Hello there!
It has been a while since our last update, but it’s about time to address the elephant in the room: downtimes. Lemmy.World has been having multiple downtimes a day for quite a while now. And we want to take the time to address some of the concerns and misconceptions that have been spread in chatrooms, memes and various comments in Lemmy communities.
So let’s go over some of these misconceptions together.
“Lemmy.World is too big and that is bad for the fediverse”.
While one thing is true, that we are the biggest Lemmy instance, we are far from the biggest in the Fediverse. If you want actual numbers you can have a look here: https://fedidb.org/network
The entire Lemmy fediverse is still in its infancy and even though we don’t like to compare ourselves to Reddit, it gives you something comparable. The total number of Lemmy users on all instances combined is currently 444,876, which is still nothing compared to a medium-sized subreddit. There are some points that can be made that it is better to spread the load of users and communities across other instances, but let us make it clear that this is not a technical problem.
And even in a decentralised system, there will always be bigger and smaller blocks within; such would be the nature of any platform looking to be shaped by its members.
“Lemmy.World should close down registrations”
Lemmy.World is being linked in a number of Reddit subreddits and in Lemmy apps. Imagine if new users land here and they have no way to sign up. We have to assume that most new users have no information on how the Fediverse works and making them read a full page of what’s what would scare a lot of those people off. They probably wouldn’t even take the time to read why registrations would be closed, move on and not join the Fediverse at all. What we want to do, however, is inform the users before they sign up, without closing registrations. The option is already built into Lemmy but only available on Lemmy.ml - so a ticket was created with the development team to make these available to other instance Admins. Here is the post on Lemmy GitHub.
Which brings us to the third point:
“Lemmy.World cannot handle the load, that’s why the server is down all the time”
This is simply not true. There are no financial issues to upgrade the hardware, should that be required; but that is not the solution to this problem.
The problem is that for a couple of hours every day we are under a DDoS attack. It’s a never-ending game of whack-a-mole where we close one attack vector and they’ll start using another one. Without going too much into detail and exposing too much, there are some very ‘expensive’ SQL queries in Lemmy - actions or features that take up seconds instead of milliseconds to execute. And by executing them by the thousand a minute you can overload the database server.
So who is attacking us? One thing that is clear is that those responsible for these attacks know the ins and outs of Lemmy. They know which database requests are the most taxing and they are always quick to find another as soon as we close one off. That’s one of the only things we know for sure about our attackers. Being the biggest instance and having defederated with a couple of instances has made us a target.
“Why do they need another sysop who works for free”
Everyone involved with LW works as a volunteer. The money that is donated goes to operational costs only - so hardware and infrastructure. And while we understand that working as a volunteer is not for everyone, nobody is forcing anyone to do anything. As a volunteer you decide how much of your free time you are willing to spend on this project, a service that is also being provided for free.
We will leave this thread pinned locally for a while and we will try to reply to genuine questions or concerns as soon as we can.
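The post above describes the mechanism behind the outages: a few slow query shapes, each executed thousands of times a minute, exhaust the database. The following script is an added example, not code from the original post or from Lemmy.World's infrastructure. It groups PostgreSQL `log_min_duration_statement` output (assumed here with a `%m [%p] ` log line prefix) by query shape and by minute, then reports the shapes that burn the most database time in a single minute, which is the information an operator needs before deciding what to cache, index or rate-limit. The log lines, table and column names, and the threshold are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed PostgreSQL log lines in the shape produced by
# log_min_duration_statement with a "%m [%p] " log_line_prefix.
# Table and column names are illustrative, not taken from real server logs.
SAMPLE_LOG = """\
2023-08-01 12:00:01.120 UTC [4012] LOG:  duration: 2310.512 ms  statement: SELECT * FROM post_aggregates WHERE community_id = 17 ORDER BY hot_rank DESC LIMIT 20
2023-08-01 12:00:01.455 UTC [4013] LOG:  duration: 2287.004 ms  statement: SELECT * FROM post_aggregates WHERE community_id = 42 ORDER BY hot_rank DESC LIMIT 20
2023-08-01 12:00:02.003 UTC [4014] LOG:  duration: 12.301 ms  statement: SELECT id FROM person WHERE name = 'alice'
2023-08-01 12:00:02.771 UTC [4015] LOG:  duration: 2401.880 ms  statement: SELECT * FROM post_aggregates WHERE community_id = 99 ORDER BY hot_rank DESC LIMIT 20
2023-08-01 12:01:03.010 UTC [4016] LOG:  duration: 2350.000 ms  statement: SELECT * FROM post_aggregates WHERE community_id = 5 ORDER BY hot_rank DESC LIMIT 20
2023-08-01 12:01:04.500 UTC [4017] LOG:  duration: 8.100 ms  statement: SELECT id FROM person WHERE name = 'bob'
"""

# Timestamp is captured only to minute precision so executions group per minute.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}):\d{2}\.\d+ \S+ \[\d+\] LOG:\s+"
    r"duration: (?P<ms>[\d.]+) ms\s+statement: (?P<sql>.*)$"
)
STRING_LIT = re.compile(r"'(?:[^']|'')*'")      # SQL string literal, '' escapes a quote
NUMBER_LIT = re.compile(r"\b\d+(?:\.\d+)?\b")   # bare numeric literal


def fingerprint(sql):
    """Collapse literals so the same query shape with different parameters groups together."""
    sql = STRING_LIT.sub("?", sql)
    sql = NUMBER_LIT.sub("?", sql)
    return re.sub(r"\s+", " ", sql).strip()


def aggregate(log_text):
    """Per (minute, fingerprint): number of executions and total database time in ms."""
    stats = defaultdict(lambda: {"count": 0, "total_ms": 0.0})
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not a duration line (continuation, checkpoint notice, etc.)
        key = (m.group("ts"), fingerprint(m.group("sql")))
        stats[key]["count"] += 1
        stats[key]["total_ms"] += float(m.group("ms"))
    return dict(stats)


def hotspots(log_text, threshold_ms=5000.0):
    """Shapes that consumed more than threshold_ms of database time in one minute, worst first.

    Returns tuples of (minute, fingerprint, executions, total_ms).
    """
    rows = [
        (minute, fp, v["count"], round(v["total_ms"], 3))
        for (minute, fp), v in aggregate(log_text).items()
        if v["total_ms"] > threshold_ms
    ]
    return sorted(rows, key=lambda r: -r[3])


if __name__ == "__main__":
    for minute, fp, count, total_ms in hotspots(SAMPLE_LOG):
        print(f"{minute}  {count:>5} runs  {total_ms:>10.1f} ms  {fp}")
```

The threshold is deliberately expressed as total database time per minute rather than per-query duration: a single slow query is a tuning problem, but the same slow shape repeated hundreds of times in a minute is the pattern described in the post, and the fingerprint tells you which endpoint to look at first.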
Interesting your comparison with “imagine if a new user got to the page and couldn’t sign up” - honestly, that’s what they’re faced with now regardless of closing off sign-ups.
You say being able to handle the load is not an issue - I understand that on a technical level, but at the same time, you can’t handle the load currently with the level of ddos attacks. That much is fact.
I know it’s hard to catch these fuckers and close exploits quickly, but let’s be honest here, so far the methods have failed on LW’s part. These are 2010 levels of downtime.
Are you guys using a load balancer at all? How about a tool like CrowdSec?
I use that and the nginx Bad Bot Blocker to stop malicious shits on the sites I operate (medium-large e-commerce) to great success. We used to get scraped heavily by competitors but now they get the middle finger.
I presume you have fail2ban too?
Nam flashbacks to DALNet getting DDOSed to death for no reason
In terms of the “expensive” SQL queries - is this an issue that the lemmy devs are working on? I.e. is this a problem that might solve itself in time?
Nobody blaming the Russian or Chinese hackers causing DDOS attacks? That’s like fresh air to me :-D
Thanks for the update and keep up the good work! It seems like reddit went down a few times a week regularly for years. I have to think that some state sponsored actors are responsible for some of this. I’m sure that some topics being discussed here are not in line with the values of many regimes.
While I agree that certain state sponsored actors and private interest groups are most definitely involved in discourse manipulation on reddit, Lemmy simply isn’t big enough for this yet.
If we go by the numbers stated in the original post, the whole of Lemmy has less than 500k users at this point, who are overwhelmingly <40 years old tech-affine early adopter nerds from the United States and Western Europe.
Too insignificant to spend resources on, and also largely sceptical of corporate interests and authoritarian governments (except the tankies of course); so by default critical of the two top potential manipulators.
The Feds had people on 100 user big BBSes.
If you followed the studies about so-called “extremism” (which often ignores the extremism of the center) then Lemmy played a role in that, so it is more unlikely than likely that Feds wouldn’t be on several Lemmy servers.
Yup, personally seen it. Happened on usenet from the beginning and they were all over regular web forums at least as early as 1999. They also monitored GeoCities / AngelFire sites as well.
The idea that multiple federal agencies from multiple countries aren’t paying attention to Lemmy because it’s “small” with only 500,000 users is simply wishful thinking. I promise that they are here.
Will these occur in the near-future?
I would love to see this grow to the point where a full time sysadmin could be hired! Would need a lot of subscribers though
There are some points that can be made that it is better to spread the load of users and communities across other instances
Out of curiosity, what’s the relative overhead of those two services (hosting user accounts vs hosting communities)? If the aim were to distribute the overhead over multiple instances (as a general goal, not just a solution to the DDoS attacks), is it more important to distribute users or communities?
The fun thing about the Fediverse is that when this goes down the other instances stay up, so whoever is doing the attacks isn’t really doing much except prompting people to create accounts on multiple instances. Which makes the numbers look really big.
Is Lemmy not throttling requests to APIs based on how computationally expensive they are? Or is it that many IP addresses are hitting those APIs and are within the throttling limits?
The first D in DDOS means distributed, as in the requests are distributed across many different machines and IPs; so the second option.
I understand what DDOS is. It could be both options.
What I am curious about in the second case is why they aren’t throttling unauthenticated requests in a single bucket.
Thank you for your dedication and hard work.
I’m sure they don’t want to reveal too much but I’m curious if the attackers were authenticated. If not it seems reasonable to rate limit anonymous users.
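Both the exchange above about throttling requests by computational cost and putting unauthenticated traffic in a single bucket, and the suggestion here to rate limit anonymous users, describe the same defence. The following is an added example, not Lemmy's code or anything Lemmy.World has stated it runs: a cost-weighted token bucket with two layers, one bucket per client and one shared bucket for all unauthenticated requests. The endpoint paths are Lemmy-style API routes used for illustration, and the cost weights and bucket sizes are constructed values, not measured figures. The simulation at the end shows why the per-client layer alone is not enough against distributed traffic: fifty clients each stay within their own allowance, yet together they exceed what the database can absorb, and only the shared anonymous bucket catches that.

```python
from collections import defaultdict

# Relative cost per endpoint. Paths are Lemmy-style routes used for
# illustration; the weights are constructed, not measured Lemmy figures.
ENDPOINT_COST = {
    "/api/v3/post/list": 8,   # sorted, aggregated listing: heavy on the database
    "/api/v3/search": 10,     # full-text search: heavier still
    "/api/v3/post": 1,        # single-row fetch: cheap
}


class TokenBucket:
    """Classic token bucket; a request may debit more than one token."""

    def __init__(self, capacity, refill_per_sec):
        self.capacity = float(capacity)
        self.refill_per_sec = float(refill_per_sec)
        self.tokens = self.capacity
        self.last = None

    def refill_to(self, now):
        # Credit tokens for the time elapsed since the last call, up to capacity.
        if self.last is not None and now > self.last:
            self.tokens = min(self.capacity,
                              self.tokens + (now - self.last) * self.refill_per_sec)
        self.last = now

    def can_take(self, cost):
        return self.tokens >= cost

    def take(self, cost):
        self.tokens -= cost


class CostLimiter:
    """Per-client bucket plus one shared bucket for all unauthenticated traffic.

    The shared bucket bounds the total expensive work a distributed source can
    cause: each client stays under its own limit, but together they cannot
    exceed the anonymous budget. Both buckets are checked before either is
    debited, so a request refused by the shared bucket costs the client nothing.
    """

    def __init__(self, per_client=(40, 4.0), anon_shared=(200, 20.0)):
        self.per_client_cfg = per_client   # (capacity, refill per second), constructed
        self.clients = {}
        self.anon = TokenBucket(*anon_shared)

    def allow(self, client_id, endpoint, authenticated, now):
        cost = ENDPOINT_COST.get(endpoint, 1)
        bucket = self.clients.setdefault(client_id, TokenBucket(*self.per_client_cfg))
        bucket.refill_to(now)
        if not bucket.can_take(cost):
            return False, "per-client"
        if not authenticated:
            self.anon.refill_to(now)
            if not self.anon.can_take(cost):
                return False, "anon-shared"
            self.anon.take(cost)
        bucket.take(cost)
        return True, "ok"


def simulate(n_clients, waves, endpoint, authenticated, interval_s=1.0):
    """Every client sends one request per wave; returns a count per outcome.

    Timestamps are synthetic (wave index * interval) so the run is deterministic.
    """
    limiter = CostLimiter()
    outcome = defaultdict(int)
    for w in range(waves):
        now = w * interval_s
        for i in range(n_clients):
            _, reason = limiter.allow(f"client-{i}", endpoint, authenticated, now)
            outcome[reason] += 1
    return dict(outcome)


if __name__ == "__main__":
    print("anonymous, expensive: ", simulate(50, 2, "/api/v3/post/list", False))
    print("authenticated, expensive:", simulate(50, 2, "/api/v3/post/list", True))
    print("anonymous, cheap:     ", simulate(50, 1, "/api/v3/post", False))
```

With these constructed numbers, fifty anonymous clients each requesting an expensive listing once a second get 27 of 100 requests through over two seconds while the rest are refused by the shared bucket; the same traffic from authenticated clients is keyed per account and passes entirely, which is the trade-off the comment above points at: anonymous traffic gets a collective budget, logged-in users an individual one.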
removed by mod
keep fighting the good fight <3