Future Tech

Mastodon delays fix for link previews DDoSing websites

Tan KW
Publish date: Tue, 07 May 2024, 08:01 AM

Mastodon has pushed back an update that may have addressed the issue of link previews creating accidental distributed denial of service (DDoS) attacks.

The problem with link previews hitting sites with a surge of traffic has been observed for over a year now, and although version 4.3.0 was slated to have a fix for the oversight, it no longer does after Mastodon CTO Renaud Chaput delayed the remedy to version 4.4.0, as seen on the project's GitHub page. 

Mastodon's penchant for inadvertently DDoSing websites stems from the decentralized nature of the social network.

Many websites and apps offer previews of their online content that usually each contain a headline, a subheadline, a small excerpt, and an image. When someone on Mastodon posts a link to that content, their Mastodon instance fetches the preview from the content's host server to display in people's Mastodon feeds.

Now remember that Mastodon is a fediverse made up of thousands of individual servers that are interconnected and propagate people's posts. As a post with a link spreads, each Mastodon server involved in bringing that post to users makes its own request to the link's host server to fetch and display the preview.

This can easily snowball one link preview into hundreds or thousands of fetches for the content's host server, which starts to look like a DDoS. In worst-case scenarios, sites can be overwhelmed and left unable to serve other visitors; in a lot of cases, we imagine sites are able to absorb the hit using a CDN or well-configured servers.
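To make the fan-out described above visible in a site's own access logs, here is an added detection example (not code from The Register or the Mastodon project). It parses combined-format access log lines, picks out fetches whose user agent identifies a Mastodon instance, and flags any path that was fetched by several distinct instances within a short window, which is the signature of a link-preview storm rather than ordinary reader traffic. The user-agent shape `http.rb/... (Mastodon/<version>; +https://<instance>/)` is an assumption about how Mastodon's HTTP client identifies itself; the log lines, instance names and thresholds are constructed for the example.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime

# Combined log format: ip ident user [time] "method path proto" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)

# Assumed Mastodon fetcher user-agent: "... (Mastodon/4.2.8; +https://example.social/)".
# Adjust this pattern if your logs show a different format.
MASTODON_UA_RE = re.compile(r"Mastodon/[\d.]+; \+(?P<instance>https?://[^/)\s]+)")

# Constructed sample log lines: four distinct instances hit /article within a few
# seconds (one of them twice), a fifth arrives minutes later, a browser visit is
# interleaved, and /about gets a single preview fetch.
SAMPLE_LOG = [
    '203.0.113.10 - - [06/May/2024:08:00:01 +0000] "GET /article HTTP/1.1" 200 5120 "-" "http.rb/5.1.1 (Mastodon/4.2.8; +https://mastodon.social/)"',
    '203.0.113.11 - - [06/May/2024:08:00:02 +0000] "GET /article HTTP/1.1" 200 5120 "-" "http.rb/5.1.1 (Mastodon/4.2.8; +https://fosstodon.org/)"',
    '198.51.100.5 - - [06/May/2024:08:00:03 +0000] "GET /article HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (X11; Linux x86_64) Firefox/125.0"',
    '203.0.113.12 - - [06/May/2024:08:00:03 +0000] "GET /article HTTP/1.1" 200 5120 "-" "http.rb/5.1.1 (Mastodon/4.2.7; +https://infosec.exchange/)"',
    '203.0.113.13 - - [06/May/2024:08:00:05 +0000] "GET /article HTTP/1.1" 200 5120 "-" "http.rb/5.1.1 (Mastodon/4.2.8; +https://hachyderm.io/)"',
    '203.0.113.10 - - [06/May/2024:08:00:09 +0000] "GET /article HTTP/1.1" 200 5120 "-" "http.rb/5.1.1 (Mastodon/4.2.8; +https://mastodon.social/)"',
    '203.0.113.14 - - [06/May/2024:08:00:10 +0000] "GET /about HTTP/1.1" 200 2048 "-" "http.rb/5.1.1 (Mastodon/4.2.8; +https://mastodon.social/)"',
    '203.0.113.15 - - [06/May/2024:08:05:00 +0000] "GET /article HTTP/1.1" 200 5120 "-" "http.rb/5.1.1 (Mastodon/4.2.8; +https://example.social/)"',
]


def parse_log_line(line):
    """Return a dict of fields for a combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["time"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return rec


def mastodon_instance(user_agent):
    """Return the origin of the Mastodon instance that sent this request, or None."""
    m = MASTODON_UA_RE.search(user_agent)
    return m.group("instance") if m else None


def find_preview_bursts(lines, window_seconds=60, min_instances=3):
    """Map each path to the peak number of distinct Mastodon instances that fetched
    it inside any window of window_seconds; only paths reaching min_instances are kept."""
    by_path = defaultdict(list)
    for line in lines:
        rec = parse_log_line(line)
        if rec is None or rec["method"] != "GET":
            continue
        instance = mastodon_instance(rec["ua"])
        if instance is None:
            continue  # ordinary visitor traffic is not part of the fan-out
        by_path[rec["path"]].append((rec["time"], instance))

    bursts = {}
    for path, events in by_path.items():
        events.sort()
        in_window = Counter()  # instance -> fetches currently inside the window
        left = 0
        peak = 0
        for t, instance in events:
            in_window[instance] += 1
            # Slide the left edge forward until everything in the window is recent
            while (t - events[left][0]).total_seconds() > window_seconds:
                old = events[left][1]
                in_window[old] -= 1
                if in_window[old] == 0:
                    del in_window[old]
                left += 1
            peak = max(peak, len(in_window))  # distinct instances, not raw hits
        if peak >= min_instances:
            bursts[path] = peak
    return bursts


if __name__ == "__main__":
    for path, count in find_preview_bursts(SAMPLE_LOG).items():
        print(f"{path}: {count} distinct Mastodon instances fetched it within 60s")
```

Counting distinct instances rather than raw requests is deliberate: a single instance retrying is noise, while many different origins fetching the same path in the same minute is exactly the fediverse fan-out the article describes. A site that sees this pattern can confirm its CDN is caching the Open Graph response or rate-limit the fetcher user agent without affecting human readers.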

The impact of generating an excessive amount of link previews was detailed by the It's FOSS News blog, in a post entitled: "Please Don’t Share Our Links on Mastodon."

"I believe we have 15,000 followers, and that gives us a decent reach," the post reads. "And, as a result, we get affected for a couple of minutes in a day, for readers to encounter 504 Gateway Timeout error or the webpage being unresponsive for a few seconds, whenever a link is shared on mastodon.social instance (primarily)."

Link preview DDoS problems aren't the only drawback that comes with decentralization. When a Mastodon vulnerability rated 9.4 out of 10 on the CVSS severity scale was revealed in February, it meant every single instance needed to update. While the vast majority of servers are now running a patched version, there are still plenty of vulnerable Mastodon servers operating according to FediDB.

While the upcoming 4.3.0 patch is 53 percent done as of the time of writing, 4.4.0 has no progress and seems to be in the early stages. We've asked the Mastodon project what the timeline for version 4.4.0 is and what its anti-DDoS fix looks like. ®


https://www.theregister.com//2024/05/06/mastodon_delays_fix_ddos/
