May 6, 2024 at 03:55PM
Mastodon has delayed an update to address link preview DDoS issues. Because of the decentralized nature of the network, each federated server fetches its own preview of a shared link, so a single widely shared post can trigger an overwhelming volume of fetch requests against the linked content's host server. The update, now deferred to version 4.4.0, aims to resolve this. Decentralization also poses challenges of its own, as evidenced by a critical vulnerability in February.
Key takeaways from the meeting notes:
1. Mastodon has postponed an update to version 4.4.0 that was intended to address the issue of link previews leading to unintended distributed denial of service (DDoS) attacks.
2. The link preview DDoS issue has been observed for over a year, and the fix scheduled for version 4.3.0 has now been delayed.
3. The decentralized nature of Mastodon, with its interconnected servers in the fediverse, contributes to the inadvertent DDoS problem: when a link is shared, each instance that receives the post fetches the preview from the content's host server, multiplying the load by the number of instances involved.
4. The impact of generating excessive link previews was highlighted by several websites, such as the It’s FOSS News blog, which experienced periodic unresponsiveness due to link sharing on Mastodon.
5. Decentralization also poses challenges, such as the need for every Mastodon instance to update in response to vulnerabilities, as mentioned in the discussion about a February vulnerability rated 9.4 out of 10 on the CVSS severity scale.
6. The progress of the upcoming 4.3.0 patch is at 53%, while version 4.4.0 is in the early stages. Additional information has been requested from the Mastodon project regarding the timeline for version 4.4.0 and its anti-DDoS fix.
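The following is an added example, not code from the article or from the Mastodon project, showing how an operator of a site like the one described in point 4 could spot this fan-out pattern in ordinary web server logs. It assumes Apache/Nginx "combined" log format and assumes that federated instances identify themselves with a User-Agent of the shape `http.rb/x (Mastodon/y; +https://instance/)`; the log lines themselves are constructed for the example. The detector counts how many distinct instances fetched the same path within a short window, which distinguishes a preview burst from normal traffic to a popular page.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample access-log lines (combined format). Six instances fetch the
# same post within three seconds, one browser visits the front page, one
# instance fetches /about, and a seventh instance fetches the post ten minutes
# later. The User-Agent shape is an assumption, not taken from the article.
SAMPLE_LOG = """\
203.0.113.10 - - [06/May/2024:15:55:01 +0000] "GET /news/post-1 HTTP/1.1" 200 5120 "-" "http.rb/5.1.1 (Mastodon/4.2.8; +https://instance-a.example/)"
203.0.113.11 - - [06/May/2024:15:55:01 +0000] "GET /news/post-1 HTTP/1.1" 200 5120 "-" "http.rb/5.1.1 (Mastodon/4.2.8; +https://instance-b.example/)"
198.51.100.5 - - [06/May/2024:15:55:02 +0000] "GET / HTTP/1.1" 200 8000 "-" "Mozilla/5.0 (X11; Linux x86_64) Firefox/125.0"
203.0.113.12 - - [06/May/2024:15:55:02 +0000] "GET /news/post-1 HTTP/1.1" 200 5120 "-" "http.rb/5.1.1 (Mastodon/4.2.8; +https://instance-c.example/)"
203.0.113.13 - - [06/May/2024:15:55:02 +0000] "GET /news/post-1 HTTP/1.1" 200 5120 "-" "http.rb/5.1.1 (Mastodon/4.1.0; +https://instance-d.example/)"
203.0.113.14 - - [06/May/2024:15:55:03 +0000] "GET /about HTTP/1.1" 200 2048 "-" "http.rb/5.1.1 (Mastodon/4.2.8; +https://instance-e.example/)"
203.0.113.15 - - [06/May/2024:15:55:03 +0000] "GET /news/post-1 HTTP/1.1" 200 5120 "-" "http.rb/5.1.1 (Mastodon/4.2.8; +https://instance-f.example/)"
203.0.113.16 - - [06/May/2024:15:55:04 +0000] "GET /news/post-1 HTTP/1.1" 200 5120 "-" "http.rb/5.1.1 (Mastodon/4.2.8; +https://instance-g.example/)"
203.0.113.17 - - [06/May/2024:16:05:30 +0000] "GET /news/post-1 HTTP/1.1" 200 5120 "-" "http.rb/5.1.1 (Mastodon/4.2.8; +https://instance-h.example/)"
"""

# Combined log format: ip ident user [timestamp] "METHOD path PROTO" status size "referer" "user-agent"
LOG_RE = re.compile(
    r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) \S+ "[^"]*" "([^"]*)"'
)
# Pulls the instance hostname out of the assumed "+https://instance/" UA suffix.
INSTANCE_RE = re.compile(r"\+https?://([^/\s)]+)")


def parse_line(line):
    """Parse one combined-format line; return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ip, ts, method, path, status, ua = m.groups()
    when = datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z")
    inst = INSTANCE_RE.search(ua)
    # Only requests that identify as a Mastodon instance count as preview fetches.
    instance = inst.group(1) if ("Mastodon/" in ua and inst) else None
    return {"ip": ip, "when": when, "method": method, "path": path,
            "status": int(status), "instance": instance}


def preview_fanout(lines, window_seconds=60):
    """Map each path to the peak number of distinct instances that fetched it
    inside any window_seconds-long interval (the fan-out of one shared link)."""
    events = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec and rec["instance"]:
            events[rec["path"]].append((rec["when"], rec["instance"]))
    window = timedelta(seconds=window_seconds)
    peaks = {}
    for path, evs in events.items():
        evs.sort()
        peak = 0
        for i, (t0, _) in enumerate(evs):
            # Distinct instances in the forward-looking window starting at t0.
            seen = {inst for t, inst in evs[i:] if t - t0 <= window}
            peak = max(peak, len(seen))
        peaks[path] = peak
    return peaks


def flag_bursts(lines, window_seconds=60, threshold=5):
    """Paths whose peak fan-out reaches the threshold, sorted for stable output."""
    fanout = preview_fanout(lines, window_seconds)
    return sorted(path for path, n in fanout.items() if n >= threshold)


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    for path, n in sorted(preview_fanout(lines).items()):
        print(f"{path}: peak {n} distinct instances within 60s")
    print("bursts:", flag_bursts(lines))
```

On the constructed data the post path peaks at six distinct instances inside the 60-second window (the fetch ten minutes later falls outside it) and is flagged, while `/about` and the browser hit are not. The fan-out figure is the number a site operator cares about: it is the multiplier that turns one shared link into the load the article describes, and it gives a concrete basis for origin-side measures such as serving the preview metadata from a cache or rate-limiting this request class until the 4.4.0 fix is deployed.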