Mastodon delays firm fix for link previews DDoSing sites

Decentralization is great until everyone wants to grab data from your web server

Updated Mastodon has pushed back an update that's expected to fully address the issue of link previews sparking accidental distributed denial of service (DDoS) attacks.

The problem with link previews hitting sites with bursts of traffic has been observed for over a year now, and although version 4.3.0 was slated to have a formal fix for the oversight, it no longer does after Mastodon CTO Renaud Chaput delayed the remedy to version 4.4.0, as seen on the project's GitHub page.

We understand a mitigation short of a full fix is in place in the meantime that should reduce the link preview load on sites.

Mastodon's penchant for inadvertently DDoSing websites stems from the decentralized nature of the social network.

Many websites and apps offer previews of their online content that usually each contain a headline, a subheadline, a small excerpt, and an image. When someone on Mastodon posts a link to that content, their Mastodon instance fetches the preview from the content's host server to display in people's Mastodon feeds.

Now remember that Mastodon is a fediverse made up of thousands of individual servers that are interconnected and propagate people's posts. As a post with a link spreads, each Mastodon server involved in bringing that post to users makes its own request to the link's host server to fetch and display the preview.

This can easily snowball one link preview into hundreds or thousands of fetches for the content's host server, which starts to look like a DDoS. In worst-case scenarios, sites can be overwhelmed and left unable to serve other visitors; in a lot of cases, we imagine sites are able to absorb the hit using a CDN or well-configured servers.

The impact of generating an excessive amount of link previews was detailed by the It's FOSS News blog, in a post last week titled: "Please Don’t Share Our Links on Mastodon."

"I believe we have 15,000 followers, and that gives us a decent reach," the post reads. "And, as a result, we get affected for a couple of minutes in a day, for readers to encounter 504 Gateway Timeout error or the webpage being unresponsive for a few seconds, whenever a link is shared on instance (primarily)."

Link preview DDoS problems aren't the only drawback that comes with decentralization. When a Mastodon vulnerability rated 9.4 out of 10 on the CVSS severity scale was revealed in February, it meant every single instance needed to update. While the vast majority of servers are now running a patched version, there are still plenty of vulnerable Mastodon servers operating according to FediDB.

While the upcoming 4.3.0 patch nearly done, according to Chaput, to us it appears 4.4.0 is in an early stage of development. We've asked the Mastodon project on what the timeline for version 4.4.0 and what its anti-DDoS fix looks like. ®

Updated to add

Chaput told us a full fix for the DDoS issue was pushed back to 4.4 due to the work involved. He told us: "There is currently nothing to federate link previews in the ActivityPub protocol, on which Mastodon is based. We need to find a way to do it, write a specification for it, get approval of other implementers, and implement it. This requires significant work and our core development team is 1.5 developers right now."

Nonetheless, the CTO assured us a stop-gap fix has been developed and distributed, which basically should address the problem for most people:

We have a mitigation in place as servers are waiting a random time between zero and 60 seconds before generating the preview to avoid sending all the requests at the same time, but a proper fix would be to have the link preview information shared between servers (federated) so each server does not need to fetch it. We have several ideas on how this could work, but we also need to ensure that this will not cause other issues, like allowing those to be spoofed.

We do not consider this as a critical issue because you need accounts on thousand of servers to follow an account for this to generate a non-trivial amount of requests, especially now that they are spread over 60 seconds, and there are much easier ways available to achieve the same result than using the Fediverse.

"In any case, this is on our 4.4 roadmap, and I hope we will have found both a working solution and the time to implement it by then," he added. Chaput also argued this issue isn't specific to Mastodon and instead affects "every Fediverse implementation."

More about


Send us news

Other stories you might like