Incident report : Bot invasion on Mastodon.social


The Mod(5) aka @cm_kropot

Today, around 4pm GMT+1, the Mastodon.social instance suffered a massive spamming attack, mainly due to bots.

Thanks to the users of the instance, who reported much of the spam, the attack stopped quickly, lasting around 30-40 minutes.

Upon analysis, most of the bots had validated their email, and were mainly coming from these domains:

  shayzam.net
  khtyler.com
  lagify.com
  providier.com
  cliptik.net
  datasoma.com
  nando1.com
  zdfpost.net
  geroev.net

There might be other domains, but it is interesting to note that most of the domains were only hosting an email server and nothing else (the sites keep loading with nothing happening). It also seems that all the bots were using the same email server, hosted under different domain names.

More than 4.5K access tokens were generated for various apps called AaA, used to create the bots. Once the user records were disabled, the attack stopped. There must be a bug in the email blacklist code, because the IP was already banned from previous bot attacks, so this is not a first offense.

What Gargron did was to paginate through the recent user list until he found a cut-off between the random usernames and real-looking ones, get that account's creation date, then query all user records created since that point, check each one's e-mail domain against the IP address, and disable on match. All of the disabled user records were cleared and the spam is being deleted.
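The two points above, that a domain-name blacklist is bypassed when one mail server hides behind many domain names, and the cleanup procedure of finding a cut-off date and then disabling by resolved mail-server IP, can be shown together in a small stand-alone script. This is an added example, not Mastodon's code or the procedure as Gargron ran it: the user records, the banned IP (an RFC 5737 documentation address) and the domain-to-IP table that stands in for a live DNS lookup are all constructed, and the "random-looking username" heuristic is an assumption that automates the by-eye cut-off described in the report.

```ruby
# Added example (not Mastodon's own code): reconstructing the cleanup described
# in the report as a stand-alone script. All records and the DNS lookup table
# below are constructed sample data.
require 'date'

# Constructed: the mail-server IP that had already been banned, and a lookup
# table standing in for the DNS (MX/A) resolution of each sign-up e-mail domain.
BANNED_IPS = ['203.0.113.10'].freeze
DOMAIN_TO_IP = {
  'shayzam.net' => '203.0.113.10',   # three domains, one mail server
  'khtyler.com' => '203.0.113.10',
  'lagify.com'  => '203.0.113.10',
  'example.org' => '198.51.100.7',   # unrelated, legitimate providers
  'example.net' => '198.51.100.8'
}.freeze

User = Struct.new(:id, :username, :email, :created_at, :disabled)

# Constructed user list: real-looking accounts, then bots with random usernames,
# with one legitimate sign-up (carol) landing in the middle of the bot wave.
SAMPLE_USERS = [
  User.new(1, 'alice',      'alice@example.org',     DateTime.parse('2018-12-01T10:00:00Z'), false),
  User.new(2, 'bob_writes', 'bob@example.net',       DateTime.parse('2018-12-07T09:30:00Z'), false),
  User.new(3, 'xk3q9vz2l',  'xk3q9vz2l@shayzam.net', DateTime.parse('2018-12-08T15:10:00Z'), false),
  User.new(4, 'p7t1mzqw0',  'p7t1mzqw0@khtyler.com', DateTime.parse('2018-12-09T15:12:00Z'), false),
  User.new(5, 'carol',      'carol@example.org',     DateTime.parse('2018-12-09T15:13:00Z'), false),
  User.new(6, 'q2w8n5ybr',  'q2w8n5ybr@lagify.com',  DateTime.parse('2018-12-09T15:14:00Z'), false)
]

# Assumed heuristic: 8+ lowercase alphanumerics with at least two digits and no
# separator (e.g. "xk3q9vz2l"). The report says the cut-off was found by eye
# while paginating; this only automates that glance.
def random_looking?(username)
  username.match?(/\A[a-z0-9]{8,}\z/) && username.count('0-9') >= 2
end

# Walk the recent-user list newest first and return the creation date of the
# oldest random-looking account: everything created since is a candidate.
def find_cutoff(users)
  users.sort_by(&:created_at).reverse
       .select { |u| random_looking?(u.username) }
       .map(&:created_at).min
end

def email_domain(email)
  email.split('@', 2).last.downcase
end

# A name-based blacklist only matches domains it already knows about.
def blocked_by_name?(domain, name_blocklist)
  name_blocklist.include?(domain)
end

# Resolve the domain to its mail-server IP (constructed table; live DNS in
# production) so that every domain fronting the banned server is caught.
def mail_server_ip(domain, resolver = DOMAIN_TO_IP)
  resolver[domain]
end

# The cleanup: candidates by creation date, then disable only those whose
# e-mail domain resolves to a banned IP. Returns the disabled usernames.
def disable_bot_accounts(users, banned_ips = BANNED_IPS, resolver = DOMAIN_TO_IP)
  cutoff = find_cutoff(users)
  return [] if cutoff.nil?

  users.select { |u| u.created_at >= cutoff }
       .select { |u| banned_ips.include?(mail_server_ip(email_domain(u.email), resolver)) }
       .each { |u| u.disabled = true }
       .map(&:username)
end

if __FILE__ == $PROGRAM_NAME
  puts "name blocklist catches khtyler.com? #{blocked_by_name?('khtyler.com', ['shayzam.net'])}"
  puts "IP check catches khtyler.com?       #{BANNED_IPS.include?(mail_server_ip('khtyler.com'))}"
  puts "disabled: #{disable_bot_accounts(SAMPLE_USERS).inspect}"
end
```

The date cut-off alone would have swept up carol, who signed up in the middle of the wave; it is the resolved-IP check that separates her from the bots, and the same check is what a name-only blacklist with one entry misses for the other domains fronting the same server.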

The bots connected from random IPs, and most bots never even connected, as they were disabled before doing any harm.

Depending on how many domains were actually controlled, the scale of the attack shows it was clearly done with the intention to harm mastodon.social; it is not a random spam attack.

Most of the accounts were created recently, in the past day or a bit before; the first was created on 2018-12-08.

The attack also followed a pattern of waves: the bots posted YouTube links, random text and a sleepy emoji, and they made the same kind of posts at the same time. They also spammed a user.

Here are a few toots the bots sent out:

  THE LAST ONE
  IF YOU ARE NOT BINARY PLEASE RESTORE YOURSELF TO THE LAST WINDOWS BACKUP
  Where is admin, is it too busy choosing today's gender, or what?
  "@sasukekin as you wish, here i am SUCKSaCKe" (this toot was targeting an artist)
  "https://www.youtube.com/watch?v=4n6WP9qHyRM" (a WoW theme music)

Regarding the content of the toots, for example the reference to gender identity and the WoW music, there might be a connection to an isolated script kiddie wanting to do harm to a community where LGBT+ people are welcome.

Once again, thanks to @Gargron@mastodon.social, @cm_noelle@mastodon.social and @cm_kropot@mastodon.social.