
Mass remote follow being used as attack vector #11360

Closed
fsnk opened this issue Jul 19, 2019 · 3 comments

Comments

@fsnk

commented Jul 19, 2019

[Screenshot: maliciousintent]

The command being used is:
[Screenshot: remote_follow_DOS]

(Screenshot taken from the attacker's feed; I haven't personally tried it :) )

Presumably the initial intent was just to artificially inflate follower numbers for specific accounts, but since posting this has been actively used against several servers.

Unclear whether simply suspending the remote server is sufficient to prevent impact as the admin interface states "The domain block will not prevent creation of account entries in the database" or whether firewall rules must also be employed.

@mason1900


commented Jul 19, 2019

The attacker seems to be using the following commands:

    RAILS_ENV=production bin/tootctl accounts follow anyone@site.tld
    RAILS_ENV=production bin/tootctl accounts create name --email e@ma.il --confirmed

@kaniini

Contributor

commented Jul 19, 2019

the feature itself is useful, but I think it should probably be scoped to local accounts only ;)

@rlywtf


commented Aug 6, 2019

https://FreeFediFollowers.ga/ is actively exploiting this in the wild. I recommend fellow fediverse nodes add a domain block for them.

p.s. Adding a domain suspension (also enabling both block options under silence prior to selecting suspend in the moderation panel) will kick off sidekiq jobs and slowly remove all follows from all accounts. 😀

angristan added a commit to angristan/mastodon that referenced this issue Aug 17, 2019

Limit "tootctl accounts follow" to local accounts
To (somewhat) limit mass remote follow. Fix tootsuite#11360


@Gargron Gargron closed this in 3a77090 Aug 17, 2019
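As an added illustration of the mitigation referenced by the commit above ("limit tootctl accounts follow to local accounts"), the following Ruby is example code written for this page and is not Mastodon's own implementation. The Account struct, parse_acct and plan_mass_follow are hypothetical; only the user@domain address convention comes from the thread. The guard refuses to plan a mass follow whenever the target resolves to a remote account, so an operator command cannot be pointed at another server to generate a flood of follow activity against it.

```ruby
# Hypothetical minimal account model (not Mastodon's): a local account has no
# domain part; a remote account carries the domain of its home server.
Account = Struct.new(:username, :domain, keyword_init: true) do
  def local?
    domain.nil?
  end

  def acct
    local? ? username : "#{username}@#{domain}"
  end
end

class RemoteTargetError < StandardError; end

# Parse "user" or "user@domain" into an Account. The domain, when present,
# is downcased so later comparisons are stable; an empty domain ("user@")
# is treated as absent, i.e. local.
def parse_acct(str)
  user, domain = str.split('@', 2)
  raise ArgumentError, "empty username in #{str.inspect}" if user.nil? || user.empty?

  domain = nil if domain.nil? || domain.empty?
  Account.new(username: user, domain: domain&.downcase)
end

# Plan (but do not execute) a mass follow in which every local account follows
# `target_str`. Refuses when the target is remote. Returns the list of
# [follower_acct, target_acct] pairs that would be enqueued as follow jobs.
def plan_mass_follow(target_str, accounts)
  target = parse_acct(target_str)
  raise RemoteTargetError, "refusing to mass-follow remote account #{target.acct}" unless target.local?

  accounts
    .select(&:local?)                              # only accounts this server controls
    .reject { |a| a.username == target.username }  # an account does not follow itself
    .map { |a| [a.acct, target.acct] }
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample directory: three local accounts plus one cached remote entry.
  directory = [
    Account.new(username: 'alice'),
    Account.new(username: 'bob'),
    Account.new(username: 'carol'),
    Account.new(username: 'mallory', domain: 'other.example')
  ]
  p plan_mass_follow('alice', directory)
  begin
    plan_mass_follow('anyone@site.tld', directory)
  rescue RemoteTargetError => e
    warn e.message
  end
end
```

The planner returns the work it would enqueue rather than performing it, so the same guard can be exercised in a test or a dry run before any federation traffic is sent; the remote entry in the sample directory is also excluded as a follower, since a server can only act on behalf of its own accounts.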

mayaeh added a commit to mastodon-ja-l10n-team/mastodon that referenced this issue Aug 18, 2019
