We suspect that the fediverse is being leveraged for a C&C style DDoS attack against arbitrary domains.
[See the original thread](https://hachyderm.io/@firstname.lastname@example.org/109449246766819991)
Suspected malicious domains
Resource on [blocking server domains](https://medium.com/@theghostoftomjoad/how-to-block-server-domains-in-mastodon-899b24f8fb6e)
# Observations and Actions
### 1. Accounts created on hachyderm.io
### 2. Sidekiq observed queue
The URL above is random.
### 3. A user report came in
A user report came in from @Ghryphen at approximately 2:45 AM, indicating possible spam. I don't know where the user spotted the spam, it may make sense to reach out and ask.
Tani's guess is the message was seen in the federation stream.
### 4. Server defederated administratively
`activitypub-troll.cf` and all subdomains are defederated by hachyderm.
It appears that Sidekiq still attempts to work through the jobs already sitting in the pull queue.
### 5. New account creation administratively disabled by hachyderm
### 6. Bot Accounts deleted
When the bots are deleted, they cause a significant quantity of traffic.
### 7. Main attack
1. A set of bot accounts were created on hachyderm.
1. A custom attack server was created on *.activitypub-troll.cf
1. Attack server placed behind Cloudflare
1. Wildcard DNS was set to point to this attack server
1. Bot accounts would follow accounts on random *.activitypub-troll.cf servers
1. Messages pulled in are infinitely recursive, filling up database and queues
1. Attack server shut down
1. Bot accounts deleted
1. Queues fill up again with retries as Cloudflare returns 521
1. Failed messages end up on retry queue
# Possible actions
#### Let it run its course for one week
The load isn't high on our servers, and the failure timeout increases exponentially.
#### Purge all records in the redis PULL queue matching the target URL
We would likely have to write some code to do this, also risky since it is a destructive action.
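Added example of what that purge code could look like, not code from the incident notes or from Mastodon itself: it classifies jobs first and only deletes when `dry_run: false` is passed explicitly, since the action is destructive. It assumes Sidekiq's standard JSON job payload (an `args` array) and the `Sidekiq::Queue` / `Sidekiq::RetrySet` API from `sidekiq/api`; the job payloads used for testing are constructed.

```ruby
require 'json'
require 'uri'

# Domain to purge, from the incident notes. Subdomains are matched too
# because the attacker used wildcard DNS under this domain.
TARGET_DOMAIN = 'activitypub-troll.cf'.freeze

# True if +host+ is the target domain or any subdomain of it.
def target_host?(host, domain = TARGET_DOMAIN)
  return false if host.nil?
  h = host.downcase
  h == domain || h.end_with?(".#{domain}")
end

# Recursively walk a job argument (string, array, hash) and return true if
# any string in it is a URL whose host falls under the target domain.
def value_references_target?(value, domain)
  case value
  when String
    uri = (URI.parse(value) rescue nil) # non-URL strings are simply ignored
    !!(uri && uri.host && target_host?(uri.host, domain))
  when Array then value.any? { |e| value_references_target?(e, domain) }
  when Hash  then value.values.any? { |e| value_references_target?(e, domain) }
  else false
  end
end

# A parsed Sidekiq job is a Hash with an "args" array (Sidekiq's payload format).
def job_references_target?(job, domain = TARGET_DOMAIN)
  value_references_target?(job['args'] || [], domain)
end

# Classify raw job payloads (JSON strings, as Redis stores them).
# Returns [to_purge, to_keep] as arrays of parsed jobs; nothing is deleted.
def partition_jobs(raw_jobs, domain = TARGET_DOMAIN)
  raw_jobs.map { |j| JSON.parse(j) }.partition { |job| job_references_target?(job, domain) }
end

# Destructive step, kept separate and off by default. Scans the live 'pull'
# queue and the retry set via the Sidekiq API and returns the match count.
# Run inside the app (e.g. `bin/rails runner`) so sidekiq/api is available.
def purge_from_sidekiq!(domain = TARGET_DOMAIN, dry_run: true)
  require 'sidekiq/api'
  count = 0
  [Sidekiq::Queue.new('pull'), Sidekiq::RetrySet.new].each do |set|
    set.each do |job|
      next unless job_references_target?(job.item, domain)
      count += 1
      job.delete unless dry_run
    end
  end
  count
end
```

Run `purge_from_sidekiq!` once with the default dry run and compare the count against what you expect before passing `dry_run: false`.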
#### Blackhole DNS through dnsmasq or resolv.conf
Easy to implement, but we need to validate that Ruby respects the settings.
Since we split the queues from the web server, we might be able to just redirect all traffic to these addresses to 127.0.0.1.
### Source code from attacker
Attacker hosted the source of the attack.
Reach out if you want to review