Programming

3347 readers

1 users here now

All things programming and coding related. Subcommunity of Technology.

This community's icon was made by Aaron Schneider, under the CC-BY-NC-SA 4.0 license.

founded 1 year ago

MODERATORS

[email protected]

Could a malicious user bring down small lemmy instances by over-subscribing? (sh.itjust.works)

submitted 1 year ago by [email protected] to c/[email protected]

8 comments fedilink hide all child comments

I just read how the federation works, but I'm worried about a growing pain. Say I was a malicious user, could I bring down a smaller Lemmy instance by subscribing to as many communities as possible? Or maybe even subscribing to a malicuous Lemmy instance that keeps spamming thousands of posts every second?

Couldn't that easily fill up a server's storage and effectively bring a server down? I guess you could block the malicious Lemmy instance (although wouldn't it be easy to create another?) and ban a user that subscribes to too many instances, however, it feels to me like a very hard problem to solve

top 7 comments

sorted by: hot top controversial new old

[–] [email protected] 16 points 1 year ago (1 children)

You generally configure download limits and once reached the activity pub will start dropping oldest items. So as a malicious actor you might make other user’s experience slightly slower if they browse older posts but not horrible. And by that point an admin should notice such activity and kick you.

[–] [email protected] 0 points 1 year ago* (last edited 1 year ago) (1 children)

I wonder if such an activity can be automated (the fix you suggested, not the malicious activity)

[–] [email protected] 1 points 1 year ago

You mean the blocking of malicious accounts/IPs creating high traffic right?

[–] [email protected] 10 points 1 year ago

I'm sure hackers will find some way to cause denial of service at the very least, but that's only good.. Let's learn about the weaknesses and fix them.

[–] linearchaos 10 points 1 year ago

DDOSing a Lemmy node would be trivial. The real traffic has takes down a few already. If it starts to happen maliciously, there are mitigations.

It's a lot easier just to screw with the network than it is to try to overload it outright.

[–] [email protected] 3 points 1 year ago

Only one way to find out!

[–] [email protected] 3 points 1 year ago* (last edited 1 year ago)

I'd put money that a large number of Lemmy instances are hosted on low end hardware that people have laying around. The bigger ones are dedicated hardware or cloud instances, but also the default rate limits are pretty high. As another user said, it would be trivial even before considering actual storage limits

load more comments