logo The MastoDDoS Effect


What happens when someone includes a link to your web site in a Mastodon post?

This site is set up to show exactly that. I've been logging the Mastodon bot requests, you can see a summary of what happened over here.

The link to the Mastodon post, in a thread, is here. In the first 5 minutes I had about 800 website requests from about 400 unique Mastodon instances. Which my little server handled just fine.

UPDATE: after about 30 minutes we're up to about 1500 requests from 750 unique instances. Server CPU hasn't gone much above 10%, so I'm not worried any more.

What's special about this web page?

If you saw this linked from a Mastodon thread, and assuming my code works, and the server holds up to the load(!), you should have seen a customised "card" unique to your Mastodon instance. This should have a random (appallingly bad) AI-generated image and a random herd of pachyderms.

Only members of your server instance will have seen exactly this card, everyone else will have seen something slightly different.

This is possible because each server fetches its own copy of the card. You can even identify the exact server from the user-agent string in the request. A "clever" page like this one can, in theory, adapt the og:description and og:image meta tags uniquely for each request.

What's the problem?

When I submit a Mastodon post with this link in it, it will, like every new post, be pushed immediately by my Mastodon server to all the other Mastodon server instances that my followers are on. You may know this already, it's how ActivityPub works, the federated network that Mastodon is a part of, also sometimes called The Fediverse.

But did you know that each of those Mastodon servers will immediately follow the link that's embedded in the post, and request the page? Each instance then checks for any Open Graph (og) metadata in the page header, and will also fetch the related og:image if there is one.

This is great, because your linked site now shows up with a lovely graphic card and description in everyone's feed.

But wait! If you only have a small site and a lot of followers (or if someone with a lot of followers posts or boosts your link) then this can result in a rapid storm of traffic directed at your site from Mastodon (and other Fediverse) servers around the world.

Isn't this just the "Slashdot Effect"?

Any time your link gets boosted and seen by a lot of people, then what we used to call the Slashdot effect may happen. Plenty of people may click on the link, so your site could get a lot of extra load.

However, this type of load tends to be a bit more organic - distributed across a few minutes, or hours. Also, let's face it, this doesn't happen to most links, they get ignored by the majority of people who see them. Hey, we all do it, don't judge.

The difference with the Mastodon requests is that they are guaranteed to happen because it's all automated. They will happen really fast, and concurrently. This is the worst-case scenario for a complex site on a small server. Worse, you'll get a new burst every time someone else boosts the post.

In practice there's very little difference between this and an orchestrated Distributed Denial of Service attack, or DDoS, usually carried out by a malicious botnet.

What should we do?

Look, I'm a fan of Mastodon in general (both the social network and the metal band!) and I don't claim to have any easy answers to this. Some of the obvious options have already been considered but discarded as they produce other unwelcome side-effects. There's some more discussion in these threads here and here.

I'm just helping bring attention to the issue. I think it's important for people to know about, as it could be a bit of a shock if someone with followers across 10,000 instances boosts a post with your site linked. May your servers cope well!

With the recent mass migration of people from Twitter to Mastodon, there are a lot more Mastodon instances around already than there were this time last month. If the current rate of expansion continues, this MastoDDoS effect will get markedly worse over time.