this post was submitted on 09 Aug 2023
1460 points (96.6% liked)

Lemmy World outages (lemmy.world)
submitted 1 year ago* (last edited 1 year ago) by lwadmin@lemmy.world to c/lemmyworld@lemmy.world
 

Hello there!

It has been a while since our last update, but it's about time to address the elephant in the room: downtimes. Lemmy.World has been having multiple downtimes a day for quite a while now. And we want to take the time to address some of the concerns and misconceptions that have been spread in chatrooms, memes and various comments in Lemmy communities.

So let's go over some of these misconceptions together.

"Lemmy.World is too big and that is bad for the fediverse".

While one thing is true, we are the biggest Lemmy instance, we are far from the biggest in the Fediverse. If you want actual numbers you can have a look here: https://fedidb.org/network

The entire Lemmy fediverse is still in its infancy and even though we don't like to compare ourselves to Reddit it gives you something comparable. The entire amount of Lemmy users on all instances combined is currently 444,876 which is still nothing compared to a medium sized subreddit. There are some points that can be made that it is better to spread the load of users and communities across other instances, but let us make it clear that this is not a technical problem.

And even in a decentralised system, there will always be bigger and smaller blocks within; such would be the nature of any platform looking to be shaped by its members. 

"Lemmy.World should close down registrations"

Lemmy.World is being linked in a number of Reddit subreddits and in Lemmy apps. Imagine if new users land here and they have no way to sign up. We have to assume that most new users have no information on how the Fediverse works and making them read a full page of what's what would scare a lot of those people off. They probably wouldn't even take the time to read why registrations would be closed, move on and not join the Fediverse at all. What we want to do, however, is inform the users before they sign up, without closing registrations. The option is already built into Lemmy but only available on Lemmy.ml - so a ticket was created with the development team to make these available to other instance Admins. Here is the post on Lemmy Github.

Which brings us to the third point:

"Lemmy.World can not handle the load, that's why the server is down all the time"

This is simply not true. There are no financial issues to upgrade the hardware, should that be required; but that is not the solution to this problem.

The problem is that for a couple of hours every day we are under a DDOS attack. It's a never-ending game of whack-a-mole where we close one attack vector and they'll start using another one. Without going too much into detail and exposing too much, there are some very 'expensive' sql queries in Lemmy - actions or features that take up seconds instead of milliseconds to execute. And by executing them by the thousand a minute you can overload the database server.

So who is attacking us? One thing that is clear is that those responsible for these attacks know the ins and outs of Lemmy. They know which database requests are the most taxing and they are always quick to find another as soon as we close one off. That's one of the only things we know for sure about our attackers. Being the biggest instance and having defederated with a couple of instances has made us a target.

"Why do they need another sysop who works for free"

Everyone involved with LW works as a volunteer. The money that is donated goes to operational costs only - so hardware and infrastructure. And while we understand that working as a volunteer is not for everyone, nobody is forcing anyone to do anything. As a volunteer you decide how much of your free time you are willing to spend on this project, a service that is also being provided for free.

We will leave this thread pinned locally for a while and we will try to reply to genuine questions or concerns as soon as we can.

[–] Octavio@lemmy.world 72 points 1 year ago (2 children)

Reddit was down a lot too, and they stuck ads in my face. It’s not like I have a pacemaker that needs Lemmy.world to be up in order to function. Keep up the good work and I hope whoever is behind the attacks steps on a Lego.

[–] gndagreborn@lemmy.world 66 points 1 year ago

Thanks for being so transparent with us. Lemmy really does feel like home now to me. I wish the maintainers all the best as they continue to fight the forces of evil.

[–] Ton@lemmy.world 43 points 1 year ago

Great stuff, thank you for all the good work.

btw, as a tip: please resize https://lemmy.world/pictrs/image/14f857e5-703a-4513-9c1a-f23031675be1.png in an image editor. It's on the homepage, and it's a frikking 4.5 megabyte image file.

[–] Jimmycakes@lemmy.world 32 points 1 year ago

Take your time bros I don't need this shit 24/7 the downtime is fine and expected

[–] Smoogs@lemmy.world 32 points 1 year ago

I’m imagining spez is sending his flying monkeys and they’ve been trying to shut it all down. Doesn’t matter that you’re smaller than Reddit, Egos like spez’s can’t take even a minor rumble. Just look at how he has to ‘win’ against all his own users. Should tell you all you need to know on his motives.

[–] Rambler@lemm.ee 31 points 1 year ago (1 children)

A fantastic job is being done by you folks - obviously in the face of adversity. Given the amount of users on the instance is at a critical point, would it not be possible to 'move' accounts off it onto other less populated instances?

Keep up the great work folks - I sympathise for ya.

[–] AlmightySnoo@lemmy.world 5 points 1 year ago (1 children)

the amount of users on the instance is at a critical point

The thing is, it's not. The admins are literally saying that lemmy.world is not down because "it can't handle the load", it can, the hardware is pretty badass and it has the most resources out of all instances currently thanks to the donations. It's down because of one guy or group DDOSing this instance.

[–] Rambler@lemm.ee 4 points 1 year ago

Thanks for making it clear - I misunderstood the problem.

[–] bennysp@lemmy.world 29 points 1 year ago

Thank you for the update. Good work.

[–] cyborganickname@lemmy.world 29 points 1 year ago

Thank you for your time & efforts in maintaining this platform. I (and many others I'm sure) have great respect for the work you do in trying to combat this menace. The community is completely behind you and appreciates the value of this resource.

[–] ThePowerOfGeek@lemmy.world 28 points 1 year ago

Thank you for everything you do. You guys are doing a fantastic job, and a lot of us sincerely appreciate all your efforts!

[–] WhoRoger@lemmy.world 24 points 1 year ago (1 children)

I was wondering why the CloudFlare protection doesn't work, this makes sense. Does CF have any point then? Lots of people don't like it.

It's weird someone would spend so much time to target LW. Ah well.

[–] cpo@lemmy.world 24 points 1 year ago

Well thanks for the update and your hard work. I am currently using lemm.ee as a backup account so that I can at least have my fix.

Hope the bastard(s) who are ddossing the server get some nice tropical diseases.

Lemmy.world also was my first step into the fediverse.

[–] Mercury1337@lemmy.world 24 points 1 year ago

Thank you for your hard work

[–] merthyr1831@lemmy.world 22 points 1 year ago

You're managing this well. Good work folks.

[–] md5crypto@lemmy.world 21 points 1 year ago

Endless DDOS attacks. Sigh.

[–] joklhops@lemmy.world 18 points 1 year ago

keep fighting the good fight <3

[–] tallwookie@lemmy.world 16 points 1 year ago

appreciate the transparency!

[–] desmosthenes@lemmy.world 15 points 1 year ago

keep up the good work team; you're the linchpin to this renaissance

[–] erza@lemmy.world 12 points 1 year ago

keep up the good work

[–] Lugh@futurology.today 10 points 1 year ago (5 children)

I wonder what motivated any DOS attacks.

[–] Sharkictus@lemmy.world 5 points 1 year ago

Cyber-jackasses or cyber terrorists, likely the first.

A cyberpirate wants money.

A cyber terrorist has ideology or wants to watch the world burn

Most actually successful cyber attacks globally are just trolls who want to have fun. This is why many, with their automated attack patterns, try to avoid children's hospitals and critical infrastructure, but cyber terrorists with ideology or who want the world to burn attack those.

Given lemmy is not that important yet, and there's a ton of alternatives outside fediverse, it's all volunteer, it would be cyber-jackasses, or want to watch the world burn cyber terrorists. Not pirates, not governments, not corpos.

[–] kadu@lemmy.world 10 points 1 year ago

What I find most ridiculous about people claiming lemmy.world is too big and therefore bad for the Fediverse is simply... Have you people wondered why it got so big?

During the crucial first weeks of the Reddit migration, the single time period with the most chance of bringing new users, pretty much all larger Lemmy instances closed their registrations - they couldn't handle the influx. Other big ones decided to immediately defederate everybody, they were afraid of having to moderate content. And a few did remain open and federated, but they were also extremely niche and focused on their own political side of the spectrum.

Lemmy.world however remained open, remained with active admins that helped the first moderators, and kept upgrading the server at a very fast rate - you might forget it now, but Lemmy was massively slow and frustrating and then a new Lemmy.world update would drop and it would feel like a different website.

So yeah, "bad for the Fediverse" for being the only instance that kept up with the demand at the most necessary time.

Thanks Lemmy.world team.

[–] sverit@feddit.de 10 points 1 year ago (1 children)

Are DDoS protection services like those from Akamai, Arbor Networks, Link22 etc an option? Those are tested as ok by the German Federal Office for Information Security.

[–] ComplacentGoat@sh.itjust.works 6 points 1 year ago (2 children)

I don't believe it would work for this case. Typical DDoS is just sending a ton of junk packets at a server at the max bandwidth of the network of bots an attacker has at their disposal. Very easy to block for a large cloud provider with multi-terabit connections and multiple redundant data centers. This is different, they're asking the server to send them large amounts of information on repeat, or process massive amounts of data. The attacker is targeting the server's hardware itself through legitimate processes, so a third party wouldn't really be able to do much.

[–] Photographer@lemmy.world 4 points 1 year ago

Surely there is a way to rate limit clients so that normal users are rarely affected but a DDOS would need thousands of clients to be effective?

[–] Piers@lemmy.world 8 points 1 year ago (1 children)

The conversation gets a bit scrambled/broken up by disruptive/toxic people but this is a comment chain on lemmy.ml two weeks ago about SQL issues and challenges in getting the Lemmy Dev team to address them that might be worth reading:

https://lemmy.ml/comment/2100093

[–] jarfil@lemmy.world 8 points 1 year ago

The Lemmy Dev team have long ago stated they're no experts in PostgreSQL tuning, and that any help is welcome.

In the thread you linked, a guy is just accusing them of what they themselves admitted, then refusing to help. Meanwhile, others have been submitting SQL related PRs all the time, which have been merged.

[–] computabloke@lemmy.world 8 points 1 year ago

This has been pinned a few days now. Site health was pretty dire with several long outages.

But subjectively in the last 48 hours things seem to be great. Noticeably responsive and login and activities haven't missed a beat.

StatusPage.io still looks very red though... Is the worst now mitigated?

Thanks to the sterling admins (and friends) for their work on this. Vive la Lemmy.World!

[–] enshu@lemmy.world 7 points 1 year ago

Thank you for all the works you do!

[–] Jodio_Joestar@lemmy.world 7 points 1 year ago

All support to Y'all, Keep Going!

[–] wolfcatreader@lemmy.world 6 points 1 year ago
[–] fox2263@lemmy.world 5 points 1 year ago (1 children)

Are you guys using a load balancer at all? How about a tool like CrowdSec?

I use that and the nginx Bad Bot Blocker to stop malicious shits on the sites I operate (medium-large e-commerce) to great success. We used to get scraped heavily by competitors but now they get the middle finger.

I presume you have fail2ban too?

[–] just_another_person@lemmy.world 12 points 1 year ago (1 children)
  • crowdsec can only monitor and execute ban actions, which doesn't help with SQL execution attacks. Same with f2b.
  • blocklists only work for known bad actors, and usually pretty old or stale. You need to be able to catch and stop new attacks quickly
  • Looks like lemmy.world is using Cloudflare, so need to block entrance at the network there. Crowdsec could do this, but only after a successful attack was identified, which would have already executed, so doesn't help.
  • SQL attacks in parallel only need a few good clients to get off a number of parallel requests at a time to lock up a DB. Block them, and the attacker can just get a new source IP and repeat. The fix is to not let those kinds of executions happen.
[–] fox2263@lemmy.world 4 points 1 year ago (1 children)

Are bad actors able to access the database to execute queries or is it through the main front end site and accessing API endpoints over and over? Then surely they can be blocked at this point?

[–] just_another_person@lemmy.world 4 points 1 year ago (5 children)

These attacks are just through the public API, not malicious SQL-injection attacks. They are just non-optimized queries regular users can execute that will bog down the system enough to make it crawl, at which point, intervention is needed to either kill the running slow queries, or just restart the db.
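
An added example, not part of the original thread and not Lemmy's or lemmy.world's code: a small Python replay that compares the per-client rate limit asked about earlier in the thread with a cap on concurrently running expensive queries, the "don't let those executions happen" approach from this exchange. The traffic, limits, addresses and function names are all constructed for illustration.

```python
from collections import defaultdict
import heapq

def peak_db_load(requests, per_ip_limit=None, window=60.0, max_in_flight=None):
    """Replay (arrival_time, source_ip, query_seconds) tuples through the chosen
    admission policy; return (peak concurrent queries, requests rejected)."""
    seen = defaultdict(list)   # source_ip -> admitted arrival times inside the window
    running = []               # min-heap of finish times of admitted queries
    peak = rejected = 0
    for t, ip, cost in sorted(requests):
        while running and running[0] <= t:       # retire queries that have finished
            heapq.heappop(running)
        if per_ip_limit is not None:
            seen[ip] = [s for s in seen[ip] if t - s < window]
            if len(seen[ip]) >= per_ip_limit:    # this address is over its quota
                rejected += 1
                continue
            seen[ip].append(t)
        if max_in_flight is not None and len(running) >= max_in_flight:
            rejected += 1                        # shed: answer 503, never reach the DB
            continue
        heapq.heappush(running, t + cost)
        peak = max(peak, len(running))
    return peak, rejected

# Constructed traffic: 300 requests in 3 s to an endpoint whose query takes 4 s,
# spread over 100 source addresses, so each address sends only 3 requests.
ATTACK = [(i * 0.01, f"198.51.100.{i % 100}", 4.0) for i in range(300)]
# Constructed normal traffic: 30 users, one 50 ms query each, 100 ms apart.
NORMAL = [(i * 0.1, f"203.0.113.{i}", 0.05) for i in range(30)]

def compare():
    return {
        "per_ip_only": peak_db_load(ATTACK, per_ip_limit=5),        # (300, 0)
        "in_flight_cap": peak_db_load(ATTACK, max_in_flight=8),     # (8, 292)
        "normal_under_cap": peak_db_load(NORMAL, max_in_flight=8),  # (1, 0)
    }

if __name__ == "__main__":
    for policy, (peak, rejected) in compare().items():
        print(f"{policy:17} peak concurrent queries={peak:3} rejected={rejected}")
```

The cap protects the database rather than the endpoint: while it is saturated, legitimate callers of the capped endpoint are rejected too, so it belongs only on the routes known to run slow queries.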

[–] SmoochPooch@lemmy.world 5 points 1 year ago

Lemmy.world should just start charging to use the API. That'll stop them /s

[–] z500@startrek.website 5 points 1 year ago

Nam flashbacks to DALNet getting DDOSed to death for no reason

[–] orangeNgreen@lemmy.world 5 points 1 year ago

Is there any update on the instances that were unintentionally defederated from lemmy.world? I know that one of the fanaticus.social admins was trying to get that sorted out.

[–] andrewth09@lemmy.world 5 points 1 year ago

The Great Lemmy Wars

[–] Imkeen@sh.itjust.works 4 points 1 year ago

Appreciate it

[–] solstice@lemmy.world 3 points 1 year ago (2 children)

What about that "show context" button in our inboxes? It's super annoying getting replies and not being able to see what the context was, all I get is that 'bad gateway' error or whatever.
