We are currently investigating DDoS attacks which involve #Hachyderm. I will continue to post in the thread below.
Kris Nóva (nova@hachyderm.io), Monday, 05-Dec-2022 21:44:16 JST:
Kris Nóva (nova@hachyderm.io), Monday, 05-Dec-2022 22:08:49 JST:
Our notes from incident response.
Kris Nóva (nova@hachyderm.io), Monday, 05-Dec-2022 22:08:50 JST:
We have scraped the JavaScript ActivityPub source code and have retained a copy of it.
At this time we are not publishing the source code, however we have it on file if needed for historical purposes.
REDACTED
Kris Nóva (nova@hachyderm.io), Monday, 05-Dec-2022 22:08:51 JST:
Also suggested to block subdomains with dnsmasq.
Kris Nóva (nova@hachyderm.io), Monday, 05-Dec-2022 22:08:52 JST:
Immediate suggested actions: block the following domains and close registrations.
*.activitypub-troll.cf
*.misskey-forkbomb.cf
*.repl.co
Mastodon domain blocks are confirmed to extend to subdomains. Please block the domain.
Kris Nóva (nova@hachyderm.io), Monday, 05-Dec-2022 22:08:53 JST:
@ian @Taniwha We believe the attacker could point the DNS records they control to an arbitrary target. We are unsure how advanced they are and unsure if federated servers will be successful in pulling data from the targets.
Kris Nóva (nova@hachyderm.io), Monday, 05-Dec-2022 22:08:54 JST:
We believe that they are creating spoofed activity and forcing ActivityPub servers to spam arbitrary targets. They are funneling the attacks through man-in-the-middle subdomains which they control DNS records for.
Kris Nóva (nova@hachyderm.io), Monday, 05-Dec-2022 22:08:55 JST:
Original thread about the attacks (thanks to @ian for sharing) is here:
https://hachyderm.io/@dwarf@borg.social/109449246766819991
Again: we currently suspect that the fediverse is being leveraged for a C&C-style DDoS attack against arbitrary domains. We believe they are using wildcard certs to change DNS to point to their victims, and the fediverse is their new fleet of compute to do their dirty work.
Kris Nóva (nova@hachyderm.io), Monday, 05-Dec-2022 22:08:56 JST:
Capturing a timestamped graph of what I believe is the beginning of the attack on our primary queue processing server.
We believe the attack is leveraging federated ActivityPub workers as a way of attacking arbitrary domains.
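The thread recommends two controls for the same three domains: a Mastodon domain block (which the thread confirms extends to subdomains) and a dnsmasq sinkhole for the subdomains the attacker is minting. The following is an added example, written for this page and not code from the thread, from Mastodon or from Hachyderm. It implements the subdomain-aware block check an operator would want before trusting a "block the domain" list, runs it over a constructed set of inbound actor URIs (none of these URIs are real traffic; the domains are the ones named in the thread), and emits the equivalent dnsmasq `address=` lines. The label-wise suffix match is the point: a naive substring or `endswith` check would wrongly block `notrepl.co`, and a naive exact match would miss `a1b2.activitypub-troll.cf`. Function names and the sample data are this example's own.

```python
"""Subdomain-aware domain blocking for inbound ActivityPub actors.

Added illustration for the Hachyderm thread; not Mastodon's implementation.
"""
from typing import Dict, List, Optional
from urllib.parse import urlsplit

# Domains named in the thread. A block on the registrable name is enough;
# the '*.' prefix from the thread is implied by suffix matching below.
BLOCKED_DOMAINS = frozenset({
    "activitypub-troll.cf",
    "misskey-forkbomb.cf",
    "repl.co",
})


def normalize_host(host: str) -> str:
    """Lower-case and strip surrounding whitespace and a trailing root dot."""
    return host.strip().rstrip(".").lower()


def is_blocked(host: str, blocked=BLOCKED_DOMAINS) -> bool:
    """True if host equals a blocked domain or is any subdomain of one.

    Matching is done on whole DNS labels, so 'notrepl.co' does not match
    'repl.co' and 'cf' alone matches nothing.
    """
    labels = normalize_host(host).split(".")
    for i in range(len(labels)):
        if ".".join(labels[i:]) in blocked:
            return True
    return False


def actor_host(actor_uri: str) -> Optional[str]:
    """Extract the host of an actor URI; reject anything that is not https."""
    parts = urlsplit(actor_uri)
    if parts.scheme != "https" or not parts.hostname:
        return None
    return parts.hostname  # urlsplit lower-cases and drops any port


def triage(actor_uris: List[str]) -> Dict[str, List[str]]:
    """Sort inbound actor URIs into blocked / allowed / invalid buckets."""
    result: Dict[str, List[str]] = {"blocked": [], "allowed": [], "invalid": []}
    for uri in actor_uris:
        host = actor_host(uri)
        if host is None:
            result["invalid"].append(uri)
        elif is_blocked(host):
            result["blocked"].append(uri)
        else:
            result["allowed"].append(uri)
    return result


def dnsmasq_sinkhole_lines(blocked=BLOCKED_DOMAINS) -> List[str]:
    """dnsmasq config lines that sinkhole each domain and all its subdomains.

    'address=/<domain>/<ip>' matches the domain and every name under it,
    which is what makes it fit for attacker-minted subdomains. 0.0.0.0 is
    used as the sinkhole address so the lines work on older dnsmasq builds.
    """
    return [f"address=/{d}/0.0.0.0" for d in sorted(blocked)]


# Constructed sample of inbound actor URIs (not captured traffic).
SAMPLE_ACTORS = [
    "https://hachyderm.io/users/nova",                 # legitimate
    "https://a1b2c3.activitypub-troll.cf/users/x",     # minted subdomain
    "https://deep.nested.misskey-forkbomb.cf/users/y", # deeper subdomain
    "https://some-repl-name.repl.co/inbox",            # hosted on repl.co
    "https://notrepl.co/users/z",                      # must NOT match repl.co
    "https://ACTIVITYPUB-TROLL.CF./users/w",           # case + trailing dot
    "http://evil.activitypub-troll.cf/users/v",        # plaintext, rejected outright
]

if __name__ == "__main__":
    for bucket, uris in triage(SAMPLE_ACTORS).items():
        print(bucket, uris)
    print("\n".join(dnsmasq_sinkhole_lines()))
```

The `triage` step is what you would run over the actor URIs in a stuck Sidekiq queue to see how much of the backlog belongs to the attacker; the dnsmasq lines go into the resolver the instance's workers use, so the minted subdomains fail to resolve regardless of where the attacker points them next.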