[PSA] Watch for the antiyanks troll and consider adjusting your rate limits

Submitted ⁨⁨8⁩ ⁨months⁩ ago⁩ by ⁨admiralpatrick@lemmy.world⁩ to ⁨fediverse@lemmy.world⁩

"Antiyanks’ is back at it again and has switched tactics to spamming a massive number of comments in a short period of time. In addition to being annoying, it’s having a deleterious effect on performance and drowns out any discussions happening in those posts.

Looking at the site config for the home instance of the latest two alts, the rate limits were all 99999999. 🤦‍♂️

Rate limits are a bit confusing, but they mean: X number of requests per Y seconds per IP address.

The comment API endpoint has its own, dedicated bucket. I don’t recall the defaults, but they’re probably higher than you need unless you’re catering to VPN users who would share an IP.

20 calls to the /create_comment endpoint per minute (60 seconds) should be sufficient for most cases, though feel free to adjust.

source

Comments

Sort:hotnew top

MelonYellow@lemmy.ca ⁨8⁩ ⁨months⁩ ago
Really bad thread-breaking comment spam under this post: lemmy.world/post/34824537

source
- salacious_coaster@infosec.pub ⁨8⁩ ⁨months⁩ ago
  I was wondering about that. The same comment got spammed like 800 times.
  
  source
  - sunzu2@thebrainbin.org ⁨8⁩ ⁨months⁩ ago
    Looks like it got cleaned but yeah I saw another one with 2k comments. Once eypu blocked the offending accounts, down to 20.
    
    Threat actor behaviour.
    
    source
    -> View More Comments
Sal@mander.xyz ⁨8⁩ ⁨months⁩ ago
Thanks for the heads up. I don’t know what ‘Antiyanks’ is, but I already had to ban one comment spammer.

The rate limits are indeed a bit confusing. The settings are:

Rate Limit: X Per Second: Y

I understand this to be ‘X for every Y seconds’

So, a ‘Comments’ Rate limit: 10, Per second: 60, means a maximum of 10 comments per minute, correct?

Maybe the reason you see 99999999 is due to troubleshooting. I have increased my instance’s limits multiple times while troubleshooting server issues, because the meaning of the settings was not clear to me. These limits are usually not the reason for the sever issue, but I put some high number and did not bring them back down after the issues were resolved.

I have lowered them now to more reasonable numbers. I will also be more strict with new applications for the time being.

source
- Sal@mander.xyz ⁨8⁩ ⁨months⁩ ago
  Hmmm - after changing these settings to what I think are reasonable settings, the server crashed and I am now getting ‘Too many requests’ messages… So, perhaps there is something is not working so well with these rate limits, or I am still misunderstanding their meaning.
  
  source
  - BlueEther@lemmy.nz ⁨8⁩ ⁨months⁩ ago
    how did you fix?
    
    source
  - admiralpatrick@lemmy.world ⁨8⁩ ⁨months⁩ ago
    Not sure. I had mine set to 20 per 60 for a long time without issue.
    
    Most likely cause would be the Lemmy API service not getting the correct client IP and seeing all API requests come from the reverse proxy’s IP.
    
    Are you sending the client IP in the X-Forwarded-For header? Depending on how your inbound requests are routed, you may have to do that for every reverse proxy in the path.
    
    source
- admiralpatrick@lemmy.world ⁨8⁩ ⁨months⁩ ago
  
  So, a ‘Comments’ Rate limit: 10, Per second: 60, means a maximum of 10 comments per minute, correct?
  
  Correct, per client IP.
  
  Maybe the reason you see 99999999 is due to troubleshooting
  
  Could be. I try not to speculate on “why” when I don’t have access to the answer lol.
  
  I don’t recall any of them being from mander (unless they were dealt with before I started testing?), but thanks for taking preventative measures :)
  
  source
  - Sal@mander.xyz ⁨8⁩ ⁨months⁩ ago
    
    I don’t recall any of them being from mander (unless they were dealt with before I started testing?), but thanks for taking preventative measures :)
    
    I don’t know what ‘Antiyanks’ is
    
    It’s the codename for a particular long-term troll and is based off of their original username pattern (which they still use sometimes). I have reason to believe it’s also the same troll that used to spam the racist stuff in Science Memes.
    
    These are most of today’s batch (minus the JON333 which was just a garden-variety spammer that made it into the last screenshot).
    
    No, they were not in mander.xyz. But I am generally quite relaxed when it comes to accepting applications. I mostly reject an applicant if it is very clear it is not an actual user, and then actively follow up on recent accounts for a short time. So the possibility of silent spammer accounts accumulating over time is always a concern.
    
    source
    -> View More Comments
  - Sal@mander.xyz ⁨8⁩ ⁨months⁩ ago
    
    So, a ‘Comments’ Rate limit: 10, Per second: 60, means a maximum of 10 comments per minute, correct?
    
    Correct, per client IP.
    
    Setting the limits to more reasonable values, like ‘20 posts per minute’, causes the server to stop serving posts. My front page goes blank.
    
    So, I am starting to think that ‘20 pots per minute’ means ‘requesting 20 posts per minute’ and not ‘creating 20 posts per minute’.
    
    I am still having doubts about what these limits mean, but setting reasonable numbers seems to break things, unfortunately.
    
    source
    -> View More Comments
Blaze@lemmy.zip ⁨8⁩ ⁨months⁩ ago
Thanks for sharing

source
sunzu2@thebrainbin.org ⁨8⁩ ⁨months⁩ ago
I rarely block anyone and never a proper shitposter but holly shit I had to do like half dozen accounts today.

source
- SatansMaggotyCumFart@piefed.world ⁨8⁩ ⁨months⁩ ago
  What is a shitposter?
  
  source
  - Quadhammer@lemmy.world ⁨8⁩ ⁨months⁩ ago
    You know.
    
    source
  - RickyRigatoni@retrolemmy.com ⁨8⁩ ⁨months⁩ ago
    mmmmmmmeeeeeeeeeeeeeeeeeee :3
    
    source
  - toomanypancakes@piefed.world ⁨8⁩ ⁨months⁩ ago
    Wall decor of a glistening turd
    
    source
  - sunzu2@thebrainbin.org ⁨8⁩ ⁨months⁩ ago
    An artisté
    
    But you already knew that, good sir.
    
    source
Jeffdude@piefed.social ⁨8⁩ ⁨months⁩ ago
I don’t operate a fed server, but just curious. Couldn’t/shouldn’t rate limits be on a per-user/per-session-token basis to avoid the vpn issue you mentioned?

source
- jaybone@lemmy.zip ⁨8⁩ ⁨months⁩ ago
  And that would solve issues with the reverse proxy not forwarding the ip correctly right?
  
  source
- sunzu2@thebrainbin.org ⁨8⁩ ⁨months⁩ ago
  I would hope you are not running a honeypot 👀
  
  source
- admiralpatrick@lemmy.world ⁨8⁩ ⁨months⁩ ago
  You’ll have to talk to the lemmy devs about that. I’m a retired admin, but last I was aware, they’re based on client IP.
  
  source
  - NoMoreTwat@thebrainbin.org ⁨8⁩ ⁨months⁩ ago
    Isn't the lemmy main dev that tankie guy you guys hate? Rich coming from you asking labour from them lmao
    
    source
    -> View More Comments