Pleroma can DoS instances if federated media is too large
Our proxying of remote media is limited by the max_body_length setting, which by default is set to 25MB. The behavior here is not designed to scale. Example:
- Instance federates media larger than 25MB
- Pleroma instance has thousands of active users, post is accepted
- Thousands of users try to render the timeline causing thousands of requests for that media
- Reverse proxy keeps rejecting the media because it's too large, but every user viewing the timeline is effectively causing an HTTP request to the origin because we don't have it in our Mediaproxy cache
How do we solve this? I can think of two ways:
- We track failures of these objects in cachex and refuse to do the request. This limits pressure on the peer.
or
- We add a bypass that still allows users to access the media, but each user is proxying without cache to access it. This increases bandwidth usage to the peer but once the user/client has the media downloaded they won't keep causing requests to be sent to the peer. Enormous objects being federated by malicious instances will hurt themselves and the users with all the wasted bandwidth.
Could use some input from others on how best to architect a solution.
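A sketch of the first option (negatively caching failed fetches so repeated timeline renders stop hitting the origin), added here as an example and not Pleroma's own code: a plain map of url => expiry stands in for Cachex, and the sample URL, the fetch function and the 10-minute TTL are assumptions.

```elixir
defmodule MediaProxy.FailureCache do
  @moduledoc """
  Hypothetical negative cache for remote media that failed to proxy
  (e.g. body over max_body_length). A real implementation would back
  this with Cachex and a TTL; a map of url => expiry_ms keeps it
  self-contained here.
  """

  @ttl_ms :timer.minutes(10)   # assumed: how long a failure is remembered

  def new, do: %{}

  # Remember that `url` failed so later requests are refused until the TTL passes.
  def record_failure(cache, url, now_ms), do: Map.put(cache, url, now_ms + @ttl_ms)

  # :skip if a recent failure is recorded for `url`, otherwise :fetch.
  def check(cache, url, now_ms) do
    case Map.fetch(cache, url) do
      {:ok, expires_at} when expires_at > now_ms -> :skip
      _ -> :fetch
    end
  end

  # Proxy one request. `fetch_fun` stands in for the HTTP client and is
  # assumed to return {:ok, body} | {:error, reason}. Only the "too large"
  # failure is negatively cached; transient errors still get retried.
  def proxy(cache, url, now_ms, fetch_fun) do
    case check(cache, url, now_ms) do
      :skip -> {{:error, :recently_failed}, cache}
      :fetch ->
        case fetch_fun.(url) do
          {:ok, body} -> {{:ok, body}, cache}
          {:error, :too_large} = err -> {err, record_failure(cache, url, now_ms)}
          {:error, _} = err -> {err, cache}
        end
    end
  end

  # Demo: `users` timeline renders of one oversized object; returns how many
  # requests actually reached the origin (1 with the cache, `users` without).
  def demo(users \\ 1_000) do
    url = "https://remote.example/media/huge.mp4"   # constructed sample URL
    origin = fn _url -> {:error, :too_large} end     # origin always exceeds max_body_length
    {hits, _cache} =
      Enum.reduce(1..users, {0, new()}, fn i, {hits, cache} ->
        {result, cache} = proxy(cache, url, i, origin)   # `i` doubles as a fake clock (ms)
        {if(result == {:error, :too_large}, do: hits + 1, else: hits), cache}
      end)
    hits
  end
end
```

`MediaProxy.FailureCache.demo()` returns 1: the first user pays for the oversized fetch and the remaining 999 are refused locally without contacting the peer.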