Regarding the recent spam waves coming from Misskey, I have identified this as a security gap in Misskey's defenses, as their rate limiting is only per-account and endpoint not per IP address at a global level.
https://github.com/misskey-dev/misskey/issues/14951
Hopefully the #misskey developers will take steps to mitigate service abuse using their software in the future.
-
Samir Al-Battran replied to Emelia
@thisismissem
Oh please no! Many services host thousands of users and access from the same IP.
This rate limit has a crippling effect (currently we are not launching a major Bluesky release exactly for that reason).
Bad actors can easily overcome per-IP rate limits, so this only hurts good actors. If you want to gate access then by all means, one way is to not allow account creation through apps, but don't do global per-IP rate limits.
-
Emelia replied to Samir Al-Battran
@samir you have to have some limits somewhere. Currently they create these accounts over a period of time, then grab access tokens for each, pop them in a file, and then hammer the absolute shit out of the server, launching as many requests as possible at the target servers.
A global rate limit does help reduce this sort of behavior, because then you do need to get more sophisticated with your attack and fan it out across multiple IP addresses, which isn't something script kiddies are likely to do.
-
@samir you can't just rely on per-account limits, because this is explicitly sidestepping that by using multiple accounts.
-
@samir another option would be some sort of flood detection and prevention, e.g., take the server offline/read-only if it sees a sudden spike in API requests to create content.
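The two limiter layers the thread argues about, as an added example that is not Misskey's code nor anything posted by the participants: a sliding-window limiter keyed per account and, optionally, per source IP. The limits (10 notes per account per minute, 60 per IP per minute), the source address 203.0.113.7 and the request timings are constructed for illustration and are not Misskey's real configuration. Running the two scenarios shows both sides of the exchange: a flood spread across 100 throwaway accounts that each stay under the per-account limit passes entirely unless a per-IP limit is also applied, and a shared NAT address with many legitimate users is throttled by that same per-IP limit.

```typescript
// Added example (not Misskey's code). Sliding-window counters keyed on
// several dimensions, used to compare per-account-only limiting with
// per-account plus per-IP limiting on two constructed traffic patterns.

type Decision = { allowed: boolean; reason: string };

class SlidingWindowLimiter {
  private hits = new Map<string, number[]>();

  constructor(private readonly limit: number, private readonly windowMs: number) {}

  // Records a hit for `key` at `nowMs` and returns true if the key is still
  // within its limit for the trailing window. Old timestamps are pruned.
  hit(key: string, nowMs: number): boolean {
    const recent = (this.hits.get(key) ?? []).filter(t => nowMs - t < this.windowMs);
    if (recent.length >= this.limit) {
      this.hits.set(key, recent);
      return false;
    }
    recent.push(nowMs);
    this.hits.set(key, recent);
    return true;
  }
}

// Hypothetical limits chosen for the demonstration, not real Misskey values.
const PER_ACCOUNT_LIMIT = 10; // note creations per account per minute
const PER_IP_LIMIT = 60;      // note creations per source IP per minute, all accounts combined
const WINDOW_MS = 60_000;

// Gate in front of a hypothetical "create note" endpoint.
class NoteCreateGate {
  private byAccount = new SlidingWindowLimiter(PER_ACCOUNT_LIMIT, WINDOW_MS);
  private byIp = new SlidingWindowLimiter(PER_IP_LIMIT, WINDOW_MS);

  constructor(private readonly perIpEnabled: boolean) {}

  check(accountId: string, ip: string, nowMs: number): Decision {
    if (!this.byAccount.hit(accountId, nowMs)) return { allowed: false, reason: "per-account limit" };
    if (this.perIpEnabled && !this.byIp.hit(ip, nowMs)) return { allowed: false, reason: "per-IP limit" };
    return { allowed: true, reason: "ok" };
  }
}

// Constructed scenario 1: one source IP, many pre-registered accounts, each
// sending exactly its per-account allowance inside a single minute.
// Returns how many of the requests got through.
function simulateMultiAccountFlood(perIpEnabled: boolean, accounts = 100, notesPerAccount = 10): number {
  const gate = new NoteCreateGate(perIpEnabled);
  let allowed = 0;
  let t = 0;
  for (let a = 0; a < accounts; a++) {
    for (let n = 0; n < notesPerAccount; n++) {
      if (gate.check(`acct-${a}`, "203.0.113.7", t).allowed) allowed++;
      t += 10; // 10 ms apart: all 1000 requests land inside one 60 s window
    }
  }
  return allowed;
}

// Constructed scenario 2: many distinct legitimate users behind one NAT
// address, each posting a single note within the same minute.
// Returns how many of them are wrongly blocked by the per-IP limit.
function simulateSharedIpUsers(users = 200): number {
  const gate = new NoteCreateGate(true);
  let blocked = 0;
  for (let u = 0; u < users; u++) {
    if (!gate.check(`user-${u}`, "203.0.113.7", u * 100).allowed) blocked++;
  }
  return blocked;
}

console.log("flood, per-account only:", simulateMultiAccountFlood(false)); // 1000 of 1000 allowed
console.log("flood, per-account + per-IP:", simulateMultiAccountFlood(true)); // 60 of 1000 allowed
console.log("shared NAT, users blocked:", simulateSharedIpUsers()); // 140 of 200 blocked
```

The per-IP counter is what turns the multi-account flood from 1000 accepted requests into 60, which is the point made above about forcing the attacker to spread across addresses; the same counter is what blocks 140 of 200 legitimate users on a shared address, which is the cost raised in the reply. A deployment that wants both would typically raise or exempt the per-IP limit for known shared egress addresses, or key the second layer on something other than the bare IP, but the trade-off itself is what this sketch shows.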