this post was submitted on 11 Jun 2023
22 points (100.0% liked)

I just read how the federation works, but I'm worried about a growing pain. Say I was a malicious user, could I bring down a smaller Lemmy instance by subscribing to as many communities as possible? Or maybe even subscribing to a malicious Lemmy instance that keeps spamming thousands of posts every second?

Couldn't that easily fill up a server's storage and effectively bring a server down? I guess you could block the malicious Lemmy instance (although wouldn't it be easy to create another?) and ban a user that subscribes to too many instances; however, it feels to me like a very hard problem to solve.

[–] Hexorg@beehaw.org 12 points 1 year ago (1 children)

You generally configure download limits and once reached the activity pub will start dropping oldest items. So as a malicious actor you might make other users’ experience slightly slower if they browse older posts but not horrible. And by that point an admin should notice such activity and kick you.

[–] Subito@beehaw.org 0 points 1 year ago* (last edited 1 year ago) (1 children)

I wonder if such an activity can be automated (the fix you suggested, not the malicious activity)

[–] ShadowAether@sh.itjust.works 1 points 1 year ago

You mean the blocking of malicious accounts/IPs creating high traffic, right?

[–] linearchaos@lemmy.world 10 points 1 year ago

DDoSing a Lemmy node would be trivial. The real traffic has taken down a few already. If it starts to happen maliciously, there are mitigations.

It's a lot easier just to screw with the network than it is to try to overload it outright.

[–] mrmanager@lemmy.today 7 points 1 year ago

I'm sure hackers will find some way to cause denial of service at the very least, but that's only good.. Let's learn about the weaknesses and fix them.

[–] deedasmi@lemmy.timdn.com 4 points 1 year ago* (last edited 1 year ago)

I'd put money that a large number of Lemmy instances are hosted on low-end hardware that people have lying around. The bigger ones are dedicated hardware or cloud instances, but also the default rate limits are pretty high. As another user said, it would be trivial even before considering actual storage limits.

[–] SomethingBurger@beehaw.org 3 points 1 year ago

Only one way to find out!
