Ryan Barrett
Follow

Interesting unintended consequence of federation: when you post a link, >1k mastodon nodes all fetch it at the same time to render a link preview, which results in a small DDoS.

· Web · 0 · 1 · 6
neekz0r  

@snarfed oh snap, that would mean it can be used as an amplifcation attack.

nice find! But also troubling for the internets at large.

@ashfurrow thoughts?

0
Ash Furrow 🏳️‍🌈  

@neekz0r @snarfed huh! That’s really interesting – and a bit troubling.

0
neekz0r  

@ashfurrow @snarfed One of the ways I think that could prevent it would be to pass the link preview along with the link. That way only one server fetches.

0
Ash Furrow 🏳️‍🌈  

@neekz0r @snarfed there’s a vulnerability there, though: how does the receiving server know the link preview it got is correct? Malicious instances could modify it, or maybe the link preview could have changed since the lag fetch.

0
neekz0r  

@ashfurrow @snarfed I would argue a malicious instance can do that anyway; or outright rewrite the link to a phishing site regardless of the link preview showing up or not.

0
Ash Furrow 🏳️‍🌈  

@neekz0r @snarfed When federating toots, Mastodon always goes back to verify the toot contents with the source instance for this exact reason.

0
Sign in to participate in the conversation
Mastodon for Tech Folks

This Mastodon instance is for people interested in technology. Discussions aren't limited to technology, because tech folks shouldn't be limited to technology either! We adhere to an adapted version of the TootCat Code of Conduct and have documented a list of blocked instances. Ash is the admin and is supported by Fuzzface, Brian!, and Daniel Glus as moderators. Hosting costs are largely covered by our generous supporters on Patreon – thanks for all the help!

Resources

Developers

What is Mastodon?

mastodon.technology

More…