This issue has been noted since mastodon was initially release > 7 years ago. It has also been filed multiple times over the years, indicating that previous small "fixes" for it haven't fully fixed the issue.
There's no reason why 114MB of static content over 5 minutes should be an issue for a public facing website. Hell, I probably could serve that and the images with a Raspberry Pi over my home Internet and still have bandwidth to spare.
I think they are throwing stones at the wrong glass house/software stack.
It is not, but a write amplification of 36704:1 is one hell of an exploitable surface.
With that same Raspberry Pi and a single 1gbit connection you could also do 333333 post requests of 3 KB in a single second made on fake accounts with preferably a fake follower on a lot of fediverse instances. That would result in those fediverse servers theoretically requesting 333333 * 114MB = ~38Gigabyte/s. At least for as long as you can keep posting new posts for a few minutes and the servers hosting still have bandwidth. DDosing with a 'botnet' of fediverse servers/accounts made easy!
I'm actually surprised it hasn't been tried yet now that I think about it...
That would result in those fediverse servers theoretically requesting 333333 * 114MB = ~38Gigabyte/s.
On the other hand, if the site linked would not serve garbage, and would fit like 1Mb like a normal site, then this would be only ~325mb/s, and while that's still high, it's not the end of the world. If it's a site that actually puts effort into being optimized, and a request fits in ~300kb (still a lot, in my book, for what is essentially a preview, with only tiny parts of the actual content loaded), then we're looking at 95mb/s.
If said site puts effort into making their previews reasonable, and serve ~30kb, then that's 9mb/s. It's 3190 in the Year of Our Lady Discord. A potato can serve that.
ok so like I don't know if I've ever seen a more confusing use of units . at least you haven't used the p infix instead of the / in bandwith units .
like you used both upper case and lowercase in units but like I can't say if it was intentional or not ? especially as the letter that is uppercased should be uppercased ?
anyway
1Mb
is theoretically correct but you likely ment either one megabyte (1 MB) or one megibyte (MiB) rather than one megabit (1 Mb)
~325mb/s
95mb/s
and
9mb/s
I will presume you did not intend to write ~325 milibits per second , but ~325 megabits per seconds , though if you have used the 333 333 request count as in the segment you quoted , though to be fair op also made a mistake I think , the number they gave should be 3 exabits per second (3 Eb/s) or 380 terabytes per seconds (TB/s) , but that's because they calculated the number of requests you can make from a 1 gigabit (which is what I assume they ment by gbit) wrong , forgetting to account that a byte is 8 bits , you can only make 416 666 of 4 kB (sorry I'm not checking what would happen if they ment kibibytes sorry I underestimated how demanding this would be but I'm to deep in it now so I'm gonna take that cop-out) requests a second , giving 380 terabits per second (380 Tb/s) or 3.04 terabytes per second (3.04 TB/s) , assuming the entire packet is exactly 114 megabytes (114 MB) which is about 108.7 megibytes (108.7 MiB) . so anyway
packet size
theoretical bandwidth
1 Mb
416.7 Gb/s
52.1 GB/s
1 MB
3.3 Tb/s
416.7 GB/s
1 MiB
3.3 Tb/s
416.7 GB/s
300 kb
125.0 Gb/s
15.6 GB/s
300 kB
1000.0 Gb/s
125.0 GB/s
300 kiB
1000.0 Gb/s
125.0 GB/s
30 kb
12.5 Gb/s
1.6 GB/s
30 kB
100.0 Gb/s
12.5 GB/s
30 kiB
100.0 Gb/s
12.5 GB/s
hope that table is ok and all cause im in a rush yeah bye
...and here I am, running a blog that if it gets 15k hits a second, it won't even bat an eye, and I could run it on a potato. Probably because I don't serve hundreds of megabytes of garbage to visitors. (The preview image is also controllable iirc, so just, like, set it to something reasonably sized.)
map $http_user_agent $badagent {
default 0;
# list of AI crawler user agents in "~crawler 1" format
}
if ($badagent) {
rewrite ^ /gpt;
}
location /gpt {
proxy_pass https://courses.cs.washington.edu/courses/cse163/20wi/files/lectures/L04/bee-movie.txt;
}
...is a wonderful thing to put in my nginx config. (you can try curl -Is -H "User-Agent: GPTBot" https://chronicles.mad-scientist.club/robots.txt | grep content-length: to see it in action ;))
It's not. It just doesn't get enough hits for that 86k to matter. Fun fact: most AI crawlers hit /robots.txt first, they get served a bee movie script, fail to interpret it, and leave, without crawling further. If I'd let them crawl the entire site, that'd result in about two megabytes of traffic. By serving a 86kb file that doesn't pass as robots.txt and has no links, I actually save bandwidth. Not on a single request, but by preventing a hundred others.
Proxying to a remote server every time is pretty inconsiderate. You can save yourself (and washington.edu) a lot of bandwidth by downloading a copy of your own and compressing it (using gz, brotli, or zstd). Bonus points for picking the least decompression friendly compression algorithm to make decompressing their problem!
Depends on what compression options the client supports. gzip isn't great for setting up a bomb, and neither is brotli in most cases. zstd is relatively new on the web stage, but zstd support lacks the higher decompression levels in browsers.
Using existing bombs, you'll be able to make the scraper use more RAM than normal, but probably not much more than they already have available for fetching + rendering a modern Javascript based web page.
I've seen a video where the guy installed steam on Ubuntu 24.04. Of course it was the snap.
The guy usually tests distro to see of it's easy to game on it. If the drivers are easy to install, etc...
He usually launches steam, then tests Valheim, Overwatch, Tomb Raider and cyberpunk.
Overwatch didn't launch, cyberpunk neither. Valheim reported that a service didn't launch. Tomb raider was OK.
Then he uninstalled the steam snap and installed the .deb one. Everything worked.
Enforcing packages is already something that people don't appreciate on Linux, enforcing packages that don't work is surprisingly hated.
Ubuntu is supposed to be a distro for beginners, how am I supposed to recommand a distro when I have no confidence the applications will work ?
"I understand that Canonical has every right to make the decision about their product."
That seems fair. There are loads of distros available so why not try something else if you don't like Ubuntu?
Linux and other mainstream Unices such as FreeBSD or OpenBSD int al (that's not something I ever thought I'd be able to say a few decades back) are not Windows or Apples or whatevs. You do you and not them!
If Ubuntu fails to scratch your itch then move on. Debian is the upstream for Ubuntu so you'll probably be fine with that instead. There is loads of documentation for Debian via the wiki etc and of course most Ubuntu docs will apply as well.
However, a thing I try to remember and wish others would as well is simply this: Canonical is a company. Their goal is to make money. They are not out to create the ultimate free as in freedom Linux distribution.
This does (to my mind) not make them evil, and ESPECIALLY doesn't make the folks who work there evil. It makes them participants in the great horrible game that is Capitalism, and expecting anything else from them is going to lead to heartache, as you've seen.
If you want a Linux distro that shares your preferences and won't try to jam snaps down your throat, you might consider giving Debian a whirl as many others have.
Continuing to ride the Ubuntu train and raging against the dying of the light when it continues chugging in the direction it's been headed for YEARS seems ... futile :)
Nice to see that KDE is so well supported! I'd been running Manjaro KDE the last time I had Linux installed on my desktop but I may give Debian a try this time around.
Idk, I probably haven't used Debian derivatives long enough, but isn't installing random .deb-s somewhat of a bad practice? I mean, repos exist for a reason (ignoring the fact they usually have like 3 packages in the official repos)
Ubuntu is just getting worse and worse. I was pretty happy running Ubuntu server for years after moving from Gentoo; I jag lost interest in spending time taking care for that server and wanted something easy.
I went to Debian half a year ago and it's been great. Should've done it earlier.
What are you talking about? It is not even "for free", they get a lot value from the community.
They're nothing without the users, it's not that they would be making it if nobody uses it anyways. Users used to love them, they trusted them, they went on spreading their system, reported issues, created tutorials, flavors, videos, tools, and so on, they helped Cannonical become what it is now.
I don't think they're giving us anything "for free."
No. It based on Ubuntu but without all the bullshit. .deb ist standard and flatpak is also built in. Whenever both are available, you get a choice right from the software manager. Mint is very much its own thing and great if you want to ditch Ubuntu.
Fedora introduced a whole new distro where you can't install anything with dnf anymore and people love it. People love using flatpaks instead (yes I know of all the shortcomings, but you can always choose another install method for that broken package). And ubuntu users just hate ubuntu for what they do. The difference may also be that fedora gives a choice to the user and does not directly force it
news.itsfoss.com
Newest