Hello there!
It has been a while since our last update, but it’s about time to address the elephant in the room: downtimes. Lemmy.World has been having multiple downtimes a day for quite a while now. And we want to take the time to address some of the concerns and misconceptions that have been spread in chatrooms, memes and various comments in Lemmy communities.
So let’s go over some of these misconceptions together.
“Lemmy.World is too big and that is bad for the fediverse”.
While one thing is true, we are the biggest Lemmy instance, we are far from the biggest in the Fediverse. If you want actual numbers you can have a look here: https://fedidb.org/network
The entire Lemmy fediverse is still in its infancy and even though we don’t like to compare ourselves to Reddit it gives you something comparable. The entire amount of Lemmy users on all instances combined is currently 444,876 which is still nothing compared to a medium sized subreddit. There are some points that can be made that it is better to spread the load of users and communities across other instances, but let us make it clear that this is not a technical problem.
And even in a decentralised system, there will always be bigger and smaller blocks within; such would be the nature of any platform looking to be shaped by its members.
“Lemmy.World should close down registrations”
Lemmy.World is being linked in a number of Reddit subreddits and in Lemmy apps. Imagine if new users land here and they have no way to sign up. We have to assume that most new users have no information on how the Fediverse works and making them read a full page of what’s what would scare a lot of those people off. They probably wouldn’t even take the time to read why registrations would be closed, move on and not join the Fediverse at all. What we want to do, however, is inform the users before they sign up, without closing registrations. The option is already built into Lemmy but only available on Lemmy.ml - so a ticket was created with the development team to make these available to other instance Admins. Here is the post on Lemmy Github.
Which brings us to the third point:
“Lemmy.World can not handle the load, that’s why the server is down all the time”
This is simply not true. There are no financial issues to upgrade the hardware, should that be required; but that is not the solution to this problem.
The problem is that for a couple of hours every day we are under a DDOS attack. It’s a never-ending game of whack-a-mole where we close one attack vector and they’ll start using another one. Without going too much into detail and expose too much, there are some very ‘expensive’ sql queries in Lemmy - actions or features that take up seconds instead of milliseconds to execute. And by by executing them by the thousand a minute you can overload the database server.
So who is attacking us? One thing that is clear is that those responsible of these attacks know the ins and outs of Lemmy. They know which database requests are the most taxing and they are always quick to find another as soon as we close one off. That’s one of the only things we know for sure about our attackers. Being the biggest instance and having defederated with a couple of instances has made us a target.
“Why do they need another sysop who works for free”
Everyone involved with LW works as a volunteer. The money that is donated goes to operational costs only - so hardware and infrastructure. And while we understand that working as a volunteer is not for everyone, nobody is forcing anyone to do anything. As a volunteer you decide how much of your free time you are willing to spend on this project, a service that is also being provided for free.
We will leave this thread pinned locally for a while and we will try to reply to genuine questions or concerns as soon as we can.
Have you guys contacted law enforcement? It may surprise you. A startup I worked for had the same issue and contacted the FBI. They were able to quickly (within hours) find the person doing it despite him using VPNs and other tools for OpSec.
I’d imagine that there are a lot of users and communities on here that want law enforcement as far away from the Fediverse as possible…
And yet, and this will shock and amaze you, they’re probably here already. Lemmy isn’t a secret.
No doubt, but there’s a difference between a van trundling down the street and a welcome mat and a tray of tea cooling in the living room.
I get you. There’s good and bad in law enforcement, especially when it comes to tech and social media. On the one hand, there’s pretty serious crime happening online that needs to be stopped. On the other, wild invasions of privacy. There’s no easy answer at this point and governments obviously won’t police themselves.
aint no way
The risk that would create for vulnerable communities on here would deeply irresponsible.
Right. Because FBI doesn’t already monitor any suspicious activity.
Right. Because FBI doesn’t already monitor
any suspiciousactivity.FTFY
They fuck with left leaning groups and try to intentionally destabilize them 🤷♂️
I don’t understand.
As I said above, The FBI is known to infiltrate left leaning political organizations to fuck with them.
Oh no! Won’t anyone think of the criminals!?
First, they came for …
Sounds like you and lefty are concerned with protecting illegal activity here? Fuck that. I’m not okay with Lemmy being a hub for society’s most trash individuals.
I believe it’s a mistake to conflate law-abiding with morally correct. In fact, in some cases the morally correct thing to do is disobey the law.
I (foolishly) assumed we were talking about the obviously morally abhorrent stuff.
That’s not what we were implying remotely. The FBI is known to infiltrate left leaning political organizations to fuck with them. Obviously if someones hosting violence or CP or shit like that that’d awful and they need to be arrested, but I was specifying specifically about the FBIs history with fucking up political groups and forums
I jumped the gun then with assuming it was the latter. My b.
This isn’t 8chan, and I have no wish to see it emulate it. Revenge porn, CSAM, stalking and harassment: that absolutely should be kicked off and reported.
But if you can’t imagine a scenario where a left leaning, privacy focused userbase might look at willingly going to law enforcement without the above issues and balk, you need to review your history.
Have you guys contacted law enforcement?
Given that the goal of this instance is to serve as a reference of the Fediverse, it is expected that it will continue to grow, and in turn, attract more attention, which due to a game of numbers also involves more trolls and enemies. Thus, the fact that the instance is being DDOS’ed right now shouldn’t be seen as a conjunctural problem, but rather a challenge that is here to stay and sometimes be a problem.
While I think it’s a good idea for lemmy.world to do it this time, relying on a police force to routinely come to our call and do something means periods during which the instance will be out while we wait for them for work. The instance, and Lemmy in general, should have more robust defenses so that calling for external help is only required at exceptional times.
Did it result in charges for the person doing it?
For this, I want to see the motivation for DDOSing Lemmy lol.
There was a user who made hundreds of communities and got pissy when they were banned, there’s heavy speculation that it’s them.
Could be reddit , hiring people to kill the competition 😅 (jk)
You joke, but I wouldn’t be surprised in the least.
Happened to voat everytine Pao did something. Part of why it failed.
That, or it could be right-wing neo-nazi chuds from the detonating-craniums instance that are butthurt that nobody wants to federate with them.
Maybe a mix of both?
Could be the instance with the raving tankies that was defederated.
Someone creating heaps of communities just to be a mod and then getting pissy about it doesn’t sound like someone with the skills to run a DDOS attack.
They had nearly a thousand communities after joining, like an inhuman amount that wouldn’t have been possible without scripting.
DDoS isn’t a high skill attack by any means, they could have also hired somebody else to do it for them (there are some really big losers out there who will waste money on something like that).
Never underestimate the pettiness of the u/gallowboobs of the world.
gallowboobs
hahahaha!
They could pay for someone to do it. They also most likely created all those communities with a script, so they’re not your average user.
You don’t need motive to convict. Just the correct mental state (mens rea) and the commission of the relevant elements (actus reus). Motive helps, but it’s not necessary.
But a DDOS attack would probably fall under the CFAA, possibly some other criminal statutes depending on the facts.
I know, I just want to know what the motive is.
“Vengence is mine!” sayeth the gallowboob.
In all seriousness, we all appreciate your work. These are the growing pains that are to be expected, and your hard work and transparency (and writing it up at a level that even I can understand) is welcome.
What I find most ridiculous about people claiming lemmy.world is too big and therefore bad for the Fediverse is simply… Have you people wondered why it got so big?
During the crucial first weeks of the Reddit migration, the single time period with the most chance of bringing new users, pretty much all larger Lemmy instances closed their registrations - they couldn’t handle the influx. Other big ones decided to immediately defederate everybody, they were afraid of having to moderate content. And a few did remain open and federated, but they were also extremely niche and focused on their own political side of the spectrum.
Lemmy.world however remained open, remained with active admins that helped the first moderators, and kept upgrading the server at a very fast rate - you might forget it now, but Lemmy was massively slow and frustrating and then a new Lemmy.world update would drop and it would feel like a different website.
So yeah, “bad for the Fediverse” for being the only instance that kept up with the demand at the most necessary time.
Thanks Lemmy.world team.
And besides closing registrations, many others required that you request it, then wait for approval. Of course most went with the path of least resistance - I know I did (using an alt account now because of the DDOS attacks).
Thanks for the update and the hard work behind the scenes to keep things online!
I think you should take 5% of donations to pay yourselves personally. I appreciate your work!
Definitely need to pay themselves. Doing this for free is not sustainable over long periods.
I’m more than okay with the old Jimmy Wales treatment once or twice a year.
Thanks for all you guys do! While the lack of reliability can be frustrating your efforts do not go unnoticed. Thanks again.
Hopefully all the attacks you guys endure end up helping lemmy patch those attack vectors and make lemmy an overall safer and more robust place.
They are inadvertently helping Lemmy become more robust
I guess it’s that guy who said he was going to break the site. Remember that guy? Something about not being allowed to open loads of communities or something.
Another heartfelt thanks—both for the hard work, and for the transparency.
Thank you guys for the write up and for helping to keep things running.
Thanks for the update and all the hard work.
Imagine having the free time to engineer attacks on a site. Fucking loser.
Or, they have a commercial interest or are paid by someone who does. Fucking losers either way
There are quite a few InfoSec people here. While I have never held an official InfoSec job I do have a degree. However, my degree is debatable about whether it actually educates me as intended.
Point being there are a lot of people that have more knowledge than me as well as experience but I want to learn. As someone who is always listening to security podcasts like Hacking Humans or Darknet Diaries, naked hacking, or even InfoSec journalism around popular ongoing issues in the world like Click Here. I always want to learn and get experience.
I currently work in IT for a hospital. Is there any way to help with this kind of thing to learn and build on knowledge to help? To volunteer time to potentially see what is going on?
IF you were a bad actor, this is exactly the argument to use to get more inside information to use in the next attack.
Establishing trust is the first problem to be overcome.
Would it be possible to have the error page when you are being attacked/there is an outage point to some other lemmy instances to go to?
I think that could be a big help if there is an issue when a new user tries to check out .world for the first time. They will at least have a link to click on to check out what lemmy is like on another instance and maybe sign up there too.