
Discord took no action against the server that coordinated the Mastodon spam attacks

Hackers attacked federated social networks like Mastodon with continuous spam attacks that were organized on Discord and carried out using Discord applications. But Discord has yet to remove the servers from which the attacks were facilitated, and Mastodon community leaders have not been able to contact anyone at the company.

“The attacks were coordinated through Discord and the software was distributed through them,” said Emelia Smith, a software engineer who regularly works on trust and security issues in the fediverse, a network of decentralized social platforms built on the ActivityPub protocol. “They used bots that integrated directly with Discord, so a user didn't even need to set up any servers or anything like that, because they could just run this bot directly from Discord to carry out the attack.”

Smith attempted to contact Discord through official channels on February 17, but only received form responses. She commented that while Discord has mechanisms to report individual users or messages, it lacks a clear way to report entire servers.

“We have seen this cost Mastodon, Misskey and other server administrators hundreds or thousands of dollars in infrastructure costs and general denial of service,” Smith wrote to Discord Trust & Safety in an email. “The only common link seems to be this server.”

In a statement, a Discord spokesperson said: “Discord's Terms of Service specifically prohibit platform abuse, which refers to activities that disrupt or alter the experience of Discord users, including spamming or sending messages or massive unsolicited interactions.” Although Discord says it is monitoring the situation, the server responsible for the spam attacks remains up and online.

Eugen Rochko, founder and CEO of Mastodon, said in a post that these attacks are more difficult to moderate than previous ones because they deliberately target smaller servers, which often have fewer moderation tools. Some of these servers offer open registration, which allows new accounts to be created quickly and used to post spam. And as Smith points out, these massive spam attacks can increase server costs, leaving administrators with unexpected bills.

According to reports from Mastodon, this fully automated attack was caused by a conflict between teenagers on two different Japanese Discord servers.

“It's this kind of weird social behavior, where these kids are essentially acting like schoolyard bullies,” Smith said. She believes that they carried out the attack simply to show that they can, not because they have any ill will towards these social networks.

“They have technological capabilities that are far above their emotional or psychological capabilities,” she said.

Kevin Beaumont, a cybersecurity expert, posted on Mastodon that this incident is reminiscent of a similar, though much larger, attack from 2016, in which three college students created a botnet to make money with Minecraft. But what they built was so powerful that it was able to take down large swaths of the Internet, including sites like Reddit and Spotify.

“I had to do a radio show on NPR (National Public Radio) about this and the host kept asking me if it was Putin, and I said, no, they're teenagers. Persistent advanced adolescents,” Beaumont posted.

Because Mastodon is a decentralized social network, the Mastodon team cannot intervene in moderation issues on servers it does not own, which is a vulnerability for the fediverse. On servers that are actively maintained and moderated, Mastodon offers tools to prevent automated account registration, such as CAPTCHA.

While Mastodon's nonprofit, open source model gives users more ownership over their social media experiences, it also limits the company's ability to hire more developers. Most of the social network is run by volunteers, like Smith herself.

“I would estimate that the entire fediverse is developed by, perhaps, at best, 100 engineers,” she said. “All of them underpaid or unpaid, who are trying to create software while supporting the monthly active user base in the range of 1.1 million to 7.4 million.”
