this post was submitted on 22 Jun 2023
171 points (88.3% liked)

Lemmy

2172 readers
115 users here now

Everything about Lemmy; bugs, gripes, praises, and advocacy.

For discussion about the lemmy.ml instance, go to [email protected].

founded 4 years ago
MODERATORS
 

Here you can see 2 day old post warning about the danger of not using email/captcha verification: https://lemmy.ml/post/1345031

And here are stats of lemmy platform where it shows that we gained 200 000 lemmy users in 2 days: https://lemmy.fediverse.observer/dailystats

Another tracking site with the same explosion in users: https://the-federation.info/platform/73

What do you think? Is it some sort of a bug or do people run bot farms?

Edit2: It's been now 3 days and we went from 150 000 user accounts 3 days ago to 700 000 user accounts today making it 550 000+ bot accounts and counting. Almost 80% accounts on lemmy are now bots and it may end up being an very serious issue for lemmy platform once they become active.

Edit3: It's now 4th day of the attack and the amount of accounts on lemmy has almost reached 1 200 000. Almost 90% of total userbase are now bots.

Edit 3.1: my numbers are outdated, there are currently 1 700 000 accounts which makes it even worse: https://fedidb.org/software/lemmy

you are viewing a single comment's thread
view the rest of the comments
[–] [email protected] 0 points 1 year ago (2 children)

It seems almost certain that there are farms creating these accounts - but why? The sheer volume of them is going to make them easy to identify and delete, and if the admins of the instances don't delete them the instances will be defederated in short order.
I fail to see any value to having 1 million+ bot accounts. What are we missing?

[–] [email protected] 2 points 1 year ago* (last edited 1 year ago) (1 children)

Testing, I'd guess. Experimenting with hardware configurations, software configurations, bot configurations. Testing rate limits, looking for exploits, etc.

We can tell when they pile 1 million bots onto 5 servers all at once. Will we tell when they pile 100,000 across 10 servers over the span of a month?

[–] [email protected] 0 points 1 year ago (2 children)

They've just spoon fed us the data to help us identify them, and given us incentive to do so too. It just seems counter productive.

[–] [email protected] 1 points 1 year ago

They've just spoon-fed us the data to help us identify a very particular type of attack. They don't need to use that type. They just need to know the ins and outs of the software.

[–] [email protected] 1 points 1 year ago (1 children)

Is it a benign "attack" to point out the weakness to get enough attention that it gets fixed?

[–] [email protected] 1 points 1 year ago* (last edited 1 year ago)

The attack started after someone made a post waring about how easy it is to do so they are not losing anything here.

[–] [email protected] 2 points 1 year ago (1 children)

I dunno, between no rate limiting and no bot mitigation, you could create them pretty fast with a single machine running parallel requests.

[–] [email protected] 0 points 1 year ago (1 children)

But the question "why" strands. 200 upvotes will get you on the front page at the moment. Why not stop there, why make your bot accounts so conspicuous that they are basically garenteed to get deleted?

[–] [email protected] 2 points 1 year ago

Because it's easy. Someone is just testing some basic tools, to which they can add countermeasures later.