Jerry on PieFed

Just a techie guy running feddit.online to allow people to communicate, make friends and acquaintances. Odd coming from a happy introvert, right? (https://jerry.hear-me.blog/about)

I also own these publicly available applications:
Mastodon: https://hear-me.social/
Alternative Mastodon UI: https://phanpy.hear-me.social/
Peertube: https://my-sunshine.video/
Friendica: https://my-place.social/
Matrix: https://element.secure-channel.net/
XMPP/Jabber: https://between-us.online/
Bluesky PDS: https://blue-ocean.social/ (jerry.blue-ocean.social) Mobilizon (Facebook Events Alt): https://my-group.events/
and more…

  • 27 Posts
  • 169 Comments
Joined 2 years ago
cake
Cake day: September 29th, 2024

help-circle


  • I’ve always believed, until this week, that if I posted something and it got upvotes, it was because people liked that I posted it. I’ve learned this week that because of some, it’s become a much less meaningful indicator. It’s been co-opted for unrelated purposes. I no longer trust it has any meaning. This is a letdown. Let’s add it then to the list of meaningless metrics like lines of code, story points, and StatCounter statistics.

    If it remains an admin choice, I will keep it enabled for the two reasons that the behavior makes vote counts meaningless, which is unfair to the community, and that these empty votes add a ton of unnecessary traffic for every instance. I wonder what percentage of my server is used just to process meaningless votes. Each vote sends me a request to update the database. Each meaningless vote here requires me to send out a ton of requests to other servers. Why should I pay for this? Why should users see lower performance because of this behavior?

    Please leave the setting, Rimu.

    And I completely like the proposal.


  • There are two answers to this depending on what the reason is for asking.

    If you are asking because you are concerned about scrapers reading your posts and violating your privacy and your rights, then understand that even if an instance is 100% effective at blocking them, the post is sent all over the place in clear text anyway. It doesn’t matter for them which of the federated servers your post is read from. They will read your post many times over. For this case, then, there is little incentive for a server owner to block bots if it’s just to protect your posts from ingestion.

    If you are asking because you are concerned about scrapers sucking the life out of a server because there are multiple different AI companies trying to read every single post in the database multiple times over for training, which ends up causing gateway timeout errors and poor performance, then admins, for this reason, should take action.

    On my PieFed server, feddit.online, as of yesterday, the firewall discarded 99K requests it deemed were for AI scraping while processing the remaining 300K requests. Those 99K requests would have been expensive requests, not just upvotes and such, but requests asking for huge amounts of text, and so the impact on the server and infrastructure would have been much more than a 25% tax on the system.

    And if the bots realize your server is not well protected, it gets worse. 3 months ago I peaked at 1.2 million requests in one day, of which over 700K were AI bots. Now it’s down to consistently under 100K from bots because many of them have given up, I like to believe.















  • Things like this that play games scare me. This itself opens a wider attack vector on your server. I’m thinking of possibilities:

    1. In Linux, each TCP connection is a file descriptor. PortTripper holds connections to waste scanner threads, which means it’s holding file descriptors. This could be a good DDOS attack vector. Hit every port with connection requests, requiring a slew of file descriptor creations, and boom, you cause the server to hit the server ulimit cap. New connections cannot be made. The server is half dead.

    2. Memory and CPU consumption. Maintaining thousands of open TCP states takes RAM and CPU. A massive flood can consume all memory. And for what? To annoy a hacker?

    Interestingly enough, just these 2 things can make PortTripper a hacker’s tool.

    1. If a service crashes or reboots, is down for maintenance, or is slow to come up, PortTripper might grab the port before the application comes back up. And then it can’t come back up.

    2. Who’s to say there won’t be vulnerabilities in PortTripper that can cause a buffer overflow, memory leak, or parsing vulnerability in PortTripper’s code or a library it uses? Playing this game opens another attack vector into your server.

    3. If PortTripper can bind to ports 1 through 1023, then it’s running as root or has elevated capabilities. If an attacker exploits a bug in PortTripper or a library it uses, they can get high-level control of the server.

    4. While PortTripper “discards datagrams without replying” in a reflected DDOS attack, millions of discarded packets come in, which means millions of CPU interrupts at the kernel level. This can choke the NIC.

    I think PortTripper is too risky to run just to become a nuisance to someone, IMHO.