So, Mastodon is a nice escape from the big tech social media platforms.
Whether it is about ignoring Elon Musk's mood swings on X (or formerly Twitter) or refusing to be a part of Mark Zuckerberg's data points, Mastodon has proved to be an impressive open-source social media platform.
While it is privacy-friendly, and lets users take control of their data, the platform is not perfect.
Nothing is, unless you are arrogant enough to think of it that way.
What's the problem I am referring to here? Is it a feature that I'm missing, or the user experience?
Unfortunately, I am not complaining about either. There is always room for improvements, but I am not talking about that here.
I am talking about Mastodon's ability to DDoS a website 💣 And, our sites, It's FOSS News and It's FOSS, are among the sites affected by the issue.
Don't get me wrong: Mastodon is not doing this knowingly. The problem occurs because of federation. But, the developers have been aware of this concern for a long time now, and it hasn't seen a meaningful fix. Moreover, there is no expected date for a fix, which is concerning 😕
Care to Explain? Sure!
When you share a link on Mastodon, a link preview is generated for it, right?
With Mastodon being a federated platform (a part of the Fediverse), the request to generate a link preview is not made by just one Mastodon instance. The many instances connected to it also fetch the content, almost immediately and independently of each other.
And, this "fediverse effect" increases the load on the website's server in a big way.
Sure, some websites may not get overwhelmed by the requests, but Mastodon does generate numerous hits, increasing the load on the server, especially if the link reaches a profile with more followers (and a broader network of instances).
UPDATE: The website uses Cloudflare proxy presently, and still gets impacted when we share something on Mastodon.
I should clarify that our server handles plenty of requests when a post goes viral through Google News, Reddit, or other platforms. However, it is only when we share it on Mastodon that we notice immediate downtime.
I believe we have 15k followers, and that gives us a decent reach.
And, as a result, we get affected for a couple of minutes a day: readers encounter a 504 Gateway Timeout error, or the webpage is unresponsive for a few seconds, whenever a link is shared (primarily on the mastodon.social instance).
Furthermore, when a user with a large following or connections to a bigger network of instances boosts that post, the requests to the site are amplified again, as explained by Chris Partridge, a security engineer.
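As an added example (not from the article, and not Mastodon's own code), here is a detector a site operator could run over web server access logs to spot the fan-out described above: many distinct instances fetching the same URL within seconds of a share, with the bytes served compared against the size of the post that triggered them. The log lines are constructed, the example domains are placeholders, and the 3 KB post size is an assumption taken from the finding quoted later in this article.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed combined-format access log lines (not real traffic). Mastodon instances send a
# User-Agent like "http.rb/<ver> (Mastodon/<ver>; +https://<instance>/)", which we key on.
SAMPLE_LOG = """\
198.51.100.1 - - [12/Dec/2023:10:00:01 +0000] "GET /mastodon-ddos/ HTTP/1.1" 200 31000 "-" "http.rb/5.1.1 (Mastodon/4.2.1; +https://mastodon.social/)"
198.51.100.1 - - [12/Dec/2023:10:00:02 +0000] "GET /content/images/hero.jpg HTTP/1.1" 200 410000 "-" "http.rb/5.1.1 (Mastodon/4.2.1; +https://mastodon.social/)"
198.51.100.2 - - [12/Dec/2023:10:00:02 +0000] "GET /mastodon-ddos/ HTTP/1.1" 200 31000 "-" "http.rb/5.1.1 (Mastodon/4.2.1; +https://instance-b.example/)"
198.51.100.3 - - [12/Dec/2023:10:00:03 +0000] "GET /mastodon-ddos/ HTTP/1.1" 200 31000 "-" "http.rb/5.1.1 (Mastodon/4.1.0; +https://instance-c.example/)"
203.0.113.5 - - [12/Dec/2023:10:00:03 +0000] "GET /mastodon-ddos/ HTTP/1.1" 200 31000 "https://www.google.com/" "Mozilla/5.0 (X11; Linux x86_64) Firefox/120.0"
198.51.100.4 - - [12/Dec/2023:10:00:05 +0000] "GET /mastodon-ddos/ HTTP/1.1" 200 31000 "-" "http.rb/5.1.1 (Mastodon/4.2.0; +https://instance-d.example/)"
198.51.100.5 - - [12/Dec/2023:10:15:00 +0000] "GET /mastodon-ddos/ HTTP/1.1" 200 31000 "-" "http.rb/5.1.1 (Mastodon/4.2.1; +https://instance-e.example/)"
"""

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
                    r'(?P<status>\d{3}) (?P<bytes>\d+) "[^"]*" "(?P<ua>[^"]*)"$')
INSTANCE_RE = re.compile(r'\(Mastodon/[^;]+; \+(?P<instance>https?://[^/)]+)')

def parse_line(line):
    """Return one request as a dict; 'instance' is set only for Mastodon preview fetchers."""
    m = LOG_RE.match(line)
    if not m:
        return None
    inst = INSTANCE_RE.search(m["ua"])
    return {"ts": datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"),
            "path": m["req"].split()[1], "bytes": int(m["bytes"]),
            "instance": inst["instance"] if inst else None}

def find_preview_bursts(lines, window=timedelta(seconds=60), min_instances=3, post_bytes=3000):
    """Flag paths fetched by >= min_instances distinct instances within one window;
    post_bytes (assumed ~3 KB, as in the quoted finding) sizes the share that triggered it."""
    events = sorted((e for e in map(parse_line, lines) if e and e["instance"]), key=lambda e: e["ts"])
    by_path = defaultdict(list)
    for e in events:
        by_path[e["path"]].append(e)
    bursts = []
    for path, evs in by_path.items():
        i = 0
        while i < len(evs):
            group = [e for e in evs[i:] if e["ts"] - evs[i]["ts"] <= window]  # sorted, so contiguous
            instances = {e["instance"] for e in group}
            if len(instances) >= min_instances:
                served = sum(e["bytes"] for e in group)
                bursts.append({"path": path, "start": group[0]["ts"], "requests": len(group),
                               "instances": len(instances), "bytes": served,
                               "amplification": round(served / post_bytes, 1)})
            i += len(group)  # continue after this window
    return bursts
```

Run it against a real log by passing the file's lines to `find_preview_bursts`; the single regular browser hit in the sample is ignored, and the lone fetch fifteen minutes later does not reach the instance threshold.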
It does not affect us when you (readers) with fewer followers share our links. But, when we share our articles on our own profile, it impacts our server resources immediately for a couple of minutes.
One of our readers originally notified us about this Fediverse effect, before we investigated the root cause:
And, it turns out, the downtimes caused by this issue (the majority of them) look like this:
And, such an effect increases the frequency of downtimes, affecting our uptime:
Maybe you can also reproduce this issue if you have a higher follower count.
We tried it on our Mastodon profile, and every time we shared a link, we were able to successfully make our website unresponsive or slow to load 😲
Presently, we use Cloudflare as our CDN and WAF, as it is a widely adopted solution.
But, what if we switched to a separate CDN provider, which would charge us for the resources being served? Do you think any website operator should pay for extra resources being served for no reason? Wouldn't they want it to be blocked or fixed?
Quoting Chris Partridge's earlier findings:
However, I got a bit of a nasty surprise when I looked into how much traffic this had consumed - a single roughly ~3KB POST to Mastodon caused servers to pull a bit of HTML and… fuck, an image. In total, 114.7 MB of data was requested from my site in just under five minutes - making for a traffic amplification of 36704:1.
An amplified resource request like this should be at the top of Mastodon's priority list to fix, right?
And, no, it is not just an older blog post I am referencing. Another software developer, Michael Nordmeyer, also shared similar findings in his 2023 blog post about Mastodon DDoS'ing websites/servers.
Here's another blog post by JWZ talking about the same issue. And, there's also a new blog post by a tinkerer after our article was circulated, discussing the Fediverse DDoS problem.
Let's go through some GitHub issues reported on the same:
- GitHub Issue 1 (Concerns about Mastodon being innocently used as a DDoS tool were reported 6 years ago).
- GitHub Issue 2 (Mastodon sending massive hits to outside websites, Oct, 2023)
- GitHub Issue 3 (Reduce load of preview fetching, Feb, 2023)
And, the issue was added to the milestone for the next release, 4.3.0 (or so I thought):
Unfortunately, now, it appears that the issue has been deprioritized, and moved as a milestone for a future 4.4.0 release.
As things stand now, the 4.4.0 release could take a year or more (who knows?). And, I think that the issue should have been prioritized for a faster fix, not put back to their bucket list of doing things.
Do I sound entitled? Do you think it is wrong for me to talk about this?
Let me tell you why I chose to do this...
It's Mastodon, That's Why!
Mastodon is a free and open-source platform that aims to tackle the big tech, right?
We even list it as one of the best open source social media platforms:
Well, the thing is, the big tech platforms are not impacting our website at the moment. But, Mastodon is...
A bug like this could be impacting several independent sites like ours, causing downtime or amplifying their resource/bandwidth usage for no good reason. And, we are not the only ones:
Just one? Here, I link another user mentioning the same. And, another.
Don't you think as a community-powered, open-source project, it should be possible to attend to a long-standing bug, as serious as this one?
Sure, one can argue that it's not Mastodon's fault. So, why put it that way? I believe, with a platform as big as Mastodon (compared to other federated solutions), someone has to take a lead on fixing this bug.
Moreover, if Mastodon wants to become the modern Twitter (or better), it should resolve fundamental issues like this.
The decentralized social media idea should fix things on the web, and not break the traditional web experience.
Hopefully, Mastodon developers (along with the community) see this and get it sorted out as soon as possible. The only workaround available today is blocking the Mastodon user-agent, which would disable our link previews and make our shared links look like uninformative spam.
💬 What do you think about this? Did you know about this thing with Mastodon? What are your thoughts on this?