So, Mastodon is a nice escape from the big tech social media platforms.
Whether it is about ignoring Elon Musk's mood swings on X (or formerly Twitter) or refusing to be a part of Mark Zuckerberg's data points, Mastodon has proved to be an impressive open-source social media platform.
While it is privacy-friendly, and lets users take control of their data, the platform is not perfect.
Nothing is, unless you are arrogant enough to think of it that way.
What's the problem I am referring to here? Is it a feature that I'm missing, or the user experience?
Unfortunately, I am not complaining about either. There is always room for improvements, but I am not talking about that here.
I am talking about Mastodon's ability to DDoS a website 💣 And, our sites, It's FOSS News, and It's FOSS, are some of the sites being affected by the issue.
Care to Explain? Sure!
When you share a link on Mastodon, a link preview is generated for it, right?
With Mastodon being a federated platform (a part of the Fediverse), the request to generate a link preview is not generated by just one Mastodon instance. There are many instances connected to it who also initiate requests for the content almost immediately.
And, this "fediverse effect" increases the load on the website's server in a big way.
Sure, some websites may not get overwhelmed with the requests, but Mastodon does generate numerous hits, increasing the load on the server. Especially, if the link reaches a profile with more followers (and a broader network of instances).
I should clarify that our server handles plenty of requests when a post gets viral through Google News/Reddit or other platforms. However, only when we share it on Mastodon is when we notice an immediate downtime.
I believe we have 15k followers, and that gives us a decent reach.
And, as a result, we get affected for a couple of minutes in a day, for readers to encounter 504 Gateway Timeout error or the webpage being unresponsive for a few seconds, whenever a link is shared on mastodon.social instance (primarily).
Furthermore, when a user with a huge following list or having connections to a bigger network of instances boosts that post, the request to the site is amplified again, as explained by Chris Partridge, a security engineer.
One of our readers notified us about this Fediverse effect originally, before we investigated the root cause:
And, turns out, the downtimes caused by this issue (as the majority) looks like this:
And, such an effect increases the frequency of downtimes, affecting our availability times:
Maybe you can also reproduce this issue if you have a higher follower count.
We tried it on our Mastodon profile, and every time we shared a link, we were able to successfully make our website unresponsive or slow to load 😲
Presently, we use Cloudflare as our CDN or WAF, as it is a widely adopted solution.
But, what if we switch to a separate CDN provider, which would cost us for the resources being served? Do you think any web server should pay for extra resources being served for no reason? Wouldn't they want it to be blocked or fixed?
Quoting Chris Partridge's older findings, he mentioned:
However, I got a bit of a nasty surprise when I looked into how much traffic this had consumed - a single roughly ~3KB POST to Mastodon caused servers to pull a bit of HTML and… fuck, an image. In total, 114.7 MB of data was requested from my site in just under five minutes - making for a traffic amplification of 36704:1.
An amplified resource request like this — should be on top of the priority list for Mastodon to fix, right?
And, no, it is not just an older blog post I am referencing. Another software developer, Michael Nordmeyer also shared similar findings on his blog post about Mastodon DDoS'ing websites/servers in 2023.
Michael NordmeyerHere's another blog post by JWZ talking about the same issue. And, there's also a new blog post by a tinkerer after our article was circulated, discussing the Fediverse DDoS problem.
Let's go through some GitHub issues reported on the same:
- GitHub Issue 1 (Concerns about Mastodon being innocently used as a DDoS tool were reported 6 years ago).
- GitHub Issue 2 (Mastodon sending massive hits to outside websites, Oct, 2023)
- GitHub Issue 3 (Reduce load of preview fetching, Feb, 2023)
And, the issue listed was added to their milestone for the next upcoming release, 4.3.0 (or so I thought):
Unfortunately, now, it appears that the issue has been deprioritized, and moved as a milestone for a future 4.4.0 release.
As things stand now, the 4.4.0 release could take a year or more (who knows?). And, I think that the issue should have been prioritized for a faster fix, not put back to their bucket list of doing things.
Do I sound entitled? Do you think it is wrong for me to talk about this?
Let me tell you why I chose to do this...
It's Mastodon, That's Why!
Mastodon is a free and open-source platform that aims to tackle the big tech, right?
We even list it as one of the best open source social media platforms:
Abhishek Prakash
Well, the thing is — the big tech platforms are not impacting our website at the moment. But, Mastodon is...
A bug like this could be impacting several independent sites like us with downtimes or amplifying their resource/bandwidth usage for no good reason. And, we are not the only ones:
Just one? Here, I link another user mentioning the same. And, another.
Don't you think as a community-powered, open-source project, it should be possible to attend to a long-standing bug, as serious as this one?
Sure, one can argue that it's not Mastodon's fault. So, why put it that way? I believe, with a platform as big as Mastodon (compared to other federated solutions), someone has to take a lead on fixing this bug.
Moreover, if Mastodon wants to become the modern Twitter (or better), it should resolve fundamental issues like this.
The decentralized social media idea should fix things on the web, and not break the traditional web experience.
Hopefully, Mastodon developers see this (along with the community), and get this sorted out as soon as possible. The current solution includes blocking Mastodon as a user-agent, which would disable our link previews, making it look like spam and uninformative.
💬 What do you think about this? Did you know about this thing with Mastodon? What are your thoughts on this?
Suggested Read 📖
Ankush Das
More from It's FOSS...
- Support us by opting for It's FOSS Plus membership.
- Join our community forum.
- 📩 Stay updated with the latest on Linux and Open Source. Get our weekly Newsletter.
