Bluesky has been dealing with a DDoS attack for nearly a full day
theverge.comThe prevalent discourse/attempt-at-a-meme-but-people-are-taking-it-seriously saying "Bluesky is down because of AI vibecoding!" is starting to get annoying and unoriginal.
Even when Bluesky confirmed it's a DDoS, the line is now "maybe they wouldn't have gotten DDoSed if they didn't vibecode and their code was better."
> Even when Bluesky confirmed it's a DDoS, the line is now "maybe they wouldn't have gotten DDoSed if they didn't vibecode and their code was better."
The context of the "jokes", regardless of if one finds them funny, is that this is exactly how AI boosters (including the bluesky team) have been behaving.
Every little benefit, no matter how small or unfounded, was being attributed to AI usage. So people do the opposite, attributing every little problem to the use of AI.
The implied punchline being "Oh, so now you care about accuracy?"
I haven't seen them do this at all. They've said that they use AI tools when writing code, because most devs do, and they've previewed Attie, their codegen for custom feeds thing, which is a separate tool. None of that is attributing improvements in Bluesky to AI.
As I understand things, the only AI tool the Bluesky team has been pushing has been a feed generator/curator. They have been pushing for vibe coding their systems or for using AI to generate content on Bluesky.
Have not*
Nostr has the highest count of AI boosters per square meter I’ve ever seen, yet nobody seems to be DDoS’ing that.
You have to care about something to DDOS it.
Do you have an example?
A week or two ago, when there was a Bluesky outage and a Claude outage at the same time, people were earnestly pointing to that as evidence that Claude was somehow a load-bearing component of Bluesky, or that AI vibecoding had caused the outage... I had to just disengage but I was also very annoyed by it all.
people really do struggle to differentiate between correlation and causation. we humans love our patterns so that we can make sense of existence.
More like a struggle to STFU about things people don't know much about. I don't think the comments are thought out at all beyond being said in reaction, or likely to get a reaction.
I don't have any anecdotal data, just detecting a whiff of a possible pattern in your statement. DDoS is bots. Any chance the prevalent discourse is bots? "I ain't saying she a gold digger..."
Perhaps underestimating how much the bsky audience absolutely hate AI.
It's funny how closely bsky has replicated the dynamic of old Twitter where the people who run it and the people who use it have completely different priorities and loathe each other.
Maybe I’m in a very atypical corner of Bluesky, but I can’t say I’ve seen more than average anti-AI sentiment.
Also worth considering that there is a lot of anti-AI sentiment outside of our bubble! Maybe not a majority, but the minority is very vocal.
It turns out that this was, in fact, the case. They DDOS'd themselves, with a deployment of their own code - something they have separately claimed is "99% AI written" these days.
Source? Bluesky has not published a RCA yet and they said the would on April 20: https://bsky.app/profile/bsky.app/post/3mjprnr5ptk2m
There is apparently a blog post going around but I am blocked by the person who posted it. I would still wait for the RCA. (EDIT: this is the blog post, it's about an outage a week ago, and does not mention AI: https://pckt.blog/b/jcalabro/april-2026-outage-post-mortem-2... )
I am not surprised. People on Bluesky are so blatantly anti-AI.
Would be funny if this nonsense came mostly from bots to distract from the fact that Bluesky isn't decentralized and thus easier to take out.
Theoretically, if the backend code is optimized enough, a DDoS attempt wouldn't lead to a denial of service since all those requests would just get served as normal. And as long as the network isn't the bottleneck, which it probably is in most cases.
DDoS saturates the network, not the service. Even a box doing nothing would still be unreachable.
Not true, a well done DDoS targets also underlying services (example hitting most consuming DB writes).
There are multiple kinds of ddos attacks targeting different levels of infrastructure. Idk how anyone can say absolutely that a ddos works in one specific way.
A well done DDoS gets the target depeered :)
The interface seemed to function as normal, but specifically the API was targeted, which left a lot of confused users who were seeing the interface peppered with errors. Watching as it unfolded, it seems it affected certain regions to begin with and then slowly spread worldwide.
Seems they might have failed to host the status page (https://status.bsky.app) separately as well, because that went down several times throughout the outage. They also weren't very active in updating the status page, and the notice that was there had a typo of 'reginos' and a description of 'null'.
The status page seems hosted by UptimeRobot, so it looks like it was a problem on their end.
The group that claim to be doing the DDoS also claim to be DDoSing the status page specifically.
What are the chances some company offers to "save" them with a security service which coincidentally will also require users to use the latest officially-sanctioned browsers, OSes, and "trusted" hardware to pass the "security check"...
If you're referring to Cloudflare, the "security check" is not a default setting. For some reason administrators love to use Under attack mode as a band-aid measure to reduce load on the host.
Or they'll (the site operators using Cloudflare proxy) make ill considered firewall rules like "If not Chrome, require security check".
What's your point? You can configure this in Nginx too
Nginx has a built in recaptcha page based on rules? News to me.
Even if it does, the point of Cloudflare's WAF is to avoid the traffic touching the origin if the security check doesn't succeed, so any nginx solution isn't really providing the same value.
At least Apple devices are actually secure and can't really be omitted from things other than gaming and business. Granted, gaming and business are pretty important.
You mean except for that 0day exploit kit floating around on github last week right?
Would you happen to have a link to this? For science of course :)
You mean the one for old ios versions?
You mean the iOS version people are refusing to upgrade from because of the shittified forced UI changes?
You aware that iOS 18 is patched right and "old" means 17 and before?
AFAIK Apple released a patch for EOL devices and not devices which are supported by v26.
False, just updated one a day or two ago, it keeps suggesting iOS 26 but below that was 18.7.7
the amount of people not updating anyway is less than .1%
You mean those three people who refuse to apply ios 18 security patches because they think it'll give them liquid glass?)
> At least Apple devices are actually secure
lol
It seems like DDoS's are getting harder and harder to deal with. The tips that worked 10 years ago are now easily worked around. I keep seeing people on here say "just use TLS fingerprinting" like it's a panacea, but I can't remember the last time an attack didn't spoof their fingerprint.
It feels like, outside of custom behavior tracking, there's no good way to truly protect your site without making it more restrictive in general. Require JS, client side challenges, cloudflare.
Client side challenges would be fine when a DDoS is actually happening, but they're basically targeting certain platforms more than others right now. Not actually helping in keeping a site secure in that case and hurting user experience.
I thought it was distributed/decentralised?
My understanding is that ATProto itself is definitely decentralized but the app view most people interact with using the Bluesky app is centralized ...sort of. The Bluesky app view will read from PDSes hosted by other people, hence people on Bluesky can see stuff posted elsewhere, like users of Blacksky. If the Bluesky app view decides to stop reading from any other PDS (like those of Blacksky, or ones which are self-hosted) they're free to do so. The same is true for alternative app views like Blacksky. Since most people think of Bluesky as the thing you see on the official Bluesky app (which shows the Bluesky app view) an outage of the Bluesky app view will mean they lose the ability to view any posts from any source. If someone's using a separate app view like Blacksky, the most that will happen to them should be that they'll lose interaction with posts coming from Bluesky's PDSes until the outage ends.
I may have the division between Bluesky and Blacksky off, but ATProto does allow this sort of thing. Hosting a PDS is trivial and requires very few resources. Hosting a full app view can be expensive depending on how many PDSes you're ingesting from, but you can decide how much of that you want to do.
Yes, that's the first "D" in "DDoS" ;)
You're probably thinking of Mastadon
In theory! Theoretically it’s not needed to be down at any point today :)
Yes, and other hosts are working normally.
I'm pretty sure the only one that stayed up at all was Red Dwarf, the rest all rely on at least some part of the "main" instance and weren't up
It sounds like Blacksky's outage was much more limited and was caused by them missing some spots where their code still accidentally had some Bluesky integration due to it being the default: https://bsky.app/profile/rude1.blacksky.team/post/3mjnf6pubr...
Thought so too. Odd.
Bluesky has never been distributed/decentralised. It's a single central system, which fetches 0.001% of user data from external systems if the user opts in, and has a marketing team that calls this decentralisation.
The Bluesky app view is centralized in that it can decide which content to show, but A) the hosting of that content is decentralized, and B) alternate app views like Blacksky exist which are fully independent of Bluesky (both Bluesky the company and Bluesky the app view). The Bluesky app view could stop showing users content from Blacksky (or any other) PDSes, but that's it. If you're using the Blacksky app view, afaik Bluesky the company can't do anything other than cut you off from Bluesky's PDSes.
If by "decentralised" you mean "0.001% of it is not only hosted centrally"
They have designed a protocol that could theoretically be decentralised. Then reality hit, and it was centralised.
> If by "decentralised" you mean "0.001% of it is not only hosted centrally"
Sure, much like how email is decentralized in theory but barely is in practice. This doesn’t mean that the decentralized nature is just a marketing gimmick.
It’s unsurprising that almost everyone uses the Bluesky app given that A) the infrastructure for hosting your own relay or app view (I can’t remember which) didn’t have a reference implementation until a while after launch, and B) the user base is much less tech-y than what I’ve seen on Mastodon. Most of the user base moved over in the flight from Twitter/X a couple years ago. I think if it had come out at a different time you’d see something which looked a lot more like Mastodon’s large population distribution.
Also, while this doesn't really matter it looks like the number of users on non-Bluesky PDSes is 1.42% of the total, not 0.001%.
> They have designed a protocol that could theoretically be decentralised. Then reality hit, and it was centralised.
Could you explain what you mean by the underlying protocol having become centralized over time? While I can understand arguing about whether or not Bluesky-the-social-network is practically decentralized to the degree of something like Mastodon or that it became more centralized over time, I think arguing that ATproto[1] itself isn’t decentralized would be ludicrous.
> Sure, much like how email is decentralized in theory but barely is in practice.
Hard disagree. Email is very much decentralized. Doesn't mean that there's still a long tail distrubtion, but its not like 99.999% of email accounts are on Gmail. And I can set up an email account in a few minutes and by choosing from a list of thousands of providers all over the world.
> Email is very much decentralized.
It looks like about 97% of people use iCloud, Gmail, or Outlook as their provider. That doesn't feel like it's terribly different. The people not using one of those big three make up a comparable percent of the total as the number of Bluesky users using alternative PDSes.
Three providers vs one provider does feel very different if those are the only option, but that's not the case for email or Bluesky/AT proto.
> I can set up an email account in a few minutes and by choosing from a list of thousands of providers all over the world.
You can also set up an account on a different PDS and/or use a different app view quite trivially too so I'm not sure that's substantially different.
ATProto would need to use signing key cryptography and content addressable storage to be distributed. If we can't store our data with third parties or create an offline-first system then it's not a decentralized social network.
ATproto does support storing data elsewhere. That’s what a PDS does. I’m not sure what you mean by an offline-first system in this context though or why it’s required for decentralization. Could you elaborate?
Yes, and it only supports storing one's data in one place. If we use local-first as our measuring stick for a decentralized system then ATProto fails since we can't store the msgs anywhere -- such as on the nodes of my friends. Prior art such as secure-scuttlebot had this figured out, and thus no one ever complained about ssb being centralized.
I know, didn't add an /s. I thought it was obvious haha
Curious how they handled it at the CDN level. I use Bunny CDN for video streaming on my project and signed URLs help a lot for abuse prevention, but a full DDoS is a different beast entirely.
Is this just for fun or is there some underlying purpose to those type of attack?
Is it possible to have any certainty when answering that question?
Depending on size, such attacks can be very costly to organize, at least in opportunity cost (that is, using a botnet to attack BlueSky doesn't cost anything per se, but it does mean you can't use it for some other purpose, such as attacking someone else or mining Bitcoin).
If you're asking in general, DDoS attacks can absolutely serve a purpose - either to punish an organization that the attackers are unhappy with, or to hide some other more targeted attacks in a flood of errors, weird behaviors, and tired sysadmins.
One possible purpose is marketing. Owners of the botnet are merely demoing the capabilities for prospective customers.
Hopefully there will be some post-mortem. It seems like we're don't really see that many deliberate DDoS attack anymore. Not that it doesn't happen, but they really don't provide that much value against a target like Bluesky (unless you really hate them).
I'd be interested in how the attack manifests. Is it an actual DDoS? Is it highly aggressive scraping? We should be able to see this in how the attack manifests itself. What is the sources? That's a little harder, but it would be interesting to know if it's compromised devices, residential proxies, rented cloud capacity or something else.
> It seems like we're don't really see that many deliberate DDoS attack anymore.
There are more now then there ever have been in number of infected hosts and total data volume.
The internet is a big place.
”On 13 April 2026, 21 countries joined forces in a coordinated action week that focused on enforcement and prevention measures against over 75 000 criminal users engaging in distributed denial-of-service (DDoS)-for-hire services. With over 75 000 warning emails and letters being sent to identified criminal users and 4 arrests, the action week also led to the takedown of 53 domains and the issuing of 25 search warrants.”
Source: https://www.europol.europa.eu/media-press/newsroom/news/euro...
A decentralized protocol by definition should not be vulnerable to DDos attacks.
Bluesky isn't ATProto.
For all practical purposes, it is.
Thank you for the clarification.
It's federated, not decentralized
You’re saying a mastodon instance can’t vet DDosed?
Truth is if mastodon.social gets ddosd the same as Bluesky I can still use the rest of the network fine. Proof is in the pudding. tons of instances that make up the fabric of redundancy. I think most people would be served better if Bluesky acted differently early with their rollout in a sharded manner?
True. The only 'distributed' part of bluesky is in the PR. Otherwise there'd be more instances.
My mastodon account is not even on mastodon.social, because why would I, when I could have a home server closer to home
i get real tired of people trumpeting that bsky is distributed.
Can i run a private node? can i run a functional node completely within my network segment? because i can with gnusocial and misskey; i've never run mastodon; i am on fosstodon and a couple of other mastodon-likes.
bluesky is to discord what mastodon (fedi) is to IRC.
don't let the fact that most people use the main instances fool you, there's thousands (maybe tens of thousands) of instances. I haven't seen a tally recently, i forget the account that shows them for each "instance type", like pleroma, misskey, mastodon, pixelfed, whatever the reddit clone is, whatever the 4chan clone is, and so on.
anyhow when elon bought twitter mastodon surged. I hope they didn't spend millions upgrading the main instances because most of that dropped off because, you know, everyone's on twitter. only a few million on mastodon.
My whole point is, trying to shoehorn words like "distributed" into a system that i cannot run independently is, well it's just not distributed, that's all.
edit: maybe this is sour grapes because i never got an invite; but maybe i think it's just twitter with a different coat of paint and different buzzwords attached.
Two times some guys at Mastodon tried to convince me to try Bluesky.
I explicitly told them that I want something distributed and that's a high priority, not a nice-to-have.
Yesss, there's definitely some very cheeky marketing going on.
This is half true. If mastodon.social goes down every single one of the accounts made on that instance go down as well. In truly decentralized protocols you own your identity and can take it elsewhere, for instance, in Nostr and SSB, a relay/pub going down is no big deal since you can connect to other servers and maintain communications.
historic posts from the known network and (sometimes media, instance setting) are cached on your own instance in ActivityPub. interactions travel across the known network graph. if an instance vanished forever, overnight, there is at least an imprint of it across the network, albeit instance specific. that may be by design, there are jurisdictions that have people complying with laws and things. not sure how the ecosystems you mention deal with that in particular
That doesn’t answer the point I’m making. If the instance your account was made on explodes, YOU lose your social graph, wether some of your posts survive cached elsewhere is not relevant, your account is gone, and so are your connections.
You have no way to prove an account made after the original instance went down belongs to someone, that’s the issue with federated systems.
As for content moderation, in nostr relay operators such as nostr.build handle legal takedowns on a daily basis, SSB is a little trickier since it’s mostly p2p but pubs are still able to control what flows through them to some degree.
the web, which also gets referred to as decentralized, suffers from the same proof problem. we have identity tied largely to dns. web sites can claim whatever. somewhere a line was drawn to indicate what matters most is creating something without a single point of failure?
Blacksky and other instances of bluesky are not affected, what are you talking about?
Not true, they were down because they still use bluesky's relay
The people I follow on mastodon come from a wide variety of instances. While mastodon.social is the largest instance, most of the accounts I follow are elsewhere.
Granted, all the smaller instances are likely easier to DOS as they are small instances. But mastodon is actually decentralized. If any one instance goes down, everything else keeps working. Unlike Bluesky and ATProto which is more of a theoretical “could be” decentralized.
On the Fediverse you can even block mastodon.social and still have a well populated feed. This is not the case for bluesky.
https://arewedecentralizedyet.online/ is a fun dashboard visualizing how decentralized the Fediverse/Atmosphere is/isn't.