Email or username:

Password:

Forgot your password?
Top-level
Andres Jalinton

@nemobis
Great work!
I'm also trying to help the :fediverse: announcing a weak point on the way the user actions are handled and notified to the origin instance:
hardcoredevs.com/fediverse-int
So far without any luck.

5 comments
Nemo_bis 🌈

@Andres Interesting. I don't know how heavy these actions are in practice. I also filed a report about a specific case of inefficient federation, it's about user deletions: github.com/mastodon/mastodon/i

Andres Jalinton

@nemobis
Nice!
The interactions are not heavy at all, but those can be unlimited in amount, due to the lack of any rate-limit.
I imagine a 1 person DDoS is possible from a big instance to a smaller one.

Nemo_bis 🌈

@Andres Yes, Aral famously is one such big user able to melt other people's instances. ;) ar.al/2022/11/09/is-the-fedive

However I think the far worse problem is that by default Mastodon doesn't control at all whether ActivityPub requests are coming from a "real" ActivityPub server/user, so I believe it's still easy to produce a spam wave like github.com/mastodon/mastodon/i .

Andres Jalinton

@nemobis
Thanks for the link to Aral's article!
Yes I have been thinking about exactly that an how a potential millions-of-followers user back in Threads would kill any instance.

Go Up