
There seems to be a GTA 5 game mod, or something, that seems to make HTTP requests directly to mastodon.social, with insane frequency. Intentional or not, it's basically a DDoS. The requests used to come with HTTP referrer "nui-game-internal" but I just found they switched their user agent to mask as a browser.

The accounts it makes requests to are gtaliferp, gungame, arabepic, royalcity, and a bunch of others but in a similar vein... GTA or roleplay-related. Peculiarly, it's not making REST API requests, it's going straight to the ActivityPub outbox and, for some reason, WebFinger.

@Gargron @mkljczk I like how it's somehow your responsibility to do a bunch of sleuthing and ask them nicely to knock it off instead of theirs not to misuse it

@mkljczk

On the one hand it's Gargron's right to allow whatever services he wants to access his API. This is no different than blocking a fediverse server. That said, I think it's unfair to call this a DDoS or even a misuse of the API. In fact I'd say this is the very purpose of an ActivityPub endpoint, so anyone can access the data and interoperate with the server as they see fit.

@xorowl @jimpjorps @Gargron

@freemo @mkljczk @xorowl @jimpjorps It's DDoS when their software is coded in such a way that many IPs hit the same endpoints over and over in frequent fashion when they could simply cache the results

@Gargron

Fair, if a single client is hitting it excessively then it should be cached and isn't good etiquette for sure. Not quite sure I'd call it a DDoS but still, it's bad design.

@mkljczk @xorowl @jimpjorps

@freemo @mkljczk @xorowl @jimpjorps Again, it's distributed DoS because they release this software (a game mod) to end-users whose IPs are the ones hitting the endpoints. As far as I understand, anyway. I'm currently analyzing the log files to find out how many unique IPs the requests are coming from.
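Gargron mentions counting unique IPs in the log files, and later in the thread blocking by referrer and user agent. As an added example (not code from the thread or from Mastodon), here is a Python pass over constructed nginx combined-format access-log lines that flags the mod's traffic either by the "nui-game-internal" referrer or by outbox/WebFinger hits on the accounts named above, and reports unique client IPs and peak requests per minute; the IPs, timestamps and the "ExampleMod/1.0" user agent are made up.

```python
import re
from collections import Counter
from datetime import datetime
from urllib.parse import unquote

# Constructed nginx combined-format lines (made-up IPs, times and user agents).
SAMPLE_LOG = """\
203.0.113.10 - - [10/Jan/2023:12:00:01 +0000] "GET /users/gtaliferp/outbox HTTP/1.1" 200 5120 "nui-game-internal" "ExampleMod/1.0"
203.0.113.10 - - [10/Jan/2023:12:00:03 +0000] "GET /.well-known/webfinger?resource=acct%3Agtaliferp%40mastodon.social HTTP/1.1" 200 412 "nui-game-internal" "ExampleMod/1.0"
198.51.100.7 - - [10/Jan/2023:12:00:05 +0000] "GET /users/gungame/outbox HTTP/1.1" 200 4870 "-" "Mozilla/5.0 (Windows NT 10.0) Chrome/110.0"
198.51.100.7 - - [10/Jan/2023:12:00:35 +0000] "GET /users/gungame/outbox HTTP/1.1" 200 4870 "-" "Mozilla/5.0 (Windows NT 10.0) Chrome/110.0"
192.0.2.44 - - [10/Jan/2023:12:00:40 +0000] "GET /users/royalcity/outbox HTTP/1.1" 200 3990 "nui-game-internal" "ExampleMod/1.0"
192.0.2.99 - alice [10/Jan/2023:12:00:50 +0000] "GET /api/v1/timelines/home HTTP/1.1" 200 9000 "https://mastodon.social/" "Mozilla/5.0 Firefox/109.0"
198.51.100.7 - - [10/Jan/2023:12:01:05 +0000] "GET /users/gungame/outbox HTTP/1.1" 200 4870 "-" "Mozilla/5.0 (Windows NT 10.0) Chrome/110.0"
"""
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "\S+ (?P<path>\S+) [^"]*" '
                    r'\d{3} \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$')
# ActivityPub outbox and WebFinger routes, the two the thread says the mod hits.
AP_ROUTES = (re.compile(r"^/users/([^/?]+)/outbox/?$"),
             re.compile(r"^/\.well-known/webfinger\?resource=acct:([^@&]+)@"))
WATCHED_ACCOUNTS = {"gtaliferp", "gungame", "arabepic", "royalcity"}  # named in the thread
MOD_REFERER = "nui-game-internal"  # referrer the mod sent before masking as a browser

def parse_log(text):
    """Parse combined-format lines into dicts with a datetime; unmatched lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            e = m.groupdict()
            e["ts"] = datetime.strptime(e["ts"], "%d/%b/%Y:%H:%M:%S %z")
            entries.append(e)
    return entries

def ap_account(path):
    """Account name if the path is an outbox or WebFinger lookup, else None."""
    hits = [m.group(1) for m in (rx.match(unquote(path)) for rx in AP_ROUTES) if m]
    return hits[0] if hits else None

def is_mod_traffic(e):
    """Old referrer, or AP routes for watched accounts (still matches after the UA switch)."""
    return e["referer"] == MOD_REFERER or ap_account(e["path"]) in WATCHED_ACCOUNTS

def summarize(entries):
    """Unique client IPs, peak requests per minute and top paths for the flagged traffic."""
    flagged = [e for e in entries if is_mod_traffic(e)]
    per_minute = Counter(e["ts"].strftime("%Y-%m-%d %H:%M") for e in flagged)
    return {"requests": len(flagged),
            "unique_ips": len({e["ip"] for e in flagged}),
            "peak_rpm": max(per_minute.values(), default=0),
            "top_paths": Counter(e["path"] for e in flagged).most_common(3)}
```

Pointing `parse_log` at a real access log and feeding the result to `summarize` gives the unique-IP count and the per-minute rate that decide whether the traffic is a few noisy hosts or many players' IPs.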

@Gargron

Honestly you don't have to justify yourself to me. I don't think your decision was bad per se. Just criticizing the harsh language which didn't seem fitting to me. Even if we agreed it isn't a DDoS you'd be justified in blocking them, all good.

@mkljczk @xorowl @jimpjorps

@Gargron @freemo @xorowl @jimpjorps it's for the 'community tab' like this and the requests are done client-side, custom server owners using FiveM can select an AP account they want to use

@Gargron @freemo @xorowl @jimpjorps I guess server-side caching of this stuff would not be that hard

@mkljczk

Looks like the only real "crime" here is they didn't implement reasonable caching.

@Gargron @xorowl @jimpjorps

@mkljczk @Gargron @freemo @xorowl @jimpjorps

So they added a community forum by giving everyone mastodon.social accounts?

Ha. 😃

How rude.

Without even asking.

That's a run-your-own-fediverse-server situation there for sure.

The cheek of it.

@Gargron @freemo @mkljczk @xorowl @jimpjorps or, put differently:

Is it distributed? Yes.

Does it potentially lead to denial of service (through resource exhaustion)? Yes.

Sounds about right.

@rysiek

I can't speak to Gargron's setup but I think most setups would be able to handle 3400 RPM on the outbox without even batting an eye.

Also by that logic if too many people start using mastodon clients on their phone or desktop then that is a DDoS since enough of them are distributed and would lead to resource depletion.

@Gargron @mkljczk @xorowl @jimpjorps

@tek

then I misread it, that is on the high side.. though depends how many users were doing it. I would imagine mastodon clients in general produce more requests per second than that collectively but we wouldn't call those a DDoS... I dunno we are arguing semantics though, does it even matter what we call it?

@Gargron @rysiek @mkljczk @xorowl @jimpjorps

@freemo @tek @Gargron @mkljczk @xorowl @jimpjorps probably not all that much. You were the one who started debating the language used, though. :blobcatcoffee:

@rysiek

I mentioned that DDoS was a bit harsh.. I didn't actually expect anyone to debate it and turn it into a huge thing. I guess I forgot I was on the internet :)

@tek @Gargron @mkljczk @xorowl @jimpjorps

@freemo @tek @rysiek @mkljczk @xorowl @jimpjorps For comparison, average mastodon.social traffic is 200 req/s. I don't think it matters what we call it though. In my view it's a denial-of-service when it impacts performance due to unintended use, though maybe you could expand that to intended use as well. While the individual endpoints are intended to be used, it is the frequency with which they are retrieved that is unintended.

@Gargron

Agreed. It seems to me this is just a poor implementation that is "rude" and pings the endpoint **way** too much and they were too lazy (or didn't know enough) to add the appropriate caching. Call that what you will, it isn't important. But either way they made an error.

@tek @rysiek @mkljczk @xorowl @jimpjorps

@Gargron @freemo@qoto.org @tek @rysiek @mkljczk @jimpjorps
Linus Tech Tips' latest video on water cooling an SSD is a good illustration of this. Just because you can do it, doesn't mean it was intended use.

@xorowl @Gargron @tek @rysiek @mkljczk @jimpjorps
Like hairspray and a lighter? Just because you can, doesn't mean you should. And even if you know you can, it can still lead to painful user error.

@freemo @Gargron @mkljczk @xorowl @jimpjorps he did mention 24000 rpm (400 rps) before.

Also, it's not 3400 rpm, it's 3400 rpm from a single small group of users. With all other requests being handled, that might be enough to create issues.

And finally, if the admin of an instance says this is too much, it's too much. If they want they can run their own servers, instead of getting high on their entitlement.

@rysiek

I already said in my first response he is entirely justified in blocking whoever he wants, for any reason, and this is as good as any. So we are in agreement.

@Gargron @mkljczk @xorowl @jimpjorps

@rysiek @freemo @Gargron @mkljczk @xorowl @jimpjorps Question: Why use AP if you're just reading anyway? Why not use the RSS feed provided by each account and then (through caching) respect the TTL (rssboard.org/rss-specification) value?

@freemo @xorowl @jimpjorps @Gargron Technically, as it uses the ActivityPub S2S routes for this, it's just a non-compliant, incomplete implementation of AP and that's a good enough reason for blocking this mod

@mkljczk

Yea that is an explanation that I think is more accurate. Also, frankly, he doesn't need a reason to block it, but yea I'd say his reasonings are fine. I just wanted to point out I think DDoS is just a bit harsh and I'm not sure the author really had any ill intent.

@xorowl @jimpjorps @Gargron

@freemo @mkljczk @xorowl @jimpjorps @Gargron He's been an order of magnitude politer to them than I would've.

@Gargron @mkljczk absolute lmao

How DARE you block our hardcoded logic that is DDoSing your free service that we happen to be re-appropriating for our own purpose without your consent or knowledge. And yet you claim to participate in society! Curious!!!

@Gargron _maybe don't pretend to support some open protocol if you block anyone using the API on your federated instance_ lol

@Gargron oh shit… I bet this explains our dramatic server usage the past time!

Any way we can block this?

@stux I used to block by referrer in nginx, and I'm now also blocking by user agent

Requests don't come from servers but from players' IPs (I believe) which is why it's a distributed-DoS and not just a DoS.

@Gargron Could you maybe share this extra addition with us so we can also protect ourselves?♥️😸 These days we have tons and tons of ‘RP Gameserver’ accounts.. mostly using FiveM :sad_dog:

@stux @gargron

I don't even understand why they are doing this and misusing Fediverse infrastructure when this code seems to be for running dedicated servers; what even are they hoping to gain from this?

if they wanted to show toots in a GTA in game browser, surely there are better ways of going about it (like asking people on the Fedi to help as many on here enjoy the game?)

@vfrmedia @Gargron I'm not even sure how they would integrate it..

Some users did tell me they need to sign up here to get access to some servers or something when we had signup restrictions

@stux @gargron

hmm, so it looks like they are trying to use Fedi servers to store part of their userbase (maybe to get round the responsibilities of GDPR or their countries laws about storing the userdata?) TBH anything like that is certainly best yeeted out of the Fediverse until or unless they can behave better...
