Skip links

Mastodon delays fix for link previews DDoSing websites

Mastodon has pushed back an update that would have addressed the issue of link previews creating accidental distributed denial of service (DDoS) attacks.

The problem with link previews knocking over sites has been observed for over a year now, and although version 4.3.0 was slated to have a fix for the DDoS bug, it no longer does after Mastodon CTO Renaud Chaput delayed it to version 4.4.0, as seen on the project’s GitHub page. 

Mastodon’s penchant for inadvertently DDoSing websites stems from the decentralized nature of the social network.

Many websites and apps offer previews of their online content that usually each contain a headline, a subheadline, a small excerpt, and an image. When someone on Mastodon posts a link to that content, their Mastodon instance fetches the preview from the content’s host server to display in people’s Mastodon feeds.

Now remember that Mastodon is a fediverse made up of thousands of individual servers that are interconnected and propagate people’s posts. As a post with a link spreads, each Mastodon server involved in bringing that post to users makes its own request to the link’s host server to fetch and display the preview.

This can easily snowball one link preview into hundreds or thousands of fetches for the content’s host server, which starts to look like an overwhelming DDoS, knocking the system offline or leaving it unable to serve other visitors. The impact of generating an excessive amount of link previews was detailed by the It’s FOSS News blog, in a post entitled: “Please Don’t Share Our Links on Mastodon.”

“I believe we have 15,000 followers, and that gives us a decent reach,” the post says. “And, as a result, we get affected for a couple of minutes in a day, for readers to encounter 504 Gateway Timeout error or the webpage being unresponsive for a few seconds, whenever a link is shared on instance (primarily).”

Link preview DDoS problems aren’t the only drawback that comes with decentralization. When a Mastodon vulnerability rated 9.4 out of 10 on the CVSS severity scale was revealed in February, it meant every single instance needed to update. While the vast majority of servers are now running a patched version, there are still plenty of vulnerable Mastodon servers operating according to FediDB.

While the upcoming 4.3.0 patch is 53 percent done as of the time of writing, 4.4.0 has no progress, and seems to be in the early stages. We’ve asked the Mastodon project on what the timeline for version 4.4.0 and what its anti-DDoS fix looks like. ®