Discord spoofing requests and causing traffic amplification #322
Comments
Turns out Discord basically does a traffic amplification attack where they send two requests for one image, i.e. duplicating the load on the server. This is already documented at discord/discord-api-docs#1600 with their silly "reasoning":
The second of those requests is spoofed as a browser on Mac OS, but comes from a Google Cloud IP address, which is obviously fake and the reason why I had challenged those "browser" requests with a JavaScript challenge before, as there were thousands of them and no referrer or useful user agent that would give a clue as to what these requests are. The two requests are also sent from two different IP addresses, effectively hitting two different Cloudflare servers, evading its cache, and hitting the crafatar.com server twice for the same resource. Apparently Discord uses the first request to fetch the

```http
GET /renders/body/4b12ad0c-7890-4fe9-98d1-168e035a1cc9 HTTP/1.1
Host: crafatar.com
Connection: Keep-Alive
accept-encoding: gzip
X-Forwarded-For: 35.227.62.178
CF-RAY: 838cc834082f1d66-ATL
X-Forwarded-Proto: https
CF-Visitor: {"scheme":"https"}
user-agent: Mozilla/5.0 (compatible; Discordbot/2.0; +https://discordapp.com)
CF-Connecting-IP: 35.227.62.178
CDN-Loop: cloudflare
CF-IPCountry: US

HTTP/1.1 200 OK
content-type: image/png
content-length: 16694
cache-control: max-age=3600
response-time: 86
x-request-id: wbat2stciks
access-control-allow-origin: *
x-storage-type: downloaded
etag: "4049048079"
date: Thu, 21 Dec 2023 02:44:14 GMT
keep-alive: timeout=5
...
```

```http
GET /renders/body/4b12ad0c-7890-4fe9-98d1-168e035a1cc9 HTTP/1.1
Host: crafatar.com
Connection: Keep-Alive
accept-encoding: gzip
X-Forwarded-For: 34.138.41.211
CF-RAY: 838cc836db2d53cf-ATL
X-Forwarded-Proto: https
CF-Visitor: {"scheme":"https"}
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 11.6; rv:92.0) Gecko/20100101 Firefox/92.0
CF-Connecting-IP: 34.138.41.211
CDN-Loop: cloudflare
CF-IPCountry: US

HTTP/1.1 200 OK
content-type: image/png
content-length: 16694
cache-control: max-age=3600
response-time: 15
x-request-id: r7g8deku7kk
access-control-allow-origin: *
x-storage-type: none
etag: "4049048079"
date: Thu, 21 Dec 2023 02:44:14 GMT
keep-alive: timeout=5
...
```
I'm unsure how to deal with this. It is ultimately Discord's fault. I have removed the JavaScript challenge for now, but I will block Discord again if this keeps causing issues.
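One way an operator could spot this double-fetch pattern in origin logs, as an added example that is not part of this issue or of Crafatar's own code. The single-line log format, the `find_double_fetches` and `amplification` helpers and the 5-second window are assumptions; the sample lines are constructed from the two requests quoted above.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed access-log lines modelled on the two captured requests above
# (timestamp, CF-Connecting-IP, method, path, user agent); not real logs.
SAMPLE_LOG = """\
2023-12-21T02:44:14Z 35.227.62.178 GET /renders/body/4b12ad0c-7890-4fe9-98d1-168e035a1cc9 "Mozilla/5.0 (compatible; Discordbot/2.0; +https://discordapp.com)"
2023-12-21T02:44:14Z 34.138.41.211 GET /renders/body/4b12ad0c-7890-4fe9-98d1-168e035a1cc9 "Mozilla/5.0 (Macintosh; Intel Mac OS X 11.6; rv:92.0) Gecko/20100101 Firefox/92.0"
2023-12-21T02:44:40Z 203.0.113.9 GET /renders/head/1418475b-1029-4a9a-af78-fbf5d59dfee0.png "Mozilla/5.0 (Windows NT 10.0; rv:92.0) Gecko/20100101 Firefox/92.0"
"""

LINE_RE = re.compile(r'^(\S+) (\S+) (\S+) (\S+) "(.*)"$')

def parse_log(text):
    """Yield (time, ip, path, user_agent) for each well-formed line."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed lines instead of crashing on them
        ts, ip, _method, path, ua = m.groups()
        yield datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), ip, path, ua

def find_double_fetches(text, window_seconds=5):
    """Return (path, bot_ip, companion_ip) for every Discordbot fetch that is
    accompanied, within window_seconds, by a non-bot fetch of the same path
    from a different IP: the duplicated origin load described above."""
    by_path = defaultdict(list)
    for entry in parse_log(text):
        by_path[entry[2]].append(entry)
    hits = []
    for path, entries in by_path.items():
        entries.sort()  # chronological order within each resource
        for t_bot, ip_bot, _p, ua_bot in entries:
            if "Discordbot" not in ua_bot:
                continue
            for t_other, ip_other, _p2, ua_other in entries:
                close = abs((t_other - t_bot).total_seconds()) <= window_seconds
                if ip_other != ip_bot and close and "Discordbot" not in ua_other:
                    hits.append((path, ip_bot, ip_other))
    return hits

def amplification(text):
    """Requests per distinct path; 1.0 means each resource was fetched once."""
    entries = list(parse_log(text))
    return len(entries) / len({e[2] for e in entries}) if entries else 0.0

if __name__ == "__main__":
    for hit in find_double_fetches(SAMPLE_LOG):
        print("double fetch:", hit)
    print("requests per resource:", amplification(SAMPLE_LOG))
```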
Thanks for the update. Considering Discord's dual request behavior, what about setting up a specific endpoint for Discord requests on Crafatar, like `https://crafatar.com/discord/renders/head/uuid`? This could help manage the load by serving minimal data on the initial request and the full image only on the second request based on the origin. It might reduce server strain while keeping Discord functionality intact.
Just want to add that I'm still seeing probably 95% of requests on Discord fail to load.
The crafatar.com servers are somehow offloaded, but it's very easy to self-host it with Docker.
I am now blocking Discord after they were sending several hundred requests per second, which is too much for the small VM Crafatar is running on. If you happen to maintain some sort of Discord bot using Crafatar, please host your own instance or lower the amount of requests and let me know.
I mean, is it really due to a bot, or just the fact that Discord has to retrieve the past images when a client tries to load them?
I have no idea
github.com/crafatar/crafatar/issues/322
Description:
Experiencing an issue where direct URLs from Crafatar, such as https://crafatar.com/renders/head/1418475b-1029-4a9a-af78-fbf5d59dfee0.png, are not displaying in Discord chats or in posts & avatars used by bots. This issue has been occurring since the last change on the system.
Technical Details:
Request:
Requesting insights or solutions to ensure that Crafatar images display correctly in Discord, especially since this affects bot functionality as well.