Please don't share our links on Mastodon

https://news.itsfoss.com/mastodon-link-problem/

So, Mastodon is a nice escape from the big tech social media platforms.

Whether it is about ignoring Elon Musk's mood swings on X (or formerly Twitter) or refusing to be a part of Mark Zuckerberg's data points, Mastodon has proved to be an impressive open-source social media platform.

While it is privacy-friendly, and lets users take control of their data, the platform is not perfect.

Nothing is, unless you are arrogant enough to think of it that way.

What's the problem I am referring to here? Is it a feature that I'm missing, or the user experience?

Unfortunately, I am not complaining about either. There is always room for improvements, but I am not talking about that here.

I am talking about Mastodon's ability to DDoS a website 💣 And, our sites, It's FOSS News, and It's FOSS, are some of the sites being affected by the issue.


Don't get me wrong: Mastodon is not doing this knowingly. The problem occurs because of federation. But, they have been aware of this concern for a long time now, and it hasn't seen a meaningful fix. Moreover, there is no expected date for a fix on that, which is concerning 😕

Care to Explain? Sure!

When you share a link on Mastodon, a link preview is generated for it, right?

With Mastodon being a federated platform (a part of the Fediverse), the request to generate a link preview is not made by just one Mastodon instance. Many instances connected to it also initiate requests for the content almost immediately.

And, this "fediverse effect" increases the load on the website's server in a big way.

Sure, some websites may not get overwhelmed by the requests, but Mastodon does generate numerous hits, increasing the load on the server, especially if the link reaches a profile with more followers (and a broader network of instances).
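To check whether a slowdown lines up with this kind of preview-fetch burst, a site operator can look for many distinct instances requesting the same URL within seconds. The following is an added example, not code from the original article or from Mastodon; it assumes combined-format access logs and Mastodon's `Mastodon/<version>; +https://<instance>/` user-agent token, and the hostnames, IPs, sizes and thresholds are constructed.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Combined Log Format, the nginx/Apache default (assumed for this example).
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "\S+ (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<bytes>\d+|-) "[^"]*" "(?P<ua>[^"]*)"'
)
# Mastodon's fetcher sends e.g. "http.rb/5.1.1 (Mastodon/4.2.8; +https://host/)".
FEDI_UA_RE = re.compile(r'\(Mastodon/[^;]+; \+https?://(?P<instance>[^/)\s]+)')

def parse(line):
    """Return a dict for one log line, or None if it is not combined format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ua = FEDI_UA_RE.search(m['ua'])
    return {
        'ts': datetime.strptime(m['ts'], '%d/%b/%Y:%H:%M:%S %z'),
        'path': m['path'],
        'status': int(m['status']),
        'bytes': 0 if m['bytes'] == '-' else int(m['bytes']),
        'instance': ua['instance'].lower() if ua else None,
    }

def find_stampedes(lines, window=timedelta(seconds=60), min_instances=5):
    """Per path, report the densest window of fetches from distinct instances."""
    by_path = defaultdict(list)
    for line in lines:
        rec = parse(line)
        if rec and rec['instance']:          # keep only federated fetchers
            by_path[rec['path']].append(rec)

    findings = []
    for path, recs in by_path.items():
        recs.sort(key=lambda r: r['ts'])
        best, start = None, 0
        for end in range(len(recs)):
            while recs[end]['ts'] - recs[start]['ts'] > window:
                start += 1                   # slide the window forward
            burst = recs[start:end + 1]
            instances = {r['instance'] for r in burst}
            if len(instances) >= min_instances and (
                    best is None or len(instances) > best['instances']):
                best = {
                    'path': path,
                    'first_seen': burst[0]['ts'],
                    'instances': len(instances),
                    'requests': len(burst),
                    'bytes': sum(r['bytes'] for r in burst),
                    'errors': sum(r['status'] >= 500 for r in burst),
                }
        if best:
            findings.append(best)
    return sorted(findings, key=lambda f: f['instances'], reverse=True)

# Constructed sample: seven instances hit one article in seven seconds and the
# origin starts answering 504; a browser hit and a late fetch are not a burst.
SAMPLE = [
    f'203.0.113.{i} - - [02/May/2024:18:05:{20 + i:02d} +0000] '
    f'"GET /mastodon-link-problem/ HTTP/1.1" {504 if i > 4 else 200} '
    f'{0 if i > 4 else 48211} "-" '
    f'"http.rb/5.1.1 (Mastodon/4.2.8; +https://fedi-{i}.example/)"'
    for i in range(1, 8)
] + [
    '198.51.100.7 - - [02/May/2024:18:05:24 +0000] "GET /mastodon-link-problem/ '
    'HTTP/1.1" 200 48211 "-" "Mozilla/5.0 (X11; Linux x86_64) Firefox/125.0"',
    '203.0.113.8 - - [02/May/2024:18:20:00 +0000] "GET /mastodon-link-problem/ '
    'HTTP/1.1" 200 48211 "-" "http.rb/5.1.1 (Mastodon/4.2.8; +https://fedi-8.example/)"',
]

if __name__ == '__main__':
    for finding in find_stampedes(SAMPLE):
        print(finding)
```

The `errors` count shows how many of the burst's own requests the origin failed, which is the signal to compare against uptime-monitor alerts for the same minute.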

UPDATE: The website uses Cloudflare proxy presently, and still gets impacted when we share something on Mastodon.

I should clarify that our server handles plenty of requests when a post goes viral through Google News/Reddit or other platforms. However, it is only when we share it on Mastodon that we notice immediate downtime.

I believe we have 15k followers, and that gives us a decent reach.

And, as a result, we are affected for a couple of minutes a day: readers encounter a 504 Gateway Timeout error, or the webpage is unresponsive for a few seconds, whenever a link is shared on (primarily) the mastodon.social instance.

[Image: itsfoss timeout errors]

Furthermore, when a user with a huge following list or having connections to a bigger network of instances boosts that post, the request to the site is amplified again, as explained by Chris Partridge, a security engineer.


It does not affect us when you (readers) with fewer followers share our links. But, when we share our articles on our profile, it impacts our server resources immediately for a couple of minutes.

One of our readers notified us about this Fediverse effect originally, before we investigated the root cause:

And, it turns out, the downtimes, the majority of them caused by this issue, look like this:

[Image: itsfoss downtime stats]

And, such an effect increases the frequency of downtimes, affecting our availability times:

[Image: itsfoss news downtime stats]

Maybe you can also reproduce this issue if you have a higher follower count.

We tried it on our Mastodon profile, and every time we shared a link, we were able to successfully make our website unresponsive or slow to load 😲

Presently, we use Cloudflare as our CDN or WAF, as it is a widely adopted solution.

But, what if we switch to a separate CDN provider, which would cost us for the resources being served? Do you think any web server should pay for extra resources being served for no reason? Wouldn't they want it to be blocked or fixed?

Quoting Chris Partridge's older findings, he mentioned:

However, I got a bit of a nasty surprise when I looked into how much traffic this had consumed - a single roughly ~3KB POST to Mastodon caused servers to pull a bit of HTML and… fuck, an image. In total, 114.7 MB of data was requested from my site in just under five minutes - making for a traffic amplification of 36704:1.

An amplified resource request like this should be at the top of the priority list for Mastodon to fix, right?

And, no, it is not just an older blog post I am referencing. Another software developer, Michael Nordmeyer, also shared similar findings in his blog post about Mastodon DDoS'ing websites/servers in 2023.

On Mastodon DDoS’ing Sites (Michael Nordmeyer): Mastodon link previews can lead to excessive requests at the same time, which is not Mastodon’s fault.

Here's another blog post by JWZ talking about the same issue. And, there's also a new blog post by a tinkerer after our article was circulated, discussing the Fediverse DDoS problem.

Let's go through some GitHub issues reported on the same:

  • GitHub Issue 1 (Concerns about Mastodon being innocently used as a DDoS tool were reported 6 years ago).
  • GitHub Issue 2 (Mastodon sending massive hits to outside websites, Oct, 2023)
  • GitHub Issue 3 (Reduce load of preview fetching, Feb, 2023)

And, the issue listed was added to their milestone for the next upcoming release, 4.3.0 (or so I thought):

[Image: mastodon ddos issue milestone added]

Unfortunately, now, it appears that the issue has been deprioritized, and moved as a milestone for a future 4.4.0 release.

[Image: mastodon milestone 4.4.0]

As things stand now, the 4.4.0 release could take a year or more (who knows?). And, I think that the issue should have been prioritized for a faster fix, not put back on their bucket list of things to do.

Do I sound entitled? Do you think it is wrong for me to talk about this?

Let me tell you why I chose to do this...

It's Mastodon, That's Why!

Mastodon is a free and open-source platform that aims to tackle the big tech, right?

We even list it as one of the best open source social media platforms:

11 Decentralized, Open Source Alternative Social Media Platforms (It's FOSS, Abhishek Prakash): Tired of Big Tech prying on your data and invading your privacy? Here are some open source, decentralized alternate social platforms.

Well, the thing is — the big tech platforms are not impacting our website at the moment. But, Mastodon is...

A bug like this could be impacting several independent sites like us with downtimes or amplifying their resource/bandwidth usage for no good reason. And, we are not the only ones:

[Image: mastodon ddos complaint by stux]

Just one? Here, I link another user mentioning the same. And, another.

Don't you think as a community-powered, open-source project, it should be possible to attend to a long-standing bug, as serious as this one?

Sure, one can argue that it's not Mastodon's fault. So, why put it that way? I believe, with a platform as big as Mastodon (compared to other federated solutions), someone has to take a lead on fixing this bug.

Moreover, if Mastodon wants to become the modern Twitter (or better), it should resolve fundamental issues like this.

The decentralized social media idea should fix things on the web, and not break the traditional web experience.

Hopefully, Mastodon developers see this (along with the community), and get this sorted out as soon as possible. The current solution includes blocking Mastodon as a user-agent, which would disable our link previews, making our shared links look like spam and uninformative.

💬 What do you think about this? Did you know about this thing with Mastodon? What are your thoughts on this?

{
"author": "Ankush Das",
"date": "2024-05-02T18:05:18.000Z",
"description": "We need to talk about this problem. Should Mastodon step up?",
"image": "https://news.itsfoss.com/content/images/2024/05/dont-share-link-in-mastodon.png",
"logo": "https://logo.clearbit.com/itsfoss.com",
"publisher": "It's FOSS",
"title": "Please Don’t Share Our Links on Mastodon: Here’s Why!",
"url": "https://news.itsfoss.com/mastodon-link-problem/"
}