To all Mastodon-admins: seems like there's an attack on all instances by troll accounts. Servers get slow because of it.
They use thousands of subdomains of activitypub-troll.cf. My 'pull' queues skyrocketed.

I now blocked the domain activitypub-troll.cf and all is back to normal. Please check if you're hit too.
#mastoadmin #fediblock
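The flood described above (thousands of distinct hosts under one parent domain) is easiest to spot by grouping inbound actors by their parent domain rather than by exact host. This is an added example, not code from the thread or from Mastodon; it runs over a constructed log whose layout (timestamp, verb, path, actor URL) is hypothetical.

```python
import re
from collections import defaultdict
from urllib.parse import urlparse

# Constructed sample lines (hypothetical layout: timestamp, verb, path, actor URL).
SAMPLE_LOG = """\
2022-12-22T10:01:02Z POST /inbox actor=https://a1b2c3.activitypub-troll.cf/users/troll
2022-12-22T10:01:02Z POST /inbox actor=https://d4e5f6.activitypub-troll.cf/users/troll
2022-12-22T10:01:03Z POST /inbox actor=https://g7h8i9.activitypub-troll.cf/users/troll
2022-12-22T10:01:03Z POST /inbox actor=https://j0k1l2.activitypub-troll.cf/users/troll
2022-12-22T10:01:04Z POST /inbox actor=https://mastodon.social/users/alice
2022-12-22T10:01:05Z POST /inbox actor=https://misskey.io/users/bob
2022-12-22T10:01:05Z POST /inbox actor=https://x9y8.misskey-forkbomb.cf/users/bomb
2022-12-22T10:01:06Z POST /inbox actor=https://x9y8.misskey-forkbomb.cf/users/bomb
2022-12-22T10:01:06Z POST /inbox actor=https://z7w6.misskey-forkbomb.cf/users/bomb
"""

ACTOR_RE = re.compile(r"actor=(https?://\S+)")

def parent_domain(host):
    # Naive "last two labels" heuristic; a public-suffix-list lookup would be
    # needed for names like example.co.uk, but the stdlib ships none.
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])

def subdomains_per_parent(log_text):
    """Map each parent domain to the set of distinct hosts seen under it."""
    seen = defaultdict(set)
    for line in log_text.splitlines():
        m = ACTOR_RE.search(line)
        if not m:
            continue
        host = urlparse(m.group(1)).hostname
        if host:
            seen[parent_domain(host)].add(host)
    return seen

def suspicious_parents(log_text, min_distinct_hosts=3):
    """Parents with at least min_distinct_hosts different subdomains, largest first."""
    counts = {p: len(h) for p, h in subdomains_per_parent(log_text).items()}
    flagged = [(p, n) for p, n in counts.items() if n >= min_distinct_hosts]
    return sorted(flagged, key=lambda pn: (-pn[1], pn[0]))

if __name__ == "__main__":
    for parent, n in suspicious_parents(SAMPLE_LOG):
        print(f"{parent}: {n} distinct subdomains -> candidate for a domain block")
```

Lower the threshold for a quieter instance; on real traffic the same grouping applied to the pull-queue job arguments shows which parent domain is inflating the queue.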

@ruud I'm running Misskey so I was targeted. The domains I've seen in the attack are:

*.activitypub-troll.cf *.misskey-forkbomb.cf *.repl.co

@dwarf Oh, I'm also running misskey, but hadn't noticed yet. I'll check those other ones as well, thanks!

@dwarf @ruud Well, I just ended up using a CSV import method that I found for Mastodon to block all domains listed here the troll accounts are using on my end just to be on the safe side.

https://medium.com/@theghostoftomjoad/how-to-block-server-domains-in-mastodon-899b24f8fb6e

@dwarf @ruud Instance blocks do not support wildcards.
Wildcard domain block · Issue #11558 · mastodon/mastodon
@ruario @dwarf @ruud I was in a hurry and told you about Misskey. Sorry.
@ruario @aqz @dwarf @ruud I think they were saying they are not supported on misskey
@dwarf @ruud iirc the misskey-forkbomb also seems to be affecting mastodon.

misskey and foundkey (and probably calckey too) have pushed an update to fix it
@puniko @dwarf @ruud yea, Ck, Fk, Mk, and Mv have it all fixed
@dwarf @ruud oh, repl.co belongs to https://replit.com/. They're a legitimate platform, if you report this to them they'll likely be thankful and ban the spammers on their site too
@daebb @ruud I would've, but they require signing up for their service to report, which I will not do.
@dwarf @ruud I think that’s just for reporting an individual malicious repl/user, but you don’t have that info anyway. They probably just don’t have a procedure for something like this (yet). I’ll ping them on twitter & attach a link to this thread.
Though an email to them with details would probably be helpful.
Misskeyをはじめよう【公式】 (@joinmisskey)

repl.co is a mistake (it seems that an attack server was standing on the subdomain. The instance block configuration does not support wildcards, so it is not necessary to configure it).

RE: **【Security Notice】** **"Forkbomb" vulnerability was found and fixed in Misskey v12.119.1.**

Each instance administrator must update Misskey and add the following instances in the instance block settings:

```
activitypub-troll.cf
misskey-forkbomb.cf
repl.co
```

The joinmisskey instances list does not show instances of vulnerable versions.

@ruud More power to you! Stay strong! 🖖🏼
@ruud
In fact this is a good sign.
Someone is afraid of us!
@Fogomet @ruud -- The more popular Mastodon becomes, the more sophisticated the attacks will get. But the decentralization perhaps will make it easier to deal with such sabotage.
@floh @ruud
Right.
Anyway decentralization is a strong point because it is very difficult to buy Mastodon.
@ruud
Someone is getting scared. That is meaningful.
Mastodon is starting to count.
@ruud
@youronlyone possibly related to this attack (see post I'm replying to)
@vfrmedia
@ruud thank you for keeping us mortals safe from the trolls! Much appreciated!
@eggimt Already blocked and on our public block list for several hours.
@ordnung Next time I will look there first.
@ruud Yo @andybaio (not sure if you’re the toot’min)
@ruud Looks like it’s down (for the moment at least)

@ruud
@Steeph

Looks like they pulled the plug themselves. Could be anything. Wouldn't block for now till it's clear what's going on.

@roelfrenkema @ruud @Steeph I assume this was just a first attempt to undermine the AP protocol. We should think about how we can deal with these kinds of attacks

@ij @roelfrenkema @ruud @Steeph

Like some people already mentioned, AP is email-like enough to end up with same problems (modulo ones that are fixed in email by DKIM, because an equivalent thereof is already here).

@robryk @roelfrenkema @ruud @Steeph Basically I could imagine similar methods like with email spammers, something like rspamd or spamassassin for AP and maybe a DNSBL with some kind of rating where every server can decide how high/low the blocking score is.

If a domain is reported by reputable servers their spam score will get higher, etc...

@ij

The problem I see here is that we will end up being dominated by big and obviously commercial servers and everyone else blocked just like now with your home SMTP server.

@robryk @ruud @Steeph

@roelfrenkema @robryk @ruud @Steeph Therefore it is better that we implement something before the big commercial servers will do that.

When we can come up with a working and fair way of preventing this kind of spam/trolling it is very likely that large commercial servers will use that as well.

@ij @roelfrenkema @robryk @ruud @Steeph in the email world the big servers don't attest for smaller ones, just themselves. But here we could use such attestation by admins to bootstrap trust for new servers. Smaller instance admins would specify whose judgment they trust, and can obviously set local overrides for anybody else's score

@Natanael_L @ij @roelfrenkema @ruud @Steeph

But they do! It's a semi-common practice to send one's outgoing email via e.g. gmail to circumvent issues where either your ISP doesn't want you to open connections to SMTP, or if your target doesn't even want to listen to you over SMTP.

@robryk @ij @roelfrenkema @ruud @Steeph yeah, but using another server as a relay adds load for them

@Natanael_L

That's why most providers offer relay. Fact is it's all in corporate hands or blocked by clearinghouses. Freedom on the internet has died a long time ago.

@robryk @ij @ruud @Steeph

@Natanael_L

Have been thinking about it and it seems to me that the only thing to guarantee survival and freedom of smaller servers is a cap on the growth of larger servers.

@robryk @ij @ruud @Steeph

@roelfrenkema Then the question is: what is a reasonable max size for an instance?

According to a recent poll between my users, most voters would like to see a limit of 20-50k per instance, some see the limit at 100k.

In fact I also see that instances shouldn't grow that big. Therefore I've written a small script to close registration when the limit is reached:

https://codeberg.org/Windfluechter/check_mastodon.sh

@Natanael_L @robryk @ruud @Steeph


@ij

Well I favor small instances. Like family, neighborhoods, schools, open non-profit organisations, closed for all others like government and commercial organisations etc. I hope we can limit oppressive influence that way without setting a cap on the amount of users. Any commercial server that runs a mastodon server on commercials to facilitate users should be defederated on sight.

@Natanael_L @robryk @ruud @Steeph

@roelfrenkema What do you mean with "commercial"? Is a service that is paid by the users already commercial? That would mean digitalcourage.social would be defederated as they take €1.-/month from their users and I think that is a viable model for operation.

But I agree: servers that blast out commercials (spam) should be defederated. But this is another story than preventing too-big-to-fail servers

@Natanael_L @robryk @ruud @Steeph

@ij

I don't think 1€ month can be called commercial. Anyway my first thought is a server set up maybe even integrated by f.i. Microsoft or Google or one that indeed blasts its users with 'free access' but showing commercials in the sidebar or God forbid selling userdata.

@Natanael_L @robryk @ruud @Steeph

@roelfrenkema @ij @Natanael_L @ruud @Steeph

You mean that 1€ is too little or too much for it to be considered commercial? The rest of your comment suggests that instances operated by for-profit entities that charge _too little_ are likely to match your intuitive meaning of commercial.

@robryk

1€ a month can hardly be considered for profit. You would need quite some users before you break even. Profit does not start until that point. But I think that's not the problem ahead. I fear the 'sponsors'. In my proposal f.i. a nike.social should be considered a corporate server that should be closed for subscription.

@ij @Natanael_L @ruud @Steeph

@roelfrenkema @ij @Natanael_L @ruud @Steeph

So we should be distrustful of instances being operated by for-profit entities (which host users other than representation of that entity) in general, right?

I wonder whether them requiring (non-token?) payment from users should be counted in their benefit: on one hand, this means that there is a business model for them that doesn't rely on deception; on the other, it incentivizes them to acquire more users (because their profit scales with usercount) by means that are potentially harmful for the environment.

@robryk

Exactly. That's why I favor small instances. They are less likely to gain such power that they become harmful.

@ij @Natanael_L @ruud @Steeph

@ij

That's always good but let's not get paranoid shall we. Accidents happen too. Though the domain name does spell trouble. 🤣🤣🤣

@ruud @Steeph

@ruud
Put it in the filters? (Severely tech-challenged. 🥴)
@ruud I had a really quiet morning with mstdn.social not responding. It seems normal now.
@ruud @skiant huh did they start like. 6h ago or so? Because if so cool my monitoring works
@ruud @skiant i shouldn’t be excited about a ddos attempt but it sure is fun to write some monitoring stuff and IMMEDIATELY an interesting event happens that clearly shows up
@ruud cc: @woozle you might want to check this beep

@sozou @ruud
Our queue looks fine. It probably helps that I doubled our capacity when the Twitterfall started :D

Thanks for the heads-up. ^.^

[edit: I also went ahead and fedi-blocked troll.cf, because I did see a bunch of remote account connections and one spam report.]

@fribygda

I guess you saw this

@ruud

@Mizmar thanks, I'll preemptively block the domain