EDIT: TBC, here’s the current message seen when refreshing a PF stream:


“Piefed.social is having a denial of service attack. They are being kept at bay for now but could return with a more effective method. Download your community subscriptions so if you need to move to another server it’ll be painless - with a few clicks you’ll be seeing all the same content as before. See list of alternate servers at here or here.”


Possible causes?

  • Fellow instance that got PO’d somehow? (seems like a major stretch)
  • Just random hackers havin’ fun?
  • Reddit or similar, targeting one of the top growing instance softwares in ActivityPub / FV? EDIT2: the timing certainly seems to fit for the recent influx of users coming from Reddit. (see comments)
  • Some right-wing entity, not happy about the general rational / left bias to the instance?
  • Other…?

In any case, much thanks to our instance runner and dev for fending off the first wave(!) Hope everything is backed up and possible to be restored if the worst happens.

(seriously, what a shitty way to be repaid for doing a great, ongoing job for the community and FOSS)

  • wjs018@piefed.wjs018.xyz · English · ↑ 46 · 2 days ago

    Just an update on this front, server load is stable right now as I type this after rimu did some stuff on the server to help. It’s pretty clear this was a DDOS and not a rogue AI scraper because it was hitting the same url many times a second instead of crawling tons of urls like a scraper bot would.

    We’ll keep an eye on things. Thanks for your patience.

    • snowe@programming.dev · ↑ 8 · 2 days ago

      AI bots will sometimes get stuck requesting the same URL over and over again for no reason. Make sure you check the user agent of the requests.
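
Added example, not written by any commenter and not PieFed's own code: the check the two comments above describe, run over access-log lines. It reports, per user agent, the peak hits on one URL within one second, how many source IPs were involved, and whether the traffic looks like a single-URL flood or a crawl. The nginx "combined" log layout, the thresholds, and every IP and user-agent string are assumptions constructed for the example.

```python
import re
from collections import Counter, defaultdict

LINE_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "\S+ (?P<path>\S+) [^"]*" '
    r'\d{3} \S+ "[^"]*" "(?P<ua>[^"]*)"'
)

def _line(ip, sec, path, ua):
    # Build one constructed access-log line (nginx "combined" layout).
    return (f'{ip} - - [01/Jan/2025:12:00:{sec:02d} +0000] '
            f'"GET {path} HTTP/1.1" 200 512 "-" "{ua}"')

# Constructed sample traffic; IPs are documentation ranges, UAs are made up.
SAMPLE_LOG = "\n".join(
    [_line(f"203.0.113.{i}", 1, "/post/123", "FloodUA/0") for i in range(6)]
    + [_line("198.51.100.7", 2 * i, f"/c/news?page={i}", "ExampleBot/1.0")
       for i in range(6)]
    + [_line("192.0.2.10", 5, "/", "Browser/1"),
       _line("192.0.2.10", 9, "/post/123", "Browser/1")]
)

def classify(log_text, burst=5, crawl_ratio=0.8, min_requests=5):
    """Label each user agent as 'flood', 'crawl' or 'normal'.

    flood: one URL requested >= burst times within a single second.
    crawl: >= min_requests requests, mostly to distinct URLs.
    Thresholds are illustrative assumptions, not tuned values.
    """
    per_ua = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:  # skip lines that do not parse
            per_ua[m["ua"]].append((m["ip"], m["ts"], m["path"]))
    report = {}
    for ua, hits in per_ua.items():
        buckets = Counter((ts, path) for _, ts, path in hits)
        (_, hot_path), peak = buckets.most_common(1)[0]
        unique_ratio = len({p for _, _, p in hits}) / len(hits)
        if peak >= burst:
            label = "flood"
        elif len(hits) >= min_requests and unique_ratio >= crawl_ratio:
            label = "crawl"
        else:
            label = "normal"
        report[ua] = {"label": label, "peak_per_sec": peak,
                      "hot_path": hot_path, "requests": len(hits),
                      "sources": len({ip for ip, _, _ in hits})}
    return report
```

A stuck bot and a flood both score as "flood" on rate alone, so the user agent and the `sources` count in each row are what separate one misbehaving client from many hosts hitting the same URL.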

        • Skavau@piefed.social · English · ↑ 12 · 2 days ago

          In television@piefed.social

          I was discussing/debating with a user. Suddenly he thought I blocked him as he couldn’t reply (I assume) and he reported me to myself and started changing all of his comments to "skavau is a clown", despite me telling him I had not blocked him.

          He was a local account so I yeeted him, shortly after Piefed goes down.

    • wjs018@piefed.social · English · ↑ 24 · 2 days ago

      I realized that I replied from the wrong browser tab. I can confirm that this is not some impersonator wjs018 🕵️

      • wjs018@piefed.social · English · ↑ 7 · 2 days ago

        It’s a good question…for rimu. I have ssh access to do things like restart the server or roll out a critical bugfix or something like that, but my sysadmin skills are not the best.

        • Tuuktuuk@anarchist.nexus · English · ↑ 3 · 2 days ago

          All you need is to have the IP addresses. If you can extract them, then the rest can be done by saying whois ip.ad.re.ss (where you put some numbers between 0 and 255 instead of ip, ad, re and ss.)

          • hendrik@palaver.p3x.de · English · ↑ 3 · 2 days ago (edited)

            A whois will likely not do much. It’ll turn out to be some large ISP, which rents out virtual servers and all kinds of stuff to private people, companies and VPN providers. And that’s regularly how far you’ll get, a name of a large company. And you can then decide if it’s worth to take someone to court, somewhere abroad… (But sometimes an email to their abuse contact helps a bit. Judging by my experience they won’t ever answer. But sometimes it’ll miraculously stop. And most of the time nobody cares about a single complaint.)

              • hendrik@palaver.p3x.de · English · ↑ 2 · 2 days ago (edited)

                Well, I guess if they’re still online and do silly stuff, like not use a VPN, not have a Firewall installed on their computer… Or they re-use the VPS which also has their personal blog on it… There would be ways to do something. But that’s all very unlikely.

                I mean the whois is a good idea. Admins will usually want to know what they’re dealing with, and where it’s coming from. But the rest of the steps really depend on how bored an admin is. The best course of action regularly is to block it and move on. There’s so much bad stuff hammering the average webserver anyway. Launching a counterattack is a bit illegal, so that might not be an option. And if some admin has a few hours to pass until it’s 5pm and time to head home, or do it as a hobby and have time to spare they might investigate. I’ve found some hacked servers that way, wrote a few emails. But in practice, 99% of the time there isn’t anything to accomplish.