πŸŽ“ Dr. Freemo :jpf: πŸ‡³πŸ‡±

@mkljczk@mstdn.io

On the one hand its Gargrons right to allow whatever services he wants to access his API. This is no different than blocking a fediverse server. That said I think its unfair to call this a DDOS or even a misuse of the API.. In fact I'd say this is the very purpose of an activity pub endpoint, so anyone can access the data and interoperate with the server as they see fit.

@xorowl@mastodon.technology @jimpjorps @Gargron

1+
Eugen Rochko

@freemo @mkljczk @xorowl @jimpjorps It's DDoS when their software is coded in such a way that many IPs hit the same endpoints over and over in frequent fashion when they could simply cache the results

1
πŸŽ“ Dr. Freemo :jpf: πŸ‡³πŸ‡±

@Gargron

Fair, if a single client is hitting it excessively then it should be cached and isnt good etiquette for sure. Not quite sure I'd call it a DDoS but still, its bad design.

@mkljczk@mstdn.io @xorowl@mastodon.technology @jimpjorps

1
Eugen Rochko

@freemo @mkljczk @xorowl @jimpjorps Again, it's distributed DoS because they release this software (a game mod) to end-users whose IPs are the ones hitting the endpoints. As far as I understand, anyway. I'm currently analyzing the log files to find out how many unique IPs the requests are coming from.

1+
RysiekΓΊr (old account)

@Gargron @freemo @mkljczk @xorowl @jimpjorps or, put differently:

Is it distributed? Yes.

Does it potentially lead to denial of service (through resource exhastion)? Yes.

Sounds about right.

1
πŸŽ“ Dr. Freemo :jpf: πŸ‡³πŸ‡±

@rysiek

I cant speak to Gargron's setup but I think most setups would be able to handle 3400 RPM on the outbox without even batting an eye.

Also by that logic if too many people start using mastodon clients on their phone or desktop then that is a DDoS since enough of them are distributed and would lead to resource depletion.

@Gargron @mkljczk@mstdn.io @xorowl@mastodon.technology @jimpjorps

1+
Two Teks in a trench coat

@freemo @rysiek @Gargron @mkljczk @xorowl @jimpjorps According to github.com/citizenfx/fivem/pul it was 4,000 requests *per second*. That would make most instances cry.

1
Eugen Rochko

@tek @freemo @rysiek @mkljczk @xorowl @jimpjorps Sorry, that's one zero too many from me. 400 req/s. Corrected.

1
Two Teks in a trench coat

@Gargron @freemo @rysiek @mkljczk @xorowl @jimpjorps Ah, OK. That's still nontrivial.

1
πŸŽ“ Dr. Freemo :jpf: πŸ‡³πŸ‡±

@tek

then I misread it, that is on the high side.. though depends how many users were doing it. I would imagine mastodon clients in general produce more requests per second than that collectively but we wouldnt call those a DDoS... I dunno we are arguing semantics though, does it even matter what we call it?

@Gargron @rysiek @mkljczk@mstdn.io @xorowl@mastodon.technology @jimpjorps

1+
Eugen Rochko

@freemo @tek @rysiek @mkljczk @xorowl @jimpjorps For comparison, average mastodon.social traffic is 200 req/s. I don't think it matters what we call it though. In my view it's a denial-of-service when it impacts performance due to unintended use, though maybe you could expand that to intended use as well. While the individual endpoints are intended to be used, it is the frequency with which they are retrieved that is unintended.

1+
πŸŽ“ Dr. Freemo :jpf: πŸ‡³πŸ‡±
Follow

@Gargron

Agreed. It seems to me this is just a poor implementation that is "rude" and pings the endpoint **way** too much and they were too lazy (or didnt know enough) to add the appropriate caching. Call that what you will, it isnt important. But either way they made a error.

@tek @rysiek @mkljczk@mstdn.io @xorowl@mastodon.technology @jimpjorps

Β· Β· 0 Β· 0 Β· 2
Sign in to participate in the conversation
Qoto Mastodon

QOTO: Question Others to Teach Ourselves
An inclusive, Academic Freedom, instance
All cultures welcome.
Hate speech and harassment strictly forbidden.

Trending now

Resources

Developers

What is Mastodon?

qoto.org

More…