
Fediverse Open to Cyberattacks Too!

Spam attacks on Mastodon and Misskey have raised questions about securing local servers

This was an attack that, some would say, brought a smile to Elon Musk’s face. When open source rivals to his X (formerly Twitter) platform such as Mastodon and Misskey were hit by a spam attack, the question of securing the smaller servers that form the network on which decentralized social platforms operate came to the fore.

However, now that this so-called Fediverse also appears to be prone to abuse, the question that surfaces is how some of its ardent supporters would react. For starters, Mastodon founder and CEO Eugen Rochko not only acknowledged the attack but also committed to switching over to an approval mode for server admins, who can then block disposable email providers.

What was the attack all about?

Just so that readers are up to speed, open source social web apps such as Mastodon and Misskey faced attacks on their smaller servers over the past several days. Cyber criminals took advantage of open registrations to automate the creation of spam accounts, which led Rochko to point out that only the project’s large servers had been targeted previously.

Since those large servers were run by Mastodon’s own teams, they were able to deflect the attacks internally. However, when the spammers set their sights on smaller and, in some cases, abandoned servers that still offered open registration, things got out of hand, quite literally, as the attackers quickly created accounts to generate spam.

The attack in question was reported to be fully automated: the attackers found it easy to script once they recognized an opportunity arising from a dispute between two sides of a Discord server, where one was seeking to get the other banned (you could read the full narrative here). Several users were unhappy over the incident and highlighted the weakness of the Fediverse.

Mastodon wasn’t the only target

Ironically, the spammers weren’t only going after Mastodon. They also targeted Misskey, an open source, decentralized blogging platform that uses the ActivityPub protocol (the same as Mastodon). The idea behind this flexibility is to allow users to interact with others on similar federated social platforms without a single entity hoarding everyone’s data.

Most of the attacks originated on a Japanese forum and targeted users in that country. This highlighted a major Fediverse challenge: anyone can install Mastodon on their own server to set up a personal instance or node and connect with other federated social networking servers powered by the ActivityPub protocol.

What were the major challenges?

Since the smaller players running Mastodon servers are probably doing so as a hobby, the exposure goes up manifold when admins who once offered open registration stop attending to their servers daily. Users pointed out that while some of them received reminders from a server instance, they also learnt of abandoned ones that left the doors ajar for spam.

Having seen the challenges, several server admins have since gotten together to create lists of abandoned instances that the entire admin community can use to blocklist and protect their own users. In fact, there were reports of server admins simply shutting down in order to wait out the attack, while a few even bid adieu to Mastodon.

A quick and collaborative recovery

At another level, the third-party Mastodon app Ivory released an update that offered a custom filter called “potential spam”, which allows users to mute spam mentions. All that affected users need to do is turn on this filter to catch most of the spam. However, it did not help them stop spam push notifications.

As this article was being posted, we were told that the attack itself was slowing down or may have already stopped. That said, Mastodon also pointed to its reactive moderation team, which is equipped with multiple tools to prevent automated account registration, including approval modes, CAPTCHAs and other blocking mechanisms.
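The mitigations mentioned above (open registration without approval as the weak point, abandoned instances as the worst case, and shared blocklists as the community response) can be turned into a small triage an admin runs over the peers they federate with. This is an added example, not code from the article or from the Mastodon or Misskey projects; the `registrations` / `approval_required` fields mirror what Mastodon’s public instance metadata exposes, the `last_activity` timestamp is assumed to have been collected by the admin, the 90-day staleness threshold is a constructed choice, and the CSV header is assumed to match Mastodon’s domain-block export.

```python
"""Triage federated peers for open, unattended registration (added example)."""
from datetime import datetime, timedelta, timezone

# Fixed clock and threshold so the run is reproducible (constructed values).
NOW = datetime(2024, 2, 20, tzinfo=timezone.utc)
STALE_AFTER = timedelta(days=90)

# Constructed sample: per-peer data an admin might gather from instance metadata
# plus the newest public activity timestamp observed from that peer.
PEERS = [
    {"domain": "open-stale.example", "registrations": True,
     "approval_required": False, "last_activity": "2023-09-01T12:00:00Z"},
    {"domain": "open-active.example", "registrations": True,
     "approval_required": False, "last_activity": "2024-02-19T08:00:00Z"},
    {"domain": "approval.example", "registrations": True,
     "approval_required": True, "last_activity": "2023-01-01T00:00:00Z"},
    {"domain": "closed.example", "registrations": False,
     "approval_required": False, "last_activity": "2024-02-18T00:00:00Z"},
]


def parse_ts(value: str) -> datetime:
    """Parse an ISO-8601 timestamp with a trailing 'Z' as UTC."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def classify(peer: dict, now: datetime = NOW) -> str:
    """'guarded' if signups are closed or approval-gated; otherwise 'open',
    or 'abandoned-open' when the peer has also gone quiet past STALE_AFTER."""
    if not peer["registrations"] or peer["approval_required"]:
        return "guarded"
    stale = now - parse_ts(peer["last_activity"]) > STALE_AFTER
    return "abandoned-open" if stale else "open"


def blocklist_csv(peers: list, now: datetime = NOW) -> str:
    """Emit a domain-block CSV (header assumed from Mastodon's export format):
    suspend abandoned open-signup peers, silence active ones for review."""
    rows = ["#domain,#severity,#reject_media,#reject_reports,#public_comment,#obfuscate"]
    for peer in peers:
        verdict = classify(peer, now)
        if verdict == "abandoned-open":
            comment = f"open signups; no activity since {peer['last_activity'][:10]}"
            rows.append(f'{peer["domain"]},suspend,false,false,"{comment}",false')
        elif verdict == "open":
            rows.append(f'{peer["domain"]},silence,false,false,"open signups without approval",false')
    return "\n".join(rows)


if __name__ == "__main__":
    print(blocklist_csv(PEERS))
```

The output is a list an admin can review and import, not something to apply blindly: an active peer with open signups may simply be well moderated.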

Of course, the entire episode served to revive the debate around the advantages and pitfalls of a decentralized system. Supporters saw the positive, collective approach to problem solving when a challenge arose as a great way forward, while others were ready to call it quits because they found managing servers hard work.

Thankfully, this has prompted Mastodon to announce that it will do what it takes to improve the software. With competitors such as Threads (Instagram) also planning to federate, it looks like 2024 will be the year when this federated approach really kicks in. To put things in perspective, Mastodon currently has 2.9 million monthly active users.