Looks like there has been a fair bit of discussion about the architecture of Mastodon previews and “DDoS-ing” web sites:
-
Zach Leatherman :11ty: replied to Zach Leatherman :11ty:
For those managing servers: what kind of concurrent request count spikes do y’all prepare for?
Looks like the Locust load testing tool’s “first test” starts with 100 concurrent users: https://docs.locust.io/en/stable/quickstart.html
-
Dave 🧱 :cursor_pointer: replied to Zach Leatherman :11ty:
@zachleat I think a vast part of my career is about making things someone else's problem
-
Zach Leatherman :11ty: replied to Dave 🧱 :cursor_pointer:
@DavidDarnes for the right things, it makes sense!
-
Sara Joy :happy_pepper: replied to Zach Leatherman :11ty:
@zachleat yeah I haven't noticed this with Netlify but then I also don't pay attention haha, I just post and scoot
-
Zach Leatherman :11ty: replied to Zach Leatherman :11ty:
Found a pretty hefty blog post about concurrency benchmarks using the Nginx web server.
Looks like the slowest metric (1 CPU, HTTPS) handled 428 connections per second.
-
Zach Leatherman :11ty: replied to Sara Joy :happy_pepper:
@sarajw post and scoot
-
Noah Liebman replied to Zach Leatherman :11ty:
-
Zach Leatherman :11ty: replied to Noah Liebman
-
Sara Joy :happy_pepper: replied to Zach Leatherman :11ty:
Who's that tootin' in the feeds?
It's two devrels and they're on fleek
Blogs and demos and typin' hands
What's your language? JS I am!
Instances come to play, the server's not fast enough
They'd best stay away when the websites get a shove
Toot, scoot, riot (riot!)
Leave a link and run away
Toot, scoot, riot (riot!)
No one visits my site anyway...
-
William O'Connell replied to Zach Leatherman :11ty:
@zachleat Yeah, even if all ~30,000 mastodon instances hit the server within 60 seconds (unlikely), that's still only 500 requests per second. That seems pretty manageable? At least for public content that's identical for every user. A real DDoS by an attacker can be *millions* of requests per second.
-
Noah Liebman replied to Sara Joy :happy_pepper:
-
Sara Joy :happy_pepper: replied to Noah Liebman
-
Zach Leatherman :11ty: replied to Sara Joy :happy_pepper:
-
Zach Leatherman :11ty: replied to William O'Connell
@williamoconnell yeah, that third blog post notes a hypothetical of 6.7k simultaneous requests—which seems like a lot!
-
Dustin Rue replied to Zach Leatherman :11ty:
@zachleat this is _easily_ solved with a caching strategy which I have mentioned a few times to people who mention this issue. You can read about it at https://dustinrue.com/2023/02/avoiding-stampeding-mastodons/. It is not necessarily something only Cloudflare can solve, but can be used to inform people on how to fix the issue using any caching solution and some effort.
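Dustin's caching point, as an added example (not from the thread or from his blog post): a small origin-side cache in Go with stampede protection, so a burst of preview fetches for one URL reaches the expensive render once and every other request in the burst is handed that same result. StampedeCache, Simulate and the 50 ms render are constructed for this illustration; a proxy cache with request coalescing (nginx's proxy_cache_lock, for instance) gives the same effect in front of a real CMS.

```go
package main
import "sync"
import "sync/atomic"
import "time"
type call struct {
	done    chan struct{} // closed once body is ready
	body    string
	expires time.Time // freshness deadline, fixed when the render starts
}

// StampedeCache serves a fresh cached copy; otherwise one caller renders and the rest wait for it.
type StampedeCache struct {
	mu     sync.Mutex
	ttl    time.Duration
	calls  map[string]*call
	render func(key string) string // the expensive origin render (a WordPress page, say)
}

func (c *StampedeCache) Get(key string) string {
	c.mu.Lock()
	f, ok := c.calls[key]
	if ok && time.Now().Before(f.expires) {
		c.mu.Unlock()
		<-f.done // instant for a cached copy; blocks until an in-flight render finishes
		return f.body
	}
	f = &call{done: make(chan struct{}), expires: time.Now().Add(c.ttl)}
	c.calls[key] = f // published before rendering, so later arrivals wait instead of rendering
	c.mu.Unlock()
	f.body = c.render(key)
	close(f.done) // ordered after the body write, so every waiter reads the finished body
	return f.body
}

// Simulate fires n concurrent fetches of one URL and returns how many origin renders they cost.
func Simulate(n int) int64 {
	var renders int64
	c := &StampedeCache{ttl: time.Minute, calls: map[string]*call{}, render: func(key string) string {
		atomic.AddInt64(&renders, 1)
		time.Sleep(50 * time.Millisecond) // constructed stand-in for a slow server-side render
		return "<html>preview of " + key + "</html>"
	}}
	var wg sync.WaitGroup
	wg.Add(n)
	for i := 0; i < n; i++ {
		go func() { defer wg.Done(); c.Get("/blog/post") }()
	}
	wg.Wait()
	return atomic.LoadInt64(&renders)
}
```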
-
Zach Leatherman :11ty: replied to Dustin Rue
@dustinrue WordPress always needs one more thing to work like it should by default
-
Dustin Rue replied to Zach Leatherman :11ty:
@zachleat Generally speaking I disagree. If the site were Next.js, Drupal or any of the countless other systems that generate content on the fly and isn't a static site, it will fall victim to this same issue.
-
Zach Leatherman :11ty: replied to Dustin Rue
@dustinrue the nuance I’d contribute is that (in my opinion) static sites are a better default for most web sites and dynamism should be an additive architectural layer.
Removes an entire class of problems for most folks
-
William O'Connell replied to Zach Leatherman :11ty:
@zachleat It says they're supposed to be spread over 60 seconds though. In practice probably more, since it should take some time for all the instances to pick up the post in the first place. The author says "I'm yet to see that work for me" but I'm unclear whether that means they have evidence that it isn't happening or their site is just still crashing regardless. The lack of specific data makes it hard to draw conclusions.
-
Emelia 👸🏻 replied to Zach Leatherman :11ty:
@zachleat there's ongoing work to improve the situation