverse), the request to generate a link preview is not generated by just one Mastodon instance. There are many instances connected to it who also initiate requests for the content almost immediately. And, this “fediverse effect” increases the load on the website’s server in a big way.

Sure, some websites may not get overwhelmed with the requests, but Mastodon does generate numerous hits, increasing the load on the server. Especially, if the link reaches a profile with more followers (and a broader network of instances)… We tried it on our Mastodon profile, and every time we shared a link, we were able to successfully make our website unresponsive or slow to load.

It’s Foss blog says they found three GitHub issues about the same problem — one from 2017, and two more from 2023. And other blogs also reported the same issue over a year ago — including software developer Michael Nordmeyer and legendary Netscape programmer Jamie Zawinski.

And back in 2022, security engineer Chris Partridge wrote:

[A] single roughly ~3KB POST to Mastodon caused servers to pull a bit of HTML and… an image. In total, 114.7 MB of data was requested from my site in just under five minutes — making for a traffic amplification of 36704:1. [Not counting the image.]

Its Foss reports Mastodon’s official position that the issue has been “moved as a milestone for a future 4.4.0 release. As things stand now, the 4.4.0 release could take a year or more (who knows?).”

They also state their opinion that the issue “should have been prioritized for a faster fix… Don’t you think as a community-powered, open-source project, it should be possible to attend to a long-standing bug, as serious as this one?”

Abstract credit: https://slashdot.org/story/428030

  • Sleepkever@lemm.ee
    link
    fedilink
    arrow-up
    18
    arrow-down
    2
    ·
    7 months ago

    It is not, but a write amplification of 36704:1 is one hell of an exploitable surface.

    With that same Raspberry Pi and a single 1gbit connection you could also do 333333 post requests of 3 KB in a single second made on fake accounts with preferably a fake follower on a lot of fediverse instances. That would result in those fediverse servers theoretically requesting 333333 * 114MB = ~38Gigabyte/s. At least for as long as you can keep posting new posts for a few minutes and the servers hosting still have bandwidth. DDosing with a ‘botnet’ of fediverse servers/accounts made easy!

    I’m actually surprised it hasn’t been tried yet now that I think about it…

    • algernon
      link
      fedilink
      arrow-up
      13
      arrow-down
      1
      ·
      7 months ago

      That would result in those fediverse servers theoretically requesting 333333 * 114MB = ~38Gigabyte/s.

      On the other hand, if the site linked would not serve garbage, and would fit like 1Mb like a normal site, then this would be only ~325mb/s, and while that’s still high, it’s not the end of the world. If it’s a site that actually puts effort into being optimized, and a request fits in ~300kb (still a lot, in my book, for what is essentially a preview, with only tiny parts of the actual content loaded), then we’re looking at 95mb/s.

      If said site puts effort into making their previews reasonable, and serve ~30kb, then that’s 9mb/s. It’s 3190 in the Year of Our Lady Discord. A potato can serve that.

      • MinekPo1 [She/Her]@lemmygrad.ml
        link
        fedilink
        arrow-up
        2
        arrow-down
        1
        ·
        7 months ago
        autistic complaining about units

        ok so like I don’t know if I’ve ever seen a more confusing use of units . at least you haven’t used the p infix instead of the / in bandwith units .

        like you used both upper case and lowercase in units but like I can’t say if it was intentional or not ? especially as the letter that is uppercased should be uppercased ?

        anyway

        1Mb

        is theoretically correct but you likely ment either one megabyte (1 MB) or one megibyte (MiB) rather than one megabit (1 Mb)

        ~325mb/s

        95mb/s

        and

        9mb/s

        I will presume you did not intend to write ~325 milibits per second , but ~325 megabits per seconds , though if you have used the 333 333 request count as in the segment you quoted , though to be fair op also made a mistake I think , the number they gave should be 3 exabits per second (3 Eb/s) or 380 terabytes per seconds (TB/s) , but that’s because they calculated the number of requests you can make from a 1 gigabit (which is what I assume they ment by gbit) wrong , forgetting to account that a byte is 8 bits , you can only make 416 666 of 4 kB (sorry I’m not checking what would happen if they ment kibibytes sorry I underestimated how demanding this would be but I’m to deep in it now so I’m gonna take that cop-out) requests a second , giving 380 terabits per second (380 Tb/s) or 3.04 terabytes per second (3.04 TB/s) , assuming the entire packet is exactly 114 megabytes (114 MB) which is about 108.7 megibytes (108.7 MiB) . so anyway

        packet size theoretical bandwidth
        1 Mb 416.7 Gb/s 52.1 GB/s
        1 MB 3.3 Tb/s 416.7 GB/s
        1 MiB 3.3 Tb/s 416.7 GB/s
        300 kb 125.0 Gb/s 15.6 GB/s
        300 kB 1000.0 Gb/s 125.0 GB/s
        300 kiB 1000.0 Gb/s 125.0 GB/s
        30 kb 12.5 Gb/s 1.6 GB/s
        30 kB 100.0 Gb/s 12.5 GB/s
        30 kiB 100.0 Gb/s 12.5 GB/s

        hope that table is ok and all cause im in a rush yeah bye