@blockbot You run dnsmasq for the local network? You'll wanna. And by default it only caches 150 entries; you'll want it way bigger, especially for a fedi server.
One kind that I've never seen is a flood of "POST /inbox" with a signature for a pile of servers that don't exist but that do have DNS entries pointing somewhere slow; Revolver accepts provisionally and flags the entry, Mastodon and I *think* Pleroma hold the request open and don't respond until they have actually fetched the key. I haven't looked at how they behave if it's a blocked server, but since most Masto admins don't know what they are doing, I think they wouldn't know what was going on, and maybe it tries to fetch the key even for blocked instances; they go through some pageantry to stop your instance from automatically detecting that it is blocked. Like, if you block an instance on Masto, even if you've never seen it, it will start showing up in your peers (which is how fedilist found a bunch of non-fedi sites).
On the bugout zone, I pretty heavily rate-limit /inbox, but I think if you were clever about it, even that wouldn't solve it. Pleroma doesn't bottleneck outbound HTTP requests under most circumstances.
You might actually even have a reflection attack if you were to make a DNS wildcard pointing at your target and then flood all of fedi with "POST /inbox" and a key URL pointed at the DNS wildcard. Like, it's not super efficient, but say you point it at a time-consuming endpoint on the other server (like /api/v1/streaming or the search endpoint or a hashtag; something that returns JSON, though, because a lot of the servers probably close the connection once they get back a header that says it's a video file or whatever, without reading the body).
This seems like a big enough problem that someone must have thought of it so either there's something I'm missing or we'll find out when someone decides to make a PoC.
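As an added example, not code from the post above or from Revolver, Mastodon or Pleroma: a pre-flight gate for an inbox delivery whose signing key is not cached. It makes the two decisions the post argues about before any network I/O happens: a blocked or malformed keyId is refused outright (no fetch for blocked domains), a host we have fetched from before gets its own per-host budget, and every never-seen host shares one small global budget, so a DNS wildcard zone that hands the attacker a fresh hostname per request cannot earn a fresh allowance per name. Anything over budget is answered provisionally ("queue") rather than holding the request open. The second function decides from response headers alone whether the key document is worth reading, so a keyId pointed at a streaming or search endpoint costs one round trip and not an open connection. The class and function names, the sample Signature header and all hostnames are constructed for this example.

```python
import re
import time
from collections import deque
from dataclasses import dataclass, field
from urllib.parse import urlsplit

# Constructed sample: a draft-cavage Signature header as a POST /inbox would carry it.
# Hostnames and the signature value are made up.
SAMPLE_SIGNATURE = (
    'keyId="https://friendly.example/users/alice#main-key",'
    'algorithm="rsa-sha256",'
    'headers="(request-target) host date digest",'
    'signature="c2lnbmF0dXJl"'
)

_PARAM_RE = re.compile(r'(\w+)="((?:[^"\\]|\\.)*)"')

def parse_signature_header(value):
    """Split a Signature header into its quoted parameters (keyId, algorithm, ...)."""
    return dict(_PARAM_RE.findall(value))

def key_host(key_id):
    """Lower-cased host the keyId points at, or None if it is not a plain https URL."""
    parts = urlsplit(key_id)
    if parts.scheme != "https" or not parts.hostname:
        return None
    return parts.hostname.lower()

# Only a small ActivityPub JSON document is ever read as a key.
ACTIVITY_TYPES = ("application/activity+json", "application/ld+json")
MAX_KEY_BYTES = 64 * 1024

def should_read_key_body(status, content_type, content_length):
    """Decide from the response headers alone whether to read the body at all.
    A redirect, a non-JSON media type or a large Content-Length means the keyId
    is not a key document; abandon the fetch without reading a byte of body."""
    if status != 200:
        return False
    media = content_type.split(";", 1)[0].strip().lower()
    if media not in ACTIVITY_TYPES:
        return False
    if content_length is not None and int(content_length) > MAX_KEY_BYTES:
        return False
    return True

@dataclass
class KeyFetchGate:
    """Pre-flight decision for a delivery whose signing key is not cached (hypothetical).

    decide() returns one of:
      "reject": blocked or malformed keyId, answer immediately, no fetch
      "fetch":  fetch the key now, inside the budget
      "queue":  accept provisionally and verify later; do not hold the request open
    """
    blocked_domains: frozenset
    known_hosts: set = field(default_factory=set)
    per_host_limit: int = 10       # fetches per window for a host seen before
    unknown_host_limit: int = 5    # fetches per window shared by ALL never-seen hosts
    window: float = 60.0
    _per_host: dict = field(default_factory=dict)
    _unknown: deque = field(default_factory=deque)

    def is_blocked(self, host):
        # The host itself or any parent domain appearing in the block list counts.
        labels = host.split(".")
        return any(".".join(labels[i:]) in self.blocked_domains for i in range(len(labels)))

    def _prune(self, bucket, now):
        while bucket and now - bucket[0] >= self.window:
            bucket.popleft()

    def decide(self, signature_header, now=None):
        now = time.monotonic() if now is None else now
        key_id = parse_signature_header(signature_header).get("keyId")
        host = key_host(key_id) if key_id else None
        if host is None or self.is_blocked(host):
            return "reject"  # never touch the network for a blocked or bogus keyId
        if host in self.known_hosts:
            bucket = self._per_host.setdefault(host, deque())
            limit = self.per_host_limit
        else:
            # One budget for every unseen host: a wildcard zone (h1.x.example,
            # h2.x.example, ...) cannot get a fresh allowance per hostname.
            bucket = self._unknown
            limit = self.unknown_host_limit
        self._prune(bucket, now)
        if len(bucket) >= limit:
            return "queue"
        bucket.append(now)
        return "fetch"

    def mark_fetched(self, host):
        """Call once a key document from this host has actually been retrieved."""
        self.known_hosts.add(host)
```

The "queue" path is the important one: the worker that later fetches the key still needs a hard connect/read timeout and the header check above, so that a keyId pointing at a slow or non-JSON endpoint is abandoned early instead of tying up the fetcher.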