Lemmy World outages
Hello there!
It has been a while since our last update, but it's about time to address the elephant in the room: downtimes. Lemmy.World has been having multiple downtimes a day for quite a while now. And we want to take the time to address some of the concerns and misconceptions that have been spread in chatrooms, memes and various comments in Lemmy communities.
So let's go over some of these misconceptions together.
"Lemmy.World is too big and that is bad for the fediverse".
While one thing is true, we are the biggest Lemmy instance, we are far from the biggest in the Fediverse. If you want actual numbers you can have a look here: https://fedidb.org/network
The entire Lemmy fediverse is still in its infancy and even though we don't like to compare ourselves to Reddit it gives you something comparable. The entire amount of Lemmy users on all instances combined is currently 444,876 which is still nothing compared to a medium sized subreddit. There are some points that can be made that it is better to spread the load of users and communities across other instances, but let us make it clear that this is not a technical problem.
And even in a decentralised system, there will always be bigger and smaller blocks within; such would be the nature of any platform looking to be shaped by its members.
"Lemmy.World should close down registrations"
Lemmy.World is being linked in a number of Reddit subreddits and in Lemmy apps. Imagine if new users land here and they have no way to sign up. We have to assume that most new users have no information on how the Fediverse works and making them read a full page of what's what would scare a lot of those people off. They probably wouldn't even take the time to read why registrations would be closed, move on and not join the Fediverse at all. What we want to do, however, is inform the users before they sign up, without closing registrations. The option is already built into Lemmy but only available on Lemmy.ml - so a ticket was created with the development team to make these available to other instance Admins. Here is the post on Lemmy Github.
Which brings us to the third point:
"Lemmy.World can not handle the load, that's why the server is down all the time"
This is simply not true. There are no financial issues to upgrade the hardware, should that be required; but that is not the solution to this problem.
The problem is that for a couple of hours every day we are under a DDOS attack. It's a never-ending game of whack-a-mole where we close one attack vector and they'll start using another one. Without going too much into detail and expose too much, there are some very 'expensive' sql queries in Lemmy - actions or features that take up seconds instead of milliseconds to execute. And by by executing them by the thousand a minute you can overload the database server.
So who is attacking us? One thing that is clear is that those responsible of these attacks know the ins and outs of Lemmy. They know which database requests are the most taxing and they are always quick to find another as soon as we close one off. That's one of the only things we know for sure about our attackers. Being the biggest instance and having defederated with a couple of instances has made us a target.
"Why do they need another sysop who works for free"
Everyone involved with LW works as a volunteer. The money that is donated goes to operational costs only - so hardware and infrastructure. And while we understand that working as a volunteer is not for everyone, nobody is forcing anyone to do anything. As a volunteer you decide how much of your free time you are willing to spend on this project, a service that is also being provided for free.
We will leave this thread pinned locally for a while and we will try to reply to genuine questions or concerns as soon as we can.
The DDOS attacks are still going on? Why is the server unstable?
What I find most ridiculous about people claiming lemmy.world is too big and therefore bad for the Fediverse is simply... Have you people wondered why it got so big?
During the crucial first weeks of the Reddit migration, the single time period with the most chance of bringing new users, pretty much all larger Lemmy instances closed their registrations - they couldn't handle the influx. Other big ones decided to immediately defederate everybody, they were afraid of having to moderate content. And a few did remain open and federated, but they were also extremely niche and focused on their own political side of the spectrum.
Lemmy.world however remained open, remained with active admins that helped the first moderators, and kept upgrading the server at a very fast rate - you might forget it now, but Lemmy was massively slow and frustrating and then a new Lemmy.world update would drop and it would feel like a different website.
So yeah, "bad for the Fediverse" for being the only instance that kept up with the demand at the most necessary time.
Thanks Lemmy.world team.
Have you guys contacted law enforcement? It may surprise you. A startup I worked for had the same issue and contacted the FBI. They were able to quickly (within hours) find the person doing it despite him using VPNs and other tools for OpSec.
I’d imagine that there are a lot of users and communities on here that want law enforcement as far away from the Fediverse as possible…
And yet, and this will shock and amaze you, they're probably here already. Lemmy isn't a secret.
Found the fed… ;)
No doubt, but there’s a difference between a van trundling down the street and a welcome mat and a tray of tea cooling in the living room.
I get you. There's good and bad in law enforcement, especially when it comes to tech and social media. On the one hand, there's pretty serious crime happening online that needs to be stopped. On the other, wild invasions of privacy. There's no easy answer at this point and governments obviously won't police themselves.
Illegal activity is actually easier to track on the Fediverse than close source websites. Easy to program bots to run through open source code looking for it.
I assure you that the FBI knew of lemmy and had watchers here before we hit 5 digit user numbers
Knowing someone in the FBI and how they talk about how antiquated it is, I have to vehemently disagree with you there.
I’m just curious, antiquated in what aspect?
In both technological and procedural advancement.
I hate to break the illusion but cybersecurity experts already know about every Fediverse instance and it gets scanned regularly. Just like they do discord, FB, twitter, etc.
Lemmy isn't a private space. It's less private than Reddit in many regards.
I don't see why when illegal things are happening the government's offered services shouldn't be made use of
We'll just have to nicely ask the ddos'ers to stop it then
The Feds are everywhere son
Well.. this is the fediverse after all.
The risk that would create for vulnerable communities on here would deeply irresponsible.
Right. Because FBI doesn't already monitor any suspicious activity.
They fuck with left leaning groups and try to intentionally destabilize them 🤷♂️
Fun fact: part of the goal of COINTELPRO is to make it so people accuse each other of being an agent provocateur
Other fun fact: another goal of it is to make it so people would accuse each other right back, completely destroying trust on all sides
Actually fun fact: this tactic is side agnostic and there are left wing plants under deep cover in right wing organizations from the fbi to the kkk specifically there to hinder their progress and damage their tactics
It's fascinating to me that there are people who deeply understand and can effectively apply techniques of sowing discord within and between groups and fanning the flames without also making themselves the obvious source of the strife. I wouldn't even know where to begin.
Stop living in 1955.
Black Lives Matter and racial justice protestors would like a word.
They barely interfered with the BLM protests.
It's mostly right wing groups today. Left wing groups are just carebears these days.
I’m left. But what the fuck is the deal with “tankies” though? All of the sudden there are revolutionary communists (with no sense of the historical irony of this label) everywhere. I hadn’t even heard the term 6 months ago, it’s then all over Reddit, and suddenly I’m seeing people talk about violent revolution elsewhere on the lemmyfedi. I know part of it is the nature of the ‘verse, but is part of it that these people are the black box anarchists of yesteryear and I’m just behind the times?
They're extremely online and outjerking each other in a feedback loop, and the moment you see one, chances are that you're in a space where they're overrepresented.
At the current place in time 15 people thought it was a good idea to downvote that post. That is also showing quite an obvious anti-left potential anti-liberal and US centric bias, which others for example BIPoCs would not share. Or whistleblowers.
The admins have access to that information btw. who upvotes and downvotes what. This means that closer connection to the FBI also makes it more easy for them to access the 100k+ users preferences, political leanings etc. as well as private messages. Other agencies wouldn't even need to be involved with warrants to get that data, since the servers are harboring enough international communication that you ought to act as if intelligence agencies might have access to what you write, post and how you vote.
You do understand that upvotes and downvotes are public information?
I don't understand.
As I said above, The FBI is known to infiltrate left leaning political organizations to fuck with them.
Are there any actual recent examples of this? Everything about lemmy is already completely open, so if they wanted to do anything, they would do it
https://theintercept.com/2023/08/01/fbi-infiltrate-activists-first-amendment/ & https://web.archive.org/web/20230809184748/https://www.nytimes.com/2021/12/22/us/portland-protests-fbi-surveillance.html
Well ok but they're not going to do that because you asked them to investigate an attack.
Hi, 1974 called, they think your living in the wrong decade.
Oh no! Won't anyone think of the criminals!?
First, they came for ...
... the ciminals?
🙄
Florida is literally using social media to persecute people seeking medical care. Pull your head out of your ass.
Sounds like you and lefty are concerned with protecting illegal activity here? Fuck that. I’m not okay with Lemmy being a hub for society’s most trash individuals.
I believe it's a mistake to conflate law-abiding with morally correct. In fact, in some cases the morally correct thing to do is disobey the law.
I (foolishly) assumed we were talking about the obviously morally abhorrent stuff.
When the world has people killing each other for the "obviously" morally abhorrent stuff like wearing the wrong clothes... I'm afraid you need to specify.
More and more every day.
This isn’t 8chan, and I have no wish to see it emulate it. Revenge porn, CSAM, stalking and harassment: that absolutely should be kicked off and reported.
But if you can’t imagine a scenario where a left leaning, privacy focused userbase might look at willingly going to law enforcement without the above issues and balk, you need to review your history.
That's not what we were implying remotely. The FBI is known to infiltrate left leaning political organizations to fuck with them. Obviously if someones hosting violence or CP or shit like that that'd awful and they need to be arrested, but I was specifying specifically about the FBIs history with fucking up political groups and forums
I jumped the gun then with assuming it was the latter. My b.
Given that the goal of this instance is to serve as a reference of the Fediverse, it is expected that it will continue to grow, and in turn, attract more attention, which due to a game of numbers also involves more trolls and enemies. Thus, the fact that the instance is being DDOS'ed right now shouldn't be seen as a conjunctural problem, but rather a challenge that is here to stay and sometimes be a problem.
While I think it's a good idea for lemmy.world to do it this time, relying on a police force to routinely come to our call and do something means periods during which the instance will be out while we wait for them for work. The instance, and Lemmy in general, should have more robust defenses so that calling for external help is only required at exceptional times.
Did it result in charges for the person doing it?
For this, I want to see the motivation for DDOSing Lemmy lol.
There was a user who made hundreds of communities and got pissy when they were banned, there's heavy speculation that it's them.
That, or it could be right-wing neo-nazi chuds from the detonating-craniums instance that are butthurt that nobody wants to federate with them.
Maybe a mix of both?
Or hexbear, the tankie equivalent of those chuds. Terminally online, and a lot of them have been on the fediverse for a while, ever since r/chapotraphouse got the banhammer on reddit. They got real mad when lemmy.world defederated from them the other day.
Could be reddit , hiring people to kill the competition 😅 (jk)
This was honestly my first thought. Highly unlikely I’m sure but they’re not winning any awards for good decisions lately
Happened to voat everytine Pao did something. Part of why it failed.
voat failed because it became full of literal Nazis and basically all the hateful refugees from all the subs that got shut down. Pao shutting down FPH was a trigger but it made the worst of the platform migrate.
The fact that there were active communities on voat that were just too toxic for reddit like coontown and other just straight up totally racist subs made the place immediately turn into a massive toxic waste repository - at best it served as a quarantine zone for those people, and at worst it served as a communications platform for spreading additional hate.
I remember my first experience with voat being a poll discussing whether they should ban child porn. The split was ~90% in favor of banning, 10% against. 10% is concerningly high.
they have freeze peaches
I was excited for voat at first and made an account but after interacting quickly saw what kind of people migrated there. I thought it was going to be like what lemmy is now, people sick of the corpos, boy oh boy was I wrong lol
China lady bad
Could be the instance with the raving tankies that was defederated.
Someone creating heaps of communities just to be a mod and then getting pissy about it doesn't sound like someone with the skills to run a DDOS attack.
They had nearly a thousand communities after joining, like an inhuman amount that wouldn't have been possible without scripting.
DDoS isn't a high skill attack by any means, they could have also hired somebody else to do it for them (there are some really big losers out there who will waste money on something like that).
Never underestimate the pettiness of the u/gallowboobs of the world.
gallowboobs
hahahaha!
You had to Digg deep to get that reference
They could pay for someone to do it. They also most likely created all those communities with a script, so they're not your average user.
You don't need motive to convict. Just the correct mental state (mens rea) and the commission of the relevant elements (actus reus). Motive helps, but it's not necessary.
But a DDOS attack would probably fall under the CFAA, possibly some other criminal statutes depending on the facts.
I know, I just want to know what the motive is.
"Vengence is mine!" sayeth the gallowboob.
Yes criminal charges were brought against them. I don’t know what happened beyond that, however. It got pretty quiet once evidence was collected and the attack stopped.
In all seriousness, we all appreciate your work. These are the growing pains that are to be expected, and your hard work and transparency (and writing it up at a level that even I can understand) is welcome.
Im a data engineer with 20+ years of experience in sql and various databases, I do performance tuning on daily basis. How can I help? Please message me if you think you can use me. Id be very happy to help where I can!
Besides the actual developers of lemmy, none has done more for the lemmiverse than the maintainers of lemmy.word. When the Reddit shitstorm started and other leading servers shut down user registration, you guys held the ship steady and didn’t flinch from the sudden flood of new users. Discovering new bottle-necks in lemmy code, helping to resolve them and deploying hot fixes. All in super fast reaction time. About “lemmy.world shouldn’t be largest server” crap - it’s good for lemmy that one server is the easy entry point to lemmy. This is where the “mainstream” communities could/should be and new users will have an easier landing. Having dedicated servers with their own communities (like start trek, piracy, etc) is great but it’s not mandatory for all communities.
Thanks for the hard work y'all. I wonder what point of badgering a free social server is?
There's always someone that gets joy from ruining things for others.
~10 ago i got all my coments and posts downvoted 25-50 points each, even one comment that was on a deleted thread. that didn't stop me for continue participating, but it shouldn'tbe that easy for someone to do that
I don't see it in your history? If you want contact me via PM - send me the posts and comments and I'll have a look.
All my comments and posts dated July 31 and before got downvoted in matter of minutes, the quantity each got varied but it was proportional to the upvotes it already had, up to -32 (not 50), my total comments points became -540 and post -70 . I don't care getting all my comments and posts downvoted like that, so I never complained, but I thought I would let you know since it is related to the topic of the this thread.
Hey. I checked and well, you were right. There was actually a user following you around with over 40 (!) alts from various instances. I banned all of them
Great work!
Thank you! I just hope is not too easy automate the creation of 40+ new accounts and have those follow someone around like it happened to me, or to easily manipulate what reaches or drops from top day/hour etc.
Accounts can always be created on other instances, there are many to choose from. But if you notice anything strange let me know and I'll have a look.
Damn, expatriado, did you piss off 2.5 Mormon families or something?
Also apparently I have no idea how to mention users goddang.
@[email protected] just start with an @ and you will see! And if you want to link a community you start with an ! - mind you this doesn't work in all the non-default UI's like Alexandrite or Photon atm.
If we’re talking downvote groups, this seems to be one. This comment was instantly set from +15/-1 to +15/-15 the other day.
https://lemmy.world/comment/2225613
There’s someone who downvotes every post and comment on cat pictures. It’s like clockwork. It’s kind of funny.
Everyone, check your dog's smartphone!
My dog only has a flip phone. Does that make me an animal abuser? In my defense, she's only 10 months old. In my opinion, a little too young for internet access.
The dog bot
I know that fucking person
::: spoiler spoiler its me :::
My first guess: it's someone who complained on GitHub about unoptimized queries and didn't get the response they wanted. Of course I would expect them to be attacking lemmy.ml in that case
My conspiracy theory: it's someone paid by a marketing firm on Reddit's payroll, while probably not under direction from Reddit, they're working to further Reddit's goals
Most likely: it's some kiddie who got banned from .world and wants to show everyone how mad he is
What if it's all three lol
Probably, this is the standalone complex clusterfuck the internet has become.
Feeling like an internet tough guy.
I hear it's the only way they can get hard.
I don’t know the details but wasn’t one of the instances that Lemmy World defederated recently one that contained lots of toxic shit (racism, trolling and other not cool content)? So it’s not unlikely someone from there decided to just destroy things for others. Maybe even an operator since the person(s) obviously has knowledge of how Lemmy works.
Definitely Hexbear; they have their own fork of Lemmy's code, so they have the technical expertise, and they hate anyone who doesn't subscribe to their color of fascism.
Yeah that's my guess too. The timing lines up perfectly
This is just going by random speculation as to who might have been defederated from and decided to attack a high-profile target in response... but if my speculation is accurate, they also seem fine with all kinds of real-world violence against their enemies. The purpose is to "punish", and the innocence of the target isn't a factor.
Some group calling themselves communist but acting like narcicists. hexbear i think. Harradsing a general instance because we felt they were incompatable. I randomly had someone on hexbear attempt to derail the conversation
Yes, most likely. Cheers 😄 !
::: spoiler typo ... Harradsing - - - >>> Harassing :::
If I had to guess, I'd say that I doubt the people who defaced lemmy.world gave up once control was wrested back.
If the material they defaced the site with is any indication, it's bigots and fascists.
Y'all are motherfucking gangsters. Appreciate the work you're putting in. I don't do your kind of code or I'd pitch in. Much love. ♥️
Imagine having the free time to engineer attacks on a site. Fucking loser.
I couldnt care less. You provide a great forum at no charge to me. I thank yoy for your contribution to discourse, communication with the community, and look forward to the growth of lemmy.world
Thanks for being so transparent with us. Lemmy really does feel like home now to me. I wish the maintainers all the best as they continue to fight the forces of evil.
usually my reaction when a website I visit daily goes down is to probably visit that website less or think the backend team behind it is lazy. but when lemmy.world goes down or is under attack, I sympathize and just open it when it's back up. y'all prove that you're hardworking by providing clear communication and explanation on what's happening everytime. shout out lemmy team, you deserve the world!!
Thank you for your work 🫡
Definitely need to pay themselves. Doing this for free is not sustainable over long periods.
I’m more than okay with the old Jimmy Wales treatment once or twice a year.
They should take the Kennedy package at their local dive bar every Friday.
I would be happy to support a special fundraiser to get the admins some beers.
Great stuff, thank you for all the good work.
btw, as a tip: please resize https://lemmy.world/pictrs/image/14f857e5-703a-4513-9c1a-f23031675be1.png in an image editor. It's on the homepage, and it's a frikking 4.5 megabyte image file.
Have you guys tried NOT getting attacked? Might work.
Seriously, thanks for all your effort!
Have you heard of something called The Cloud? It sounds possible this will solve all of our issues!
(/s in case it's not terribly obvious.)
Thanks for the update and the hard work behind the scenes to keep things online!
What else can we do to help Lemmy.world besides donate?
Cheers for the good work guys
If you think it might help I've got a bit of a hack I've used in the past to cache a sql database in a compressed ramdisk using zram and bcache. Imagine stuffing a 50G DB into 20G of memory.
It won't fix the inefficient SQL queries but it would make it so frequently accessed tables get cached in a ram disk cutting query time significantly.
This might be enough to reduce the impact of these attacks until queries can be optimized.
This assumes your database isn't running on something like RDS though.
Love this transparency post and info, much appreciated
I'm sure they don't want to reveal to much but I'm curious if the attackers were authenticated. If not it seems reasonable to rate limit anonymous users.
Ah so the Lemmy World server isn’t a Raspberry Pie? Nice.
I have to wonder why expensive SQL queries in Lemmy operations even exist. As Lemmy scales, won't those queries get executed more often just as part of normal operation? That would say to me that the Lemmy software needs optimization. Otherwise there will be scaling issues even if the attacks stop.
I found that LMAO/Angled (guy who was angry about being banned for community name squatting) has a YouTube that does techy stuff, he's always in the back of my mind as someone who could be contributing to the DDoS, total speculation though but the threat of "ruining your site" and then coming back to spam the trending communities with spam makes me suspicious lol
Thanks for all you guys do! While the lack of reliability can be frustrating your efforts do not go unnoticed. Thanks again.
Cmon half the users here are tech nerds, get to work you lazy bastards, I'll be there as soon as I close this sprint--
They are inadvertently helping Lemmy become more robust
Yes! Same goes for those saying "Lemmy.world is too big". Having a large instance is good real world case for addressing scaling issues that might impact more and more instances as the overall Fediverse grows.
In the future a small Lemmy instance may be the size of today's Lemmy.world.
I was just thinking it could be someone with that goal in mind. Better to fix this stuff now.
Hopefully all the attacks you guys endure end up helping lemmy patch those attack vectors and make lemmy an overall safer and more robust place.
A fantastic job is being done by you folks - obviously in the face of adversity. Given the amount of users on the instance is at a critical point, would it not be possible to 'move' accounts off it onto other less populated instances ?
Keep up the great work folks - I sympathise for ya.
Thank you for the update. Good work.
Take your time bros I don't need this shit 24/7 the downtime is fine and expected
I was wondering why the CloudFlare protection doesn't work, this makes sense. Does CF have any point then? Lots of people don't like it.
It's weird someone would spend so much time to target LW. Ah well.
I guess it's that guy who said he was going to break the site. Remember that guy? Something about not being allowed to open loads of communities or something.
Lemmy getting "one guy"-d is such a story, and I do believe it. Petty assholes doing shit has hapenned a couple times, hell, just this week, Valve had to basically nuke half their Dota 2 Arcade because one guy started filing GDPR complaints after he *checks notes* didn't get a stupid discord icon. It's always like this. The "one guy" always has the dumbest, pathetic motivation.
I’m imagining spez is sending his flying monkeys and they’ve been trying to shut it all down. Doesn’t matter that you’re smaller than Reddit, Egos like spez’s can’t take even a minor rumble. Just look at how he has to ‘win’ against all his own users. Should tell you all you need to know on his motives.
Thank you for everything you do. You guys are doing a fantastic job, and a lot of us sincerely appreciate all your efforts!
Thanks for the transparency and the update! Downtime to me is useful, it prevents me from using Lemmy too much.
Glad you guys resisted the call to close signups. I think that's what they want in the end, to harm lemmy.world by killing it's growth.
Thank you for your time & efforts in maintaining this platform. I (and many others I'm sure) have great respect for the work you do in trying to combat this menace. The community is completely behind you and appreciates the value of this resource.
I wonder if reddit, the company, are the ones ddosing.
You guys are trying your best, and that's what matters. Thank you LW Team.
Thank you for your hard work
Very grateful for your focus and dedication. Bummer about the DDOS bullshit. Your efforts mean a lot to the communities.
You're managing this well. Good work folks.
Come on ddosers, we can always solve our differences with dialogue
Another heartfelt thanks—both for the hard work, and for the transparency.
In a way, the ddos attacks are helping highlight the slow parts of the system causing a reason to optimise them? It's kind of a double edged sword
Well thanks for the update and your hard work. I am currently using lemm.ee as a backup account so that I can at least have my fix.
Hope the bastard(s) who are ddossing the server get some nice tropical diseases.
Lemmy.world also was my first step into the fediverse.
In terms of the "expensive" SQL queries - is this an issue that the lemmy devs are working on? I.e. is this a problem that might solve itself in time?
Endless DDOS attacks. Sigh.
Thank you guys for the write up and for helping to keep things running.
The downtime is causing an issue with posting content from other instances - I've seen this a handful of times from kbin. I post something to a lemmy.world community, and kbin thinks it's there, but lemmy.world doesn't see it. But, the delete request seems to need to go through lemmy.world, which doesn't agree that the content exists. So my profile is filled with posts people on kbin can see, but no one else can, and I can't delete them. Is there any kind of catch-up mechanic for instances to try to agree on what content should be present if content was altered during downtime? I can see this becoming a lot more confusing as people look at a community from multiple different instances and see different content, not realizing this is unintended behavior.
The biggest misconception I've seen on Reddit and elsewhere is that you need an account on every single instance if you want to interact with content on that instance, and it's not supposed to be true but while this bug continues, it kind of is true.
appreciate the transparency!
It's really annoying that it's down but I've found another instance to use when I'm not able to use this one. I hope you're able to stop these losers at some point. It's very frustrating what's happening but at the same time Lemmy is young and I think and hope it will be optimised so that it won't be a issue in the future.
Stay strong fellow lemmies, we're going to get trough this. For those of you that is very annoyed now: make a new account at some other instance. I've already got 3 accounts across 3 different instances already. Check what instance to join here: https://join-lemmy.org/instances
How do I as a developer:
I’m an SRE by trade and would be happy to contribute my time in some way
There are quite a few InfoSec people here. While I have never held an official InfoSec job I do have a degree. However, my degree is debatable about whether it actually educates me as intended.
Point being there are a lot of people that have more knowledge than me as well as experience but I want to learn. As someone who is always listening to security podcasts like Hacking Humans or Darknet Diaries, naked hacking, or even InfoSec journalism around popular ongoing issues in the world like Click Here. I always want to learn and get experience.
I currently work in IT for a hospital. Is there any way to help with this kind of thing to learn and build on knowledge to help? To volunteer time to potentially see what is going on?
IF you were a bad actor, this is exactly the argument to use to get more inside information to use in the next attack.
Establishing trust is the first problem to be overcome.
So there should be a test as there is no proper way for most to prove they aren't a bad actor. That is the unfortunate bit. I know I am not a bad actor and would genuinely like to help. Insider threat is a real issue and I can understand the lack of trust but how would I prove my trust?
A resume? Work experience? All of those could mean nothing if you intend to harm the system anyways.
I would personally like to devote time to learning this kind of thing to assist.
So what's going on is the adversaries continuously hitting the lemmy.world server. On its own, a DDOS like that would be manageable - they're much more defeatable these days
But they found request paths that run expensive db functions, giving them enough bang for their buck to make an impact, even tucked behind cloudflare.
As for mitigation, cloudflare and a larger server help, but ultimately lemmy needs some refactoring - right now it's very liberal with the database calls. It needs to divide those up and get more granular with API calls, look at what can be optimized on the DB side, maybe do some caching/memoization... Basically, it needs to become a more mature piece of software in a hurry
Going further, there's things like horizontal scaling - there's even thoughts of how we could leverage the nature of the fediverse to share the load through federation.
I'm a dev, I don't know much about administration so I'm not sure how you could help, but there's plenty of work to go around. I think a database expert would be the most useful right now.
There's messing with configs to tune everything for better performance - that's out of my expertise, but I'm under the impression that there's some significant gains to be had there
If it's in your wheelhouse, you could look at different technologies that might give better performance - the current stack seems like it was chosen mostly with ease of development in mind, if you could make a strong argument for changing some of it out it might get traction.
As far as cyber security in general, if you want to get started - step 1 is basically locking things down, and then setting up monitoring tools and getting experience with them. Basically reading logs taken to the next level. I'm pretty sure they have that handled here, but this problem will never go away
When will /u/spez just accept that he lost?
Would it be possible to have the error page when you are being attacked/there is an outage point to some other lemmy instances to go to?
I think that could be a big help if there is an issue when a new user tries to check out .world for the first time. They will at least have a link to click on to check out what lemmy is like on another instance and maybe sign up there too.
keep fighting the good fight <3
Ironic that they're effectively proving that you were right to not trust them...
Great explanation! And thanks for the many many hours you guys put in.
Ive been waiting for this response from you guys. You have been a fantastic admin team so far. I still don't agree with some of the de-federating, but overall you guys truly show you care about this instance and the lemmy fediverse as a whole.
I know I wont be wavering because of butt hurt idiots in other instances. I will hold my ground and stick to Lemmy.World.
Keep it up and i hope that in due time, you guys can keep the DDOS attacks under control.
keep up the good work team; you're the linchpin to this renaissance
Great work guys! Keep going!
Are DDoS protection services like those from Akamai, Arbor Networks, Link22 etc an option? Those are tested as ok by the German Federal Office for Information Security.
Is Lemmy not throttling requests to APIs based on how computationally expensive they are? Or is it that many IP addresses are hitting those APIs and are within the throttling limits?
The first D in DDOS means distributed, as in the requests are distributed across many different machines and IPs; so the second option.
I understand what DDOS is. It could be both options.
What I am curious about in the second case is why they aren't throttling unauthenticated requests in a single bucket.
keep up the good work
Question, can we configure the nginx to return cached responses for all non-logged in queries for predetermined periods of time? (1min for example?)
Sounds like you are the victims of a hackathon more so than a single person upset about drama. defcon is tomorrow, maybe some group/feds/soon-to-be-fed will have a demonstration and talks about ActivityPub
The conversation gets a bit scrambled/broken up by disruptive/toxic people but this is a comment chain on lemmy.ml two weeks ago about SQL issues and challenges in getting the Lemmy Dev team to address them that might be worth reading:
https://lemmy.ml/comment/2100093
People should stick with the instance otherwise you're just encouraging those tankies and nazis to use DDOS attacks again to bring down instances that defederate with them, don't let them know that they're successful. This opportunistic concern trolling around lemmy.world's downtime needs to stop. As the admins said, sooner or later "small" instances would have 100k users and would start having these issues all at once if it weren't for lemmy.world experiencing them first hand. Some DB optimizations were pushed to Lemmy thanks to lemmy.world.
I wonder what motivated any DOS attacks.
These malicious volunteers are helping to identify problem queries so they can be fixed. In the long term, it makes lemmy stronger.
Would be nice if they could just post an issue report, though.
Once again, thank you for the transparency and for keeping us (the users) informed, as well as for all the work you do to keep lemmy.world going.
For my part, I wish to offer a sincere thanks to the Lemmy.world admins for their efforts up to now and as they continue to deal with the targeted DDOS attacks. You are Lemmy heroes who are helping to create this promising future. Sometimes it's a fight against those who are struggling with their internal daemons and taking it out on others. Bright days are ahead for the Fediverse. Keep marching forward!
I think it would be good to not close registration and if once a month or something there could be a post by admins about migrating to smaller instances (this is made easy with the LASIM tool) so new users can easily sign up with no hurdle but we also prevent too much centralization.
Would it be possible to ratelimit connections/requests? Some sort of AI-based blocking? What are current technologies to battle such DDOS attacks?
Thank you for your dedication and hard work.
The fun thing about the Fediverse is that when this goes down the other instances stay up, so whoever is doing the attacks isn't really doing much except promoting people to create accounts on multiple instances. Which makes the numbers look really big.
Thank you for your dedication! 🤓
Appreciate it
This has been pinned a few days now. Site health was pretty dire with several long outages.
But subjectively in the last 48 hours things seem to be great. Noticeably responsive and login and activities haven't missed a beat.
StatusPage.io still looks very red though... Is the worst now mitigated?
Thanks to the stirling admins (and friends) for their work on this. Vive la Lemmy.World!
I just want to know why someone or someones are taking so much time and effort to DDOS lemmy.world. Is it a grudge? What is driving it?
No way to know for sure but someone(s) is either big mad at being de-federated or they are uptight at LW becoming the biggest Lemmy instance. I'd guess that the first one is the most likely.
I bet it's the person mentioned before who had been making thousands of junk communities and got banned. We already know they do troll stuff and have the technical aptitude for scripting.
Wouldn't be surprised if there wasn't any real reason behind it. Especially script kiddies attack any service they can cause harm to just because it makes them feel powerful.
Thank you for all the works you do!
Thank you to the admins for all of your hard work maintaining Lemmy.World through the downtime. A lot of us are already so comfortable here that we rush to the Discord server to check in when it's down.
Point being, the members of Lemmy.World are really grateful to the admins, the mods, and fellow Lemmings who have been posting interesting content and participating in deep discussions!
Nam flashbacks to DALNet getting DDOSed to death for no reason
I would love to see this grow to the point where a full time sysadmin could be hired! Would need a lot of subscribers though
I think I initially signed up on your instance and then figured it out, signed up for a more local instance but then figured I made a mistake and ended up where I am.
Thank you again for being available to let me through the door. Once I figured out that there's lots of doors, it was much better.
Lemmy.world will always be a special place and you and anyone who volunteers for work hare is fuckin awesome. Thanks again ♥️
All support to Y'all, Keep Going!
To my understanding Datadog is not FOSS. Would you guys consider using a FOSS alternative for motoring the status of lemmy.world such as Uptime Kuma? That way your who stack is closer to being FOSS.
https://uptime.kuma.pet/
The ship of "Lemmy must be entirely FOSS" has sailed. You can either invest time or money and even then there are some tradeoffs of things that can't be swapped out. Datadog and Cloudflare are two of those such things.
Lemmy (including lemmy.world) are at a critical junction to continue to grow or lose momentum. These DDOSs are one such thing that caused it and everyone going "FOSS, FOSS, FOSS!" are another. If they have time in the future there may be a possibility, but when playing the growth game sometimes you have to go with the best tool available even if it doesn't meet your ideals.
Sync for Reddit is another such tool. I've seen so much hate for it because it's not pure FOSS, pay no mind to the sheer number of people that have downloaded it, are using it and have helped drive traffic to Lemmy and the Fediverse in general.
Nothing is stopping you from using a fully FOSS front end with your own server, that's the beauty of the Fediverse, you can choose what you want and still interact with others, but don't get on their case when they select something you don't like.
When I learned about the whole fediverse thing, I want to join but was hesitant due to many instances. But I realized that lemmy.world is the largest Lemmy instance with a HUGE margin so I just signed up. Thank you for keeping this place alive and kicking!
Thank you so much for explaining the reason for the downtimes. I just thought it was some temporary issue caused by unforseen popularity. Knowing it was malicious does make me more understanding of how difficult this must be. I will continue to be patient. I am sadly not good enough with anything other than basic powershell scripts and learning proprietary software configurations.. 10 years of software support does that to a guy. I'll still check if there is anything I can do to help. I do want this project to succeed.
Thanks for the update and keep up the good work! It seems like reddit went down a few times a week regularly for years. I have to think that some state sponsored actors are responsible for some of this. I’m sure that some topics being discussed here are not in line with the values of many regimes.
While I agree that certain state sponsored actors and private interest groups are most definitely involved in discourse manipulation on reddit, Lemmy simply isn’t big enough for this yet.
If we go by the numbers stated in the original post, the whole of Lemmy has less than 500k users at this point, whom are overwhelmingly <40 years old tech affine early adopter nerds from the United States and Western Europe.
Too insignificant to spend resources on, and also largely sceptical of corporate interests and authoritarian governments (except the tankies of course); so by default critical of the two top potential manipulators.
The Feds had people on 100 user big BBSes.
If you followed the studies about so called "extremism" (which often ignores the extremism of the center) then lemmy played a role in that, so it is more unlikely than likely that Feds wouldn't be on several lemmy servers.
Yup, personally seen it. Happened on usenet from the beginning and they were all over regular web forums at least as early as 1999. They also monitored GeoCities / AngelFire sites as well.
The idea that multiple federal agencies from multiple countries aren't paying attention to Lemmy because it's "small" with only 500,000 users is simply wishful thinking. I promise that they are here.
🙏 🙌
@lwadmin Lemmy developers have features hardcoded for their own instance? WTF?
They're likely running beta or unmerged patches rather than 'exclusive' features.
It's a check if the hostname is 'lemmy.ml' and if yes then it will display a box with information about federation and link to Join-Lemmy.org on the signup page - so yes it is hardcoded for their instance. I'm not shaming the devs here I'm sure they would at one point make this an option for all instances since half the work is done. And it's something we at LW could use but I'm sure it's not interesting to everyone running an instance.
Lemmy.ml says they are running BE 0.18.4 which is the same as lemmy.world which mostly eliminates it as a beta version. It really can't be an unmerged patch either since its in the Lemmy source code.
I doubt it's nefarious though, probably just a leftover from when lemmy.ml was the primary lemmy instance.
Guess it's time to create an alt account on a different instance
It's difficult to fix and not without changes in the code. Most solutions involve fixing those heavy SQL. Tuning them, caching them in redis or memcached or refactor the whole process from scratch.
Thinking on the DDoS part, implement short circuits so reaching those queries must follow a session pattern. It doesn't stop it but you force those script kiddies to make real connections. If they are anonymous then all the heavy queries should be cached due to lack of custom vars. If not, it's a matter of identifying users and banning them automatically.
Thanks for your service 🫡
It's a shame you are having to go through this but it was bound to happen to an instance sooner or later. It's better that it happen to a large instance with the time, talent, and money to work through the challenges because this kind of consistent attack would bury any smaller instance pretty quickly.
With that said is there anything that users can do to help?
keep doing what you're doing. If it makes any difference, I'm with you guys and I appreciate what you do to keep this place running
Are you guys using a load balancer at all? How about a tool like CrowdSec?
I use that and the nginx Bad Bot Blocker to stop malicious shits on the sites I operate (medium-large e-commerce) to great success. We used to get scraped heavily by competitors but now they get the middle finger.
I presume you have fail2ban too?
Thanks for all your amazing work! I know just enough about SQL to know I know next nothing, but could someone intelligent explain how databases are publicly accessible for anyone to be able to make queries?
Thanks for the update and the work you do! Lemmy.world introduced me to the Fediverse and it’s been awesome watching the site grow.
The Great Lemmy Wars
Thank you for addressing the registration issue. Informing new users to consider alternatives due to the size relieves the issue I had. And it is a valid counterpoint.
Is there any update on the instances that were unintentionally defederated from lemmy.world? I know that one of the fanaticus.social admins was trying to get that sorted out.
Thanks for the hard work!
I wonder if it's possible to migrate our accounts and communities to other instances. I think that should implemented globally.
Ah this is much needed response ! I switched servers but lemmy.world is still my go to server , it was down so much that I had to try alternative ones ! Good it know its not a load issue !
Thanks for keeping us in the loop!
Out of curiosity, what’s the relative overhead of those two services (hosting user accounts vs hosting communities)? If the aim were to distribute the overhead over multiple instances (as a general goal, not just a solution to the DDS attacks), is it more important to distribute users or communities?
Thanks for the update! Sorry this is happening, but appreciate the detail and transparency. I hope things get resolved as best they can.
What about that "show context" button in our inboxes? It's super annoying getting replies and not being able to see what the context was, all I get is that 'bad gateway' error or whatever.
Thanks for the update, if there's ways we can help please mention them. Be it about know-how, be it financial, be it about our behaviour when interacting with the server, be it about general knowledge we could provide.
Thank you for the information. We appreciate your work very much.
As always, great job! It's great having an admin team so dedicated to creating a welcoming community.
I have nothing bad to say about Lemmy.world, but I do recommend that people move away from it in order to better decentralize Lemmy. Here is some useful information for people wanting to move instances.
For a list of instances, along with with stats for those instances:
https://fedidb.org/software/lemmy or https://lemmyverse.net/
Also, tools for migrating instances:
https://github.com/CMahaff/lasim (easy) - Latest Version Download (just select your OS type and run the program)
https://github.com/wescode/lemmy_migrate
https://github.com/Ac5000/lemmy_account_sync
So if we were to point fingers to anyone, who would it be?
Hope you are logging the DDOS ips. The first step in tracing those responsible.
Have you considered putting Cloudflare in front? I'm sure their team would be happy to help out.
Will these occur in the near-future?
I'm actually curious as IDK why no CF or DDOS-Guard is used to block massive DDoS? Additionally, I'm not that knowledgeable but having some Cache that serves a bit of stable data for SQL queries might be better than the server being overloaded and having downtime.
It's not the size of your hard drive that counts, it's the speed of your RAM.
M'lady
Any de-federated instance doesn't have the money or resources to start DDOS attacks. You know who does? Large corporations who feel attacked at the very existence of large platforms such as lemmy.world.
Who do we know with those resources, funding, knowledge of software (in general, as well as able to place specific people to learn about certain FOSS projects that have their code available), and the desire to spend such resources?
You know it's Reddit Co, we know it's Reddit Co. They know they're doing it too.
Fuck Spez and his bullshit army. I hope they can sleep well in their suburban McMansions while they sell out their future.
Conspiracy is one thing, this is just obvious.
You just answered your own question? Lmao
Because it seems in this system it’s better to login through server with lower amount of users.
Answered your own question before you even asked it 🤦
Can I just say I'm kind of annoyed I've had to turn off NSFW. It's pure porn here.
Interesting your comparison with "imagine if a new user got to the page and couldn't sign up" - honestly, that's what they're faced with now regardless of closing off sign ups.
You say being able to handle the load is not an issue - I understand that on a technical level, but at the same time, you can't handle the load currently with the level of ddos attacks. That much is fact.
I know it's hard to catch these fuckers and close exploits quickly, but let's be honest here so far the methods have failed on LW's part. These are 2010 levels of downtime.
r/foundthemobileuser
Nobody blaming thr Russian or Chinese hackers causing DDOS attacks? That's like fresh air to me :-D
If you'd stop banning users over nonsense, probably have less enemies ddossing you.
a better solution is to decouple the query from individual api requests by adding a caching layer. we’ll get there eventually
You want to give all the script kiddies an easy attack?
they already are
Why are you asking us for them then if they're already publicly available? We're not going to help you start an attack against instances.
To what benefit? They are going to the devs and fixing them.
Why is there a Lemmy instance that you want to attack? That's the only reason that anybody who's not a developer or an instance operator would want to know that. You're neither of these things so you have no reason to know that information unless you're planning an attack.
Ah no, sorry, while I sympathise with your technical issues, the rest of your post is disingenuous at best.
Lemmy.world being too big is bad for Lemmy as a product/software/"brand" etc - your downtime, being the instance most people link to, is a LOT of people's first impression and when it spends time being down, people associate THAT downtime with Lemmy, and not the hundreds of other instances that don't have downtime.
The issue isn't even about you being the biggest instance, its the absolute imbalance in both users and communities on one instance and you willingly allowing it continue. If you genuinely cared about Lemmy, you would close registrations now.
You have enough "technical" people to build your own instance from the source code with that change for the banner built in (and you could go ahead and submit the PR/Issue anyway), but you haven't - instead placing the blame on the developers. Hell, you only made the PR 5 hours ago after weeks of other admins asking you to close the instance.
You could even make the simple change to the sign up link instead lead to join-lemmy, but for whatever reason you want to continue to be the biggest instance and don't care about the wider lemmy ecosystem and the effect that it has.
While I appreciate that, the issues caused by lemmy.world to many other admins can be monumental. If the instance goes down, it causes many people to wonder why federation has stopped working, despite the fact the home server is fine. All that content in one place is not only against the point of federation, its a risk to the existence of lemmy if the owner just decided to walk away tomorrow. While im sure he wont, and im sure many users would try to recreate or move communities elsewhere if he did, a large core percentage of lemmy wouldnt come back, and that is the risk.
As I said, I sympathise with their technical issues, hell this instance has had hours of downtime because of SQL queries, but claiming they aren't too big is not a valid response. Just because imbalanced instances happens elsewhere doesn't mean it isn't an issue here, especially because of the problems with the back end.
Their refusal to acknowledge the complete imbalance, or to do anything about it, is IMO an actual problem for lemmy.
Ps it's OK to disagree with me, but I'd rather people explain why than just downvote. Can't have a proper discussion with a downvote.
I made an account on lemmy.world because as I understand it you only see posts from communities on other instances if you or someone else on your instance has subscribed to them. So it seems like if you want the best lemmy experience you should join the largest instance, perhaps if that wasn't the case more people would be willing to move to smaller instances.
This issue can be solved using this tool: https://github.com/Fmstrat/lcs
I don't see how their number of users is a legitimate problem. If it was causing issues due to day-to-day usage causing problematic queries that would be one thing, but it's been made clear that this is not a day-to-day issue with numbers, it's an active attack issue that's exploiting those heavy queries. It's not like the number of users are causing a hug-of-death style DDOS by calling the aforementioned queries.
If the users are a problem, it's only due to people being basically jealous of the user count on .world and picking it as the chief instance to fuck with, like picking the biggest guy in the jail lunchroom to prove you're a badass.
I downvoted your other post because while yes, in an ideal situation people migrating from Reddit would join local instances that fit their individual values the best, I don't agree that forcing people to join other instances than .world is the right or that it will make Lemmy better.
It doesn't matter if the reason is because they read about in a guide, it has most of the communities they liked, or even because it's the biggest instance currently, people's freedom of choice should be respected. How do you think complete newcomers would see Lemmy if even the most recommended instance turns them away? Probably that the whole thing is very exclusive.
The general sentiment around here seems to be that people like how the admins are handling things so far and that they feel inclined to be more active because there is enough users to generate discussions on smaller topics as well, so your claim that this instance is somehow damaging Lemmy's image seems a bit disingenuous to be honest.
Sorry, but I'm not going to listen to anybody who actively and purposely registers a .zip TLD.
What genius decided to even allow .zip TLDs? It's such an easy and open attack vector. We don't need all these stupid gimmick TLDs.
IIRC, someone at Google did 🤦♂️
Should they just forward their signup page to your instance lemmy.zip then sir?
Thanks for your comment. However that it sits in the high negative numbers (with 3 times the downvotes) shows that this instance is actually a problem. It is quite actively destroying principles of decentralized federated networks. Some very online super posters seem to participate in that.
Again it would be interesting to see who was it that downvoted your post.