‘Antiyanks’ is back at it again and has switched tactics to spamming a massive number of comments in a short period of time. In addition to being annoying, it’s having a deleterious effect on performance and drowns out any discussions happening in those posts.
Looking at the site config for the home instance of the latest two alts, the rate limits were all 99999999. 🤦‍♂️
Rate limits are a bit confusing, but they mean: X number of requests per Y seconds per IP address.
The comment API endpoint has its own, dedicated bucket. I don’t recall the defaults, but they’re probably higher than you need unless you’re catering to VPN users who would share an IP.
20 calls to the /create_comment endpoint per minute (60 seconds) should be sufficient for most cases, though feel free to adjust.
Sal@mander.xyz 2 months ago
Thanks for the heads up. I don’t know what ‘Antiyanks’ is, but I already had to ban one comment spammer.
The rate limits are indeed a bit confusing. The settings are:
Rate Limit: X Per Second: Y
I understand this to be ‘X for every Y seconds’
So, a ‘Comments’ Rate limit: 10, Per second: 60, means a maximum of 10 comments per minute, correct?
Maybe the reason you see 99999999 is due to troubleshooting. I have increased my instance’s limits multiple times while troubleshooting server issues, because the meaning of the settings was not clear to me. These limits are usually not the reason for the server issue, but I put some high number and did not bring them back down after the issues were resolved.
I have lowered them now to more reasonable numbers. I will also be more strict with new applications for the time being.
Sal@mander.xyz 2 months ago
Hmmm - after changing these settings to what I think are reasonable settings, the server crashed and I am now getting ‘Too many requests’ messages… So, perhaps something is not working so well with these rate limits, or I am still misunderstanding their meaning.
admiralpatrick@lemmy.world 2 months ago
Not sure. I had mine set to 20 per 60 for a long time without issue.
Most likely cause would be the Lemmy API service not getting the correct client IP and seeing all API requests come from the reverse proxy’s IP.
Are you sending the client IP in the X-Forwarded-For header? Depending on how your inbound requests are routed, you may have to do that for every reverse proxy in the path.
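The two points raised in this thread, that a limit means "X requests per Y seconds per client IP" and that a reverse proxy which does not pass the client IP makes every request look like it comes from the proxy, can be shown with a small simulation. This is an added example, not Lemmy's own rate-limiting code: the limiter, the `client_ip` helper, the trusted-proxy list and the client addresses are all constructed for illustration. It also shows the caveat that goes with trusting `X-Forwarded-For`: the header is only honoured when the direct peer is one of your own proxies, otherwise any client could pick its own bucket.

```python
import ipaddress
import time
from collections import defaultdict, deque


class PerIpRateLimiter:
    """Sliding window: allow at most `limit` requests per `per_seconds` for each key.

    The key is normally the resolved client IP. `clock` is injectable so the
    window can be driven deterministically in tests.
    """

    def __init__(self, limit, per_seconds, clock=time.monotonic):
        self.limit = limit
        self.per_seconds = per_seconds
        self.clock = clock
        self._hits = defaultdict(deque)  # key -> timestamps of recent requests

    def allow(self, key):
        now = self.clock()
        q = self._hits[key]
        cutoff = now - self.per_seconds
        while q and q[0] <= cutoff:  # drop hits that fell out of the window
            q.popleft()
        if len(q) >= self.limit:
            return False
        q.append(now)
        return True


# Constructed trusted-proxy list: only these peers may set X-Forwarded-For.
TRUSTED_PROXIES = [
    ipaddress.ip_network("127.0.0.1/32"),
    ipaddress.ip_network("10.0.0.0/8"),
]


def _is_trusted(addr, trusted):
    return any(addr in net for net in trusted)


def client_ip(remote_addr, headers, trusted_proxies):
    """Resolve the real client IP for rate limiting.

    X-Forwarded-For is only consulted when the direct peer is a trusted proxy.
    The header is walked from the right, skipping trusted hops, and the first
    untrusted address is the client. Anything malformed falls back to the peer.
    """
    peer = ipaddress.ip_address(remote_addr)
    if not _is_trusted(peer, trusted_proxies):
        return remote_addr  # untrusted peer: ignore whatever it claims
    xff = headers.get("X-Forwarded-For", "")
    hops = [h.strip() for h in xff.split(",") if h.strip()]
    for hop in reversed(hops):
        try:
            addr = ipaddress.ip_address(hop)
        except ValueError:
            return remote_addr
        if not _is_trusted(addr, trusted_proxies):
            return str(addr)
    return remote_addr  # header absent or every hop was one of our proxies


def simulate(forward_header, limit=20, per_seconds=60):
    """Three constructed clients each send 10 comment requests via the proxy at 127.0.0.1.

    Returns how many requests the limiter rejected. With the header missing all
    30 requests share the proxy's bucket, so the 21st onwards is refused.
    """
    limiter = PerIpRateLimiter(limit, per_seconds, clock=lambda: 0.0)  # one window
    rejected = 0
    for client in ("203.0.113.5", "198.51.100.7", "192.0.2.9"):
        for _ in range(10):
            headers = {"X-Forwarded-For": client} if forward_header else {}
            key = client_ip("127.0.0.1", headers, TRUSTED_PROXIES)
            if not limiter.allow(key):
                rejected += 1
    return rejected


if __name__ == "__main__":
    print("proxy not forwarding client IP -> rejected:", simulate(False))
    print("proxy sets X-Forwarded-For      -> rejected:", simulate(True))
```

Running the block shows 10 rejections when the proxy hides the client IP and none when it forwards it, which is exactly the "Too many requests" symptom described above when the limits are set to sane values. If there is more than one proxy in the path, each hop must append to the header and each must be in the trusted list, or the walk stops at the first proxy instead of reaching the client.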
BlueEther@lemmy.nz 2 months ago
how did you fix?
admiralpatrick@lemmy.world 2 months ago
Correct, per client IP.
Could be. I try not to speculate on “why” when I don’t have access to the answer lol.
I don’t recall any of them being from mander (unless they were dealt with before I started testing?), but thanks for taking preventative measures :)
Sal@mander.xyz 2 months ago
No, they were not in mander.xyz. But I am generally quite relaxed when it comes to accepting applications. I mostly reject an applicant if it is very clear it is not an actual user, and then actively follow up on recent accounts for a short time. So the possibility of silent spammer accounts accumulating over time is always a concern.
Sal@mander.xyz 2 months ago
Setting the limits to more reasonable values, like ‘20 posts per minute’, causes the server to stop serving posts. My front page goes blank.
So, I am starting to think that ‘20 posts per minute’ means ‘requesting 20 posts per minute’ and not ‘creating 20 posts per minute’.
I am still having doubts about what these limits mean, but setting reasonable numbers seems to break things, unfortunately.