Interesting unintended consequence of federation: when you post a link, >1k Mastodon nodes all fetch it at the same time to render a link preview, which results in a small DDoS.
@snarfed oh snap, that would mean it can be used as an amplification attack.
Nice find! But also troubling for the internets at large.
@neekz0r @snarfed huh! That’s really interesting – and a bit troubling.
@ashfurrow @snarfed One of the ways I think that could prevent it would be to pass the link preview along with the link. That way only one server fetches.
@neekz0r @snarfed there’s a vulnerability there, though: how does the receiving server know the link preview it got is correct? Malicious instances could modify it, or maybe the link preview could have changed since the last fetch.
@ashfurrow @snarfed I would argue a malicious instance can do that anyway; or outright rewrite the link to a phishing site regardless of the link preview showing up or not.
@neekz0r @snarfed When federating toots, Mastodon always goes back to verify the toot contents with the source instance for this exact reason.