Comments (10)
mirabilos
commented on June 1, 2024
1
tobi dixit:
> Is there any way to see which domain they use?
Hmm, no, not currently.
Hmmh. Might be useful to have that in logs.
So they're running an implementation somewhere that can provide valid
signatures in response to requests, but seemingly disguising their
user-agent to try to scrape posts under the radar? That's annoying.
That, and hammering instances.
Probably a good idea to check what `51.89.179.74` actually is, and just
chuck it in the bin if it's not legit.
It presents as some kind of VPS control panel.
If it’s hosted at OVH, chances are it’s not legit ☻ @Natureshadow once
calculated that OVH is a worse spammer than all of China, and I have
long blocked all of OVH’s netblocks on my eMail server with a few
manual exceptions (of people who told me their IP on IRC). Seems like
this extends to the Fediverse ☹
I’ll block them, and do something with fail2ban, but I was wanting to
see if there’s something that could be done to make their lives harder
as I suspect they’re doing that to many instances.
Unfortunately beyond that -- and perhaps adding some heuristics to give
admins a warning when this kind of thing seems to be occurring --
there's not too much we can do about it. Trying to parse user agents
and check IP addresses would introduce an impossible amount of
headaches and likely a lot of false positives.
Yeah, definitely. Ad-hōc clients also tend to not set user agents.
I think the high 429 rate is good enough of a heuristic. If they’re
going to scrape they’ve got to do it at a normal rate, at least ;-)
It’s been only a handful of IPs so far, so I’ll manage.
(I wonder whether there are people running legit instances out of
OVH, but probably, given how cheap they are… so a /16 block isn’t
possible here, but fail2ban will probably do.)
Alternatively, you could run in [allowlist mode](…
That’s like shooting with cannons at birds… overkill in this scenario.
Thanks,
//mirabilos
from gotosocial.
tsmethurst
commented on June 1, 2024
1
Mmm. For now I'll make a separate issue for showing which domain signed a request. We can put that information right next to the user-agent. That will at least help people spot this kind of silliness more easily in their logs.
from gotosocial.
mirabilos
commented on June 1, 2024
1
Thanks, subscribed.
I think we can close this one?
If I work out fail2ban rules, I could do a documentation submission with that (though someone would then need to do an nginx adaption as I use Apache httpd), if you’re interested?
from gotosocial.
tsmethurst
commented on June 1, 2024
1
Yes, interested! Thanks!
from gotosocial.
tsmethurst
commented on June 1, 2024
Hmmm. Well we already validate HTTP signatures. If those requests aren't signed with a valid signature, with a key we can fetch from the domain the request is signed from, they will get a 401 back. That's sort of the fedi equivalent of what you're describing, right? I think the other functionality you're describing -- putting the requester in "jail" for 24hrs -- could also be handled by dedicated software like fail2ban, if you tune it just right.
EDIT: Oh sorry my brain totally skipped over the last part of your message. Indeed I think fail2ban is probably the way to go here, so we don't reinvent the wheel in GtS. We should probably write a little bit in the docs for how to tune fail2ban for such cases though.
from gotosocial.
mirabilos
commented on June 1, 2024
tobi dixit:
Hmmm. Well we already validate HTTP signatures. If those requests
aren't signed with a valid signature, with a key we can fetch from the
domain the request is signed from, they will get a 401 back.
Hmmhmmhmm. So then perhaps they sign with a domain they have control
over but put Universeodon etc. into the User-Agent to fool the casual
sysadmin?
Oh, or perhaps the 429 overrides the 401.
Oh or hmm…
51.89.179.74 - - [05/Jan/2024:22:26:13 +0000] TLSv1.3:TLS_AES_256_GCM_SHA384:IPv4"toot.mirbsd.org" "GET /users/mirabilos/statuses/01HKDVBTZRB8YGSTPGJCKDCX6T/replies HTTP/1.1" 200 216 "-" "http.rb/5.1.1 (Mastodon/4.1.8; +https://mastodonapp.uk/)"
timestamp="2024-01-05T22:26:13.860Z" func=server.glob..func1.Logger.func13.1 level=INFO latency="430.402µs" userAgent="http.rb/5.1.1 (Mastodon/4.1.8; +https://mastodonapp.uk/)" method=GET statusCode=200 path=/users/mirabilos/statuses/01HKDVBTZRB8YGSTPGJCKDCX6T/replies requestID=wfkbqpwc04000skw60gg msg="OK: wrote 216B"
… from the IP in question. (I think I need to re-enable IP logging
in GtS, for a while; I have now put them both on tmpfs anyway.)
Is there any way to see which domain they use?
I think the other functionality you're describing -- putting the
requester in "jail" for 24hrs -- could also be handled by dedicated
software like fail2ban, if you tune it just right.
OK, thanks.
bye,
//mirabilos
from gotosocial.
tsmethurst
commented on June 1, 2024
Is there any way to see which domain they use?
Hmm, no, not currently. I mean, GtS knows, but it's not exposed. It would be good to add that to the logging!
So they're running an implementation somewhere that can provide valid signatures in response to requests, but seemingly disguising their user-agent to try to scrape posts under the radar? That's annoying. Probably a good idea to check what 51.89.179.74 actually is, and just chuck it in the bin if it's not legit.
Unfortunately beyond that -- and perhaps adding some heuristics to give admins a warning when this kind of thing seems to be occurring -- there's not too much we can do about it. Trying to parse user agents and check IP addresses would introduce an impossible amount of headaches and likely a lot of false positives.
Alternatively, you could run in allowlist mode and only add instances you trust; then requests from unknown instances (no matter what they set their user-agent to) will be denied.
from gotosocial.
tsmethurst
commented on June 1, 2024
Oh, just to add a note here in case anyone reading this gets the wrong idea: blocklist mode (the default federation mode) will always permit requests to Public and Unlisted posts provided they're correctly signed by an unblocked domain; that's the nature of blocklist / open federation. It's similar to how you can always see someone's Public posts on the web view.
It's annoying behavior for someone to disguise their user-agent and make signatures from a different domain, but as long as they're valid signatures, GtS will serve a response. The same is true of every other fedi software running in blocklist mode (the default for the vast majority (all?) of them). The only way to prevent this behavior is to use allowlist mode, or block the domain or IP address they're actually signing requests from. In any case, your followers-only and direct visibility posts will not be exposed by this trick.
from gotosocial.
tsmethurst
commented on June 1, 2024
I looked some more and I think this is a false positive. I've got mastodonapp.uk domain blocked from my instance for a while now, and if I grep IP address 51.89.179.74 in my logs, I see those requests from mastodonapp.uk being blocked correctly, while the ones from universeodon go through correctly.
If you look at the about page for each of those sites, they're hosted in the same data center. So apparently it's "normal" (albeit slightly wonky) that they share the same IP address.
The rate limiting they run into may be explained by the fact that they're both quite big instances, hence push out a lot of traffic, and they get put in the same rate limit bucket due to the shared IP address.
from gotosocial.
mirabilos
commented on June 1, 2024
tobi dixit:
If you look at the about page for each of those sites, they're hosted
in the same data center. So apparently it's "normal" (albeit slightly
wonky) that they share the same IP address.
Maybe, but:
$ host mastodonapp.uk
mastodonapp.uk has address 104.21.73.178
mastodonapp.uk has address 172.67.147.92
mastodonapp.uk has IPv6 address 2606:4700:3030::ac43:935c
mastodonapp.uk has IPv6 address 2606:4700:3036::6815:49b2
mastodonapp.uk mail is handled by 0 mastodonapp-uk.mail.protection.outlook.com.
$ host universeodon.com
universeodon.com has address 188.114.97.3
universeodon.com has address 188.114.96.3
universeodon.com has IPv6 address 2a06:98c1:3121::3
universeodon.com has IPv6 address 2a06:98c1:3120::3
universeodon.com mail is handled by 5 universeodon-com.mail.protection.outlook.com.
Neither of these match that, and the IP address used for these requests
smells fishy in multiple ways.
Oh well, if you manage to squeeze in key/domain logging somewhen, we’ll
know, and until then, I can hold out. All we can now is speculate.
Plus I got the bigger VM now, so it isn’t a problem in operation
as it was some days ago.
The rate limiting they run into may be explained by the fact that
they're both quite big instances, hence push out a lot of traffic, and
they get put in the same rate limit bucket due to the shared IP
address.
Perhaps, if it is legit traffic.
Some days ago I saw them request /users/mirabilos about two dozen times
a second, and when I wrote this issue, I saw them request consecutive
statūs I posted, also at a rate of about two dozen per second. I would
hesitate calling that legit traffic.
They also don’t back off when served 429.
bye,
//mirabilos
from gotosocial.
Related Issues (20)
- [bug] Delivery goroutines experienced a panic with "not yet initialized" while executing CLI commands HOT 1
- [bug] fedilab shows error after boosting post HOT 7
- [bug] twblue and possibly software based around mastodon.pi doesn't work HOT 6
- [bug] Remote edits of media descriptions are not applied HOT 1
- [bug] Unable to interact with ktistec users HOT 2
- [bug] Duplicate boost notifications HOT 6
- [feature] Remove the `quote-inline` class from statuses HOT 5
- [bug/frontend] Custom emoji shortcode is not changed after addition/changed input file HOT 1
- [feature] Expose Mastodon API compatible version and identify platform as GotoSocial in the version string HOT 7
- [bug] "sql: no rows in result set" when attempting to accept an incoming follow request HOT 1
- [bug] External Users can still see followings/followers of a follow-hiddened account HOT 4
- [bug] Posting undo of a "like" to the inbox may result in 500 internal server error HOT 1
- [chore/frontend] Refactor layout + styling for consistency
- We're on holiday from May 8th up to and including May 26th
- [bug] filters don’t seem to always work HOT 7
- [feature] Search within bookmarks (and possibly own likes/boosts) HOT 2
- [bug] Can't find @[email protected] to follow HOT 1
- [bug] Refused to load the stylesheet ... because it violates the following Content Security Policy directive: "default-src 'self'". HOT 1
- [bug] Followed Owncast Stream but GTS seems to randomly not get updates HOT 1
- [feature] Better content warning handling in RSS feeds
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from gotosocial.