this post was submitted on 24 Mar 2024
102 points (98.1% liked)
Lemmy
12524 readers
100 users here now
Everything about Lemmy; bugs, gripes, praises, and advocacy.
For discussion about the lemmy.ml instance, go to !meta@lemmy.ml.
founded 4 years ago
MODERATORS
you are viewing a single comment's thread
view the rest of the comments
view the rest of the comments
A per-user rate limit of some sort could have reduced the attack surface I think? Something like that would be quite a bit of dev work to implement though...
At least the situation was promptly resolved and users nuked, although R.I.P. to any smaller Lemmy servers that went down due to the massive spam wave
I'm not sure how extensive the spam wave was, nor how quickly the user was able to create an account, make the comments.
I doubt that the quantity in that I came across would be enough to take down a server, but that may be the point: To test lemmy's collective defenses and response without drawing too much attention.
A common IP address or address range ban file that's frequently updated and downloaded by each instance might be another way to boost security.
If this is actually an org attack, I'm guessing that we'll see botnet DDOS comment and post attacks next.
I highly doubt it's an org attack, Lemmy just isn't popular enough to see something like that.
I don't know if Lemmy has the ability to shadow ban, but those can be pretty effective for cases like this. It obviously wouldn't help with a botnet attack, but it would help with your average, run of the mill pranksters.
It's part of the ol' Big Tech playbook:
If a promising emerging competitor emerges:
I mean it's possible, but lemmy only has ~50k monthly active users. Reddit, on the other hand, is in the millions (>400M monthly active users last year, and >50M daily active users). Lemmy just isn't anywhere in the ballpark of being a threat to anyone.
I also think Lemmy has some architectural issues that will make it very difficult to scale to anywhere near Reddit size, even if it somehow gets the users.
It's a cool service, I just highly doubt it's the target of any big campaign. And that's a big part of why I'm here, it's big enough to have interesting communities, but small enough to avoid most of the spam.