Ryan Barrett
Follow

Interesting unintended consequence of federation: when you post a link, >1k mastodon nodes all fetch it at the same time to render a link preview, which results in a small DDoS.

· Web · 0 · 1 · 6
neekz0r  

@snarfed oh snap, that would mean it can be used as an amplifcation attack.

nice find! But also troubling for the internets at large.

@ashfurrow thoughts?

0
Autumnal Ash  

@neekz0r @snarfed huh! That’s really interesting – and a bit troubling.

0
neekz0r  

@ashfurrow @snarfed One of the ways I think that could prevent it would be to pass the link preview along with the link. That way only one server fetches.

0
Autumnal Ash  

@neekz0r @snarfed there’s a vulnerability there, though: how does the receiving server know the link preview it got is correct? Malicious instances could modify it, or maybe the link preview could have changed since the lag fetch.

0
neekz0r  

@ashfurrow @snarfed I would argue a malicious instance can do that anyway; or outright rewrite the link to a phishing site regardless of the link preview showing up or not.

0
Autumnal Ash  

@neekz0r @snarfed When federating toots, Mastodon always goes back to verify the toot contents with the source instance for this exact reason.

0
Sign in to participate in the conversation
Mastodon for Tech Folks

This Mastodon instance is for people interested in technology. Discussions aren't limited to technology, because tech folks shouldn't be limited to technology either!

Resources

Developers

What is Mastodon?

mastodon.technology

More…