Ryan Barrett
Follow

Interesting unintended consequence of federation: when you post a link, >1k mastodon nodes all fetch it at the same time to render a link preview, which results in a small DDoS.

· Web · 0 · 1 · 6
neekz0r  

@snarfed oh snap, that would mean it can be used as an amplifcation attack.

nice find! But also troubling for the internets at large.

@ashfurrow thoughts?

0
Ash Furrow :honk:  

@neekz0r @snarfed huh! That’s really interesting – and a bit troubling.

0
neekz0r  

@ashfurrow @snarfed One of the ways I think that could prevent it would be to pass the link preview along with the link. That way only one server fetches.

0
Ash Furrow :honk:  

@neekz0r @snarfed there’s a vulnerability there, though: how does the receiving server know the link preview it got is correct? Malicious instances could modify it, or maybe the link preview could have changed since the lag fetch.

0
neekz0r  

@ashfurrow @snarfed I would argue a malicious instance can do that anyway; or outright rewrite the link to a phishing site regardless of the link preview showing up or not.

0
Ash Furrow :honk:  

@neekz0r @snarfed When federating toots, Mastodon always goes back to verify the toot contents with the source instance for this exact reason.

0
Sign in to participate in the conversation
Mastodon for Tech Folks

The social network of the future: No ads, no corporate surveillance, ethical design, and decentralization! Own your data with Mastodon!

Trending now

Resources

Developers

What is Mastodon?

mastodon.technology

More…