Mastodon says its flagship server was hit by a DDoS attack

A massive distributed denial-of-service attack disrupted the flagship server of social networking software company Mastodon, resulting in routine outages and rendering the site temporarily inaccessible.

 

The decentralised social media platform announced on Monday that it was experiencing a major denial-of-service attack. The company’s head of communications, Andy Piper, said that the platform’s streaming APIs had experienced major outage, affecting access to its website and disrupting background queues.

 

Piper, who is set to leave the company on April 28, said that Mastodon had implemented countermeasures against the DDoS attack on Monday evening and had succeeded in making the site accessible. However, temporary disruptions continued to hamper the platform’s availability and performance, including the primary mastodon.social instance.

 

Shortly after midnight on Monday, the social networking platform brought good news to its customers, stating that the denial-of-service attacks had ceased and all operations had returned to normal. 

 

The company is yet to issue a formal statement about the scale of the attacks, the amount of damage inflicted on its main server, and the countermeasures it intends to apply to deter similar attacks in the future.

 

The denial of service attacks on Mastodon occurred shortly after a large-scale denial of service attack targeted Bluesky, another decentralized microblogging social media platform operating on the open-source AT Protocol that gives users more control over algorithms, moderation, and data portability.

 

The DDoS attacks, however, had limited impact on Bluesky’s availability. "The application has remained stable since approximately 9 PM PDT, April 16 despite ongoing Distributed Denial-of-Service (DDoS) attacks," the company announced on April 18. 

 

The company announced an end to the attacks on April 20, stating that the application had remained stable during the course of the attacks and there was no evidence of unauthorised access to private user data.