this post was submitted on 06 Feb 2026
84 points (100.0% liked)

PieFed Meta


EDIT: TBC, here's the current message seen when refreshing a PF stream:


"Piefed.social is having a denial of service attack. They are being kept at bay for now but could return with a more effective method. Download your community subscriptions so if you need to move to another server it’ll be painless - with a few clicks you’ll be seeing all the same content as before. See list of alternate servers at here or here."


Possible causes?

  • Fellow instance that got PO'd somehow? (seems like a major stretch)
  • Just random hackers havin' fun?
  • Reddit or similar, targeting one of the top growing instance softwares in ActivityPub / FV? EDIT2: the timing certainly seems to fit for the recent influx of users coming from Reddit. (see comments)
  • Some right-wing entity, not happy about the general rational / left bias to the instance?
  • Other..?

In any case, much thanks to our instance runner and dev for fending off the first wave(!) Hope everything is backed up and possible to be restored if the worst happens.

(seriously, what a shitty way to be repaid for doing a great, ongoing job for the community and FOSS)

[–] tomiant@piefed.social 1 points 1 day ago

Is it ever anyone but the Russians? Like, when you have serial offenders and shit goes down you round up the usual suspects first, no?

[–] wjs018@piefed.wjs018.xyz 43 points 3 days ago (5 children)

Just an update on this front, server load is stable right now as I type this after rimu did some stuff on the server to help. It's pretty clear this was a DDOS and not a rogue AI scraper because it was hitting the same url many times a second instead of crawling tons of urls like a scraper bot would.

We'll keep an eye on things. Thanks for your patience.

[–] wjs018@piefed.social 22 points 3 days ago

I realized that I replied from the wrong browser tab. I can confirm that this is not some impersonator wjs018 🕵️

[–] snowe@programming.dev 8 points 3 days ago (1 children)

AI bots will sometimes get stuck requesting the same URL over and over again for no reason. Make sure you check the user agent of the requests.

[–] db0@lemmy.dbzer0.com 3 points 2 days ago

Most scrapers pretend to be normal browser agents

[–] mesamunefire@piefed.social 9 points 3 days ago

Thanks to everyone for all your hard work!

[–] Skavau@piefed.social 6 points 3 days ago (1 children)

It happened shortly after that rather strange guy I had to pacify earlier lol

[–] Blaze@piefed.zip 3 points 3 days ago (1 children)
[–] Skavau@piefed.social 10 points 3 days ago (2 children)

In television@piefed.social

I was discussing/debating with a user. Suddenly he thought I blocked him as he couldn't reply (I assume) and he reported me to myself and started changing all of his comments to "skavau is a clown", despite me telling him I had not blocked him.

He was a local account so I yeeted him, shortly after Piefed goes down

[–] Blaze@piefed.zip 4 points 3 days ago
[–] Unattributed@feddit.online 2 points 3 days ago (1 children)

Have you done any geolocation checking on the IPs? That might start to paint a better picture of the actor(s) behind the attack.

[–] wjs018@piefed.social 4 points 3 days ago (2 children)

It's a good question...for rimu. I have ssh access to do things like restart the server or roll out a critical bugfix or something like that, but my sysadmin skills are not the best.

[–] Tuuktuuk@anarchist.nexus 3 points 3 days ago (2 children)

All you need is to have the IP addresses. If you can extract them, then the rest can be done by saying whois ip.ad.re.ss (where you put some numbers between 0 and 255 instead of ip, ad, re and ss.)

[–] hendrik@palaver.p3x.de 3 points 3 days ago* (last edited 3 days ago) (1 children)

A whois will likely not do much. It'll turn out to be some large ISP, which rents out virtual servers and all kinds of stuff to private people, companies and VPN providers. And that's regularly how far you'll get, a name of a large company. And you can then decide if it's worth it to take someone to court, somewhere abroad... (But sometimes an email to their abuse contact helps a bit. Judging by my experience they won't ever answer. But sometimes it'll miraculously stop. And most of the time nobody cares about a single complaint.)

[–] wonderingwanderer@sopuli.xyz 2 points 2 days ago (1 children)

Would the Network Security Toolkit have anything that could help?

I would imagine if they're on a VPN, which they honestly probably are, then there's not really a way to track them down at all...

[–] hendrik@palaver.p3x.de 1 points 2 days ago* (last edited 2 days ago)

Well, I guess if they're still online and do silly stuff, like not use a VPN, not have a Firewall installed on their computer... Or they re-use the VPS which also has their personal blog on it... There would be ways to do something. But that's all very unlikely.

I mean the whois is a good idea. Admins will usually want to know what they're dealing with, and where it's coming from. But the rest of the steps really depend on how bored an admin is. The best course of action regularly is to block it and move on. There's so much bad stuff hammering the average webserver anyway. Launching a counterattack is a bit illegal, so that might not be an option. And if some admin has a few hours to pass until it's 5pm and time to head home, or do it as a hobby and have time to spare they might investigate. I've found some hacked servers that way, wrote a few emails. But in practice, 99% of the time there isn't anything to accomplish.

[–] wonderingwanderer@sopuli.xyz 1 points 2 days ago

Unless they're on a VPN...

[–] Unattributed@feddit.online 2 points 3 days ago

I'll ask him later when, hopefully, things will have had some time to cool down.

[–] fubarx@lemmy.world 5 points 3 days ago

Is putting a Web Application Firewall (WAF) in front of it not an option? Cloudflare offers it for free for static sites: https://www.cloudflare.com/lp/dg/product/ddos/

There are other hosting providers that offer it as a basic service. This way, the flooding packets are filtered before they even reach the server.

KrebsOnSecurity has been hit a few times with massive DDOS attacks: https://krebsonsecurity.com/2025/05/krebsonsecurity-hit-with-near-record-6-3-tbps-ddos/

[–] Blaze@piefed.zip 4 points 3 days ago (2 children)

Seems accessible to me (Europe)

[–] JohnnyEnzyme@piefed.social 5 points 3 days ago

Top of the PF.S stream:


Piefed.social is having a denial of service attack. They are being kept at bay for now but could return with a more effective method. Download your community subscriptions so if you need to move to another server it’ll be painless - with a few clicks you’ll be seeing all the same content as before. See list of alternate servers at here or here.


Sounds a bit concerning to me.

[–] Ash@piefed.social 3 points 3 days ago (1 children)

very intermittent for me. I think swell of new users like me + corporate interference to a new competitor

[–] JohnnyEnzyme@piefed.social 9 points 3 days ago (1 children)

DDOS is a very specific kind of attack, as I understand it, involving overwhelming a server with rubbish packets.

[–] Ash@piefed.social 6 points 3 days ago (1 children)

It's a type of attack. Use malware-infected computers (botnet) to flood servers with fake requests. It's a networking traffic jam, where each car has been mind controlled into blocking the route by a nefarious actor. Could be a company paying someone, could be a lone hacker, could be North Korea, Russia, a wayward child genius, some MIT students making a point. Who knows? Not me. But DDoS doesn't just happen randomly, someone has to hit the button. So could be a DDoS or just loads of new users creating the jam or AI scrapers. I don't know. I wouldn't be surprised if a few unscrupulous companies want to nip this decentralised threat to their business model in the bud. But then I wouldn't be surprised if a relatively small "site" is just suffering because its user base has doubled in 3 days.

[–] JohnnyEnzyme@piefed.social 4 points 3 days ago (2 children)

"Yup" to just about all that, altho note that the dev / instance runner himself ID'd it as a DDOS attack.

...its user base has doubled in 3 days.

Really? That might explain why my communities' subscriber base took off this week. Do you know what happened to double the base?

[–] Skavau@piefed.social 9 points 3 days ago (1 children)

Effective reddit advertising

[–] JohnnyEnzyme@piefed.social 2 points 3 days ago (3 children)

Beautiful. Know where that happened?

[–] tomiant@piefed.social 1 points 1 day ago
[–] Skavau@piefed.social 7 points 3 days ago (2 children)

BuyfromCanada, Degoogle, buyfromEU

[–] Ash@piefed.social 6 points 3 days ago

I'm here from boyfromeu

[–] JohnnyEnzyme@piefed.social 4 points 3 days ago (1 children)

Clever; going under the radar a bit.

Come to think of it, that might explain the attack.

[–] cabbage@piefed.social 5 points 3 days ago* (last edited 3 days ago) (1 children)

Yeah, it's probably related to some recent marketing success.

I highly doubt it's anything more conspiratorial than some random guy in the social class sometimes referred to as "average redditor" who decided to see what he could do to fuck with people. Not all that much by the looks of it, I didn't notice any instability at all.

[–] JohnnyEnzyme@piefed.social 3 points 3 days ago (1 children)

I didn’t notice any instability at all.

Might be that it was caught early, or that it varied in severity and time distribution. We'd need some specific tools trained on the site to know for sure. But given the seriousness of the announcement, I'm not convinced it was just a blip, or whatever.

[–] cabbage@piefed.social 3 points 3 days ago

For sure it's something to take seriously. But for me it's also a sign of just how good Rimu & co are at dealing with this stuff. DDoS attacks are going to happen because we're trying to do something nice on the internet. It's nice to see Piefed is as robust as it is.

[–] biltong@piefed.co.za 5 points 3 days ago (1 children)

Check here, these were the posts made !fedibridge@lemmy.dbzer0.com

They got 800,000 views between them

[–] Ash@piefed.social 2 points 3 days ago

Yes, it's DDOS, but in my comment I meant it's nefarious but new influx certainly won't help.

[–] artyom@piefed.social 3 points 3 days ago (2 children)

I mean the most likely answer these days is always AI scraper bots.

[–] mesamunefire@piefed.social 3 points 3 days ago

If it's all one URL from many different IPs that don't really go anywhere, then it's probably just regular old DDOS. If you're successful, at some point you get them.

I hate to say it but Cloudflare has "fixed" this issue a while back and is one of the better solutions. Which of course sucks because it becomes another layer on top of infra that has gone down in the past.

All the fun of being a sys admin :)
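
Added example, not part of any comment in this thread and not PieFed's own code: the distinction drawn above by wjs018 and mesamunefire (one URL requested repeatedly from many IPs versus a crawler walking many URLs) written as a check over web access logs. The log lines, thresholds and function names are constructed assumptions; both samples share one browser-like user agent, so the user agent alone does not separate them.

```python
import re
from collections import Counter
from datetime import datetime
# Combined log format: ip - - [time] "METHOD path proto" status size "referer" "agent"
LINE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "\S+ (\S+) [^"]*" \d{3} \S+ "[^"]*" "([^"]*)"$')

def parse(line):
    m = LINE.match(line)
    if not m:
        return None  # skip malformed lines
    ip, ts, path, ua = m.groups()
    return ip, datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z"), path, ua

def summarize(lines):
    """Traffic shape for one window: rate, URL concentration, source spread."""
    rows = [r for r in map(parse, lines) if r]
    if not rows:
        return None
    paths = Counter(r[2] for r in rows)
    top_path, top_hits = paths.most_common(1)[0]
    times = [r[1] for r in rows]
    span = max((max(times) - min(times)).total_seconds(), 1.0)
    return {
        "requests": len(rows),
        "rate": len(rows) / span,                 # requests per second
        "top_path": top_path,
        "top_share": top_hits / len(rows),        # fraction hitting one URL
        "distinct_paths": len(paths),
        "top_path_ips": len({r[0] for r in rows if r[2] == top_path}),
        "user_agents": len({r[3] for r in rows}),
    }

def classify(s, min_rate=5.0, flood_share=0.8, crawl_ratio=0.8, min_ips=10):
    # Thresholds are illustrative assumptions; tune them against your own baseline.
    if not s or s["rate"] < min_rate:
        return "normal"
    if s["top_share"] >= flood_share:
        if s["top_path_ips"] >= min_ips:
            return "single-url flood (distributed)"
        return "single-url repeat (few sources)"  # e.g. one stuck client
    if s["distinct_paths"] / s["requests"] >= crawl_ratio:
        return "crawl"
    return "mixed"

def make_line(ip, sec, path, ua="Mozilla/5.0 (X11; Linux x86_64)"):
    # Constructed sample data, not real traffic; IPs are documentation ranges.
    return f'{ip} - - [06/Feb/2026:12:00:{sec:02d} +0000] "GET {path} HTTP/1.1" 200 512 "-" "{ua}"'

FLOOD = [make_line(f"203.0.113.{i % 40}", i % 10, "/post/1") for i in range(200)]
CRAWL = [make_line("198.51.100.7", i % 10, f"/post/{i}") for i in range(200)]
```

`classify(summarize(FLOOD))` and `classify(summarize(CRAWL))` give different labels even though the request rate and user agent are identical in both samples.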

[–] JohnnyEnzyme@piefed.social 3 points 3 days ago* (last edited 3 days ago) (1 children)

Wouldn't that tend to show up to the host as such, or as temporarily increased general activity?

DDOS is a very specific kind of attack, as I understand it, involving overwhelming a server with rubbish packets.

[–] artyom@piefed.social 4 points 3 days ago (1 children)

DDOS attacks and AI scraper bots are technically indistinguishable. Both are just crippling the server by making an absurd number of requests.

[–] JohnnyEnzyme@piefed.social 3 points 3 days ago* (last edited 3 days ago) (1 children)

Okay, that's interesting. Note however that the instance runner specifically ID'd this as a DDOS attack. See copy of their message in side-comment here.

[–] artyom@piefed.social 2 points 3 days ago (1 children)

I don't see anything except an absolutely massive image of some sort of warning symbol. What is a "side-comment"?

[–] JohnnyEnzyme@piefed.social 2 points 3 days ago* (last edited 3 days ago)

Sorry, I wish I hadn't uploaded that. The silly image is relatively tiny, but got blown up. Anyway, so you can't see the other comments in this thread? Are you hitting it from an app?

EDIT: I've copy-pasted it in to the main post.

[–] onlinepersona@programming.dev 2 points 3 days ago (2 children)

Is it really a DDOS or piefed just unable to handle an influx of users? Does piefed scale horizontally? Is it async? Does it spawn a thread per request or does it work from a thread/process pool?

Without having looked at the code, my suspicion would be rather that it can't handle thousands of users concurrently and just 20k users trying to use it at the same time looks like DDOS. Piefed is probably nowhere near v1 or has never been tested for performance.

I'd much rather see some evidence for a DDOS, e.g. a graph showing number of connections to the server, a graph of response time, number of database connections, or something. Just saying "DDOS" when it might just be the software struggling to keep up with legitimate users seems questionable.

P.S. this isn't a slight at the piefed devs - performance is usually the last thing on someone's mind who just wants to ship things quickly. Especially with such a demanding and uneducated public that doesn't understand these are unpaid individuals contributing, not paid workers working on the code 9-5, 5 days a week, 50 weeks a year.

[–] rimu@piefed.social 7 points 3 days ago

Definitely not normal traffic.

[–] Skavau@piefed.social 5 points 3 days ago

Piefed.social was busier specifically 2-3 days ago and this did not happen.

[–] HeyThisIsntTheYMCA@lemmy.world 1 points 2 days ago* (last edited 2 days ago) (1 children)

I'm unstable but i'm not that unstable. If I get pissed off I just write bad music you don't gotta worry about me. Think of me like Taylor Swift with the 7 Assholes

wait hold on i'm gonna use that as an album

[–] JohnnyEnzyme@piefed.social 2 points 2 days ago

Think of me like Taylor Swift with the 7 Assholes

Dunno what that means, but you got me chortlin'. 😁

[–] arrrse@piefed.social 1 points 3 days ago

Well that explains the

503 Service Temporarily Unavailable

It's leon, he's mad that he has only bots in twitter
